<div dir="ltr"><div>Hi, I'm trying to set up squid authentication with a Windows AD domain controller, and everything goes well until I try to check if the host account updates successfully, using the following commands:</div><div><br></div><div>msktutil --auto-update --verbose --dont-expire-password \</div>-b "CN=SQUIDPROXY,OU=OU_NAME,,DC=MYDOMAIN,DC=XX" \<br>--user-creds-only \<br>--computer-name SQUIDPROXY \<br>-k /etc/squid/squidproxy.keytab \<br>--server pdc1.mydomain.xx \<br><div>--no-reverse-lookups</div><div><br></div><div>and I always end up with the same error:</div><div> -- init_password: Wiping the computer password structure<br> -- generate_new_password: Generating a new, random password for the computer account<br> -- generate_new_password: Characters read from /dev/urandom = 93<br> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-atrIYH<br> -- destroy_g_context: Destroying Kerberos Context<br> -- initialize_g_context: Creating Kerberos Context<br> -- finalize_exec: SAM Account Name is: SQUIDPROXY$<br> -- try_user_creds: Checking if default ticket cache has tickets<br> -- finalize_exec: Authenticated using method 5<br> -- LDAPConnection: Connecting to LDAP server: dc1.cip.cu<br>SASL/GSSAPI authentication started<br>SASL username: HTTP/squidproxy.mydomain.xx@MYDOMAIN.XX<br>SASL SSF: 256<br>SASL data security layer installed.<br> -- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN,dc=XX<br> -- ldap_check_account: Checking that a computer account for SQUIDPROXY$ exists<br> -- ldap_check_account: Checking computer account - found<br> -- ldap_check_account: Found userAccountControl = 0x11000<br> -- ldap_check_account: Found supportedEncryptionTypes = 28<br> -- ldap_check_account: Found dNSHostName = squidproxy.mydomain.xx
<br> -- ldap_check_account: Found Principal: host/squidproxy.mydomain.xx
<br> -- ldap_check_account: Found Principal: HTTP/squidproxy.mydomain.xx
<br> -- ldap_check_account: Found User Principal: HTTP/squidproxy.mydomain.xx
<br> -- ldap_check_account_strings: Inspecting (and updating) computer account attributes<br> -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28<br> -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0<br> -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000<br> -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1<br> -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000<br> -- ldap_get_kvno: KVNO is 1<br> -- set_password: Attempting to reset computer's password<br> -- set_password: Try change password using user's ticket cache<br> -- ldap_get_pwdLastSet: pwdLastSet is 132929651811891069<br>Error: Unable to set machine password for SQUIDPROXY$: (5) Access denied<br>Error: set_password failed</div><div><br></div><div>The account I'm using for this procedure is the domain administrator account, so I don't know why it is giving me an access denied error. This is the procedure I'm using:</div><div>1 - start the session using the domain controller account &lt;kinit manager@MYDOMAIN.XX&gt;</div><div><br></div><div>2 - created the ticket and host account in the domain controller, and everything went well<br></div><div>msktutil -c -b "OU=OU_NAME" \<br>-s HTTP/squidproxy.mydomain.xx \<br>-h squidproxy.mydomain.xx \<br>-k /etc/squid/squidproxy.keytab \<br>--computer-name SQUIDPROXY \<br>--upn HTTP/squidproxy.mydomain.xx \<br>--server pdc1.mydomain.xx \<br>--verbose \<br>--dont-expire-password \<br>--no-reverse-lookups \</div><div><div>--enctypes 28</div><div><br></div>
</div><div>3 - checked if the previous procedure went well by typing the following, and it returns nothing, as it should<br></div><div>kinit -k HTTP/squidproxy.mydomain.xx</div><div><br></div><div>4 - Checked the keytab with klist -k and then changed the permissions and owner of the keytab file (640 / proxy:proxy)</div><div><br></div><div>Then I get the error when I try to check if the host account updates successfully, as explained at the beginning. Any ideas why this is happening? I would appreciate the help!!<br>
</div></div>
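The verbose msktutil output quoted above carries most of what an AD administrator needs to reason about the failure: the userAccountControl and msDS-supportedEncryptionTypes bitmasks, the pwdLastSet FILETIME, the KVNO, and the principal the LDAP bind actually used. The following script is an added example written for this page (it is not part of the original post and not msktutil's own code): it parses that log format, decodes the bitmasks with the well-known AD constants, converts pwdLastSet to a timestamp, and reports the condition visible in the post, namely that the SASL bind principal is the service's own HTTP/ principal rather than the admin user. The sample log is constructed from the lines quoted in the post; the "ticket cache probably holds the keytab's ticket" finding is a heuristic inference (kinit -k replaces the default credential cache), not a definitive diagnosis.

```python
"""Decode a verbose msktutil run into the facts a Kerberos/AD admin checks.

Added example, not part of the original post or of msktutil. The sample log
below is constructed from the lines quoted in the post above.
"""
import re
from datetime import datetime, timedelta, timezone

# Well-known Active Directory userAccountControl bits (subset relevant here).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

# msDS-supportedEncryptionTypes bits (28 = RC4 + AES128 + AES256).
ENCTYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the relevant lines from the post's msktutil --verbose run.
SAMPLE_LOG = """\
 -- finalize_exec: SAM Account Name is: SQUIDPROXY$
 -- try_user_creds: Checking if default ticket cache has tickets
 -- finalize_exec: Authenticated using method 5
SASL/GSSAPI authentication started
SASL username: HTTP/squidproxy.mydomain.xx@MYDOMAIN.XX
 -- ldap_check_account: Found userAccountControl = 0x11000
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found Principal: host/squidproxy.mydomain.xx
 -- ldap_check_account: Found Principal: HTTP/squidproxy.mydomain.xx
 -- ldap_check_account: Found User Principal: HTTP/squidproxy.mydomain.xx
 -- ldap_get_kvno: KVNO is 1
 -- set_password: Try change password using user's ticket cache
 -- ldap_get_pwdLastSet: pwdLastSet is 132929651811891069
Error: Unable to set machine password for SQUIDPROXY$: (5) Access denied
Error: set_password failed
"""


def decode_bits(value, table):
    """Return the flag names set in value, plus any bits the table doesn't know."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def filetime_to_datetime(filetime):
    """pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_msktutil_log(text):
    """Pull account facts, principals and Error: lines out of --verbose output."""
    report = {"principals": [], "errors": []}
    patterns = {
        "sam_account": r"SAM Account Name is: (\S+)",
        "sasl_username": r"SASL username: (\S+)",
        "uac": r"Found userAccountControl = (0x[0-9a-fA-F]+)",
        "enctypes": r"Found supportedEncryptionTypes = (\d+)",
        "kvno": r"KVNO is (\d+)",
        "pwd_last_set": r"pwdLastSet is (\d+)",
    }
    for line in text.splitlines():
        for key, pat in patterns.items():
            m = re.search(pat, line)
            if m:
                report[key] = m.group(1)
        m = re.search(r"Found (?:User )?Principal: (\S+)", line)
        if m:
            report["principals"].append(m.group(1))
        if line.startswith("Error:"):
            report["errors"].append(line)
    if "uac" in report:
        report["uac"] = int(report["uac"], 16)
    for key in ("enctypes", "kvno", "pwd_last_set"):
        if key in report:
            report[key] = int(report[key])
    return report


def diagnose(report):
    """Turn the parsed facts into findings an operator can act on."""
    findings = []
    if "uac" in report:
        findings.append("userAccountControl: " + ", ".join(decode_bits(report["uac"], UAC_FLAGS)))
    if "enctypes" in report:
        findings.append("supportedEncryptionTypes: " + ", ".join(decode_bits(report["enctypes"], ENCTYPE_FLAGS)))
    if "pwd_last_set" in report:
        findings.append("pwdLastSet: " + filetime_to_datetime(report["pwd_last_set"]).isoformat())
    sasl = report.get("sasl_username", "")
    sam = report.get("sam_account", "")
    # Heuristic: a principal with a '/' is a service principal, not a user.
    if sasl and "/" in sasl.split("@")[0]:
        findings.append(
            f"LDAP bind used service principal {sasl}, not a user: the default "
            "ticket cache probably holds the keytab's ticket (kinit -k replaces "
            "it), so the password reset runs with the computer account's own "
            "rights rather than the admin's")
    if any("Access denied" in e for e in report["errors"]):
        findings.append(f"password reset for {sam} was refused by the DC (Access denied)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_msktutil_log(SAMPLE_LOG)):
        print(finding)
```

Run it on a saved `msktutil --verbose` transcript by replacing SAMPLE_LOG with the file contents; the bind-principal check is the first thing to compare against which kinit was run last, since the post's step 3 (`kinit -k HTTP/...`) and step 1 (`kinit manager@...`) both write the same default credential cache.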