<div dir="ltr"><div><div><div><div>Oh, I have deleted "--enctypes 28"<br><br></div>and now:<br><br>[root@gw msktutil-1.0rc1]# ./msktutil -c -b "CN=COMPUTERS" -s HTTP/<a href="http://ophtcysrv1v4.myaddomain.fr">ophtcysrv1v4.myaddomain.fr</a> -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/<a href="http://ophtcysrv1v4.myaddomain.fr">ophtcysrv1v4.myaddomain.fr</a> --server <a href="http://myad.myaddomain.fr">myad.myaddomain.fr</a> --verbose<br> -- init_password: Wiping the computer password structure<br> -- generate_new_password: Generating a new, random password for the computer account<br> -- generate_new_password: Characters read from /dev/urandom = 94<br> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-RyUQcT<br> -- reload: Reloading Kerberos Context<br> -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$<br> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...<br> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)<br> -- try_machine_keytab_princ: Authentication with keytab failed<br> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...<br> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)<br> -- try_machine_keytab_princ: Authentication with keytab failed<br> -- try_machine_keytab_princ: Trying to authenticate for host/<a href="http://mydnshostname.fr">mydnshostname.fr</a> from local keytab...<br> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)<br> -- try_machine_keytab_princ: Authentication with keytab failed<br> -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.<br> -- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k<br> -- try_machine_password: Error: krb5_get_init_creds_keytab failed 
(Preauthentication failed)<br> -- try_machine_password: Authentication with password failed<br> -- try_user_creds: Checking if default ticket cache has tickets...<br> -- finalize_exec: Authenticated using method 5<br> -- LDAPConnection: Connecting to LDAP server: <a href="http://myad.myaddomain.fr">myad.myaddomain.fr</a><br>SASL/GSSAPI authentication started<br>SASL username: <a href="mailto:Myusername@myaddomain.fr">Myusername@myaddomain.fr</a><br>SASL SSF: 56<br>SASL data security layer installed.<br> -- ldap_get_base_dn: Determining default LDAP base: dc=SODIAAL,dc=FR<br> -- ldap_check_account: Checking that a computer account for OPHTCYSRV1V4-K$ exists<br> -- ldap_check_account: Checking computer account - found<br> -- ldap_check_account: Found userAccountControl = 0x1000<br> -- ldap_check_account: Found supportedEncryptionTypes = 28<br> -- ldap_check_account: Found dNSHostName = <a href="http://mydnshostname.fr">mydnshostname.fr</a><br> -- ldap_check_account: userPrincipal specified on command line<br> -- ldap_check_account_strings: Inspecting (and updating) computer account attributes<br> -- ldap_check_account_strings: Found userPrincipalName = HTTP/<a href="mailto:ophtcysrv1v4.myaddomain.fr@myaddomain.fr">ophtcysrv1v4.myaddomain.fr@myaddomain.fr</a><br> -- ldap_check_account_strings: userPrincipalName should be HTTP/<a href="mailto:ophtcysrv1v4.myaddomain.fr@myaddomain.fr">ophtcysrv1v4.myaddomain.fr@myaddomain.fr</a><br> -- ldap_check_account_strings: Nothing to do<br> -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28<br> -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0<br> -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000<br> -- ldap_get_kvno: KVNO is 1<br> -- set_password: Attempting to reset computer's password<br> -- set_password: Try change password using user's ticket cache<br> -- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776<br> -- 
set_password: Successfully set password.<br> -- ldap_add_principal: Checking that adding principal HTTP/<a href="http://ophtcysrv1v4.myaddomain.fr">ophtcysrv1v4.myaddomain.fr</a> to OPHTCYSRV1V4-K$ won't cause a conflict<br> -- ldap_add_principal: Adding principal HTTP/<a href="http://ophtcysrv1v4.myaddomain.fr">ophtcysrv1v4.myaddomain.fr</a> to LDAP entry<br> -- ldap_add_principal: Checking that adding principal host/<a href="http://mydnshostname.fr">mydnshostname.fr</a> to OPHTCYSRV1V4-K$ won't cause a conflict<br> -- ldap_add_principal: Adding principal host/<a href="http://mydnshostname.fr">mydnshostname.fr</a> to LDAP entry<br> -- execute: Updating all entries for <a href="http://mydnshostname.fr">mydnshostname.fr</a> in the keytab WRFILE:/etc/squid/PROXY.keytab<br> -- update_keytab: Updating all entries for OPHTCYSRV1V4-K$<br> -- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x17<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x11<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x12<br> -- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$<br> -- add_principal_keytab: Removing entries with kvno < 0<br> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@<a href="http://myaddomain.fr">myaddomain.fr</a> kvno=2, enctype=23<br> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@<a href="http://myaddomain.fr">myaddomain.fr</a> kvno=2, enctype=17<br> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@<a 
href="http://myaddomain.fr">myaddomain.fr</a> kvno=2, enctype=18<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x17<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x11<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x12<br> -- add_principal_keytab: Adding principal to keytab: HTTP/<a href="http://ophtcysrv1v4.myaddomain.fr">ophtcysrv1v4.myaddomain.fr</a><br> -- add_principal_keytab: Removing entries with kvno < 0<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x17<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x11<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x12<br> -- add_principal_keytab: Adding principal to keytab: host/OPHTCYSRV1V4-K<br> -- add_principal_keytab: Removing entries with kvno < 0<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x17<br> -- add_principal_keytab: Using salt of <a 
href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x11<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x12<br> -- update_keytab: Entries for SPN HTTP/<a href="http://ophtcysrv1v4.myaddomain.fr">ophtcysrv1v4.myaddomain.fr</a> have already been added. Skipping ...<br> -- add_principal_keytab: Adding principal to keytab: host/<a href="http://mydnshostname.fr">mydnshostname.fr</a><br> -- add_principal_keytab: Removing entries with kvno < 0<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x17<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x11<br> -- add_principal_keytab: Using salt of <a href="http://myaddomain.frhostophtcysrv1v4-k.myaddomain.fr">myaddomain.frhostophtcysrv1v4-k.myaddomain.fr</a><br> -- add_principal_keytab: Adding entry of enctype 0x12<br> -- wait_for_new_kvno: Checking new kvno via ldap<br> -- ldap_get_kvno: KVNO is 1<br>Waiting for account replication (0 seconds past)<br> -- ldap_get_kvno: KVNO is 2<br> -- ~KRB5Context: Destroying Kerberos Context<br><br><br><br></div>Is it good for you?<br><br></div>Regards<br></div>Olivier<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-05-03 13:25 GMT+02:00 Markus Moeller <span dir="ltr"><<a href="mailto:huaraz@moeller.plus.com" target="_blank">huaraz@moeller.plus.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div style="FONT-SIZE:12pt;FONT-FAMILY:'Calibri';COLOR:#000000">
<div>Did you compile msktutil or is it a package in CentOS?</div>
<div> </div>
<div>Markus</div>
<div> </div>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div style="FONT-SIZE:small;FONT-FAMILY:'Calibri';FONT-WEIGHT:normal;COLOR:#000000;FONT-STYLE:normal;TEXT-DECORATION:none;DISPLAY:inline">
<div>"Olivier CALVANO" <<a href="mailto:o.calvano@gmail.com" target="_blank">o.calvano@gmail.com</a>> wrote in message
news:CAJajPecQD+_1KRUfwa9eAC4iYAKapZBLyg-9vuueKLGWUecopQ@mail.gmail.com...</div></div></div><div><div class="h5">
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div style="FONT-SIZE:small;FONT-FAMILY:'Calibri';FONT-WEIGHT:normal;COLOR:#000000;FONT-STYLE:normal;TEXT-DECORATION:none;DISPLAY:inline">
<div dir="ltr">
<div>
<div>
<div>Hi<br><br><br></div>Thanks for your answer.<br><br>CentOS Linux release 7.1.1503 (Core)<br><br>krb5-workstation-1.12.2-14.el7.x86_64<br>krb5-libs-1.12.2-14.el7.x86_64<br><br></div>Regards<br></div>Olivier<br><br></div>
<div class="gmail_extra">
<div> </div>
<div class="gmail_quote">2015-05-03 0:25 GMT+02:00 Markus Moeller <span dir="ltr"><<a href="mailto:huaraz@moeller.plus.com" target="_blank">huaraz@moeller.plus.com</a>></span>:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT:1ex;MARGIN:0px 0px 0px 0.8ex;BORDER-LEFT:#ccc 1px solid">
<div dir="ltr">
<div dir="ltr">
<div style="FONT-SIZE:12pt;FONT-FAMILY:'Calibri';COLOR:#000000">
<div>Which OS and Kerberos version do you have? There might be some
issue with the cache used, KEYRING:persistent:0:0<br></div>
<div>Markus</div>
<div> </div>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div style="FONT-SIZE:small;FONT-FAMILY:'Calibri';FONT-WEIGHT:normal;COLOR:#000000;FONT-STYLE:normal;TEXT-DECORATION:none;DISPLAY:inline">
<div>"Olivier CALVANO" <<a href="mailto:o.calvano@gmail.com" target="_blank">o.calvano@gmail.com</a>> wrote in message
news:CAJajPefo3t8b1=_v5PFj3H0gq4Jk3OosuTW8gNHY7Z-Gs21qLg@mail.gmail.com...</div></div></div>
<div style="BORDER-TOP-COLOR:#000000;BORDER-BOTTOM-COLOR:#000000;PADDING-LEFT:5px;MARGIN-LEFT:5px;BORDER-LEFT:#000000 4px solid;BORDER-RIGHT-COLOR:#000000">
<div style="FONT-SIZE:small;FONT-FAMILY:'Calibri';FONT-WEIGHT:normal;COLOR:#000000;FONT-STYLE:normal;TEXT-DECORATION:none;DISPLAY:inline">
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Hi<br><br></div>I request your help because I want to use NTLM/Kerberos to
authenticate my users.<br><br></div>For NTLM, I use Winbind, no problems:
<br><br>[root@gw]# wbinfo -t<br>checking the trust secret for domain
MYADDOMAIN via RPC calls succeeded<br><br></div>but for Kerberos, I can't
create the .keytab<br><br><br>[root@gw]# kinit MYUSERNAME<br>Password for <a href="mailto:MYUSERNAME@MYADDOMAIN.FR" target="_blank">MYUSERNAME@MYADDOMAIN.FR</a>:<br><br>[root@gw]# klist<br>Ticket cache: KEYRING:persistent:0:0<br>Default principal: <a href="mailto:MYUSERNAME@MYADDOMAIN.FR" target="_blank">MYUSERNAME@MYADDOMAIN.FR</a><br><br>Valid starting       Expires              Service principal<br>02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/<a href="mailto:MYADDOMAIN.FR@MYADDOMAIN.FR" target="_blank">MYADDOMAIN.FR@MYADDOMAIN.FR</a><br>
renew until 09/05/2015 04:51:07<br><br></div>MYUSERNAME is the same account
that I used to join the domain (net join) with Winbind<br><br><br></div>After that, I
put:<br><br>msktutil -c -b "CN=COMPUTERS" -s HTTP/<a href="http://gw.srv1-v4.tcy.myinternetdomain.org" target="_blank">gw.srv1-v4.tcy.myinternetdomain.org</a> -k
/etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/<a href="http://gw.srv1-v4.tcy.myinternetdomain.org" target="_blank">gw.srv1-v4.tcy.myinternetdomain.org</a> --server adserver1
--verbose<br>
<div> </div>
<div>and I have an error:<br><br>[root@gw etc]# msktutil -c -b "CN=COMPUTERS"
-s HTTP/<a href="http://gw.srv1-v4.tcy.myinternetdomain.org" target="_blank">gw.srv1-v4.tcy.myinternetdomain.org</a> -k
/etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/<a href="http://gw.srv1-v4.tcy.myinternetdomain.org" target="_blank">gw.srv1-v4.tcy.myinternetdomain.org</a> --server adserver1
--verbose<br>-- init_password: Wiping the computer password structure<br>--
generate_new_password: Generating a new, random password for the computer
account<br>-- generate_new_password: Characters read from /dev/udandom =
84<br>-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-jnxTuG<br>-- reload: Reloading Kerberos Context<br>--
finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$<br>--
try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from
local keytab...<br>-- try_machine_keytab_princ: Error:
krb5_get_init_creds_keytab failed (Client not found in Kerberos
database)<br>-- try_machine_keytab_princ: Authentication with keytab
failed<br>-- try_machine_keytab_princ: Trying to authenticate for host/<a href="http://gw.srv1-v4.tcy.myinternetdomain.org" target="_blank">gw.srv1-v4.tcy.myinternetdomain.org</a> from local
keytab...<br>-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab
failed (Client not found in Kerberos database)<br>-- try_machine_keytab_princ:
Authentication with keytab failed<br>-- try_machine_password: Trying to
authenticate for OPHTCYSRV1V4-K$ with password.<br>--
create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$
is ophtcysrv1v4-k<br>-- try_machine_password: Error:
krb5_get_init_creds_keytab failed (Client not found in Kerberos
database)<br>-- try_machine_password: Authentication with password
failed<br>-- try_user_creds: Checking if default ticket cache has
tickets...<br>-- try_user_creds: Error: krb5_cc_get_principal failed (No
credentials cache found)<br>-- try_user_creds: User ticket cache was not
valid.<br>Error: could not find any credentials to authenticate with. Neither
keytab,<br> default machine password, nor calling
user's tickets worked. Try<br> "kinit"ing yourself
some tickets with permission to create computer<br>
objects, or pre-creating the computer object in AD and
selecting<br> 'reset account'.<br>-- ~KRB5Context:
Destroying Kerberos Context<br><br><br><br></div>
<div>Same error if I change <a href="http://gw.srv1-v4.tcy.myinternetdomain.org" target="_blank">gw.srv1-v4.tcy.myinternetdomain.org</a> to <a href="http://ophtcysrv1v4.myaddomain.fr" target="_blank">ophtcysrv1v4.myaddomain.fr</a><br></div>
<div>
<div>
<div> </div>
<div> </div>
<div>Does anyone know the origin of this error?<br><br></div>
<div>Thanks<br></div>
<div>Olivier<br><br></div>
<div> </div></div></div></div></div></div>
<hr>
_______________________________________________<br>squid-users mailing
list<br><a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br><a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br></div></div></div></div></div><br></blockquote></div>
<div> </div></div>
<p></p></div></div></div></div></div></div></div>
<br></blockquote></div><br></div>
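<p>As an added check (not part of the thread and not msktutil's own code): once msktutil has written the keytab, confirm it holds the HTTP SPN with an AES key and a single KVNO, and note whether RC4 entries (enctype 0x17 in the log above) are present. The listings below are constructed to mirror the final log (KVNO 2, enctypes 0x17/0x11/0x12) and assume the MIT <code>klist -kte</code> column layout.</p>

```shell
#!/bin/sh
# Added example, not from the thread. Reads a `klist -kte <keytab>` listing
# on stdin; $1 is the SPN that must be present with an AES key.
# Exit 0 = OK, 1 = problem. Checks: the SPN has an AES enctype, all entries
# share one KVNO (left-over entries from an older KVNO mean keytab and AD
# are out of step), and RC4 (arcfour-hmac, enctype 23 = 0x17) is reported.
audit_keytab_listing() {
    awk -v spn="$1" '
        $1 ~ /^[0-9]+$/ {                 # data rows start with the KVNO
            kvno[$1] = 1
            enc = $5
            gsub(/[()]/, "", enc)
            sub(/^DEPRECATED:/, "", enc)  # newer klist tags RC4 this way
            if ($4 == spn && enc ~ /^aes/) aes_ok = 1
            if (enc ~ /^arcfour-hmac/) rc4++
            n++
        }
        END {
            rc = 0
            if (n == 0)  { print "FAIL: no keytab entries parsed"; rc = 1 }
            if (!aes_ok) { print "FAIL: no AES key for " spn; rc = 1 }
            k = 0; for (v in kvno) k++
            if (k > 1)   { print "FAIL: " k " different KVNOs (stale entries?)"; rc = 1 }
            if (rc4 > 0) print "WARN: " rc4 " RC4 (arcfour-hmac) entries present"
            if (rc == 0) print "OK: " spn " has an AES key, single KVNO"
            exit rc
        }'
}

# Constructed listing modelled on the thread: KVNO 2, enctypes 23/17/18.
GOOD_LISTING='Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/03/2015 14:02:11 OPHTCYSRV1V4-K$@MYADDOMAIN.FR (arcfour-hmac)
   2 05/03/2015 14:02:11 OPHTCYSRV1V4-K$@MYADDOMAIN.FR (aes128-cts-hmac-sha1-96)
   2 05/03/2015 14:02:11 OPHTCYSRV1V4-K$@MYADDOMAIN.FR (aes256-cts-hmac-sha1-96)
   2 05/03/2015 14:02:11 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (arcfour-hmac)
   2 05/03/2015 14:02:11 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (aes128-cts-hmac-sha1-96)
   2 05/03/2015 14:02:11 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (aes256-cts-hmac-sha1-96)'

# Same keytab with one left-over KVNO 1 entry (constructed): must be flagged.
STALE_LISTING="$GOOD_LISTING
   1 05/01/2015 09:00:00 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (aes256-cts-hmac-sha1-96)"

SPN='HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR'
printf '%s\n' "$GOOD_LISTING"  | audit_keytab_listing "$SPN"
printf '%s\n' "$STALE_LISTING" | audit_keytab_listing "$SPN" || echo "(stale keytab rejected as expected)"
```

On the proxy itself, replace the constructed listing with <code>klist -kte /etc/squid/PROXY.keytab | audit_keytab_listing "$SPN"</code>.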