[squid-users] Kerberos SSO Error: krb5_get_init_creds_keytab failed

erdosain9 erdosain9 at gmail.com
Tue Aug 23 18:42:19 UTC 2016


Hi.
I'm trying to configure SSO (single sign-on) with Kerberos.
I have this error:

[root@squid squid]# kinit administrator
Password for administrator@XXXXXXX.LAN: 
Warning: Your password will expire in 28 days on mié 21 sep 2016 12:20:39 ART
[root@squid squid]# msktutil -c -b "CN=COMPUTERS" -s HTTP/squid.XXXXXXX.lan
-h squid.XXXXXXX.lan -k /etc/PROXY.keytab --computer-name squid --upn
HTTP/squid.XXXXXXX.lan --server ubuntu.XXXXXXX.lan --verbose
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password:  Characters read from /dev/udandom = 78
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-AkkOKq
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: squid$
 -- try_machine_keytab_princ: Trying to authenticate for squid$ from local
keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Looping detected inside krb5_get_in_tkt)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for
host/squid.XXXXXXX.lan from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for squid$ with password.
 -- create_default_machine_password: Default machine password for squid$ is
squid
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Looping
detected inside krb5_get_in_tkt)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: ubuntu.XXXXXXX.lan try_tls=YES
 -- ldap_connect: Connecting to LDAP server: ubuntu.XXXXXXX.lan try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrator@XXXXXXX.LAN
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=XXXXXXX,dc=LAN
 -- ldap_check_account: Checking that a computer account for squid$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x11000

 -- ldap_check_account: Found default supportedEncryptionTypes = 7

 -- ldap_check_account: Found dNSHostName = squid.XXXXXXX.lan

 -- ldap_check_account:   Found Principal: host/SQUID
 -- ldap_check_account:   Found Principal: host/squid.XXXXXXX.lan
 -- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName
to HTTP/squid.XXXXXXX.lan@XXXXXXX.LAN
 -- ldap_set_supportedEncryptionTypes: DEE
dn=CN=SQUID,CN=Computers,DC=XXXXXXX,DC=lan old=7 new=28

 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
msDs-supportedEncryptionTypes to 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed
0x11000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 131164420010000000
 -- set_password: Successfully set password, waiting for it to be reflected
in LDAP.
 -- ldap_get_pwdLastSet: pwdLastSet is 131164503580000000
 -- set_password: Successfully reset computer's password
 -- ldap_add_principal: Checking that adding principal
HTTP/squid.XXXXXXX.lan to squid$ won't cause a conflict
 -- ldap_add_principal: Adding principal HTTP/squid.XXXXXXX.lan to LDAP
entry
 -- execute: Updating all entries for squid.XXXXXXX.lan in the keytab
WRFILE:/etc/PROXY.keytab

 -- update_keytab: Updating all entires for squid$
 -- ldap_get_kvno: KVNO is 3
 -- add_principal_keytab: Adding principal to keytab: squid$
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/SQUID
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/squid.XXXXXXX.lan
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: HTTP/squid.XXXXXXX.lan
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of XXXXXXX.LANhostsquid.XXXXXXX.lan
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

What can I do?
Is there a simpler way with Samba?

I tried
-------------------------------------------------------
Join host to domain with net ads join
Create keytab for HTTP/fqdn with net ads keytab

kinit administrator@DOMAIN

export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab

net ads keytab CREATE
net ads keytab ADD HTTP

unset KRB5_KTNAME
------------------------------------------------------------

And I get

[root@squid squid]# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
[root@squid squid]# net ads keytab CREATE
[root@squid squid]# net ads keytab ADD HTTP
Processing principals to add...
../source3/libads/kerberos_keytab.c:331: unable to determine machine
account's dns name in AD!

Some help???
Thanks!
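A keytab sanity check for the msktutil run above, added here as an example and not part of the original post: it takes the text that `klist -kte` prints for a keytab and verifies that the HTTP service principal is present, that every entry carries the KVNO msktutil reported (3), and that AES keys exist alongside the RC4 one (enctypes 0x11/0x12 next to 0x17). The realm, host and the listing itself are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Checks a `klist -kte` listing
# against what msktutil reported: principal HTTP/<fqdn>@<REALM>, KVNO 3,
# and AES keys (enctypes 0x11/0x12) in addition to RC4 (0x17).

# Constructed sample of `klist -kte /etc/PROXY.keytab` output; realm and
# host name are placeholders, not values from a real domain.
SAMPLE_LISTING='Keytab name: FILE:/etc/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 08/23/2016 15:30:00 squid$@EXAMPLE.LAN (arcfour-hmac)
   3 08/23/2016 15:30:00 squid$@EXAMPLE.LAN (aes128-cts-hmac-sha1-96)
   3 08/23/2016 15:30:00 squid$@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)
   3 08/23/2016 15:30:00 HTTP/squid.example.lan@EXAMPLE.LAN (arcfour-hmac)
   3 08/23/2016 15:30:00 HTTP/squid.example.lan@EXAMPLE.LAN (aes128-cts-hmac-sha1-96)
   3 08/23/2016 15:30:00 HTTP/squid.example.lan@EXAMPLE.LAN (aes256-cts-hmac-sha1-96)'

# keytab_check LISTING PRINCIPAL EXPECTED_KVNO
# Returns 0 when PRINCIPAL is in the listing, all of its entries carry
# EXPECTED_KVNO, and at least one AES key is present; returns 1 otherwise.
keytab_check() {
    listing=$1; princ=$2; kvno=$3
    # Entry lines have the principal in column 4; header lines do not match.
    entries=$(printf '%s\n' "$listing" | awk -v p="$princ" '$4 == p')
    if [ -z "$entries" ]; then
        echo "missing: $princ is not in the keytab" >&2
        return 1
    fi
    # A KVNO that differs from the one AD holds means the KDC and the keytab
    # no longer share a key, so GSSAPI authentication will fail.
    if printf '%s\n' "$entries" | awk -v k="$kvno" '$1 != k { bad=1 } END { exit !bad }'; then
        echo "kvno mismatch for $princ (expected $kvno)" >&2
        return 1
    fi
    # Only RC4 (arcfour-hmac) keys: clients negotiating AES cannot use this keytab.
    if ! printf '%s\n' "$entries" | grep -q 'aes[0-9]*-cts'; then
        echo "no AES key for $princ, only RC4 present" >&2
        return 1
    fi
    return 0
}

# On a real host replace SAMPLE_LISTING with "$(klist -kte /etc/PROXY.keytab)".
keytab_check "$SAMPLE_LISTING" 'HTTP/squid.example.lan@EXAMPLE.LAN' 3 \
    && echo "HTTP keytab entries look consistent"
```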


