Never mind - my fault. On Redhat winbind is running as root and the owner of the file is root:root; I've changed it to squid.

Best regards,
George Machitidze

On Thu, Jan 12, 2012 at 4:01 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
> Here are the first issues:
>
> [root@proxy ~]# kdestroy
>
> <NOW RESET DONE FOR HOST squid-k IN AD>
>
> [root@proxy ~]# msktutil --auto-update --verbose --computer-name squid-k
> -- init_password: Wiping the computer password structure
> -- get_dc_host: Attempting to find a Domain Controller to use
> -- get_dc_host: Found Domain Controller: TEST-admsdc02
> -- get_default_keytab: Obtaining the default keytab name: /etc/squid/HTTP.keytab
> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-iN2kxe
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: squid-k$
> -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for host/proxy from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for squid-k$ with password.
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
> -- try_user_creds: User ticket cache was not valid.
> Error: could not find any credentials to authenticate with. Neither keytab, default machine password, nor calling user's tickets worked. Try "kinit"ing yourself some tickets with permission to create computer objects, or pre-creating the computer object in AD and selecting 'reset account'.
> -- ~KRB5Context: Destroying Kerberos Context
>
> [root@proxy ~]# cat /etc/krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = TEST.GE
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
> default_keytab_name = /etc/squid/HTTP.keytab
> default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> [realms]
> TEST.GE = {
> kdc = TEST-admsdc01.test.ge
> kdc = TEST-admsdc01.test.ge
> admin_server = TEST-admsdc01.test.ge
> default_domain = test.ge
> }
>
> [domain_realm]
> test.ge = TEST.GE
> .test.ge = TEST.GE
>
> [appdefaults]
> pam = {
> debug = true
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> Where can I find the reason?
>
> Best regards,
> George Machitidze
>
>
>
> On Thu, Jan 12, 2012 at 1:11 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
>> Hello James
>>
>> Great job! Thanks for the reply.
>>
>> I will check and update with tests :)
>>
>> Best regards,
>> George Machitidze
>>
>>
>>
>> On Thu, Jan 12, 2012 at 1:00 PM, James Robertson <j@xxxxxxxxxxxxxxxx> wrote:
>>>> When I try to use Opera browser I am getting an ugly message after
>>>> entering credentials:
>>>>
>>>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>>>> Error returned 'BH received type 1 NTLM token'
>>>
>>> Opera does not support Kerberos as far as I know. You will still
>>> need to support NTLM. You will have issues with iTunes and possibly
>>> various other apps that need NTLM support.
>>>
>>>> Is there any "universal", well tested configuration/manual that will
>>>> make all clients work?
>>>
>>> I just completed a guide based on Debian that supports Kerberos, NTLM
>>> and basic auth and was planning on updating the Squid Wiki also
>>> sometime soon. You should be able to translate that to your RH.
>>>
>>> HTH.
>>>
>>> http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
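The root cause George reports above (the keytab at /etc/squid/HTTP.keytab owned by root:root while Squid runs as the squid user) is easy to catch before the negotiate helper fails. The following POSIX shell check is an added example, not code from the thread or from Squid or msktutil; the keytab path and the service user name are whatever you pass in, and it assumes a `ls -ld` output with the owner in the third field, which holds on Linux and the BSDs.

```shell
#!/bin/sh
# check_keytab <path> <expected-owner>
# Verifies that a Kerberos keytab used by a non-root daemon exists, is owned
# by the account the daemon runs as, and is not readable by group or other.
# Prints each problem found and returns 1; returns 0 when everything is fine.
check_keytab() {
    keytab=$1
    want_owner=$2
    rc=0

    if [ ! -f "$keytab" ]; then
        echo "MISSING: $keytab does not exist"
        return 1
    fi

    # ls -ld is used instead of stat(1) because its field layout is portable:
    # field 1 is the mode string, field 3 the owning user.
    set -- $(ls -ld "$keytab")
    perms=$1
    owner=$3

    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $keytab is owned by $owner, expected $want_owner (chown $want_owner $keytab)"
        rc=1
    fi

    # Characters 5-10 of the mode string are the group and other bits; a
    # keytab holds long-term keys, so nothing but the owner should read it.
    case "$(printf '%s' "$perms" | cut -c5-10)" in
        ------) ;;
        *) echo "MODE: $keytab is readable by group/other ($perms); use chmod 600"
           rc=1 ;;
    esac

    # Optional: list the principals when klist is installed, so a keytab that
    # exists but holds the wrong principal (the msktutil errors above) is visible.
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$keytab" 2>/dev/null || echo "WARN: klist could not parse $keytab"
    fi
    return $rc
}

# Example invocation for the thread's setup (hypothetical paths/user):
# check_keytab /etc/squid/HTTP.keytab squid
```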