[squid-users] Access denied using mskutil
Alberto Montes de Oca
snip3rmh at gmail.com
Tue Mar 29 13:17:11 UTC 2022
Hi, I´m trying to set up squid authentication with a Windows AD domain
controller, and everything goes well until I try to check if the host
account updates successfully, using the following commands:
msktutil --auto-update --verbose --dont-expire-password \
-b "CN=SQUIDPROXY,OU=OU_NAME,,DC=MYDOMAIN,DC=XX" \
--user-creds-only \
--computer-name SQUIDPROXY \
-k /etc/squid/squidproxy.keytab \
--server pdc1.mydomain.xx \
--no-reverse-lookups
and I always end up with the same error:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the
computer account
-- generate_new_password: Characters read from /dev/urandom = 93
-- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-atrIYH
-- destroy_g_context: Destroying Kerberos Context
-- initialize_g_context: Creating Kerberos Context
-- finalize_exec: SAM Account Name is: SQUIDPROXY$
-- try_user_creds: Checking if default ticket cache has tickets
-- finalize_exec: Authenticated using method 5
-- LDAPConnection: Connecting to LDAP server: dc1.cip.cu
SASL/GSSAPI authentication started
SASL username: HTTP/squidproxy.mydomain.xx at MYDOMAIN.XX
SASL SSF: 256
SASL data security layer installed.
-- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN,dc=XX
-- ldap_check_account: Checking that a computer account for SQUIDPROXY$
exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x11000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found dNSHostName = squidproxy.mydomain.xx
-- ldap_check_account: Found Principal: host/squidproxy.mydomain.xx
-- ldap_check_account: Found Principal: HTTP/squidproxy.mydomain.xx
-- ldap_check_account: Found User Principal: HTTP/squidproxy.mydomain.xx
-- ldap_check_account_strings: Inspecting (and updating) computer account
attributes
-- ldap_set_supportedEncryptionTypes: No need to change
msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x10000 to 0x1
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
-- ldap_get_kvno: KVNO is 1
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 132929651811891069
Error: Unable to set machine password for SQUIDPROXY$: (5) Access denied
Error: set_password failed
The account I'm using for this procedure is the domain administrator
account, so I don´t know why is giving me an access denied error. This is
the procedure I´m using:
1 - start the session using the domain controller account <kinit
manager at MYDOMAIN.XX>
2 - created the ticket and host account in the domain controller, and
everytihng went well
msktutil -c -b "OU=OU_NAME" \
-s HTTP/squidproxy.mydomain.xx \
-h squidproxy.mydomain.xx \
-k /etc/squid/squidproxy.keytab \
--computer-name SQUIDPROXY \
--upn HTTP/squidproxy.mydomain.xx \
--server pdc1.mydomain.xx \
--verbose \
--dont-expire-password \
--no-reverse-lookups \
--enctypes 28
3 - checked if the previous procedure went well by typing the following and
it returns nothing as it should
kinit -k HTTP/squidproxy.mydomain.xx
4 - Checked the keytab with klist -k and then changed the permissions and
owner to the keytab file (640 / proxy:proxy)
Then the error when I try to check if the host account updates succesfuly
as explained at the begining, any ideas why this is happening? I would
appreciate the help!!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20220329/66e50ebc/attachment.htm>
More information about the squid-users
mailing list