I've just noticed that there is also an LDAP modify request in the captured traffic that is trying to set the servicePrincipalName attribute and ends up with an insufficientAccessRights result! I will ask for additional privileges from our domain admin and see if it solves the issue.

On Sun, Nov 3, 2013 at 9:36 AM, Mihail Lukin <mihail.lukin@xxxxxxxxx> wrote:
> I wonder why `net ads keytab add HTTP` doesn't change the keytab. The
> output of this command is:
>
>     Warning: "kerberos method" must be set to a keytab method to use
>     keytab functions.
>     Processing principals to add...
>
> and the exit code is 0, so there is no sign of an error.
> I sniffed network traffic while running this command and found that
> there was an LDAP search query and the result contained this
> computer's entry, which has servicePrincipalName with 4 values, and
> HTTP/squidsrv.my.doma.in is there.
>
> Unfortunately, this service principal didn't appear in the keytab.
>
> On Sun, Nov 3, 2013 at 4:20 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>> Exactly, you need the HTTP service principal in the keytab.
>>
>> Regards
>> Markus
>>
>> "Mihail Lukin" wrote in message
>> news:CAAmm_rYG0GiLjvaT50eeFL4JTzU9Ux0k01CvDCXH7D5H2C=0uQ@xxxxxxxxxxxxxx...
>>
>> Thanks for the tip!
>>
>> Here is what it shows:
>> Server Name (Service and Instance): HTTP/squidsrv.my.doma.in
>>
>> So, it is the right protocol and host name. But I do not see an exact
>> match in the keytab. I'm not sure if it is the issue. I created the keytab
>> exactly as was shown here:
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab
>> (samba version, not msktutil).
>>
>> On Sun, Nov 3, 2013 at 1:29 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>> Hi Mihail,
>>>
>>> If you use wireshark you can expand the details of:
>>>
>>> Proxy-Authorization: Negotiate YIIHoAYGKwYBB...
>>>
>>> It will tell you which service principal the client is sending to the
>>> server. I wonder if the name matches the names in your keytab.
>>>
>>> Markus
>>>
>>> -----Original Message-----
>>> From: Mihail Lukin
>>> Sent: Saturday, November 02, 2013 9:15 PM
>>> To: Markus Moeller
>>> Cc: squid-users
>>> Subject: Re: Re: squid_kerb_auth: Unspecified GSS failure (W2K8)
>>>
>>> Hi, Markus!
>>>
>>> 1) Here is the output:
>>>
>>>     Keytab name: FILE:/etc/squid/HTTP.keytab
>>>     KVNO Timestamp         Principal
>>>     ---- ----------------- --------------------------------------------------------
>>>        2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (des-cbc-crc)
>>>        2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (des-cbc-md5)
>>>        2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (arcfour-hmac)
>>>        2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (aes128-cts-hmac-sha1-96)
>>>        2 10/30/13 14:14:09 host/squidsrv.my.doma.in@xxxxxxxxxx (aes256-cts-hmac-sha1-96)
>>>        2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (des-cbc-crc)
>>>        2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (des-cbc-md5)
>>>        2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (arcfour-hmac)
>>>        2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (aes128-cts-hmac-sha1-96)
>>>        2 10/30/13 14:14:09 host/squidsrv@xxxxxxxxxx (aes256-cts-hmac-sha1-96)
>>>        2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (des-cbc-crc)
>>>        2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (des-cbc-md5)
>>>        2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (arcfour-hmac)
>>>        2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes128-cts-hmac-sha1-96)
>>>        2 10/30/13 14:14:10 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
>>>
>>> 2) I see the request header "Proxy-Authorization: Negotiate YIIHoAYGKwYBB..."
>>> 3) It is worth mentioning that using ntlm_auth instead of squid_kerb_auth
>>> works fine on this server.
>>>
>>> On Fri, Nov 1, 2013 at 1:45 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>> Hi Mihail,
>>>>
>>>> What does a klist -ekt <keytab> show? (I assume you use MIT Kerberos on
>>>> the squid server)
>>>>
>>>> What do you see with wireshark in the authentication header sent to
>>>> squid?
>>>>
>>>> Markus
>>>>
>>>> "Mihail Lukin" wrote in message
>>>> news:CAAmm_rZHZ8m1VbYF5mVW-ZbQYvOQhW0Nmf4saOp8GsY5x9KVJQ@xxxxxxxxxxxxxx...
>>>>
>>>> I don't know why the access time is not being updated, but strace has
>>>> shown that the keytab is being read successfully by the squid_kerb_auth
>>>> process.
>>>>
>>>> On Thu, Oct 31, 2013 at 8:15 AM, Mihail Lukin <mihail.lukin@xxxxxxxxx> wrote:
>>>>> Hello, Markus!
>>>>>
>>>>> Sorry for not mentioning it at once, KRB5_KTNAME is being exported in
>>>>> /etc/sysconfig/squid and is readable by the squid group. But there is
>>>>> still something wrong with it: the keytab's access time is not changed,
>>>>> neither when I restart squid nor when I request a URL through the
>>>>> proxy.
>>>>>
>>>>> I think I should strace squid_kerb_auth to see what happens. Thanks
>>>>> for the hint!
>>>>>
>>>>> On Thu, Oct 31, 2013 at 12:53 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>>>> Hi Mihail,
>>>>>>
>>>>>> Did you use export KRB5_KTNAME to point to the right keytab? Is the
>>>>>> keytab readable by the user under which squid runs?
>>>>>>
>>>>>> Markus
>>>>>>
>>>>>> "Mihail Lukin" wrote in message
>>>>>> news:CAAmm_rZ8jNoeFMRGthiYeHQ+GgSfmySFnw8708dwdDVUW3=R_g@xxxxxxxxxxxxxx...
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I'm trying to configure Squid 3.1 to authenticate through AD with a W2K8
>>>>>> DC with Kerberos. I used this how-to:
>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos on a
>>>>>> CentOS 6 box that I've joined to the domain with `net ads join`.
>>>>>>
>>>>>> Now I'm getting this error in cache.log when I'm trying to visit any
>>>>>> URL through this proxy:
>>>>>>
>>>>>>     2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Got 'YR base64 encoded data' from squid (length: 2295).
>>>>>>     2013/10/30 17:07:41| squid_kerb_auth: DEBUG: Decode 'base64 encoded data' (decoded length: 1717).
>>>>>>     2013/10/30 17:07:41| squid_kerb_auth: ERROR: gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information.
>>>>>>     2013/10/30 17:07:41| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. '
>>>>>>
>>>>>> I could not figure out what the "minor code" is... I googled a lot with
>>>>>> no luck.
>>>>>> Any help is very appreciated. Thanks in advance!
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Mihail Lukin
>>>>
>>>> --
>>>> Best regards,
>>>> Mihail Lukin
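The check Markus is walking Mihail through, written out as a script: parse `klist -ekt` output and confirm that the HTTP/<proxy fqdn> acceptor principal the browser's ticket names is actually in the keytab, flagging single-DES keys while at it. This is an added example, not code from the thread or from Squid/Samba; the sample listing is constructed after the one quoted above, with the redacted realm assumed to be MY.DOMA.IN.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `klist -ekt` listing in the thread; the
# redacted realm is filled in as MY.DOMA.IN (assumed, not the poster's real output).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@MY.DOMA.IN (des-cbc-crc)
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@MY.DOMA.IN (arcfour-hmac)
   2 10/30/13 14:14:09 host/squidsrv.my.doma.in@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 host/squidsrv@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
   2 10/30/13 14:14:09 SQUIDSRV$@MY.DOMA.IN (aes256-cts-hmac-sha1-96)
"""

# One keytab entry per line: KVNO, date, time, principal, (enctype).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((\S+)\)\s*$")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}  # single DES; modern KDCs refuse it

def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ekt` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(4), m.group(5)))
    return entries

def check_service_principal(entries, service, fqdn, realm):
    """Report whether service/fqdn@REALM is in the keytab and with which enctypes.
    gss_acquire_cred() needs the exact principal the client got a ticket for
    (HTTP/<proxy fqdn> here); host/ and machine-account keys do not stand in for it."""
    wanted = f"{service}/{fqdn}@{realm}"
    by_principal = defaultdict(set)
    for _kvno, principal, enctype in entries:
        by_principal[principal].add(enctype)
    enctypes = by_principal.get(wanted, set())
    return {
        "principal": wanted,
        "present": bool(enctypes),
        "enctypes": sorted(enctypes),
        "weak_enctypes": sorted(enctypes & WEAK_ENCTYPES),
        "other_principals": sorted(p for p in by_principal if p != wanted),
    }

if __name__ == "__main__":
    entries = parse_klist(SAMPLE_KLIST)
    print(check_service_principal(entries, "HTTP", "squidsrv.my.doma.in", "MY.DOMA.IN"))
```

The "kerberos method" warning quoted in the thread is Samba's way of saying `net ads keytab add` will not write anything unless smb.conf's `kerberos method` is set to a keytab-backed value such as `dedicated keytab` (with `dedicated keytab file` pointing at the file Squid reads via KRB5_KTNAME).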