"Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
news:AANLkTikVPJwrOa_sGBYvZpN2VyiSYBC3961JURlf9gVi@xxxxxxxxxxxxxxxxx
Hi Markus
Thank you. But what's the meaning of the kerberos-ticket cached on the
squid (which I can not renew because of "kinit(v5): Ticket expired
while renewing credentials")?
That is your user cache like on an XP PC. It has nothing to do with the
server.
Do I have to renew it with a kinit [username]? As much I understand, I
have not to renew it....correct?
Yes correct. You would have to do this if you would like to use for example
Firefox on Linux.
I had destroy the ticket on the squid with "kdestroy" and the client
is still able to connect.....why?
As I already said the client cache is the important cache. With kdestroy
you just clear the cache of the user who is logged in. (like kerbtray clear
the cache in XP of the logged in user)
Have a look how Kerberos works. In short the client ( in your case the user
on XP ) is requesting some encrypted information from the kdc ( Active
Directory in your case) and then the client application (IE in your case)
sends the encrypted information to the server (squid in your case). The
server uses the keytab to verify the encrypted information for each request
the client send to the server. The server does not need to cache anything
only the client caches to avoid to many requests to AD.
Regards,
Tom
Regards
Markus
2010/7/2 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Hi Tom,
The important ticket is the one on the client (I assume a XP PC). Windows
will usually renew the ticket automatically every 10 hours for 7 days. The
proxy will request new tickets for the ldap authentication, but uses a
memory cache which you can not access.
Regards
Markus
"Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
news:AANLkTikQgFLhT3qy1hPgPlVk7Z5JUeUTwdk-BoD0f2cR@xxxxxxxxxxxxxxxxx
Hi Markus
Is it necessary to renew periodically the kerberos-ticket? I've
defined a a ticket_lifetime for 24h.
I've now the following output:
proxy-test-01:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@xxxxx
Valid starting Expires Service principal
07/01/10 08:47:31 07/01/10 18:47:33 krbtgt/XX.YY@xxxxx
renew until 07/02/10 07:34:41
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Now, the ticket seems to be expired. But I'm still able to
authenticate. Why? What is the behavior, if the kerberos-ticket is
expired? If I try to renew with "kinit -R", I got the following error:
proxy-test-01:~ # kinit -R
kinit(v5): Ticket expired while renewing credentials
Is this normal? How can I solve this behavior?
Thanks you.
Regards,
Tom
2010/7/1 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
You could have used a tool like kerbtray or just lock and unlock the PC
which would have refreshed the cache.
Regards
Markus
"Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
news:AANLkTiljGRnzRu9WXIvAp0Tj22OnXaknjanBCZLvshiB@xxxxxxxxxxxxxxxxx
Hi Markus
This problem is solved now. I rebootet the client, which results in
clearing the client-kerberos cache. Now I'm able to authenticate and I
can use the squid_kerb_ldap-helper.
Thanks a lot for your hints.
Regards
Tom
2010/7/1 Tom Tux <tomtux80@xxxxxxxxx>:
Hi Markus
Thank you.
So, I made my kerberos-configuration from scratch. This will mean:
- Delete computer-account in AD
- Remove /etc/krb5.keytab
- Check with "setspn -L proxy-test-01" if there were no SPN's -> OK.
Then I created the account again with the following command:
./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k
/etc/krb5.keytab --computer-name proxy-test-01 --upn
HTTP/proxy-test-01.xx.yy --server dc 1.xx.yy --verbose
The computer-account was created successfully. In the msktutil-output,
I can see, that the KVNO is set to "2".
On the Domain-Controller, I can also see, that the
"msDS-KeyVersionNumber" is also set to "2".
But I'm not able to authenticate. I got the following
squid-cache-error:
2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information. Key version number for principal in key
table is incorrect'
What's wrong here? I tried with "kinit" and "kinit -R" again -> no
success. How can I fix this problem?
Regards
Tom
2010/6/30 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Hi Tom
squid_kerb_ldap tries to use the keytab to authenticate squid against
AD.
The keytab contains basically the password for the "user" http/<fqdn>
which
maps in AD to the userprincipalname attribute. In your case
squid_kerb_ldap
tries to use host/proxy-test-01.xx.yy@xxxxx but does not find in AD an
entry
which has the userprincipalname attribute with that value and therfore
can
not check group memberships. msktutil has the option --upn which will
set
the AD attribute accordingly (see
alsohttp://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
host/proxy-test-01.xx.yy@xxxxx
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
credentials
from keytab : Client not found in Kerberos database
Regards
Markus
"Tom Tux" <tomtux80@xxxxxxxxx> wrote in message
news:AANLkTilZ_WeFjeU1bMnPSgvnhAhTe6RJMr6bjA-uuQ_m@xxxxxxxxxxxxxxxxx
Hi
I'm trying to authenticate our clients with squid_kerb_ldap against
our ad. There exists a global-group called "Internet". My squid.conf
looks like this:
auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth
-i
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
/usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
acl inetAccess external SQUID_KERB_LDAP
http_access allow inetAccess
My "klist -k" looks like this:
proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
4 host/proxy-test-01.xx.yy@xxxxx
4 host/proxy-test-01.xx.yy@xxxxx
4 host/proxy-test-01.xx.yy@xxxxx
4 host/proxy-test-01@xxxxx
4 host/proxy-test-01@xxxxx
4 host/proxy-test-01@xxxxx
4 PROXY-TEST-01$@XX.YY
4 PROXY-TEST-01$@XX.YY
4 PROXY-TEST-01$@XX.YY
4 HTTP/proxy-test-01.xx.yy@xxxxx
4 HTTP/proxy-test-01.xx.yy@xxxxx
4 HTTP/proxy-test-01.xx.yy@xxxxx
4 HTTP/proxy-test-01@xxxxx
4 HTTP/proxy-test-01@xxxxx
4 HTTP/proxy-test-01@xxxxx
5 proxy-test-01$@XX.YY
5 proxy-test-01$@XX.YY
5 proxy-test-01$@XX.YY
5 HTTP/proxy-test-01.xx.yy@xxxxx
5 HTTP/proxy-test-01.xx.yy@xxxxx
5 HTTP/proxy-test-01.xx.yy@xxxxx
5 HTTP/proxy-test-01@xxxxx
5 HTTP/proxy-test-01@xxxxx
5 HTTP/proxy-test-01@xxxxx
5 host/proxy-test-01.xx.yy@xxxxx
5 host/proxy-test-01.xx.yy@xxxxx
5 host/proxy-test-01.xx.yy@xxxxx
Without squid_kerb_ldap, the internet-access is working fine. With
the
helper, I got the following errors in the cache.log:
2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx
authenticated
2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain:
XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: group@domain
Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop:
group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Default group loop:
group@domain
Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Found group@domain
Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name
/etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab
/etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name:
XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Found principal name:
host/proxy-test-01.xx.yy@xxxxx
2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_22001
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
host/proxy-test-01.xx.yy@xxxxx
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
credentials from keytab : Client not found in Kerberos database
2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos
credential cache
2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of
group@domain Internet@NULL
2010/06/30 09:45:48| squid_kerb_ldap: ERR
2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER@xxxxx
authenticated
What could this be? The user "testuser" is member of the ad-group
"Internet".
Thanks a lot.
Tom
