[squid-users] Squid and Kerberos problems

Markus Moeller huaraz at moeller.plus.com
Sun May 3 11:25:46 UTC 2015


Did you compile msktutil, or is it a package in CentOS?

Markus

"Olivier CALVANO" <o.calvano at gmail.com> wrote in message news:CAJajPecQD+_1KRUfwa9eAC4iYAKapZBLyg-9vuueKLGWUecopQ at mail.gmail.com...
Hi



Thanks for your answer

CentOS Linux release 7.1.1503 (Core)

krb5-workstation-1.12.2-14.el7.x86_64
krb5-libs-1.12.2-14.el7.x86_64


regards

olivier



2015-05-03 0:25 GMT+02:00 Markus Moeller <huaraz at moeller.plus.com>:

  Which OS and Kerberos version do you have? There might be some issue with the cache used, KEYRING:persistent:0:0

  Markus

  "Olivier CALVANO" <o.calvano at gmail.com> wrote in message news:CAJajPefo3t8b1=_v5PFj3H0gq4Jk3OosuTW8gNHY7Z-Gs21qLg at mail.gmail.com...
  Hi


  I request your help because I want to use NTLM/Kerberos to authenticate my user.


  For NTLM, I use Winbind, no problems,

  [root at gw]# wbinfo -t
  checking the trust secret for domain MYADDOMAIN via RPC calls succeeded


  but for Kerberos, I can't create the .keytab


  [root at gw]# kinit MYUSERNAME
  Password for MYUSERNAME at MYADDOMAIN.FR:

  [root at gw]# klist
  Ticket cache: KEYRING:persistent:0:0
  Default principal: MYUSERNAME at MYADDOMAIN.FR

  Valid starting       Expires              Service principal
  02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/MYADDOMAIN.FR at MYADDOMAIN.FR
          renew until 09/05/2015 04:51:07


  MYUSERNAME is the same account that I used to join the domain (net join) with winbind



  Afterwards, I entered:

  msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose


  and I get an error:

  [root at gw etc]# msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
  -- init_password: Wiping the computer password structure
  -- generate_new_password: Generating a new, random password for the computer account
  -- generate_new_password:  Characters read from /dev/udandom = 84
  -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-jnxTuG
  -- reload: Reloading Kerberos Context
  -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
  -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
  -- try_machine_keytab_princ: Authentication with keytab failed
  -- try_machine_keytab_princ: Trying to authenticate for host/gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
  -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
  -- try_machine_keytab_princ: Authentication with keytab failed
  -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.
  -- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
  -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
  -- try_machine_password: Authentication with password failed
  -- try_user_creds: Checking if default ticket cache has tickets...
  -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
  -- try_user_creds: User ticket cache was not valid.
  Error: could not find any credentials to authenticate with. Neither keytab,
       default machine password, nor calling user's tickets worked. Try
       "kinit"ing yourself some tickets with permission to create computer
       objects, or pre-creating the computer object in AD and selecting
       'reset account'.
  -- ~KRB5Context: Destroying Kerberos Context




  Same error if I change gw.srv1-v4.tcy.myinternetdomain.org to ophtcysrv1v4.myaddomain.fr



  Does anyone know the origin of this error?


  thanks

  Olivier




------------------------------------------------------------------------------
  _______________________________________________
  squid-users mailing list
  squid-users at lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users

