I tried with msktutil version 0.4 but the same thing is happening. I followed your guide, firstly with samba/winbind, I created the keytab and configured negotiate parameters in squid.conf but when I open the browser pointing to squid3 as proxy server (with FQDN not IP) it prompts for username/password. This system is Windows 7 64 Bit.

Then I tried msktutil. The command I used is the same as I mentioned below.

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server ad01.orangegroup.com --verbose

The output of the command gives me one error saying but creates the keytab file

-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)

I have kerbtray installed on the client system and I can see my domains krtgt/domain.com listed. As a matter of fact I'm using a SharePoint server which uses the same method to authenticate and I'm able to log in to it without entering username/password. I tried purging tickets but no change.

Regards

On 30 April 2011 16:17, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi Go,
>
> Can you describe in detail what you did (e.g. exact msktutil command)? BTW
> I updated the wiki yesterday, pointing to a newer msktutil (version 0.4)
> which you should try in case you use an older version.
>
> It looks to me that your client is not able to get the Kerberos ticket from
> AD, which is why the client falls back to NTLM and the negotiate wrapper
> now deals with this case.
>
> To find out why the client does not get the ticket you can run wireshark
> and look for traffic on port 88.
>
> Markus
>
>
> "Go Wow" <gowows@xxxxxxxxx> wrote in message
> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ@xxxxxxxxxxxxxxxxx
> When I run msktutil I get this line in the output.
>
> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>
> I did kinit before issuing msktutil and it ran successfully. I can see
> tickets when I issue klist.
>
>
>
> On 30 April 2011 10:43, Go Wow <gowows@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> I'm trying to configure Kerberos Authentication for squid. I'm
>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>> kerberos authentication guide on squid-cache and many other guides, I
>> always end up with these logs in my cache.log. My client browser keeps
>> prompting for username/password. Even a valid set of credentials is
>> not accepted.
>>
>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>> (length: 59).
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>> length: 40).
>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>> (length: 59).
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>> length: 40).
>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>>
>>
>> I want to check and make sure my keytab entries are good. How do I do
>> that? My client system can list the tickets for client principal.
>>
>> Please have a look at my krb5.conf & keytab file here
>> http://pastebin.com/vTBr3r5D
>>
>> I'm using this command to create the keytab file.
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>> ad01.orangegroup.com --verbose
>>
>> All the domains are resolving properly to IPs.
>>
>> Thanks for your help.
>>
>
>
>
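Added example, not part of the original thread and not code from Squid or squid_kerb_auth: a small Python classifier for the base64 token that the helper logs after 'YR', showing why the token in the cache.log above is reported as a type 1 NTLM message rather than a Kerberos/SPNEGO token. The function names are hypothetical, and the SPNEGO sample is a constructed 12-byte header, not a real ticket.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs that follow the GSS-API 0x60 header.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",  # 1.2.840.113554.1.2.2
}

# Token copied from the cache.log lines quoted in the thread.
PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="
# Constructed sample: GSS-API header + SPNEGO OID + empty body.
CONSTRUCTED_SPNEGO = base64.b64encode(
    bytes.fromhex("600a06062b0601050502a000")).decode()


def classify_token(b64_token):
    """Label a base64 token taken from a Negotiate header or helper log."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "invalid base64"
    # NTLM messages start with the NTLMSSP signature, then a LE32 type.
    if raw.startswith(NTLMSSP) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        return "NTLM type %d (%s)" % (
            msg_type, NTLM_TYPES.get(msg_type, "unknown"))
    # GSS-API InitialContextToken: 0x60, DER length, mechanism OID.
    if len(raw) >= 2 and raw[0] == 0x60:
        pos = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)
        for oid, name in MECH_OIDS.items():
            if raw.startswith(oid, pos):
                return "GSS-API token, mechanism " + name
        return "GSS-API token, unknown mechanism"
    return "unrecognised token"


def classify_helper_line(line):
    """Classify a helper request line of the form 'YR <token>'."""
    parts = line.split()
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        return "not a helper request"
    return classify_token(parts[1])


if __name__ == "__main__":
    for label, tok in (("page", PAGE_TOKEN), ("constructed", CONSTRUCTED_SPNEGO)):
        print(label, "->", classify_helper_line("YR " + tok))
```

An NTLM type 1 result means the browser never sent a Kerberos service ticket, so the thing to check is ticket acquisition on the client (the port 88 traffic mentioned in the reply), not the proxy's token decoding.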