Re: Squid and Kerberos problems

Olivier CALVANO <o.calvano@xxxxxxxxx> · Sun, 3 May 2015 19:34:37 +0200

hum a new problems ??

[root@gw]# msktutil --auto-update --verbose --computer-name ophtcysrv1v4-k -k /etc/squid/PROXY.keytab
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 84
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain MYDOMAIN.FR for procotol tcp
 -- get_dc_host: Found DC: dc122001.mydomain.fr
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
Error: gethostbyaddr failed
 -- get_dc_host: Found Domain Controller:
Error: get_dc_host failed
 -- ~KRB5Context: Destroying Kerberos Context

2015-05-03 13:25 GMT+02:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

Did you compile msktutil or is it a package in centos ? 

Markus

"Olivier CALVANO" <o.calvano@xxxxxxxxx> wrote in message 
news:CAJajPecQD+_1KRUfwa9eAC4iYAKapZBLyg-9vuueKLGWUecopQ@xxxxxxxxxxxxxx...

Hi

Thanks for your answer

CentOS Linux release 
7.1.1503 
(Core)

krb5-workstation-1.12.2-14.el7.x86_64
krb5-libs-1.12.2-14.el7.x86_64

regards
olivier

2015-05-03 0:25 GMT+02:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:

  Which OS and Kerberos version do you have ?  There might be some 
  issue with the cache used KEYRING:persistent:0:0

  Markus

  "Olivier CALVANO" <o.calvano@xxxxxxxxx> wrote in message 
  news:CAJajPefo3t8b1=_v5PFj3H0gq4Jk3OosuTW8gNHY7Z-Gs21qLg@xxxxxxxxxxxxxx...

  Hi

I request your help because i want use NTLM/Kerberos for 
  authenticate my user.

For NTLM, i use Winbind, no problems, 

[root@gw]# wbinfo -t
checking the trust secret for domain 
  MYADDOMAIN via RPC calls succeeded

but for Kerberos, i can't 
  create the .keytab

[root@gw]# kinit MYUSERNAME
Password for MYUSERNAME@xxxxxxxxxxxxx:

[root@gw]# klist
Ticket 
  cache: KEYRING:persistent:0:0
Default principal: MYUSERNAME@xxxxxxxxxxxxx

Valid 
  starting       
  Expires              
  Service principal
02/05/2015 04:51:25  02/05/2015 14:51:25  
  krbtgt/MYADDOMAIN.FR@xxxxxxxxxxxxx

  renew until 09/05/2015 04:51:07

MYUSERNAME is the same account 
  that i join the domain (net join) with winbind

after, i 
  put:

msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k 
  /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 
  --verbose

  and i have a error:

[root@gw etc]# msktutil -c -b "CN=COMPUTERS" 
  -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k 
  /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 
  --verbose
-- init_password: Wiping the computer password structure
-- 
  generate_new_password: Generating a new, random password for the computer 
  account
-- generate_new_password:  Characters read from /dev/udandom = 
  84
-- create_fake_krb5_conf: Created a fake krb5.conf file: 
  /tmp/.msktkrb5.conf-jnxTuG
-- reload: Reloading Kerberos Context
-- 
  finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
-- 
  try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from 
  local keytab...
-- try_machine_keytab_princ: Error: 
  krb5_get_init_creds_keytab failed (Client not found in Kerberos 
  database)
-- try_machine_keytab_princ: Authentication with keytab 
  failed
-- try_machine_keytab_princ: Trying to authenticate for host/gw.srv1-v4.tcy.myinternetdomain.org from local 
  keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab 
  failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: 
  Authentication with keytab failed
-- try_machine_password: Trying to 
  authenticate for OPHTCYSRV1V4-K$ with password.
-- 
  create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ 
  is ophtcysrv1v4-k
-- try_machine_password: Error: 
  krb5_get_init_creds_keytab failed (Client not found in Kerberos 
  database)
-- try_machine_password: Authentication with password 
  failed
-- try_user_creds: Checking if default ticket cache has 
  tickets...
-- try_user_creds: Error: krb5_cc_get_principal failed (No 
  credentials cache found)
-- try_user_creds: User ticket cache was not 
  valid.
Error: could not find any credentials to authenticate with. Neither 
  keytab,
     default machine password, nor calling 
  user's tickets worked. Try
     "kinit"ing yourself 
  some tickets with permission to create computer

  objects, or pre-creating the computer object in AD and 
  selecting
     'reset account'.
-- ~KRB5Context: 
  Destroying Kerberos Context

  same error if i change gw.srv1-v4.tcy.myinternetdomain.org to ophtcysrv1v4.myaddomain.fr

  anyone know the origin of this error ?

  thanks

  Olivier

  _______________________________________________
squid-users mailing 
  list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users 
  mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing 
list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________

squid-users mailing list

squid-users@xxxxxxxxxxxxxxxxxxxxx

http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users