[squid-users] Squid and Kerberos problems

Olivier CALVANO o.calvano at gmail.com
Sun May 3 23:06:05 UTC 2015


No i de with the msktutil dev :)

Thanks for your help

On Monday 4 May 2015, Markus Moeller <huaraz at moeller.plus.com> wrote:

>   So this worked?
>
> Markus
>
>  "Olivier CALVANO" <o.calvano at gmail.com> wrote in message
> news:CAJajPeddju9t4QAiPSmT-5JUsn4Gf6Nj0Pff3JBJ+BzXzTXOUQ at mail.gmail.com...
>    Oh, I have deleted "--enctypes 28"
>
> and now:
>
> [root at gw msktutil-1.0rc1]# ./msktutil -c -b "CN=COMPUTERS" -s HTTP/ophtcysrv1v4.myaddomain.fr -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/ophtcysrv1v4.myaddomain.fr --server myad.myaddomain.fr --verbose
> -- init_password: Wiping the computer password structure
> -- generate_new_password: Generating a new, random password for the
> computer account
> -- generate_new_password:  Characters read from /dev/urandom = 94
> -- create_fake_krb5_conf: Created a fake krb5.conf file:
> /tmp/.msktkrb5.conf-RyUQcT
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$
> from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No
> such file or directory)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$
> from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No
> such file or directory)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for host/
> mydnshostname.fr from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with
> password.
> -- create_default_machine_password: Default machine password for
> OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed
> (Preauthentication failed)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- finalize_exec: Authenticated using method 5
> -- LDAPConnection: Connecting to LDAP server: myad.myaddomain.fr
> SASL/GSSAPI authentication started
> SASL username: Myusername at myaddomain.fr
> SASL SSF: 56
> SASL data security layer installed.
> -- ldap_get_base_dn: Determining default LDAP base: dc=SODIAAL,dc=FR
> -- ldap_check_account: Checking that a computer account for
> OPHTCYSRV1V4-K$ exists
> -- ldap_check_account: Checking computer account - found
> -- ldap_check_account: Found userAccountControl = 0x1000
> -- ldap_check_account: Found supportedEncryptionTypes = 28
> -- ldap_check_account: Found dNSHostName = mydnshostname.fr
> -- ldap_check_account: userPrincipal specified on command line
> -- ldap_check_account_strings: Inspecting (and updating) computer account
> attributes
> -- ldap_check_account_strings: Found userPrincipalName = HTTP/ophtcysrv1v4.myaddomain.fr at myaddomain.fr
> -- ldap_check_account_strings: userPrincipalName should be HTTP/ophtcysrv1v4.myaddomain.fr at myaddomain.fr
> -- ldap_check_account_strings: Nothing to do
> -- ldap_set_supportedEncryptionTypes: No need to change
> msDs-supportedEncryptionTypes they are 28
> -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
> 0x200000 to 0x0
> -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
> -- ldap_get_kvno: KVNO is 1
> -- set_password: Attempting to reset computer's password
> -- set_password: Try change password using user's ticket cache
> -- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776
> -- set_password: Successfully set password.
> -- ldap_add_principal: Checking that adding principal HTTP/
> ophtcysrv1v4.myaddomain.fr to OPHTCYSRV1V4-K$ won't cause a conflict
> -- ldap_add_principal: Adding principal HTTP/ophtcysrv1v4.myaddomain.fr
> to LDAP entry
> -- ldap_add_principal: Checking that adding principal host/
> mydnshostname.fr to OPHTCYSRV1V4-K$ won't cause a conflict
> -- ldap_add_principal: Adding principal host/mydnshostname.fr to LDAP
> entry
> -- execute: Updating all entries for mydnshostname.fr in the keytab
> WRFILE:/etc/squid/PROXY.keytab
> -- update_keytab: Updating all entries for OPHTCYSRV1V4-K$
> -- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x17
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x11
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x12
> -- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2,
> enctype=23
> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2,
> enctype=17
> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2,
> enctype=18
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x17
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x11
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x12
> -- add_principal_keytab: Adding principal to keytab: HTTP/
> ophtcysrv1v4.myaddomain.fr
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x17
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x11
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x12
> -- add_principal_keytab: Adding principal to keytab: host/OPHTCYSRV1V4-K
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x17
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x11
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x12
> -- update_keytab: Entries for SPN HTTP/ophtcysrv1v4.myaddomain.fr have
> already been added. Skipping ...
> -- add_principal_keytab: Adding principal to keytab: host/mydnshostname.fr
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x17
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x11
> -- add_principal_keytab:     Using salt of
> myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab:   Adding entry of enctype 0x12
> -- wait_for_new_kvno: Checking new kvno via ldap
> -- ldap_get_kvno: KVNO is 1
> Waiting for account replication (0 seconds past)
> -- ldap_get_kvno: KVNO is 2
> -- ~KRB5Context: Destroying Kerberos Context
>
>
>
> Is it good for you?
>
> regards
> olivier
>
>
> 2015-05-03 13:25 GMT+02:00 Markus Moeller <huaraz at moeller.plus.com>:
>
>>   Did you compile msktutil or is it a package in CentOS?
>>
>> Markus
>>
>>  "Olivier CALVANO" <o.calvano at gmail.com> wrote in message
>> news:CAJajPecQD+_1KRUfwa9eAC4iYAKapZBLyg-9vuueKLGWUecopQ at mail.gmail.com...
>>     Hi
>>
>>
>> Thanks for your answer
>>
>> CentOS Linux release 7.1.1503 (Core)
>>
>> krb5-workstation-1.12.2-14.el7.x86_64
>> krb5-libs-1.12.2-14.el7.x86_64
>>
>> regards
>> olivier
>>
>>
>> 2015-05-03 0:25 GMT+02:00 Markus Moeller <huaraz at moeller.plus.com>:
>>
>>>   Which OS and Kerberos version do you have? There might be some
>>> issue with the cache used, KEYRING:persistent:0:0.
>>> Markus
>>>
>>>  "Olivier CALVANO" <o.calvano at gmail.com> wrote in message
>>> news:CAJajPefo3t8b1=_v5PFj3H0gq4Jk3OosuTW8gNHY7Z-Gs21qLg at mail.gmail.com...
>>>      Hi
>>>
>>> I request your help because I want to use NTLM/Kerberos to authenticate my
>>> users.
>>>
>>> For NTLM, I use Winbind, no problems:
>>>
>>> [root at gw]# wbinfo -t
>>> checking the trust secret for domain MYADDOMAIN via RPC calls succeeded
>>>
>>> but for Kerberos, I can't create the .keytab.
>>>
>>>
>>> [root at gw]# kinit MYUSERNAME
>>> Password for MYUSERNAME at MYADDOMAIN.FR:
>>>
>>> [root at gw]# klist
>>> Ticket cache: KEYRING:persistent:0:0
>>> Default principal: MYUSERNAME at MYADDOMAIN.FR
>>>
>>> Valid starting       Expires              Service principal
>>> 02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/MYADDOMAIN.FR at MYADDOMAIN.FR
>>>         renew until 09/05/2015 04:51:07
>>>
>>> MYUSERNAME is the same account with which I joined the domain (net join) with
>>> winbind.
>>>
>>>
>>> After that, I run:
>>>
>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
>>>
>>> and I get an error:
>>>
>>> [root at gw etc]# msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
>>> -- init_password: Wiping the computer password structure
>>> -- generate_new_password: Generating a new, random password for the
>>> computer account
>>> -- generate_new_password:  Characters read from /dev/udandom = 84
>>> -- create_fake_krb5_conf: Created a fake krb5.conf file:
>>> /tmp/.msktkrb5.conf-jnxTuG
>>> -- reload: Reloading Kerberos Context
>>> -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
>>> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$
>>> from local keytab...
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>> (Client not found in Kerberos database)
>>> -- try_machine_keytab_princ: Authentication with keytab failed
>>> -- try_machine_keytab_princ: Trying to authenticate for host/
>>> gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>> (Client not found in Kerberos database)
>>> -- try_machine_keytab_princ: Authentication with keytab failed
>>> -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with
>>> password.
>>> -- create_default_machine_password: Default machine password for
>>> OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
>>> -- try_machine_password: Error: krb5_get_init_creds_keytab failed
>>> (Client not found in Kerberos database)
>>> -- try_machine_password: Authentication with password failed
>>> -- try_user_creds: Checking if default ticket cache has tickets...
>>> -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials
>>> cache found)
>>> -- try_user_creds: User ticket cache was not valid.
>>> Error: could not find any credentials to authenticate with. Neither
>>> keytab,
>>>      default machine password, nor calling user's tickets worked. Try
>>>      "kinit"ing yourself some tickets with permission to create computer
>>>      objects, or pre-creating the computer object in AD and selecting
>>>      'reset account'.
>>> -- ~KRB5Context: Destroying Kerberos Context
>>>
>>>
>>>
>>> Same error if I change gw.srv1-v4.tcy.myinternetdomain.org to
>>> ophtcysrv1v4.myaddomain.fr.
>>>
>>>
>>> Does anyone know the origin of this error?
>>>
>>> thanks
>>> Olivier
>>>
>>>
>>> ------------------------------
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>>
>>
>
>
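A post-join check, added here and not part of this thread or of msktutil: before pointing Squid's negotiate helper at /etc/squid/PROXY.keytab, confirm that the keytab holds the HTTP SPN for every enctype the AD account advertises (msDS-supportedEncryptionTypes = 28 above, i.e. RC4, AES128 and AES256) at the kvno LDAP reports, with no leftovers from an earlier password reset. The klist -kte output is a constructed sample that reuses the thread's names; parse_klist, check_spn and ENCTYPE_BITS are my names.

```python
import re
# msDS-SupportedEncryptionTypes bit values (MS-KILE) mapped to the enctype
# names klist prints. The account in the thread reports 28 = RC4|AES128|AES256.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# One entry line of `klist -kte`: "   2 05/04/2015 01:00:00 principal (enctype)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed sample (hypothetical): hostnames follow the thread, but the AES256
# entry was only written at the old kvno 1 and is missing at the new kvno 2.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/04/2015 01:00:00 OPHTCYSRV1V4-K$@MYADDOMAIN.FR (arcfour-hmac)
   2 05/04/2015 01:00:00 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (arcfour-hmac)
   2 05/04/2015 01:00:00 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (aes128-cts-hmac-sha1-96)
   1 05/03/2015 12:00:00 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (aes256-cts-hmac-sha1-96)
"""


def decode_enctypes(mask):
    """Enctype names enabled by an msDS-SupportedEncryptionTypes bitmask."""
    return {name for bit, name in ENCTYPE_BITS.items() if mask & bit}


def parse_klist(text):
    """Parse `klist -kte` output into (kvno, principal, enctype) tuples."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def check_spn(entries, spn, ad_mask, ldap_kvno):
    """List problems for one SPN: enctypes AD allows but the keytab lacks at the
    kvno LDAP reports, and entries left at other kvnos (stale after a reset)."""
    mine = [e for e in entries if e[1] == spn]
    if not mine:
        return ["no entries for %s" % spn]
    present = {e[2] for e in mine if e[0] == ldap_kvno}
    problems = ["missing %s for %s at kvno %d" % (n, spn, ldap_kvno)
                for n in sorted(decode_enctypes(ad_mask) - present)]
    stale = sorted({e[0] for e in mine if e[0] != ldap_kvno})
    if stale:
        problems.append("stale kvno(s) %s for %s" % (stale, spn))
    return problems
```

On a real host, feed it the live output, e.g. parse_klist(subprocess.check_output(["klist", "-kte", "/etc/squid/PROXY.keytab"], text=True)), and take the kvno and the supportedEncryptionTypes value from the msktutil --verbose run.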