Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

"James Robertson" <j@xxxxxxxxxxxxxxxx> wrote in message news:CAMALoy9d=kwHQAAfP8=1suhwnW8eq7Q=JR3AaTAUJs25nx8CRQ@xxxxxxxxxxxxxx...
Looking at your email again. You say your hostname is
3msydproxy01.example.local including the domain. So it should have worked.

I think the problem is that you don't use the -s HTTP switch for the auto
update, as I see msktutil tries to authenticate as host/<fqdn> instead of
HTTP/<fqdn> and correctly gets the reply that there is no client with that UPN.


Because I reset the account in AD doesn't that mean the only method
that would work is the try_machine_password method?


No. The machine password is linked to the UPN. What you can do is, for example, kinit -kt /etc/squid3/PROXY.keytab HTTP/3msydproxy01.example.local. That is a "login" as "user" HTTP/3msydproxy01.example.local using the password stored in the keytab.

(Sorry about the line wrap, it's a gmail thing you cannot disable in
plain text... grr)

# hostname -f
3msydproxy01.example.local

## Create account command using computer name 3MSYDPROXY01-HTTP
# msktutil -c -b "ou=MEMBER SERVERS,ou=EXAMPLE" \
    -s HTTP/3msydproxy01.example.local -k /etc/squid3/PROXY.keytab \
    --computer-name 3MSYDPROXY01-HTTP --upn HTTP/3msydproxy01.example.local \
    --server dc1.example.local --verbose --enctypes 28

## auto update command after account reset in AD (and kdestroy)
# msktutil --auto-update --verbose --computer-name 3msydproxy01-http \
    --server dc1.example.local -s HTTP/3msydproxy01.example.local

...
-- try_machine_password: Trying to authenticate for 3msydproxy01-http$ with password.
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
...


This doesn't matter. What do the next lines say?

-- try_machine_keytab_princ: Trying to authenticate for HTTP/3msydproxy01.example.local from local keytab...

This should be successful.

The kinit test before the update and a Wireshark capture would help identify the issue (i.e. a msktutil error).


Whereas, if I create the computer name to match the machine's hostname,
msktutil --auto-update works.

## Create account command using computer name 3MSYDPROXY01
# msktutil -c -b "ou=MEMBER SERVERS,ou=EXAMPLE" \
    -s HTTP/3msydproxy01.example.local -k /etc/squid3/PROXY.keytab \
    --computer-name 3MSYDPROXY01 --upn HTTP/3msydproxy01.example.local \
    --server dc1.example.local --verbose --enctypes 28

## auto update command after account reset in AD (and kdestroy)
# msktutil --auto-update --verbose --computer-name 3msydproxy01 \
    --server dc1.example.local -s HTTP/3msydproxy01.example.local

...
-- try_machine_password: Trying to authenticate for 3msydproxy01$ with password.
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-aSNdFw
-- finalize_exec: Authenticated using method 3

-- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=YES
-- ldap_connect: Connecting to LDAP server: dc1.example.local try_tls=NO
SASL/GSSAPI authentication started
SASL username: 3msydproxy01$@example.local
SASL SSF: 56
SASL data security layer installed.
...


Perhaps this is a bug in msktutil?


Regards
Markus
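The pre-flight check Markus suggests (confirm the keytab actually carries HTTP/<fqdn> and try kinit -kt with it before running msktutil --auto-update), written out as a small POSIX shell script. This is an added example, not code from the thread or from msktutil; the keytab path and FQDN come from the thread, while the klist -kt listing, the realm EXAMPLE.LOCAL and the function names are constructed here for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Squid Kerberos keytab before
# running msktutil --auto-update.  Assumes MIT Kerberos client tools
# (klist, kinit, kdestroy); they may be absent on the box running this.

# Keytab path as used in the thread; override with KEYTAB=... in the env.
KEYTAB="${KEYTAB:-/etc/squid3/PROXY.keytab}"

# Build the service principal msktutil should authenticate as when it is
# given -s HTTP/<fqdn>.  Without -s it falls back to host/<fqdn>.
http_principal() {
    printf 'HTTP/%s\n' "$1"
}

# Read a `klist -kt` listing on stdin and return 0 if it contains the given
# principal (with any realm).  MIT klist prints a three-line header
# (keytab name, column titles, dashes) and then "KVNO Timestamp Principal";
# the principal is always the last field, so $NF survives timestamp formats
# with a varying number of spaces.
keytab_lists_principal() {
    awk -v p="$1" '
        NR > 3 && index($NF, p "@") == 1 { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# The kinit test from the thread: log in as the HTTP/<fqdn> "user" with the
# key stored in the keytab.  Returns kinit's status, or 2 if kinit is absent.
kinit_test() {
    _principal="$1"
    if ! command -v kinit >/dev/null 2>&1; then
        echo "kinit not installed; cannot run the keytab login test"
        return 2
    fi
    if kinit -kt "$KEYTAB" "$_principal"; then
        echo "OK: obtained a TGT as $_principal using $KEYTAB"
        kdestroy
        return 0
    fi
    echo "FAIL: kinit -kt $KEYTAB $_principal (check the keytab's KVNO/enctypes against AD)"
    return 1
}

# Full check against the live system: derive the FQDN exactly as msktutil
# does (hostname -f), verify the keytab lists HTTP/<fqdn>, then kinit.
preflight() {
    _fqdn="$(hostname -f)"
    _principal="$(http_principal "$_fqdn")"
    if ! klist -kt "$KEYTAB" | keytab_lists_principal "$_principal"; then
        echo "FAIL: $KEYTAB has no $_principal entry; re-run msktutil with -s $_principal"
        return 1
    fi
    kinit_test "$_principal"
}

# Constructed klist -kt listing (realm EXAMPLE.LOCAL is an assumption),
# shaped like the keytab the thread's -c command would produce.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 00:00:00 HTTP/3msydproxy01.example.local@EXAMPLE.LOCAL
   2 01/01/2024 00:00:00 3MSYDPROXY01-HTTP$@EXAMPLE.LOCAL'

# Run the live checks only when invoked with --run, so sourcing the file
# for its functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Against the constructed listing, `printf '%s\n' "$SAMPLE_KLIST" | keytab_lists_principal "HTTP/3msydproxy01.example.local"` succeeds while the `host/` principal is rejected, which is exactly the distinction the thread turns on: without `-s HTTP/<fqdn>`, msktutil looks for a principal the keytab does not have.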
