Here are the first issues:

[root@proxy ~]# kdestroy
<NOW RESET DONE FOR HOST squid-k IN AD>
[root@proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
 -- init_password: Wiping the computer password structure
 -- get_dc_host: Attempting to find a Domain Controller to use
 -- get_dc_host: Found Domain Controller: TEST-admsdc02
 -- get_default_keytab: Obtaining the default keytab name: /etc/squid/HTTP.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-iN2kxe
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: squid-k$
 -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for squid-k$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab,
default machine password, nor calling user's tickets worked. Try
"kinit"ing yourself some tickets with permission to create computer
objects, or pre-creating the computer object in AD and selecting
'reset account'.
 -- ~KRB5Context: Destroying Kerberos Context

[root@proxy ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.GE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_keytab_name = /etc/squid/HTTP.keytab
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 TEST.GE = {
  kdc = TEST-admsdc01.test.ge
  kdc = TEST-admsdc01.test.ge
  admin_server = TEST-admsdc01.test.ge
  default_domain = test.ge
 }

[domain_realm]
 test.ge = TEST.GE
 .test.ge = TEST.GE

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Where can I find the reason?

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
> Hello James
>
> Great job! Thanks for the reply
>
> I will check and update with tests :)
>
> Best regards,
> George Machitidze
>
>
>
> On Thu, Jan 12, 2012 at 1:00 PM, James Robertson <j@xxxxxxxxxxxxxxxx> wrote:
>>> When I try to use the Opera browser I am getting an ugly message after
>>> entering credentials:
>>>
>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>> Error returned 'BH received type 1 NTLM token'
>>
>> Opera does not support Kerberos as far as I know. You will still
>> need to support NTLM. You will have issues with iTunes and possibly
>> various other apps that need NTLM support.
>>
>>> Is there any "universal", well tested configuration/manual that will
>>> make all clients work?
>>
>> I just completed a guide based on Debian that supports Kerberos, NTLM
>> and basic auth and was planning on updating the Squid Wiki also
>> sometime soon. You should be able to translate that to your RH.
>>
>> HTH.
>>
>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy