Hi.

I'm trying to configure SSO (single sign-on) with Kerberos. I have this error:

[root@squid squid]# kinit administrator
Password for administrator@xxxxxxxxxxx:
Warning: Your password will expire in 28 days on mié 21 sep 2016 12:20:39 ART
[root@squid squid]# msktutil -c -b "CN=COMPUTERS" -s HTTP/squid.XXXXXXX.lan -h squid.XXXXXXX.lan -k /etc/PROXY.keytab --computer-name squid --upn HTTP/squid.XXXXXXX.lan --server ubuntu.XXXXXXX.lan --verbose
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 78
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-AkkOKq
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: squid$
-- try_machine_keytab_princ: Trying to authenticate for squid$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Looping detected inside krb5_get_in_tkt)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/squid.XXXXXXX.lan from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for squid$ with password.
-- create_default_machine_password: Default machine password for squid$ is squid
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Looping detected inside krb5_get_in_tkt)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: ubuntu.XXXXXXX.lan try_tls=YES
-- ldap_connect: Connecting to LDAP server: ubuntu.XXXXXXX.lan try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrator@xxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
-- ldap_get_base_dn: Determining default LDAP base: dc=XXXXXXX,dc=LAN
-- ldap_check_account: Checking that a computer account for squid$ exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x11000
-- ldap_check_account: Found default supportedEncryptionTypes = 7
-- ldap_check_account: Found dNSHostName = squid.XXXXXXX.lan
-- ldap_check_account: Found Principal: host/SQUID
-- ldap_check_account: Found Principal: host/squid.XXXXXXX.lan
-- ldap_check_account_strings: Inspecting (and updating) computer account attributes
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/squid.XXXXXXX.lan@xxxxxxxxxxx
-- ldap_set_supportedEncryptionTypes: DEE dn=CN=SQUID,CN=Computers,DC=XXXXXXX,DC=lan old=7 new=28
-- ldap_simple_set_attr: Calling ldap_modify_ext_s to set msDs-supportedEncryptionTypes to 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 131164420010000000
-- set_password: Successfully set password, waiting for it to be reflected in LDAP.
-- ldap_get_pwdLastSet: pwdLastSet is 131164503580000000
-- set_password: Successfully reset computer's password
-- ldap_add_principal: Checking that adding principal HTTP/squid.XXXXXXX.lan to squid$ won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/squid.XXXXXXX.lan to LDAP entry
-- execute: Updating all entries for squid.XXXXXXX.lan in the keytab WRFILE:/etc/PROXY.keytab
-- update_keytab: Updating all entires for squid$
-- ldap_get_kvno: KVNO is 3
-- add_principal_keytab: Adding principal to keytab: squid$
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: host/SQUID
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: host/squid.XXXXXXX.lan
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: HTTP/squid.XXXXXXX.lan
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x12
-- ~msktutil_exec: Destroying msktutil_exec
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
-- ~KRB5Context: Destroying Kerberos Context

What can I do??? Is there a simpler way with SAMBA??

I tried
-------------------------------------------------------
Join host to domain with net ads join
Create keytab for HTTP/fqdn with net ads keytab

kinit administrator@DOMAIN
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME
------------------------------------------------------------

And I get

[root@squid squid]# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
[root@squid squid]# net ads keytab CREATE
[root@squid squid]# net ads keytab ADD HTTP
Processing principals to add...
../source3/libads/kerberos_keytab.c:331: unable to determine machine account's dns name in AD!

Some help???

Thanks!
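
Added example, not part of the original post and not msktutil's own code: a small Python parser that summarizes msktutil --verbose output of the kind shown above, listing which authentication attempts logged an error, which try_* step preceded the "Authenticated using method" line, how the supportedEncryptionTypes masks decode, and which enctypes were written for each keytab principal. The sample lines are a constructed subset of the log in the post; the names summarize and decode_mask are hypothetical.

```python
import re
# msDS-SupportedEncryptionTypes bit flags (Active Directory attribute).
AD_ETYPE_BITS = {0x1: "des-cbc-crc", 0x2: "des-cbc-md5", 0x4: "rc4-hmac",
                 0x8: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}
# Kerberos enctype numbers as printed in "Adding entry of enctype 0x..".
KRB_ETYPES = {0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96",
              0x17: "rc4-hmac"}

# Constructed sample: a shortened subset of the verbose lines in the post.
SAMPLE = """\
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Looping detected inside krb5_get_in_tkt)
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Looping detected inside krb5_get_in_tkt)
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_set_supportedEncryptionTypes: DEE dn=CN=SQUID,CN=Computers,DC=XXXXXXX,DC=lan old=7 new=28
-- add_principal_keytab: Adding principal to keytab: HTTP/squid.XXXXXXX.lan
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Adding entry of enctype 0x12
"""

def decode_mask(mask):
    """Names of the enctypes enabled in an AD supportedEncryptionTypes mask."""
    return [name for bit, name in sorted(AD_ETYPE_BITS.items()) if mask & bit]

def summarize(log):
    out = {"failed": [], "auth_via": None, "etypes_old": [], "etypes_new": [], "keytab": {}}
    last_try = principal = None
    for line in log.splitlines():
        m = re.match(r"\s*-- (\w+): (.*)", line)
        if not m:
            continue  # SASL chatter, shell prompts, destructor lines
        func, msg = m.groups()
        if func.startswith("try_"):
            if msg.startswith("Error: "):
                out["failed"].append((func, msg[len("Error: "):]))
            last_try = func
        elif msg.startswith("Authenticated using method"):
            out["auth_via"] = last_try  # last try_* step logged before success
        elif (e := re.search(r"old=(\d+) new=(\d+)", msg)):
            out["etypes_old"] = decode_mask(int(e.group(1)))
            out["etypes_new"] = decode_mask(int(e.group(2)))
        elif msg.startswith("Adding principal to keytab: "):
            principal = msg.split(": ", 1)[1]
        elif (e := re.match(r"Adding entry of enctype (0x[0-9a-f]+)", msg)) and principal:
            out["keytab"].setdefault(principal, []).append(KRB_ETYPES.get(int(e.group(1), 16), e.group(1)))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, the two krb5_get_init_creds_keytab errors appear under "failed", while "auth_via" names the ticket-cache step that the log shows immediately before authentication succeeded, and the HTTP principal is listed with one RC4 and two AES keys.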