<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Hi Olivier,</DIV>
<DIV> </DIV>
<DIV> You may need to check with the msktutil authors as this is not
directly related to squid. </DIV>
<DIV> </DIV>
<DIV>Regards</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>"Olivier CALVANO" <o.calvano@gmail.com> wrote in message
news:CAJajPecBcrbW+jtiwF2J=ujZ4KwDTWF6oPzJF56pVz+-gfNfLw@mail.gmail.com...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV dir=ltr>
<DIV>Hi<BR><BR></DIV>i have compiled the 1.0rc version :<BR><BR><BR><BR>[root@gw
msktutil-1.0rc1]# ./msktutil -c -b "CN=COMPUTERS" -s HTTP/<A
href="http://ophtcysrv1v4.myaddomain.fr">ophtcysrv1v4.myaddomain.fr</A> -k
/etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/<A
href="http://ophtcysrv1v4.myasdomain.fr">ophtcysrv1v4.myasdomain.fr</A> --server
<A href="http://myad.myaddomain.fr">myad.myaddomain.fr</A> --verbose --enctypes
28<BR>-- init_password: Wiping the computer password structure<BR>--
generate_new_password: Generating a new, random password for the computer
account<BR>-- generate_new_password: Characters read from /dev/urandom =
93<BR>-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-jPXQHu<BR>-- reload: Reloading Kerberos Context<BR>--
finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$<BR>--
try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local
keytab...<BR>-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab
failed (Client not found in Kerberos database)<BR>-- try_machine_keytab_princ:
Authentication with keytab failed<BR>-- try_machine_keytab_princ: Trying to
authenticate for OPHTCYSRV1V4-K$ from local keytab...<BR>--
try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not
found in Kerberos database)<BR>-- try_machine_keytab_princ: Authentication with
keytab failed<BR>-- try_machine_keytab_princ: Trying to authenticate for host/<A
href="http://gw.srv1-v4.tcy.sodiaal.ophelys.org">gw.srv1-v4.tcy.sodiaal.ophelys.org</A>
from local keytab...<BR>-- try_machine_keytab_princ: Error:
krb5_get_init_creds_keytab failed (Client not found in Kerberos database)<BR>--
try_machine_keytab_princ: Authentication with keytab failed<BR>--
try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with
password.<BR>-- create_default_machine_password: Default machine password for
OPHTCYSRV1V4-K$ is ophtcysrv1v4-k<BR>-- try_machine_password: Error:
krb5_get_init_creds_keytab failed (Client not found in Kerberos database)<BR>--
try_machine_password: Authentication with password failed<BR>-- try_user_creds:
Checking if default ticket cache has tickets...<BR>-- finalize_exec:
Authenticated using method 5<BR>-- LDAPConnection: Connecting to LDAP server: <A
href="http://myad.myaddomain.fr">myad.myaddomain.fr</A><BR>SASL/GSSAPI
authentication started<BR>SASL username: <A
href="mailto:Myusername@MYADDOMAIN.FR">Myusername@MYADDOMAIN.FR</A><BR>SASL SSF:
56<BR>SASL data security layer installed.<BR>-- ldap_get_base_dn: Determining
default LDAP base: dc=MYDOMAIN,dc=FR<BR>-- ldap_check_account: Checking that a
computer account for OPHTCYSRV1V4-K$ exists<BR>-- ldap_check_account: Computer
account not found, create the account<BR>No computer account for OPHTCYSRV1V4-K
found, creating a new one.<BR>-- ldap_check_account_strings: Inspecting (and
updating) computer account attributes<BR>-- ldap_check_account_strings: Found
userPrincipalName =<BR>-- ldap_check_account_strings: userPrincipalName should
be HTTP/<A
href="mailto:ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR">ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR</A><BR>--
ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to
0x0<BR>-- ldap_set_userAccountControl_flag: userAccountControl not changed
0x1000<BR>-- ldap_get_kvno: KVNO is 1<BR>-- set_password: Attempting to reset
computer's password<BR>-- set_password: Try change password using user's ticket
cache<BR>-- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776<BR>Error:
Unable to set machine password for OPHTCYSRV1V4-K$: (3) Authentication
error<BR>Error: set_password failed<BR>-- ~KRB5Context: Destroying Kerberos
Context<BR><BR><BR><BR><BR><BR></DIV>
<DIV class=gmail_extra>
<DIV> </DIV>
<DIV class=gmail_quote>2015-05-03 13:25 GMT+02:00 Markus Moeller <SPAN
dir=ltr><<A href="mailto:huaraz@moeller.plus.com"
target=_blank>huaraz@moeller.plus.com</A>></SPAN>:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Did you compile msktutil or is it a package in centos ? </DIV>
<DIV> </DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>"Olivier CALVANO" <<A href="mailto:o.calvano@gmail.com"
target=_blank>o.calvano@gmail.com</A>> wrote in message
news:CAJajPecQD+_1KRUfwa9eAC4iYAKapZBLyg-9vuueKLGWUecopQ@mail.gmail.com...</DIV></DIV></DIV>
<DIV>
<DIV class=h5>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV dir=ltr>
<DIV>
<DIV>
<DIV>Hi<BR><BR><BR></DIV>Thanks for your answer<BR><BR>CentOS Linux release
7.1.1503
(Core)<BR><BR>krb5-workstation-1.12.2-14.el7.x86_64<BR>krb5-libs-1.12.2-14.el7.x86_64<BR><BR></DIV>regards<BR></DIV>olivier<BR><BR></DIV>
<DIV class=gmail_extra>
<DIV> </DIV>
<DIV class=gmail_quote>2015-05-03 0:25 GMT+02:00 Markus Moeller <SPAN
dir=ltr><<A href="mailto:huaraz@moeller.plus.com"
target=_blank>huaraz@moeller.plus.com</A>></SPAN>:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Which OS and Kerberos version do you have ? There might be some
issue with the cache used KEYRING:persistent:0:0<BR></DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>"Olivier CALVANO" <<A href="mailto:o.calvano@gmail.com"
target=_blank>o.calvano@gmail.com</A>> wrote in message
news:CAJajPefo3t8b1=_v5PFj3H0gq4Jk3OosuTW8gNHY7Z-Gs21qLg@mail.gmail.com...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style="FONT-SIZE: small; FONT-FAMILY: 'Calibri'; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; TEXT-DECORATION: none; DISPLAY: inline">
<DIV>
<DIV>
<DIV dir=ltr>
<DIV>
<DIV>
<DIV>
<DIV>
<DIV>Hi<BR><BR></DIV>I request your help because i want use NTLM/Kerberos
for authenticate my user.<BR><BR></DIV>For NTLM, i use Winbind, no problems,
<BR><BR>[root@gw]# wbinfo -t<BR>checking the trust secret for domain
MYADDOMAIN via RPC calls succeeded<BR><BR></DIV>but for Kerberos, i can't
create the .keytab<BR><BR><BR>[root@gw]# kinit MYUSERNAME<BR>Password for <A
href="mailto:MYUSERNAME@MYADDOMAIN.FR"
target=_blank>MYUSERNAME@MYADDOMAIN.FR</A>:<BR><BR>[root@gw]#
klist<BR>Ticket cache: KEYRING:persistent:0:0<BR>Default principal: <A
href="mailto:MYUSERNAME@MYADDOMAIN.FR"
target=_blank>MYUSERNAME@MYADDOMAIN.FR</A><BR><BR>Valid
starting
Expires
Service principal<BR>02/05/2015 04:51:25 02/05/2015 14:51:25
krbtgt/<A href="mailto:MYADDOMAIN.FR@MYADDOMAIN.FR"
target=_blank>MYADDOMAIN.FR@MYADDOMAIN.FR</A><BR>
renew until 09/05/2015 04:51:07<BR><BR></DIV>MYUSERNAME is the same account
that i join the domain (net join) with winbind<BR><BR><BR></DIV>after, i
put:<BR><BR>msktutil -c -b "CN=COMPUTERS" -s HTTP/<A
href="http://gw.srv1-v4.tcy.myinternetdomain.org"
target=_blank>gw.srv1-v4.tcy.myinternetdomain.org</A> -k
/etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/<A
href="http://gw.srv1-v4.tcy.myinternetdomain.org"
target=_blank>gw.srv1-v4.tcy.myinternetdomain.org</A> --server adserver1
--verbose<BR>
<DIV> </DIV>
<DIV>and i have a error:<BR><BR>[root@gw etc]# msktutil -c -b "CN=COMPUTERS"
-s HTTP/<A href="http://gw.srv1-v4.tcy.myinternetdomain.org"
target=_blank>gw.srv1-v4.tcy.myinternetdomain.org</A> -k
/etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/<A
href="http://gw.srv1-v4.tcy.myinternetdomain.org"
target=_blank>gw.srv1-v4.tcy.myinternetdomain.org</A> --server adserver1
--verbose<BR>-- init_password: Wiping the computer password structure<BR>--
generate_new_password: Generating a new, random password for the computer
account<BR>-- generate_new_password: Characters read from /dev/udandom
= 84<BR>-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-jnxTuG<BR>-- reload: Reloading Kerberos Context<BR>--
finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$<BR>--
try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from
local keytab...<BR>-- try_machine_keytab_princ: Error:
krb5_get_init_creds_keytab failed (Client not found in Kerberos
database)<BR>-- try_machine_keytab_princ: Authentication with keytab
failed<BR>-- try_machine_keytab_princ: Trying to authenticate for host/<A
href="http://gw.srv1-v4.tcy.myinternetdomain.org"
target=_blank>gw.srv1-v4.tcy.myinternetdomain.org</A> from local
keytab...<BR>-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab
failed (Client not found in Kerberos database)<BR>--
try_machine_keytab_princ: Authentication with keytab failed<BR>--
try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with
password.<BR>-- create_default_machine_password: Default machine password
for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k<BR>-- try_machine_password: Error:
krb5_get_init_creds_keytab failed (Client not found in Kerberos
database)<BR>-- try_machine_password: Authentication with password
failed<BR>-- try_user_creds: Checking if default ticket cache has
tickets...<BR>-- try_user_creds: Error: krb5_cc_get_principal failed (No
credentials cache found)<BR>-- try_user_creds: User ticket cache was not
valid.<BR>Error: could not find any credentials to authenticate with.
Neither keytab,<BR> default machine password, nor
calling user's tickets worked. Try<BR> "kinit"ing
yourself some tickets with permission to create
computer<BR> objects, or pre-creating the computer
object in AD and selecting<BR> 'reset
account'.<BR>-- ~KRB5Context: Destroying Kerberos
Context<BR><BR><BR><BR></DIV>
<DIV>same error if i change <A
href="http://gw.srv1-v4.tcy.myinternetdomain.org"
target=_blank>gw.srv1-v4.tcy.myinternetdomain.org</A> to <A
href="http://ophtcysrv1v4.myaddomain.fr"
target=_blank>ophtcysrv1v4.myaddomain.fr</A><BR></DIV>
<DIV>
<DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>anyone know the origin of this error ?<BR><BR></DIV>
<DIV>thanks<BR></DIV>
<DIV>Olivier<BR><BR></DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV></DIV>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR><A href="mailto:squid-users@lists.squid-cache.org"
target=_blank>squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users"
target=_blank>http://lists.squid-cache.org/listinfo/squid-users</A><BR></DIV></DIV></DIV></DIV></DIV><BR>_______________________________________________<BR>squid-users
mailing list<BR><A href="mailto:squid-users@lists.squid-cache.org"
target=_blank>squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users"
target=_blank>http://lists.squid-cache.org/listinfo/squid-users</A><BR><BR></BLOCKQUOTE></DIV>
<DIV> </DIV></DIV>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR><A href="mailto:squid-users@lists.squid-cache.org"
target=_blank>squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users"
target=_blank>http://lists.squid-cache.org/listinfo/squid-users</A><BR></DIV></DIV></DIV></DIV></DIV></DIV></DIV><BR>_______________________________________________<BR>squid-users
mailing list<BR><A
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</A><BR><A
href="http://lists.squid-cache.org/listinfo/squid-users"
target=_blank>http://lists.squid-cache.org/listinfo/squid-users</A><BR><BR></BLOCKQUOTE></DIV>
<DIV> </DIV></DIV>
<P>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR>squid-users@lists.squid-cache.org<BR>http://lists.squid-cache.org/listinfo/squid-users<BR></DIV></DIV></DIV></DIV></BODY></HTML>