When I run msktutil I get this line in the output.

krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

I did kinit before issuing msktutil and it ran successfully. I can see tickets when I issue klist.

On 30 April 2011 10:43, Go Wow <gowows@xxxxxxxxx> wrote:
> Hi,
>
>  I'm trying to configure Kerberos Authentication for squid. I'm
> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
> Kerberos authentication guide on squid-cache and many other guides, I
> always end up with these logs in my cache.log. My client browser keeps
> prompting for username/password. Even a valid set of credentials is
> not accepted.
>
> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
> (length: 59).
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
> length: 40).
> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
> (length: 59).
> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
> length: 40).
> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
> validating user via Negotiate. Error returned 'BH received type 1 NTLM
> token'
>
>
> I want to check and make sure my keytab entries are good. How do I do
> that? My client system can list the tickets for client principal.
>
> Please have a look at my krb5.conf & keytab file here
> http://pastebin.com/vTBr3r5D
>
> I'm using this command to create the keytab file.
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
> ad01.orangegroup.com --verbose
>
> All the domains are resolving properly to IPs.
>
> Thanks for your help.
>
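
Added example, not part of either message above: a small Python classifier for the base64 token that squid_kerb_auth logged. It shows that the logged token is a raw NTLMSSP type 1 message rather than a SPNEGO token offering Kerberos. The function and constant names are hypothetical, the SPNEGO sample is constructed, and the OID matching is a heuristic byte search, not a full ASN.1 parse.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))     # 1.2.840.48018.1.2.2
NEGOTIATE_VERSION = 0x02000000   # NTLM flag: 8-byte version block is present

# Token copied from the cache.log lines quoted in the message above.
LOGGED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
# Constructed sample: SPNEGO NegTokenInit offering only Kerberos (no ticket inside).
CONSTRUCTED_SPNEGO = base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()


def classify_negotiate_token(b64_token):
    """Heuristically describe what a base64 Negotiate token carries."""
    raw = base64.b64decode(b64_token, validate=True)
    info = {"length": len(raw), "kind": "unknown", "mechs": []}
    if raw.startswith(NTLMSSP) and len(raw) >= 16:
        # Signature (8 bytes), then little-endian message type and flags
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info.update(kind="raw NTLMSSP", mechs=["NTLM"],
                    ntlm_type=msg_type, flags=hex(flags))
        # Type 1 layout: domain/workstation fields at 16..31, version at 32..39
        if msg_type == 1 and flags & NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_version"] = f"{major}.{minor}.{build}"
    elif raw[:1] == b"\x60":                     # GSS-API InitialContextToken
        info["kind"] = "SPNEGO" if SPNEGO_OID in raw[:16] else "GSS-API"
        if any(oid in raw for oid in KRB5_OIDS):
            info["mechs"].append("Kerberos")
        if NTLMSSP in raw:                       # NTLM wrapped inside SPNEGO
            info["mechs"].append("NTLM")
    return info


if __name__ == "__main__":
    for name, tok in (("logged", LOGGED_TOKEN), ("constructed", CONSTRUCTED_SPNEGO)):
        print(name, classify_negotiate_token(tok))
```
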