Hi, I am trying to use Kerberos in my Squid, but I get an error message:
#############################
msktutil --auto-update --verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/urandom = 95
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QCbGC5
-- destroy_g_context: Destroying Kerberos Context
-- initialize_g_context: Creating Kerberos Context
-- finalize_exec: SAM Account Name is: suqidpnb1$
-- try_machine_keytab_princ: Trying to authenticate for suqidpnb1$ from local keytab
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for SUQIDPNB1$ from local keytab
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/localhost from local keytab
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for suqidpnb1$ with password
-- create_default_machine_password: Default machine password for suqidpnb1$ is suqidpnb1
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets
-- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
-- try_user_creds: User ticket cache was not valid
Error: could not find any credentials to authenticate with. Neither keytab,
default machine password, nor calling user's tickets worked. Try
"kinit"ing yourself some tickets with permission to create computer
objects, or pre-creating the computer object in AD and selecting
'reset account'.
#############################
I can't find why this happens.
My AD is at 2012R2 functional level.
I created the keytab with this:
msktutil -c -b "OU=Servers,DC=toyo,DC=grp" -s HTTP/squidtoyopnb1.toyo.grp -k /etc/squid/PROXY.keytab --computer-name SQUIDPNB1 --upn HTTP/squidtoyopnb1.toyo.grp --server dctoyo1.toyo.grp --verbose --enctypes 28
The keytab file permissions are:
-rw-r----- 1 root squid 933 Sep 25 13:37 PROXY.keytab
and the keytab contents (klist -k output):
3 SQUIDPNB1$@TOYO.GRP
3 SQUIDPNB1$@TOYO.GRP
3 SQUIDPNB1$@TOYO.GRP
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
3 SQUIDPNB1$@TOYO.GRP
3 SQUIDPNB1$@TOYO.GRP
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
krb5.conf:
[libdefaults]
default_realm = TOYO.GRP
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
default_keytab_name = /etc/squid/PROXY.keytab
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
TOYO.GRP = {
kdc = dctoyo1.toyo.grp
kdc = DCTOYO2.toyo.grp
admin_server = 10.65.12.254
default_domain = toyo.grp
}
[domain_realm]
toyo.grp = TOYO.GRP
.toyo.grp = TOYO.GRP
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Tevfik Ceydeliler
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
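The computer name passed to --auto-update in the post above (suqidpnb1) and the account in the klist -k listing (SQUIDPNB1$) are spelled differently, and "Key table entry not found" is what libkrb5 reports when the keytab holds no key for the principal being tried. The following added example (not part of the post or of msktutil) parses klist -k output and checks whether the keytab actually contains keys for the machine account msktutil will authenticate as, so the mismatch can be verified against the file rather than by eye. It assumes the realm is TOYO.GRP (the archive masked it as @xxxxxxxx) and uses a constructed listing modelled on the one in the post.

```python
import re

# Constructed sample listing, modelled on the klist -k output in the post.
# Realm assumed to be TOYO.GRP; the archive masked it as @xxxxxxxx.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP
   3 host/squidtoyopnb1@TOYO.GRP
   3 host/squidtoyopnb1.toyo.grp@TOYO.GRP
"""

# One keytab entry per line: a numeric KVNO followed by the principal name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist(text):
    """Return (kvno, principal) pairs from `klist -k` output, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def check_computer_account(klist_text, computer_name, realm):
    """Report whether the keytab holds keys for the machine account msktutil
    authenticates as: the sAMAccountName is the computer name plus '$'.
    The comparison is case-insensitive, mirroring msktutil's own retry with
    the upper-cased name seen in the verbose output above."""
    entries = parse_klist(klist_text)
    wanted = f"{computer_name}$@{realm}".upper()
    matches = {p for _, p in entries if p.upper() == wanted}
    return {
        "wanted": f"{computer_name}$@{realm}",
        "found": bool(matches),
        "kvno": sorted({k for k, p in entries if p in matches}),
        # Every machine-account principal the keytab does contain, for comparison.
        "keytab_accounts": sorted({p for _, p in entries if p.split("@")[0].endswith("$")}),
    }


if __name__ == "__main__":
    # Name given to --auto-update in the post versus the name used at keytab creation.
    for name in ("suqidpnb1", "SQUIDPNB1"):
        print(name, check_computer_account(SAMPLE_KLIST, name, "TOYO.GRP"))
```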