[squid-users] Kerberos and keytab problem

Tevfik Ceydeliler tevfik.ceydeliler at gmail.com
Wed Sep 25 11:58:43 UTC 2019


Hi, I am trying to use Kerberos in my Squid, but I get an error message:

############################
msktutil --auto-update --verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp -k /etc/squid/PROXY.keytab
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 95
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QCbGC5
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: suqidpnb1$
 -- try_machine_keytab_princ: Trying to authenticate for suqidpnb1$ from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for SUQIDPNB1$ from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/localhost from local keytab
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table entry not found)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for suqidpnb1$ with password
 -- create_default_machine_password: Default machine password for suqidpnb1$ is suqidpnb1
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid
Error: could not find any credentials to authenticate with. Neither keytab, default machine password, nor calling user's tickets worked. Try "kinit"ing yourself some tickets with permission to create computer objects, or pre-creating the computer object in AD and selecting 'reset account'.

############################
I can't find why this happens:


My AD is at 2012R2 functional level.
I created the keytab with this:
msktutil -c -b "OU=Servers,DC=toyo,DC=grp" -s HTTP/squidtoyopnb1.toyo.grp -k /etc/squid/PROXY.keytab --computer-name SQUIDPNB1 --upn HTTP/squidtoyopnb1.toyo.grp --server dctoyo1.toyo.grp --verbose --enctypes 28

Keytab file permissions are:
-rw-r----- 1 root squid 933 Sep 25 13:37 PROXY.keytab

and the keytab file contents (klist -k output):

   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP
   3 host/squidtoyopnb1@TOYO.GRP
   3 host/squidtoyopnb1@TOYO.GRP
   3 host/squidtoyopnb1@TOYO.GRP
   3 host/squidtoyopnb1.toyo.grp@TOYO.GRP
   3 host/squidtoyopnb1.toyo.grp@TOYO.GRP
   3 host/squidtoyopnb1.toyo.grp@TOYO.GRP

krb5.conf:
[libdefaults]
        default_realm = TOYO.GRP
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid/PROXY.keytab

        ; for Windows 2008 with AES
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
        TOYO.GRP = {
                kdc = dctoyo1.toyo.grp
                kdc = DCTOYO2.toyo.grp
                admin_server = 10.65.12.254
                default_domain = toyo.grp
        }

[domain_realm]
        toyo.grp = TOYO.GRP
        .toyo.grp = TOYO.GRP

[logging]
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

-- 
Tevfik Ceydeliler
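Editor's note, not part of the post: the verbose log shows which principals msktutil tried (suqidpnb1$, SUQIDPNB1$, host/localhost) and `klist -k` shows what the keytab holds, so a "Key table entry not found" can be diagnosed offline by comparing the two. Kerberos principal names are case-sensitive, and the added script below also reports a near-miss spelling against the closest real entry; the `klist -k` sample is constructed from the post's listing, and the `' at '` handling exists only because the list archive rewrote `@`.

```python
import difflib
import re

# Constructed sample: the post's `klist -k` listing, trimmed. The archive
# rewrote '@' as ' at ' on some lines; real klist output always prints '@'.
KLIST_OUTPUT = """\
   3 SQUIDPNB1$@TOYO.GRP
   3 SQUIDPNB1$@TOYO.GRP
   3 HTTP/squidtoyopnb1.toyo.grp at TOYO.GRP
   3 host/squidtoyopnb1 at TOYO.GRP
   3 host/squidtoyopnb1.toyo.grp at TOYO.GRP
"""

def parse_klist(output):
    """Return the distinct principals in `klist -k` output (kvno column dropped)."""
    principals = set()
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+(\S.*\S)\s*$", line)
        if m:
            principals.add(m.group(1).replace(" at ", "@"))
    return principals

def check_principal(wanted, principals):
    """Classify `wanted` against the keytab: exact, case-only, near-miss or missing.
    Principal names are case-sensitive, so 'SQUIDPNB1$' does not satisfy 'squidpnb1$'."""
    if wanted in principals:
        return "exact", wanted
    by_lower = {p.lower(): p for p in principals}
    if wanted.lower() in by_lower:
        return "case-only", by_lower[wanted.lower()]
    # A spelling slip such as 'suqid' for 'squid' scores ~0.95 here.
    close = difflib.get_close_matches(wanted.lower(), list(by_lower), n=1, cutoff=0.85)
    if close:
        return "near-miss", by_lower[close[0]]
    return "missing", None

def diagnose(computer_name, realm, klist_output):
    """Check the three principals the verbose msktutil log shows it trying."""
    principals = parse_klist(klist_output)
    candidates = (f"{computer_name}$@{realm}",
                  f"{computer_name.upper()}$@{realm}",
                  f"host/localhost@{realm}")
    return {c: check_principal(c, principals) for c in candidates}

if __name__ == "__main__":
    for princ, (verdict, match) in diagnose("suqidpnb1", "TOYO.GRP", KLIST_OUTPUT).items():
        print(f"{princ}: {verdict}" + (f" (keytab has {match})" if match else ""))
```

Run against the post's values, the computer-account lookups come back as near-misses of SQUIDPNB1$@TOYO.GRP, which is the entry the keytab actually contains.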