<div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">hello,<br><br>Switching from NTLM certification to Kerberos certification.<br>Sure enough, I'm in trouble.<br><br>Kerberos authentication doesn't work.<br>Please let me know if there is a mistake in the settings.<br><br><br>SPN creation<br>WINTEST(Active Directory)<br>ktpass.exe /princ HTTP/<a href="mailto:c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP">c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP</a> /mapuser <a href="mailto:S139821admin@WINTEST.EXAMPLE.CO.JP">S139821admin@WINTEST.EXAMPLE.CO.JP</a> /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 20201002 /out C:\squid.keytab<br><br><br>PTR record setting<br># nslookup 10.217.192.22<br>22.192.217.10.in-addr.arpa name = <a href="http://c0528004l.wintest.example.co.jp">c0528004l.wintest.example.co.jp</a>.<br><br><br># klist<br>Ticket cache: KCM:1001<br>Default principal: <a href="mailto:lx17070028admin@WIN.EXAMPLE.CO.JP">lx17070028admin@WIN.EXAMPLE.CO.JP</a><br><br>Valid starting Expires Service principal<br>10/12/2020 16:05:10 10/13/2020 02:04:04 ldap/<a href="mailto:a9413001l.win.example.co.jp@WIN.EXAMPLE.CO.JP">a9413001l.win.example.co.jp@WIN.EXAMPLE.CO.JP</a><br> renew until 10/13/2020 02:04:04<br>10/12/2020 16:04:04 10/13/2020 02:04:04 krbtgt/<a href="mailto:WIN.EXAMPLE.CO.JP@WIN.EXAMPLE.CO.JP">WIN.EXAMPLE.CO.JP@WIN.EXAMPLE.CO.JP</a><br> renew until 10/13/2020 02:04:04<br>10/12/2020 16:07:21 10/13/2020 02:04:04 ldap/<a href="mailto:a9401002l.win.example.co.jp@WIN.EXAMPLE.CO.JP">a9401002l.win.example.co.jp@WIN.EXAMPLE.CO.JP</a><br> renew until 10/13/2020 02:04:04<br><br><br>config setting<br>/etc/squid/squid.conf<br># Kerberos Auth<br>auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/<a href="mailto:c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP">c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP</a><br>auth_param negotiate children 20<br>auth_param negotiate keep_alive on<br>acl kerb-auth proxy_auth REQUIRED<br>http_access allow kerb-auth<br><br>--->I get a windows security pop-up in IE.<br><br><br>error message<br>/var/log/squid/cache.log<br>2020/10/12 20:06:31 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Service key not available; }}<br><br><br>Create SPN from server<br>c0528004l(CentOS8.1)<br># net ads keytab create -U <a href="mailto:S139821admin@WINTEST.EXAMPLE.CO.JP">S139821admin@WINTEST.EXAMPLE.CO.JP</a><br>Warning: "kerberos method" must be set to a keytab method to use keytab functions.<br>Enter <a href="mailto:S139821admin@WINTEST.EXAMPLE.CO.JP">S139821admin@WINTEST.EXAMPLE.CO.JP</a>'s password:<br>ads_keytab_open: Invalid kerberos method set (0)<br><br>---> An error occurs and keytab cannot be created.<br><br><br>Please let me know if you have any other information you need.<br><br>Hi Eliezer,<br><br>docker is already installed.<br>We are considering a configuration of at least 6 servers.<br>Whether it will be 8 or 10 has not been verified.<br><br><br>thank you,<br>kitamura<br><br><br>
</blockquote></div></div>