Search squid archive

Re: Squid and Kerberos problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



So this worked ?
 
Markus
 
"Olivier CALVANO" <o.calvano@xxxxxxxxx> wrote in message news:CAJajPeddju9t4QAiPSmT-5JUsn4Gf6Nj0Pff3JBJ+BzXzTXOUQ@xxxxxxxxxxxxxx...
hoo i have deleted "--enctypes 28"

and now:

[root@gw msktutil-1.0rc1]# ./msktutil -c -b "CN=COMPUTERS" -s HTTP/ophtcysrv1v4.myaddomain.fr -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/ophtcysrv1v4.myaddomain.fr --server myad.myaddomain.fr --verbose
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password:  Characters read from /dev/urandom = 94
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-RyUQcT
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
-- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/mydnshostname.fr from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.
-- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 5
-- LDAPConnection: Connecting to LDAP server: myad.myaddomain.fr
SASL/GSSAPI authentication started
SASL username: Myusername@xxxxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
-- ldap_get_base_dn: Determining default LDAP base: dc=SODIAAL,dc=FR
-- ldap_check_account: Checking that a computer account for OPHTCYSRV1V4-K$ exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x1000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found dNSHostName = mydnshostname.fr
-- ldap_check_account: userPrincipal specified on command line
-- ldap_check_account_strings: Inspecting (and updating) computer account attributes
-- ldap_check_account_strings: Found userPrincipalName = HTTP/ophtcysrv1v4.myaddomain.fr@xxxxxxxxxxxxx
-- ldap_check_account_strings: userPrincipalName should be HTTP/ophtcysrv1v4.myaddomain.fr@xxxxxxxxxxxxx
-- ldap_check_account_strings: Nothing to do
-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
-- ldap_get_kvno: KVNO is 1
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776
-- set_password: Successfully set password.
-- ldap_add_principal: Checking that adding principal HTTP/ophtcysrv1v4.myaddomain.fr to OPHTCYSRV1V4-K$ won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/ophtcysrv1v4.myaddomain.fr to LDAP entry
-- ldap_add_principal: Checking that adding principal host/mydnshostname.fr to OPHTCYSRV1V4-K$ won't cause a conflict
-- ldap_add_principal: Adding principal host/mydnshostname.fr to LDAP entry
-- execute: Updating all entries for mydnshostname.fr in the keytab WRFILE:/etc/squid/PROXY.keytab
-- update_keytab: Updating all entries for OPHTCYSRV1V4-K$
-- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, enctype=23
-- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, enctype=17
-- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, enctype=18
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/ophtcysrv1v4.myaddomain.fr
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: host/OPHTCYSRV1V4-K
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- update_keytab: Entries for SPN HTTP/ophtcysrv1v4.myaddomain.fr have already been added. Skipping ...
-- add_principal_keytab: Adding principal to keytab: host/mydnshostname.fr
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- wait_for_new_kvno: Checking new kvno via ldap
-- ldap_get_kvno: KVNO is 1
Waiting for account replication (0 seconds past)
-- ldap_get_kvno: KVNO is 2
-- ~KRB5Context: Destroying Kerberos Context



it's good for you ?

regards
olivier

 
2015-05-03 13:25 GMT+02:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Did you compile msktutil or is it a package in centos ?
 
Markus
 
"Olivier CALVANO" <o.calvano@xxxxxxxxx> wrote in message news:CAJajPecQD+_1KRUfwa9eAC4iYAKapZBLyg-9vuueKLGWUecopQ@xxxxxxxxxxxxxx...
Hi


Thanks for your answer

CentOS Linux release 7.1.1503 (Core)

krb5-workstation-1.12.2-14.el7.x86_64
krb5-libs-1.12.2-14.el7.x86_64

regards
olivier

 
2015-05-03 0:25 GMT+02:00 Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>:
Which OS and Kerberos version do you have ?  There might be some issue with the cache used KEYRING:persistent:0:0
Markus
 
"Olivier CALVANO" <o.calvano@xxxxxxxxx> wrote in message news:CAJajPefo3t8b1=_v5PFj3H0gq4Jk3OosuTW8gNHY7Z-Gs21qLg@xxxxxxxxxxxxxx...
Hi

I request your help because i want use NTLM/Kerberos for authenticate my user.

For NTLM, i use Winbind, no problems,

[root@gw]# wbinfo -t
checking the trust secret for domain MYADDOMAIN via RPC calls succeeded

but for Kerberos, i can't create the .keytab


[root@gw]# kinit MYUSERNAME
Password for MYUSERNAME@xxxxxxxxxxxxx:

[root@gw]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: MYUSERNAME@xxxxxxxxxxxxx

Valid starting       Expires              Service principal
02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/MYADDOMAIN.FR@xxxxxxxxxxxxx
        renew until 09/05/2015 04:51:07

MYUSERNAME is the same account that i join the domain (net join) with winbind


after, i put:

msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
 
and i have a error:

[root@gw etc]# msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password:  Characters read from /dev/udandom = 84
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-jnxTuG
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
-- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.
-- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
-- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab,
     default machine password, nor calling user's tickets worked. Try
     "kinit"ing yourself some tickets with permission to create computer
     objects, or pre-creating the computer object in AD and selecting
     'reset account'.
-- ~KRB5Context: Destroying Kerberos Context



 
 
anyone know the origin of this error ?

thanks
Olivier

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

 


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux