[squid-users] Squid and Kerberos problems

Olivier CALVANO o.calvano at gmail.com
Sun May 3 17:24:21 UTC 2015


Hi

I have compiled the 1.0rc version:



[root@gw msktutil-1.0rc1]# ./msktutil -c -b "CN=COMPUTERS" \
    -s HTTP/ophtcysrv1v4.myaddomain.fr -k /etc/squid/PROXY.keytab \
    --computer-name OPHTCYSRV1V4-K --upn HTTP/ophtcysrv1v4.myasdomain.fr \
    --server myad.myaddomain.fr --verbose --enctypes 28
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/urandom = 93
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-jPXQHu
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
 -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/
gw.srv1-v4.tcy.sodiaal.ophelys.org from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with
password.
 -- create_default_machine_password: Default machine password for
OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: myad.myaddomain.fr
SASL/GSSAPI authentication started
SASL username: Myusername@MYADDOMAIN.FR
SASL SSF: 56
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN,dc=FR
 -- ldap_check_account: Checking that a computer account for
OPHTCYSRV1V4-K$ exists
 -- ldap_check_account: Computer account not found, create the account
No computer account for OPHTCYSRV1V4-K found, creating a new one.
 -- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
 -- ldap_check_account_strings: Found userPrincipalName =
 -- ldap_check_account_strings: userPrincipalName should be HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
 -- ldap_get_kvno: KVNO is 1
 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache
 -- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776
Error: Unable to set machine password for OPHTCYSRV1V4-K$: (3)
Authentication error
Error: set_password failed
 -- ~KRB5Context: Destroying Kerberos Context






2015-05-03 13:25 GMT+02:00 Markus Moeller <huaraz at moeller.plus.com>:

>   Did you compile msktutil, or is it a package in CentOS?
>
> Markus
>
>  "Olivier CALVANO" <o.calvano at gmail.com> wrote in message
> news:CAJajPecQD+_1KRUfwa9eAC4iYAKapZBLyg-9vuueKLGWUecopQ at mail.gmail.com...
>    Hi
>
>
> Thanks for your answer
>
> CentOS Linux release 7.1.1503 (Core)
>
> krb5-workstation-1.12.2-14.el7.x86_64
> krb5-libs-1.12.2-14.el7.x86_64
>
> regards
> olivier
>
>
> 2015-05-03 0:25 GMT+02:00 Markus Moeller <huaraz at moeller.plus.com>:
>
>>   Which OS and Kerberos version do you have? There might be some issue
>> with the cache used, KEYRING:persistent:0:0.
>> Markus
>>
>>  "Olivier CALVANO" <o.calvano at gmail.com> wrote in message
>> news:CAJajPefo3t8b1=_v5PFj3H0gq4Jk3OosuTW8gNHY7Z-Gs21qLg at mail.gmail.com.
>> ..
>>      Hi
>>
>> I am asking for your help because I want to use NTLM/Kerberos to authenticate my
>> users.
>>
>> For NTLM, I use Winbind, no problems:
>>
>> [root@gw]# wbinfo -t
>> checking the trust secret for domain MYADDOMAIN via RPC calls succeeded
>>
>> but for Kerberos, I can't create the .keytab:
>>
>>
>> [root@gw]# kinit MYUSERNAME
>> Password for MYUSERNAME@MYADDOMAIN.FR:
>>
>> [root@gw]# klist
>> Ticket cache: KEYRING:persistent:0:0
>> Default principal: MYUSERNAME@MYADDOMAIN.FR
>>
>> Valid starting       Expires              Service principal
>> 02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/MYADDOMAIN.FR@MYADDOMAIN.FR
>>         renew until 09/05/2015 04:51:07
>>
>> MYUSERNAME is the same account that I used to join the domain (net join) with
>> winbind.
>>
>>
>> After that, I run:
>>
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org \
>>     -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K \
>>     --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
>>
>> and I get an error:
>>
>> [root@gw etc]# msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org \
>>     -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K \
>>     --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
>> -- init_password: Wiping the computer password structure
>> -- generate_new_password: Generating a new, random password for the
>> computer account
>> -- generate_new_password:  Characters read from /dev/urandom = 84
>> -- create_fake_krb5_conf: Created a fake krb5.conf file:
>> /tmp/.msktkrb5.conf-jnxTuG
>> -- reload: Reloading Kerberos Context
>> -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
>> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$
>> from local keytab...
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>> (Client not found in Kerberos database)
>> -- try_machine_keytab_princ: Authentication with keytab failed
>> -- try_machine_keytab_princ: Trying to authenticate for host/
>> gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>> (Client not found in Kerberos database)
>> -- try_machine_keytab_princ: Authentication with keytab failed
>> -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with
>> password.
>> -- create_default_machine_password: Default machine password for
>> OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
>> -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client
>> not found in Kerberos database)
>> -- try_machine_password: Authentication with password failed
>> -- try_user_creds: Checking if default ticket cache has tickets...
>> -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials
>> cache found)
>> -- try_user_creds: User ticket cache was not valid.
>> Error: could not find any credentials to authenticate with. Neither
>> keytab,
>>      default machine password, nor calling user's tickets worked. Try
>>      "kinit"ing yourself some tickets with permission to create computer
>>      objects, or pre-creating the computer object in AD and selecting
>>      'reset account'.
>> -- ~KRB5Context: Destroying Kerberos Context
>>
>>
>>
>> Same error if I change gw.srv1-v4.tcy.myinternetdomain.org to
>> ophtcysrv1v4.myaddomain.fr.
>>
>>
>> Does anyone know the origin of this error?
>>
>> thanks
>> Olivier
>>
>>
>> ------------------------------
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
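What the msktutil runs above are trying to produce is a keytab at /etc/squid/PROXY.keytab that holds keys for HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR at the encryption types selected by --enctypes 28 and at the kvno AD currently holds for the computer account. The following is an added example, not code from this thread, from msktutil or from Squid: a small Python parser for the MIT keytab file format that lists every entry and checks a keytab against the service principal, the --enctypes bitmask and the expected kvno, which is the same check you would otherwise do by eye with `klist -kt`. The sample keytab is constructed inside the script; its key bytes and its kvno of 2 are made up for the example, and the bit values are those of the AD attribute msDS-SupportedEncryptionTypes that --enctypes writes.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Bits of the AD attribute msDS-SupportedEncryptionTypes (what msktutil's
# --enctypes sets) mapped to the Kerberos enctype numbers stored in a keytab.
AD_ENCTYPE_BITS = {
    0x01: 1,   # DES-CBC-CRC
    0x02: 3,   # DES-CBC-MD5
    0x04: 23,  # RC4-HMAC
    0x08: 17,  # AES128-CTS-HMAC-SHA1-96
    0x10: 18,  # AES256-CTS-HMAC-SHA1-96
}
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DES_ENCTYPES = {1, 3}


def enctypes_from_mask(mask: int) -> List[int]:
    """--enctypes 28 (0x1C) -> [17, 18, 23]: both AES types plus RC4."""
    return sorted(et for bit, et in AD_ENCTYPE_BITS.items() if mask & bit)


@dataclass
class KeytabEntry:
    principal: str   # "HTTP/host@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _get_counted(data: bytes, off: int):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def _put_counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT keytab (file format version 0x0502, all fields big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _get_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _get_counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, off)
        off += 11
        key, off = _get_counted(data, off)
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno, takes precedence when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            off += 4
            if vno32:
                kvno = vno32
        if off != end:
            raise ValueError("malformed keytab entry")
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in the same format; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _put_counted(realm.encode())
        body += b"".join(_put_counted(c.encode()) for c in comps)
        body += struct.pack(">IIBH", e.name_type, e.timestamp, e.kvno & 0xFF, e.enctype)
        body += _put_counted(e.key) + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, principal: str, enctypes_mask: int,
                 expected_kvno: Optional[int] = None) -> List[str]:
    """Return a list of problems; an empty list means the keytab is usable for `principal`."""
    problems = []
    mine = [e for e in parse_keytab(data) if e.principal == principal]
    if not mine:
        return [f"no keys for {principal}"]
    have = {e.enctype for e in mine}
    for et in enctypes_from_mask(enctypes_mask):
        if et not in have:
            problems.append(f"missing enctype {et} ({ENCTYPE_NAMES[et]})")
    if have & DES_ENCTYPES:
        problems.append("contains single-DES keys")
    kvnos = {e.kvno for e in mine}
    if len(kvnos) != 1:
        problems.append(f"mixed kvnos {sorted(kvnos)}")
    elif expected_kvno is not None and kvnos != {expected_kvno}:
        problems.append(f"kvno {kvnos.pop()} != AD kvno {expected_kvno}")
    return problems


# Constructed sample: what PROXY.keytab should hold after a successful
# "msktutil ... --enctypes 28" run. The kvno of 2 and the key bytes are made up.
PRINCIPAL = "HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(PRINCIPAL, 1, 1430670000, 2, 23, bytes(range(16))),
    KeytabEntry(PRINCIPAL, 1, 1430670000, 2, 17, bytes(range(16, 32))),
    KeytabEntry(PRINCIPAL, 1, 1430670000, 2, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.kvno:>4} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})")
    print("problems:", check_keytab(SAMPLE_KEYTAB, PRINCIPAL, 28, expected_kvno=2))
```

To run it against the real file, pass `open("/etc/squid/PROXY.keytab", "rb").read()` to `check_keytab` together with the HTTP/ principal and the mask you gave to --enctypes. Two failures are worth catching before wiring the keytab into Squid: no entry at all for the HTTP/ principal (the proxy then cannot accept any service ticket), and a kvno in the keytab that trails the account's current kvno in AD (tickets the KDC issues are encrypted under the newer key, so the proxy cannot decrypt them even though a user's kinit still works).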