Hi Markus
Thank you.
So, I made my kerberos-configuration from scratch. This will mean:
- Delete computer-account in AD
- Remove /etc/krb5.keytab
- Check with "setspn -L proxy-test-01" if there were no SPN's -> OK.
Then I created the account again with the following command:
./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k
/etc/krb5.keytab --computer-name proxy-test-01 --upn
HTTP/proxy-test-01.xx.yy --server dc 1.xx.yy --verbose
The computer-account was created successfully. In the msktutil-output,
I can see, that the KVNO is set to "2".
On the Domain-Controller, I can also see, that the
"msDS-KeyVersionNumber" is also set to "2".
But I'm not able to authenticate. I got the following squid-cache-error:
2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information. Key version number for principal in key
table is incorrect'
What's wrong here? I tried with "kinit" and "kinit -R" again -> no
success. How can I fix this problem?
Regards
Tom
2010/6/30 Markus Moeller <huaraz_at_moeller.plus.com>:
> Hi Tom
>
> squid_kerb_ldap tries to use the keytab to authenticate squid against AD.
> The keytab contains basically the password for the "user" http/<fqdn> which
> maps in AD to the userprincipalname attribute. In your case squid_kerb_ldap
> tries to use host/proxy-test-01.xx.yy_at_XX.YY but does not find in AD an entry
> which has the userprincipalname attribute with that value and therfore can
> not check group memberships. msktutil has the option --upn � which will set
> the AD attribute accordingly (see
> alsohttp://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
>
>
> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
> host/proxy-test-01.xx.yy_at_XX.YY
> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising credentials
> from keytab : Client not found in Kerberos database
>
> Regards
> Markus
>
> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
> news:AANLkTilZ_WeFjeU1bMnPSgvnhAhTe6RJMr6bjA-uuQ_m_at_mail.gmail.com...
>>
>> Hi
>>
>> I'm trying to authenticate our clients with squid_kerb_ldap against
>> our ad. There exists a global-group called "Internet". My squid.conf
>> looks like this:
>>
>> auth_param negotiate program /usr/local/squid/libexec/squid_kerb_auth -i
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>> external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
>> /usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
>> acl inetAccess external SQUID_KERB_LDAP
>> http_access allow inetAccess
>>
>>
>> My "klist -k" looks like this:
>> proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>> �4 host/proxy-test-01.xx.yy_at_XX.YY
>> �4 host/proxy-test-01.xx.yy_at_XX.YY
>> �4 host/proxy-test-01.xx.yy_at_XX.YY
>> �4 host/proxy-test-01_at_XX.YY
>> �4 host/proxy-test-01_at_XX.YY
>> �4 host/proxy-test-01_at_XX.YY
>> �4 PROXY-TEST-01$@XX.YY
>> �4 PROXY-TEST-01$@XX.YY
>> �4 PROXY-TEST-01$@XX.YY
>> �4 HTTP/proxy-test-01.xx.yy_at_XX.YY
>> �4 HTTP/proxy-test-01.xx.yy_at_XX.YY
>> �4 HTTP/proxy-test-01.xx.yy_at_XX.YY
>> �4 HTTP/proxy-test-01_at_XX.YY
>> �4 HTTP/proxy-test-01_at_XX.YY
>> �4 HTTP/proxy-test-01_at_XX.YY
>> �5 proxy-test-01$@XX.YY
>> �5 proxy-test-01$@XX.YY
>> �5 proxy-test-01$@XX.YY
>> �5 HTTP/proxy-test-01.xx.yy_at_XX.YY
>> �5 HTTP/proxy-test-01.xx.yy_at_XX.YY
>> �5 HTTP/proxy-test-01.xx.yy_at_XX.YY
>> �5 HTTP/proxy-test-01_at_XX.YY
>> �5 HTTP/proxy-test-01_at_XX.YY
>> �5 HTTP/proxy-test-01_at_XX.YY
>> �5 host/proxy-test-01.xx.yy_at_XX.YY
>> �5 host/proxy-test-01.xx.yy_at_XX.YY
>> �5 host/proxy-test-01.xx.yy_at_XX.YY
>>
>>
>> Without squid_kerb_ldap, the internet-access is working fine. With the
>> helper, I got the following errors in the cache.log:
>> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER_at_XX.YY
>> authenticated
>> 2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
>> 2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: group_at_domain
>> Internet_at_NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop:
>> group_at_domain Internet_at_NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: group_at_domain
>> Internet_at_NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: Found group_at_domain Internet_at_NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
>> 2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
>> 2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name
>> /etc/krb5.keytab
>> 2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab
>> /etc/krb5.keytab
>> 2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name: XX.YY
>> 2010/06/30 09:45:48| squid_kerb_ldap: Found principal name:
>> host/proxy-test-01.xx.yy_at_XX.YY
>> 2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to
>> MEMORY:squid_ldap_22001
>> 2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
>> host/proxy-test-01.xx.yy_at_XX.YY
>> 2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
>> credentials from keytab : Client not found in Kerberos database
>> 2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos
>> credential cache
>> 2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of
>> group_at_domain Internet_at_NULL
>> 2010/06/30 09:45:48| squid_kerb_ldap: ERR
>> 2010/06/30 09:45:48| squid_kerb_auth: INFO: User TESTUSER_at_XX.YY
>> authenticated
>>
>> What could this be? The user "testuser" is member of the ad-group
>> "Internet".
>> Thanks a lot.
>> Tom
>>
>
>
>
Received on Thu Jul 01 2010 - 05:42:18 MDT
This archive was generated by hypermail 2.2.0 : Thu Jul 01 2010 - 12:00:04 MDT