Hi friends,

I have a problem implementing Kerberos authentication on my squid server. I'm using this article from the squid wiki:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

My server is Red Hat Enterprise Linux (minimal) 6.2 (all packages updated), with the official RH squid package (3.1.10).

I launch kinit without problems:

----------------------------------------------------------------------------------------------------
[root@proxy01 ~]# kinit administrator@MYDOMAIN
Password for administrator@MYDOMAIN:
[root@proxy01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN

Valid starting     Expires            Service principal
02/24/12 08:46:05  02/24/12 18:46:09  krbtgt/MYDOMAIN@MYDOMAIN
        renew until 02/25/12 08:46:05
----------------------------------------------------------------------------------------------------

The problem appears when I launch msktutil to build the keytab file:

----------------------------------------------------------------------------------------------------
[root@hostname ~]# msktutil -c -b "CN=COMPUTERS" -s HTTP/hostname.mydomain -k /etc/squid/PROXY.keytab \
--computer-name PROXY01KRB --upn HTTP/hostname.mydomain --server dc1.mydomain --verbose
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-XbERrw
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXY01KRB$
 -- try_machine_keytab_princ: Trying to authenticate for PROXY01KRB$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unsupported key table format version number)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy01 from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for PROXY01KRB$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_connect: Connecting to LDAP server: dc1.mydomain try_tls=YES
 -- ldap_connect: Connecting to LDAP server: dc1.mydomain try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrator@MYDOMAIN
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56
 -- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password: Characters read from /dev/udandom = 82
 -- ldap_check_account: Checking that a computer account for PROXY01KRB$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x1000
 -- ldap_check_account: Found default supportedEncryptionTypes = 7
 -- ldap_check_account: Found dNSHostName = proxy01
 -- ldap_check_account: Found User Principal: HTTP/proxy01.mydomain
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/proxy01.mydomain@MYDOMAIN
 -- ldap_set_supportedEncryptionTypes: DEE dn=CN=PROXY01KRB,CN=Computers,DC=mydomain old=7 new=28
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set msDs-supportedEncryptionTypes to 28
 -- ldap_simple_set_attr: ldap_modify_ext_s failed (No such attribute)
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache
 -- ldap_get_pwdLastSet: pwdLastSet is 0
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for requested realm)
Error: set_password failed
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context
----------------------------------------------------------------------------------------------------

My /etc/krb5.conf

----------------------------------------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 #renew_lifetime = 7d
 #forwardable = true
 default_keytab_name = /etc/squid/PROXY.keytab

; for Windows 2003
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md

[realms]
 MYDOMAIN = {
  kdc = dc1.mydomain
  kdc = dc2.mydomain
  admin_server = dc1.mydomain
  default_domain = MYDOMAIN
 }

[domain_realm]
 .MYDOMAIN = MYDOMAIN
 MYDOMAIN = MYDOMAIN
----------------------------------------------------------------------------------------------------

All DNS stuff is correctly configured and resolves without problems, also the reverse pointers. NTP sync is enabled and I forced an ntpdate before starting the process to get the time synced with the domain controller.

The really weird thing is that yesterday, after many tests changing the hostname and the --computer-name parameter of msktutil, everything worked fine and the keytab file was generated. Today I wanted to create a new keytab file with definitive names (yesterday I had been doing some tests), and the problem appeared again. I don't know the cause.

Yesterday I also tried to generate the keytab using these articles, without success:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

so I don't know if some of those steps were the cause of the keytab being generated correctly later.

I hope you can help me. Thank you very much in advance,

Regards
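The failing step in the log above is msktutil's password reset, which MIT Kerberos sends to the kpasswd service (port 464 on `kpasswd_server`, or on the `admin_server` host when no `kpasswd_server` is given), not to the KDC on port 88 that kinit already reached. The following is an added example, not code from the original post, from msktutil or from squid: a small Python lint that parses a krb5.conf like the one posted, lists every host and port that must be reachable for kinit and for the password change, and flags the DES and RC4 enctypes in `[libdefaults]` (DES is disabled by default since MIT krb5 1.8; RC4 and 3DES are deprecated by RFC 8429). The `SAMPLE_KRB5_CONF` string is constructed from the poster's configuration; `HARDENED_KRB5_CONF` is a constructed AES-only variant of the kind the poster's own "for Windows 2008 with AES" comment refers to, and needs a 2008 or newer domain controller.

```python
"""Lint a krb5.conf for the settings that decide where kinit and kpasswd go.

Added example, not part of the original mailing-list post, msktutil or squid.
The two configurations below are constructed for the example.
"""
import re

KDC_PORT = 88        # IANA: kerberos
KPASSWD_PORT = 464   # IANA: kpasswd (used for admin_server when kpasswd_server is absent)
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}      # off by default since MIT krb5 1.8
LEGACY_ENCTYPES = {"rc4-hmac", "des3-cbc-sha1"}                     # deprecated by RFC 8429

# Constructed from the poster's /etc/krb5.conf (comment lines kept to exercise the parser).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 #renew_lifetime = 7d
 default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2003
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 MYDOMAIN = {
  kdc = dc1.mydomain
  kdc = dc2.mydomain
  admin_server = dc1.mydomain
  default_domain = MYDOMAIN
 }
[domain_realm]
 .MYDOMAIN = MYDOMAIN
 MYDOMAIN = MYDOMAIN
"""

# Constructed AES-only variant with an explicit kpasswd_server (assumes a 2008+ DC).
HARDENED_KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOMAIN
 dns_lookup_kdc = false
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 MYDOMAIN = {
  kdc = dc1.mydomain
  kdc = dc2.mydomain
  kpasswd_server = dc1.mydomain:464
  admin_server = dc1.mydomain
 }
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [sections], key = value lines,
    '#'/';' comments and one level of NAME = { ... } blocks (as in [realms]).
    Repeated keys (several kdc = lines) accumulate into a list."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}":
            sub = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m or section is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            sub = section.setdefault(key, {})
            continue
        (sub if sub is not None else section).setdefault(key, []).append(value)
    return conf


def _split_host_port(entry, default_port):
    host, sep, port = entry.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (entry, default_port)


def required_endpoints(conf):
    """(host, port, purpose) tuples that must be reachable for the default realm:
    the KDCs for kinit and the kpasswd service for the password change."""
    realm = conf["libdefaults"]["default_realm"][0]
    rconf = conf.get("realms", {}).get(realm, {})
    endpoints = [_split_host_port(k, KDC_PORT) + ("kdc",) for k in rconf.get("kdc", [])]
    if rconf.get("kpasswd_server"):
        endpoints += [_split_host_port(s, KPASSWD_PORT) + ("kpasswd",) for s in rconf["kpasswd_server"]]
    else:  # MIT falls back to port 464 on the admin_server host, whatever port it lists
        endpoints += [(_split_host_port(s, KPASSWD_PORT)[0], KPASSWD_PORT, "kpasswd")
                      for s in rconf.get("admin_server", [])]
    return endpoints


def lint(conf):
    """Human-readable findings for the default realm; empty list means nothing flagged."""
    findings, ld = [], conf.get("libdefaults", {})
    realm = ld.get("default_realm", [None])[0]
    if realm is None:
        return ["libdefaults: default_realm is not set"]
    dns_kdc = ld.get("dns_lookup_kdc", ["true"])[0].lower() == "true"
    rconf = conf.get("realms", {}).get(realm, {})
    if not rconf.get("kdc") and not dns_kdc:
        findings.append(f"realms/{realm}: no kdc entries and dns_lookup_kdc = false; no KDC can be located")
    if not (rconf.get("kpasswd_server") or rconf.get("admin_server")) and not dns_kdc:
        findings.append(f"realms/{realm}: no kpasswd_server or admin_server; password changes have no target")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        for value in ld.get(key, []):
            types = set(value.split())
            if types & WEAK_ENCTYPES:
                findings.append(f"libdefaults/{key}: weak enctypes {sorted(types & WEAK_ENCTYPES)}")
            if types & LEGACY_ENCTYPES:
                findings.append(f"libdefaults/{key}: legacy enctypes {sorted(types & LEGACY_ENCTYPES)}")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        conf = parse_krb5_conf(text)
        print(f"== {name} ==")
        for host, port, purpose in required_endpoints(conf):
            print(f"  must reach {host}:{port} ({purpose})")
        for finding in lint(conf) or ["  no findings"]:
            print(" ", finding)
```

On the posted configuration the endpoint list ends with `dc1.mydomain:464 (kpasswd)`, which is the connection the `krb5_set_password_using_ccache` error says could not be made; checking that port from the proxy (firewall, DNS answer for dc1.mydomain) is the first thing to verify, and the lint separately reports the DES and RC4 enctypes on all three `[libdefaults]` keys.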