[squid-users] SSO (ldap kerberos)

Craddock, Tommy Tommy.Craddock at bicgraphic.com
Tue Sep 13 18:55:46 UTC 2016 

Hello, 

You get that because that is what happens when you update a keytab using the msktutil program. 
 
Tommy E CRADDOCK JR

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of erdosain9
Sent: Tuesday, September 13, 2016 2:33 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] SSO (ldap kerberos)

Hi again.


I get this

msktutil --auto-update --verbose --computer-name squid-k -k PROXY.keytab
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/udandom = 95
 -- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR
TCP)
 -- get_dc_host: Found DC: ads-01.example.lan
 -- get_dc_host: Canonicalizing DC through forward/reverse lookup...
 -- get_dc_host: Found Domain Controller: ads-01.example.lan
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-L8DxV8
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: squid-k$
 -- try_machine_keytab_princ: Trying to authenticate for squid-k$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/squid.example.lan from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for squid-k$ with password.
 -- create_default_machine_password: Default machine password for squid-k$ is squid-k
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: ads-01.example.lan try_tls=YES
 -- ldap_connect: Connecting to LDAP server: ads-01.example.lan try_tls=NO SASL/GSSAPI authentication started SASL username: administrator at example.LAN SASL SSF: 56 SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=example,dc=LAN
 -- get_default_ou: Determining default OU: CN=Computers,DC=example,DC=lan
 -- ldap_check_account: Checking that a computer account for squid-k$ exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x1000

 -- ldap_check_account: Found supportedEncryptionTypes = 28

 -- ldap_check_account: Found dNSHostName = squid.example.lan

 -- ldap_check_account:   Found Principal: HTTP/squid.example.lan
 -- ldap_check_account:   Found Principal: host/squid.example.lan
 -- ldap_check_account:   Found User Principal: HTTP/squid.example.lan
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28

 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 131182651460000000
 -- set_password: Successfully set password, waiting for it to be reflected in LDAP.
 -- ldap_get_pwdLastSet: pwdLastSet is 131182651580000000
 -- set_password: Successfully reset computer's password
 -- execute: Updating all entries for squid.example.lan in the keytab WRFILE:PROXY.keytab

 -- update_keytab: Updating all entires for squid-k$
 -- ldap_get_kvno: KVNO is 4
 -- add_principal_keytab: Adding principal to keytab: squid-k$
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: HTTP/squid.example.lan
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/squid.example.lan
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of
example.LANhostsquid-k.example.lan
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context


Why?? 
I am following this
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
............




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSO-ldap-kerberos-tp4679470p4679490.html
Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

More information about the squid-users mailing list