<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.10570.1001"></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>I also had problems with msktutil, so I suggest you
try this; see below. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>I'm using it for a few years and it always works (for me
of course). </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT><FONT color=#0000ff size=2
face=Arial><SPAN class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>It should be pretty simple, but the site
squid-cache (wiki) is in my opinion a bit outdated. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>And it's for Amos to adapt it on the
site.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>Amos or Alex, please review below, you might want to
add it. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>And add your parts to it, like running this without a
correct SPN. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>It's tested in use and working since Squid 3.1
up to 4.8. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>Tested on Debian Wheezy (7) up to Buster
(10).</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>Below assumes the server you're setting up does have an
A and PTR record. </SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>(Note: this should be added at the domain join of
winbind, as of Samba 4.x.)</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>This is my howto. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>A Debian-based setup, with Kerberos auth against a
Samba Active Directory</SPAN></FONT><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019><BR>Should be adaptable for any OS, should also work
with MS Active Directory. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>But since I don't have any, I'm not testing it.
</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># Install a minimal OS, at install only choose base +
ssh server. </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019>#
Set up these variables for a copy/paste, might be handy, and then "it just
works" </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019>#
Mandatory to set. </SPAN></FONT><FONT color=#0000ff size=2
face=Arial><SPAN class=631144413-25092019># ADDOM; </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019># This
should match the NetBIOS (NT4) domain name in caps, for example from a login:
NTDOM\username </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>ADDOM="NTDOM" </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019>#
These should be fine, but if you have multiple IP numbers and hostnames, you
might want to adjust these. </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>FQDN="$(hostname -f)"<BR>HOSTN="$(hostname
-s)"<BR><BR></SPAN></FONT><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># Requirements before you start installing the software
like: squid winbind krb5-user</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2 face=Arial>#
Login, sudo to root.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># /etc/resolv.conf, set as follows. <BR>#search
must.match.your.primarydnsdomain.tld<BR># nameserver
ip_of_AD_DC</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># Verify it: </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>grep search /etc/resolv.conf</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>grep nameserver
/etc/resolv.conf</SPAN></FONT></DIV></SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019># If
ok, then run : </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019>apt
update </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019>apt
install squid winbind krb5-user -y</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019># Just
hit enter on every question, the defaults are fine. (verified in
Debian).</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># And now verify /etc/krb5.conf<BR>less
/etc/krb5.conf</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># It should look like this :
<BR>#[libdefaults]<BR># default_realm
= YOUR.Detected_REALM.TLD </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>#</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># The following krb5.conf variables are only for MIT
Kerberos.<BR># kdc_timesync =
1<BR># ccache_type =
4<BR># forwardable =
true<BR># proxiable =
true</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># ... and more.. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019><BR># >> P.S. I never touch
krb5.conf, never needed, it "just works" << </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2 face=Arial># Set
the REALM variable now; the default should be OK, don't touch it. </FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial>REALM="$(grep default_realm
/etc/krb5.conf | awk '{print $NF}')"</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019># It's
used for smb.conf and the auth part of squid. </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT></SPAN></FONT><FONT color=#0000ff size=2
face=Arial></FONT> </DIV></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># then stop squid and samba and configure
it.<BR>systemctl stop squid winbind</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># flush the log, so if you start it you start with
a clean log. </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019><FONT
color=#0000ff size=2
face=Arial>> /var/log/squid/cache.log</FONT></SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># Configure smb.conf and join the AD domain,
the minimal setting for smb.conf.<BR>cp
/etc/samba/smb.conf{,.original}</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>echo "# Auth-Only setup with winbind. ( no Shares
)</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019> workgroup =
${ADDOM}<BR> security = ADS<BR> realm =
${REALM}<BR> netbios name = $(echo
${HOSTN^^})</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019> ## make sure the numbers below never
overlap system ranges, see /etc/adduser.conf <BR> ## map IDs
from outside the domain to tdb files.<BR> idmap config *: backend =
tdb<BR> idmap config *: range = 2000-9999</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019> ## map IDs from the domain; this range and the (*)
range may not overlap!<BR> idmap config ${ADDOM} :
backend = rid<BR> idmap config ${ADDOM} : range =
10000-3999999</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019> kerberos method = secrets and
keytab<BR> dedicated keytab file =
/etc/krb5.keytab</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019> # renew the kerberos
ticket<BR> winbind refresh tickets = yes<BR>" >
/etc/samba/smb.conf</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># And verify it.<BR>less
/etc/samba/smb.conf</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># Next step, join the AD domain. </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># Login/auth with kerberos. <BR>kinit
Administrator</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># and join the domain.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>net ads join -k</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># Creating the squid keytab file.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019>export
KRB5_KTNAME=FILE:/etc/squid/squid-HTTP-${HOSTN}.keytab<BR>net ads keytab ADD
HTTP/${FQDN}</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019><BR>#Verify the keytab file : <BR>klist -ke
/etc/squid/squid-HTTP-${HOSTN}.keytab</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2 face=Arial>#
destroy your authentication ticket for Administrator. </FONT></SPAN></DIV>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2
face=Arial>kdestroy </FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># set correct rights. <BR>chmod 640
/etc/squid/squid-HTTP-${HOSTN}.keytab<BR>chown root:proxy
/etc/squid/squid-HTTP-${HOSTN}.keytab<BR># Note, you might need to change the
"proxy" group name here. </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019># and set up your Squid auth. <BR>echo "auth_param
negotiate program /usr/lib/squid/negotiate_wrapper_auth \\<BR>
--kerberos /usr/lib/squid/negotiate_kerberos_auth
\\<BR> -k /etc/squid/squid-HTTP-${HOSTN}.keytab
\\<BR> -s HTTP/${FQDN}@${REALM}
\\<BR> --ntlm /usr/bin/ntlm_auth
\\<BR> --helper-protocol=gss-spnego
--domain=${ADDOM}</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>auth_param negotiate children 30 startup=5
idle=5<BR>auth_param negotiate keep_alive
on" > /etc/squid/conf.d/auth.conf</SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2
face=Arial>systemctl start winbind squid </FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2 face=Arial># Done
</FONT></SPAN></DIV>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2 face=Arial># And
check the Squid log to see how it started. </FONT></SPAN></DIV>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2 face=Arial>cat
/var/log/squid/cache.log<BR></FONT></SPAN><SPAN class=631144413-25092019><FONT
color=#0000ff size=2 face=Arial></DIV></FONT></SPAN>
<DIV><SPAN class=631144413-25092019><FONT color=#0000ff size=2 face=Arial>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019>Now go
configure the other parts of Squid you need.
</SPAN></FONT></DIV></DIV></FONT></SPAN>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN class=631144413-25092019>And
enjoy. :-) </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT><FONT color=#0000ff size=2
face=Arial></FONT> </DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>Greetz, </SPAN></FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019>Louis</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial><SPAN
class=631144413-25092019></SPAN></FONT> </DIV><BR>
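<DIV>Added example, not part of Louis's howto and not code from the Squid or Samba projects: a small POSIX shell pre-flight script that checks the assumptions the steps above rely on before Squid is started, namely that resolv.conf carries both a search domain and a nameserver, that the realm read from krb5.conf is clean (no stray whitespace, which would otherwise end up inside the SPN and in smb.conf), that the keytab actually contains HTTP/FQDN@REALM, and that the keytab mode is 640 as set above. The host name proxy.example.test, the realm EXAMPLE.TEST and the sample file contents are constructed so the script runs offline; on a real proxy, feed it /etc/krb5.conf, /etc/resolv.conf and the output of "klist -ke" on the squid keytab instead.</DIV>

```shell
#!/bin/sh
# Added example (not from the original post). All names and sample data
# below are constructed; replace them with the real host's files.

# default_realm from krb5.conf text on stdin, whitespace trimmed. The howto's
# grep|awk pipeline does the same job; trimming matters because a stray space
# in REALM would end up inside the SPN and in smb.conf.
detect_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr -d '[:space:]'
}

# Both a search domain and a nameserver present in resolv.conf text on stdin?
resolv_ok() {
    awk '/^search /{s=1} /^nameserver /{n=1} END{exit (s && n) ? 0 : 1}'
}

# Does "klist -ke" output on stdin list the expected principal?
# Data lines look like "   2 HTTP/host@REALM (aes256-cts-hmac-sha1-96)".
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want {f=1} END{exit f ? 0 : 1}'
}

# Keytab mode exactly 640, as the howto sets it (group must be squid's group).
keytab_mode_ok() {
    find "$1" -prune -perm 640 -print 2>/dev/null | grep -q .
}

# Service principal name squid will present, built as in the howto.
expected_spn() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Run all text checks; prints "ok: <spn>" on success, reason on stderr on failure.
preflight() {
    fqdn="$1"; krb5="$2"; resolv="$3"; klist="$4"
    realm=$(printf '%s\n' "$krb5" | detect_realm)
    [ -n "$realm" ] || { echo "no default_realm found in krb5.conf" >&2; return 1; }
    printf '%s\n' "$resolv" | resolv_ok \
        || { echo "resolv.conf needs both search and nameserver" >&2; return 1; }
    spn=$(expected_spn "$fqdn" "$realm")
    printf '%s\n' "$klist" | keytab_has_principal "$spn" \
        || { echo "keytab lacks $spn" >&2; return 1; }
    echo "ok: $spn"
}

# Constructed sample inputs (assumptions, not real hosts).
KRB5_SAMPLE='[libdefaults]
        default_realm = EXAMPLE.TEST
        kdc_timesync = 1'
RESOLV_SAMPLE='search example.test
nameserver 192.0.2.10'
KLIST_SAMPLE='Keytab name: FILE:/etc/squid/squid-HTTP-proxy.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxy.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 HTTP/proxy.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# Demo run on the constructed data.
preflight proxy.example.test "$KRB5_SAMPLE" "$RESOLV_SAMPLE" "$KLIST_SAMPLE"
```

<DIV>The principal check is the one that catches the error the quoted message ran into: when the name squid derives from hostname -f does not match a principal in the keytab, the helper cannot accept tickets, so comparing the expected HTTP/FQDN@REALM string against the klist listing before starting Squid saves a round through cache.log.</DIV>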
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV lang=nl class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> squid-users
[mailto:squid-users-bounces@lists.squid-cache.org] <B>On behalf of </B>Tevfik
Ceydeliler<BR><B>Sent:</B> Wednesday 25 September 2019
13:59<BR><B>To:</B> squid-users@lists.squid-cache.org<BR><B>Subject:</B>
[squid-users] Kerberos and keytab problem<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">Hi, I try to use
kerberos in my squid. But I get an error message :</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">############################33</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">msktutil --auto-update
--verbose --computer-name suqidpnb1 --server dctoyo1.toyo.grp -k
/etc/squid/PROXY.keytab <BR> -- init_password: Wiping the computer
password structure<BR> -- generate_new_password: Generating a new, random
password for the computer account<BR> -- generate_new_password:
Characters read from /dev/urandom = 95<BR> --
create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-QCbGC5<BR> -- destroy_g_context: Destroying Kerberos
Context<BR> -- initialize_g_context: Creating Kerberos
Context<BR> -- finalize_exec: SAM Account Name is: suqidpnb1$<BR> --
try_machine_keytab_princ: Trying to authenticate for suqidpnb1$ from local
keytab<BR> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab
failed (Key table entry not found)<BR> -- try_machine_keytab_princ:
Authentication with keytab failed<BR> -- try_machine_keytab_princ: Trying
to authenticate for SUQIDPNB1$ from local keytab<BR> --
try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Key table
entry not found)<BR> -- try_machine_keytab_princ: Authentication with
keytab failed<BR> -- try_machine_keytab_princ: Trying to authenticate for
host/localhost from local keytab<BR> -- try_machine_keytab_princ: Error:
krb5_get_init_creds_keytab failed (Key table entry not found)<BR> --
try_machine_keytab_princ: Authentication with keytab failed<BR> --
try_machine_password: Trying to authenticate for suqidpnb1$ with
password<BR> -- create_default_machine_password: Default machine password
for suqidpnb1$ is suqidpnb1<BR> -- try_machine_password: Error:
krb5_get_init_creds_keytab failed (Client not found in Kerberos
database)<BR> -- try_machine_password: Authentication with password
failed<BR> -- try_user_creds: Checking if default ticket cache has
tickets<BR> -- try_user_creds: Error: krb5_cc_get_principal failed (No
credentials cache found)<BR> -- try_user_creds: User ticket cache was not
valid<BR>Error: could not find any credentials to authenticate with. Neither
keytab,<BR>default machine password, nor calling user's tickets worked.
Try<BR>"kinit"ing yourself some tickets with permission to create
computer<BR>objects, or pre-creating the computer object in AD and
selecting<BR>'reset account'.<BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">#############################33</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">Can't find why this
happens:</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">My AD is 2012R2
function level</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">I create keytab with
this:</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">msktutil -c -b
"OU=Servers,DC=toyo,DC=grp" -s HTTP/squidtoyopnb1.toyo.grp -k
/etc/squid/PROXY.keytab --computer-name SQUIDPNB1 --upn
HTTP/squidtoyopnb1.toyo.grp --server dctoyo1.toyo.grp --verbose --enctypes
28<BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">Keytab file permission
is:</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">-rw-r----- 1 root
squid 933 Sep 25 13:37 PROXY.keytab<BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">and keytab file (klist
-k output):</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"> 3
SQUIDPNB1$@TOYO.GRP<BR> 3 SQUIDPNB1$@TOYO.GRP<BR> 3
SQUIDPNB1$@TOYO.GRP<BR> 3
HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
HTTP/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
host/squidtoyopnb1@TOYO.GRP<BR> 3
host/squidtoyopnb1@TOYO.GRP<BR> 3
host/squidtoyopnb1@TOYO.GRP<BR> 3
host/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
host/squidtoyopnb1.toyo.grp@TOYO.GRP<BR> 3
host/squidtoyopnb1.toyo.grp@TOYO.GRP<BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">krb5.conf:</DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066">[libdefaults]<BR>default_realm
= TOYO.GRP<BR> dns_lookup_kdc = no<BR>
dns_lookup_realm = no<BR>
ticket_lifetime = 24h<BR> default_keytab_name =
/etc/squid/PROXY.keytab<BR><BR> ; for Windows 2008 with
AES<BR> default_tgs_enctypes =
aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5<BR>
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
des-cbc-crc des-cbc-md5<BR>
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5<BR><BR> [realms]<BR>TOYO.GRP = {<BR>
kdc = dctoyo1.toyo.grp<BR>
kdc =
DCTOYO2.toyo.grp<BR>
admin_server = 10.65.12.254<BR>
default_domain = toyo.grp<BR> }<BR><BR>
[domain_realm]<BR> toyo.grp = TOYO.GRP<BR>
.toyo.grp = TOYO.GRP<BR><BR> [logging]<BR>
kdc = FILE:/var/log/kdc.log<BR> admin_server
= FILE:/var/log/kadmin.log<BR> default =
FILE:/var/log/krb5lib.log<BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV class=gmail_default
style="FONT-FAMILY: verdana,sans-serif; COLOR: #000066"><BR></DIV>
<DIV><BR></DIV>-- <BR>
<DIV class=gmail_signature dir=ltr data-smartmail="gmail_signature">Tevfik
Ceydeliler</DIV></DIV></BLOCKQUOTE></BODY></HTML>