I will check that and inform you. But how did you troubleshoot that the
entry is missing from AD?

On 1 May 2011 14:51, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> It looks like you do not have an entry in AD. Can you search AD for entries
> with serviceprincipalname = HTTP/proxyserver.orangegroup.com ?
>
> Markus
>
>
> "Go Wow" <gowows@xxxxxxxxx> wrote in message
> news:BANLkTinUivd8YFNnX+Gp6aZxd0RhzTKjTQ@xxxxxxxxxxxxxxxxx
> On 1 May 2011 00:00, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>
>> Hi Go,
>>
>> For Windows 2008 the wiki says "use --enctypes 28". Did you use it?
>
> Yes, I used --enctypes 28.
>
>>
>> What does klist -e show, and what does
>>
>> kinit <user>
>> kvno HTTP/proxyserver.orangegroup.com
>>
>> show (<user> being your userid)?
>
> Here is the complete output:
>
> root@proxyserver:/home/owner# whoami
> root
> root@proxyserver:/home/owner# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> root@proxyserver:/home/owner# klist -e
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> root@proxyserver:/home/owner# kinit Administrator
> Password for Administrator@xxxxxxxxxxxxxxx:
> root@proxyserver:/home/owner# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@xxxxxxxxxxxxxxx
>
> Valid starting     Expires            Service principal
> 05/01/11 09:36:33  05/01/11 19:36:38  krbtgt/ORANGEGROUP.COM@xxxxxxxxxxxxxxx
>         renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
> kvno: Server not found in Kerberos database while getting credentials for http/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
> root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
> kvno: Server not found in Kerberos database while getting credentials for HTTP/proxyserver.orangegroup.com@xxxxxxxxxxxxxxx
>
>> When you purge tickets (with kerbtray), start wireshark with a filter on
>> port 88 and access a webpage via the proxy, do you see any errors in
>> wireshark? Can you send me the capture?
>
> I will email you the port 88 capture in a sec.
>
> Thanks for your help.
>
>> Markus
>>
>>
>> "Go Wow" <gowows@xxxxxxxxx> wrote in message
>> news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw@xxxxxxxxxxxxxxxxx
>> I tried with msktutil version 0.4, but the same thing is happening.
>>
>> I followed your guide, firstly with samba/winbind. I created the
>> keytab and configured the negotiate parameters in squid.conf, but when I
>> open a browser pointing to squid3 as proxy server (with FQDN, not IP) it
>> prompts for username/password. This system is Windows 7 64 Bit.
>>
>> Then I tried msktutil. The command I used is the same as I mentioned below.
>>
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>> ad01.orangegroup.com --verbose
>>
>> The output of the command gives me one error, but it creates the keytab
>> file:
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>> (Client not found in Kerberos database)
>>
>> I have kerbtray installed on the client system and I can see my domain's
>> krbtgt/domain.com listed. As a matter of fact, I'm using a SharePoint
>> server which uses the same method to authenticate, and I'm able to log in
>> to it without entering username/password. I tried purging tickets,
>> but no change.
>>
>> Regards
>>
>>
>> On 30 April 2011 16:17, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Hi Go,
>>>
>>> Can you describe in detail what you did (e.g. the exact msktutil command)?
>>> BTW, I updated the wiki yesterday, pointing to a newer msktutil (version 0.4),
>>> which you should try in case you use an older version.
>>>
>>> It looks to me that your client is not able to get the Kerberos ticket
>>> from AD, which is why the client falls back to NTLM and the negotiate
>>> wrapper now deals with this case.
>>>
>>> To find out why the client does not get the ticket you can run wireshark
>>> and look for traffic on port 88.
>>>
>>> Markus
>>>
>>>
>>> "Go Wow" <gowows@xxxxxxxxx> wrote in message
>>> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ@xxxxxxxxxxxxxxxxx
>>> When I run msktutil I get this line in the output:
>>>
>>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>>
>>> I did kinit before issuing msktutil and it ran successfully. I can see
>>> tickets when I issue klist.
>>>
>>>
>>>
>>> On 30 April 2011 10:43, Go Wow <gowows@xxxxxxxxx> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>>> kerberos authentication guide on squid-cache and many other guides; I
>>>> always end up with these logs in my cache.log. My client browser keeps
>>>> prompting for username/password. Even a valid set of credentials is
>>>> not accepted.
>>>>
>>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
>>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded length: 40).
>>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
>>>>
>>>>
>>>> I want to check and make sure my keytab entries are good. How do I do
>>>> that? My client system can list the tickets for the client principal.
>>>>
>>>> Please have a look at my krb5.conf & keytab file here:
>>>> http://pastebin.com/vTBr3r5D
>>>>
>>>> I'm using this command to create the keytab file:
>>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>>> ad01.orangegroup.com --verbose
>>>>
>>>> All the domains are resolving properly to IPs.
>>>>
>>>> Thanks for your help.
>>>>
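The diagnosis in this thread hinges on one fact: the token squid_kerb_auth logs as 'YR ...' is an NTLMSSP message, not a SPNEGO/Kerberos token, which means the browser never obtained a service ticket for HTTP/proxyserver.orangegroup.com and fell back to NTLM. The script below is an added example, not squid's or msktutil's code, that decodes the exact token from the cache.log excerpt above and classifies it. The OIDs and NTLM field offsets are the published GSS-API/SPNEGO and MS-NLMP layouts; the log line embedded in the script is copied from the thread, and the small SPNEGO sample used for comparison is constructed for illustration only.

```python
"""Classify the client token that squid_kerb_auth logs as 'YR <base64>'.

Added diagnostic for the Squid Kerberos thread above (not squid's code).
If the browser obtained a Kerberos ticket, the blob is a GSS-API
InitialContextToken (tag 0x60) carrying the SPNEGO OID 1.3.6.1.5.5.2 or
the Kerberos 5 OID 1.2.840.113554.1.2.2. If it fell back to NTLM, the
blob starts with 'NTLMSSP\\0' and squid_kerb_auth emits the
'received type 1 NTLM token' warning seen in the thread.
"""
import base64
import struct

# DER-encoded OIDs as they appear inside a GSS-API InitialContextToken.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_MAGIC = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_VERSION = 0x02000000                 # MS-NLMP flag bit 25

# Log line copied verbatim from the cache.log excerpt in the thread.
LOG_LINE = ("2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR "
            "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' "
            "from squid (length: 59).")

# Constructed sample of what a Kerberos-capable client would send instead:
# a GSS-API header (tag 0x60, length 8) wrapping only the SPNEGO OID.
SAMPLE_SPNEGO_TOKEN = b"\x60\x08" + SPNEGO_OID


def token_from_log_line(line):
    """Return the base64-decoded blob between "Got 'YR " and the closing quote."""
    marker = "Got 'YR "
    start = line.index(marker) + len(marker)
    end = line.index("'", start)
    return base64.b64decode(line[start:end])


def classify_token(token):
    """Return "ntlm", "spnego", "krb5" or "unknown" for a Negotiate blob."""
    if token.startswith(NTLMSSP_MAGIC):
        return "ntlm"
    if token[:1] == b"\x60":            # [APPLICATION 0] InitialContextToken
        head = token[:20]               # tag + up to 3 length bytes + OID
        if SPNEGO_OID in head:
            return "spnego"
        if KRB5_OID in head:
            return "krb5"
    return "unknown"


def parse_ntlm(token):
    """Decode message type, negotiate flags and OS version of an NTLMSSP message.

    Layout (MS-NLMP NEGOTIATE_MESSAGE): signature[0:8], MessageType[8:12],
    NegotiateFlags[12:16], DomainNameFields[16:24],
    WorkstationFields[24:32], Version[32:40] when the VERSION flag is set.
    """
    if not token.startswith(NTLMSSP_MAGIC):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", token, 8)
    info = {"type": msg_type}
    if msg_type == 1:
        (flags,) = struct.unpack_from("<I", token, 12)
        info["flags"] = flags
        if flags & NTLMSSP_NEGOTIATE_VERSION and len(token) >= 40:
            major, minor, build = struct.unpack_from("<BBH", token, 32)
            info["version"] = (major, minor, build)
    return info


def diagnose(line):
    """One-line verdict for a squid_kerb_auth 'Got' debug line."""
    token = token_from_log_line(line)
    kind = classify_token(token)
    if kind != "ntlm":
        return "%s token (%d bytes): client did obtain a GSS token" % (kind, len(token))
    info = parse_ntlm(token)
    ver = info.get("version")
    return ("NTLM type %d (flags 0x%08x, client OS %s): no Kerberos service "
            "ticket was used; check the SPN/keytab before looking at squid"
            % (info["type"], info["flags"], ver))


if __name__ == "__main__":
    print(diagnose(LOG_LINE))
```

Running it on the logged token reports an NTLM type 1 message whose version field says Windows 6.1 build 7600, i.e. the Windows 7 client mentioned later in the thread, which confirms the fallback happened on the client before squid was involved. The next check is therefore the one Markus asks for: whether an AD object carries servicePrincipalName HTTP/proxyserver.orangegroup.com, since kvno reported "Server not found in Kerberos database" for exactly that name.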