Search squid archive

Re: Kerberos nad keytab problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I also had problems with msktutil.. so i suggest you try this, see below..
Im using it for few years and it always works (for me offcourse)..
 
It should be pretty simple, but the site squid-cache (wiki) is in my opinion a bit outdated.
And its for Amos to adapt it on the site.
 
Amos or Alex, please review below, you might want to add it.
And add your parts to it, like running this without a correct spn.
 
Its tested in use and and working since squid 3.1 upto 4.8.
Tested on debian Wheezy (7) upto Buster (10)
 
Below assumes the server your setting up, does have an A and PTR record.
(note, which should be added at the domain join of winbind, as of samba4.x )
 
This is my howto.
A Debian based, with Kerberos Auth against an Samba Active Directory
Should be adaptable for any OS, should also work with MS Active Directory.
But since i dont have any, im not testing it.
 
 
# Install a minimal OS, at install only choose base + ssh server.
# Setup these variable for a copy/past, might be handy, and then "it just works" 
 
# Obligated to set.  # ADDOM;
# This should match the netbios (NT4) domain name in caps, per example from a login: NTDOM\username
ADDOM="NTDOM"
 
# These should be fine, but if you have multiple ipnumbers and hostnames, you might want to adjust these.
FQDN="$(hostname -f)"
HOSTN="$(hostname -s)"

# Requirements before you start installing the sofrware like: squid winbind krb5-user
 
# Login, sudo to root.
# /etc/resolv.conf, set as followed.
#search must.match.your.primarydnsdomain.tld
# nameserver ip_of_AD_DC
 
# Verify it:
grep search /etc/resolv.conf
grep nameserver /etc/resolv.conf
 
# If ok, then run :
apt update 
apt install squid winbind krb5-user -y
 
# Just hit enter on every question, the defaults are fine. (verified in Debian).
 
# And now verify /etc/krb5.conf
less /etc/krb5.conf
 
 
# It should look like this : 
#[libdefaults]
#        default_realm = YOUR.Detected_REALM.TLD
#
# The following krb5.conf variables are only for MIT Kerberos.
#       kdc_timesync = 1
#        ccache_type = 4
#        forwardable = true
#        proxiable = true
 
# ... and more..

#  >>  P.s.  i never touch krb5.conf, never needed, it "just works" <<
 
# Set REALM Variable now, default should be ok. dont touch it.
REALM="$(grep default_realm /etc/krb5.conf |awk {' print $NF '}) "
# It's used for smb.conf and the auth part of squid.
 
# then stop squid and samba and configure it.
systemctl stop squid winbind
 
# flush the log, so if you start it you start with a clean log.  
> /var/log/squid/cache.log
 
# Configure smb.conf and join the AD domain,  the minimal setting for smb.conf.
cp /etc/samba/smb.conf{,.original}
 
echo "# Auth-Only setup with winbind. ( no Shares )
 
    workgroup = ${ADDOM}
    security = ADS
    realm = ${REALM}
    netbios name = $(echo ${HOSTN^^})
 
    ## make sure the below number never overlap system ranges, see /etc/adduser.conf
    ## map id's outside to domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999
 
    ## map ids from the domain and (*) the range may not overlap !
    idmap config ${ADDOM} : backend = rid
    idmap config ${ADDOM} : range = 10000-3999999
 
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
 
    # renew the kerberos ticket
    winbind refresh tickets = yes
" > /etc/samba/smb.conf
 
# And verify it.
less /etc/samba/smb.conf
 
# Next step, join the AD domain.
# Login/auth with kerberos.
kinit Administrator
 
# and join the domain.
net ads join -k
 
# Creating the squid keytab file.
 
export KRB5_KTNAME=FILE:/etc/squid/squid-HTTP-${HOSTN}.keytab
net ads keytab ADD HTTP/${FQDN}

#Verify the keytab file :
klist -ke /etc/squid/squid-HTTP-${HOSTN}.keytab
 
# destroy you authentication ticket for Administrator.
kdestroy
 
# set correct rights.
chmod 640 /etc/squid/squid-HTTP-${HOSTN}.keytab
chown root:proxy /etc/squid/squid-HTTP-${HOSTN}.keytab
# Note, you might need to change the "proxy" group name here.
 
# and setup you squid auth.
echo "auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
    --kerberos /usr/lib/squid/negotiate_kerberos_auth \\
      -k etc/squid/squid-HTTP-${HOSTN}.keytab" \\
      -s HTTP/"${FQDN}"@"${REALM}"  \\
    --ntlm /usr/bin/ntlm_auth \\
      --helper-protocol=gss-spnego --domain="${ADDOM}"
 
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate children 10
auth_param negotiate keep_alive on" > /etc/squid/conf.d/auth.conf
 
systemctl start winbind squid
 
# Done
# And check squid log how it started.
cat /var/log/squid/cache.log
Now go configure the other parts you need of squid.
And enjoy..  :-)
 
 
Greetz,
 
Louis
 
 
 


Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens Tevfik Ceydeliler
Verzonden: woensdag 25 september 2019 13:59
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: Kerberos nad keytab problem

Hi, I try to use kerberos in my squid. Nut I get an error message :

############################33
msktutil --auto-update --verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab  
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 95
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QCbGC5
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: suqidpnb1$
 -- try_machine_keytab_princ: Trying to authenticate for suqidpnb1$ from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for SUQIDPNB1$ from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/localhost from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for suqidpnb1$ with password
 -- create_default_machine_password: Default machine password for suqidpnb1$ is suqidpnb1
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid
Error: could not find any credentials to authenticate with. Neither keytab,
default machine password, nor calling user's tickets worked. Try
"kinit"ing yourself some tickets with permission to create computer
objects, or pre-creating the computer object in AD and selecting
'reset account'.

#############################33
Can't find why this happen:


My AD is 2012R2 function level
I create keytab with this:
msktutil -c -b "OU=Servers,DC=toyo,DC=grp" -s HTTP/squidtoyopnb1.toyo.grp -k /etc/squid/PROXY.keytab --computer-name SQUIDPNB1 --upn HTTP/squidtoyopnb1.toyo.grp --server dctoyo1.toyo.grp --verbose --enctypes 28

Keytab file permission is:
-rw-r----- 1 root squid 933 Sep 25 13:37 PROXY.keytab

and keytab file (klist -k output):

   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
   3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
   3 HTTP/squidtoyopnb1.toyo.grp@xxxxxxxx
   3 host/squidtoyopnb1@xxxxxxxx
   3 host/squidtoyopnb1@xxxxxxxx
   3 host/squidtoyopnb1@xxxxxxxx
   3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
   3 host/squidtoyopnb1.toyo.grp@xxxxxxxx
   3 host/squidtoyopnb1.toyo.grp@xxxxxxxx

krb5.conf:
[libdefaults]
default_realm = TOYO.GRP
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid/PROXY.keytab

    ; for Windows 2008 with AES
          default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
          default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
          permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

    [realms]
TOYO.GRP = {
                kdc = dctoyo1.toyo.grp
                kdc = DCTOYO2.toyo.grp
                admin_server = 10.65.12.254
                default_domain = toyo.grp
     }

    [domain_realm]
     toyo.grp = TOYO.GRP
     .toyo.grp = TOYO.GRP

    [logging]
      kdc = FILE:/var/log/kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log




--
Tevfik Ceydeliler
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux