For squid_kerb_ldap to work the AD entry must have a userprincipalname attribute set to one of the keytab entry names, e.g. HTTP/ubuntu.pfsee.net@xxxxxxxxx. This is one of the differences between msktutil with --upn and net ads join.
Markus
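The mismatch Markus describes can be checked before restarting squid. The script below is an added example, not code from the thread or from squid_kerb_ldap: it parses a "ktutil: l" listing and compares the principals against a constructed stand-in for the computer object that "net ads join" creates (SPNs registered, no userPrincipalName). The realm PFSEE.NET is assumed from the unmasked UBUNTU$ entry; the attribute values are hypothetical.

```python
import re

# ktutil listing modelled on the one quoted in the thread (constructed, duplicates removed).
KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ----------------------------------------------------------------------
   1    2 host/ubuntu.pfsee.net@PFSEE.NET
   4    2 host/ubuntu@PFSEE.NET
   7    2 UBUNTU$@PFSEE.NET
  10    2 HTTP/ubuntu.pfsee.net@PFSEE.NET
  13    2 HTTP/ubuntu@PFSEE.NET
"""

# Hypothetical computer object as left by "net ads join": SPNs only, no UPN.
AD_COMPUTER_OBJECT = {
    "sAMAccountName": "UBUNTU$",
    "userPrincipalName": None,
    "servicePrincipalName": ["host/ubuntu.pfsee.net", "host/ubuntu",
                             "HTTP/ubuntu.pfsee.net", "HTTP/ubuntu"],
}

def parse_ktutil_listing(text):
    """Return the distinct principal names from a 'ktutil: l' listing, in keytab order."""
    principals = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+\d+\s+(\S+)$", line)
        if m and m.group(1) not in principals:
            principals.append(m.group(1))
    return principals

def client_principals_known_to_ad(principals, account, realm):
    """The KDC issues a TGT only to names it can map to an account's userPrincipalName
    or sAMAccountName. servicePrincipalName values identify ticket targets and never
    the requesting client, so a keytab entry that exists only as an SPN fails with
    'Client not found in Kerberos database' when used to acquire initial credentials."""
    known = {f"{account['sAMAccountName']}@{realm}"}
    if account["userPrincipalName"]:
        known.add(account["userPrincipalName"])
    return [p for p in principals if p in known]

def diagnose(listing, account, realm):
    """Report whether any HTTP/ keytab entry can act as the helper's client principal."""
    principals = parse_ktutil_listing(listing)
    usable = client_principals_known_to_ad(principals, account, realm)
    http = [p for p in principals if p.startswith("HTTP/")]
    return {"http_principals": http,
            "usable_as_client": usable,
            "needs_upn": not any(p in usable for p in http)}
```

Setting userPrincipalName to HTTP/ubuntu.pfsee.net@PFSEE.NET on the constructed object (what msktutil --upn does) flips needs_upn to False.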
----- Original Message -----
From: "Rafal Zawierta" <zawierta@xxxxxxxxx>
To: <huaraz@xxxxxxxxxxxxxxxx>
Sent: Wednesday, January 19, 2011 11:39 PM
Subject: squid_kerb_ldap question
Hello Markus!
If you don't mind I'd like to ask you for help with my squid_kerb_ldap problem.
After 2 long days I have squid_kerb_auth working.
I have an Ubuntu host, which was joined to AD by the net join command AND the krb5.keytab was also created that way.
Now, when I start my squid with kerb_ldap helper I get:
2011/01/20 00:20:14| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
2011/01/20 00:20:14| squid_kerb_ldap: Error during setup of Kerberos credential cache
AFAIK the problem is with my keytab - am I right? Is it possible to fix it without running msktutil? Or is the only good way to delete (?) my keytab and create a new one with msktutil with the --upn option?
ktutil on proxy server shows me:
ktutil: rkt /etc/squid/HTTP.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/ubuntu.pfsee.net@xxxxxxxxx
2 2 host/ubuntu.pfsee.net@xxxxxxxxx
3 2 host/ubuntu.pfsee.net@xxxxxxxxx
4 2 host/ubuntu@xxxxxxxxx
5 2 host/ubuntu@xxxxxxxxx
6 2 host/ubuntu@xxxxxxxxx
7 2 UBUNTU$@PFSEE.NET
8 2 UBUNTU$@PFSEE.NET
9 2 UBUNTU$@PFSEE.NET
10 2 HTTP/ubuntu.pfsee.net@xxxxxxxxx
11 2 HTTP/ubuntu.pfsee.net@xxxxxxxxx
12 2 HTTP/ubuntu.pfsee.net@xxxxxxxxx
13 2 HTTP/ubuntu@xxxxxxxxx
14 2 HTTP/ubuntu@xxxxxxxxx
15 2 HTTP/ubuntu@xxxxxxxxx
But on the AD server, in AD Users and Computers, there is NO http or whatever entry in Users. Just ubuntu in Computers.
Regards
Rafal