Hi Markus,

I've checked with ADSIEDIT and found a single entry for the Linux server named proxy1. Clicking on its properties I found the following entries for servicePrincipalName:
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com

On the Linux box:

# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/[email protected] (ArcFour with HMAC/md5)

# kvno HTTP/proxy1.domain.com
kvno: Ticket expired while getting credentials for HTTP/[email protected]

# kvno HTTP/proxy1
kvno: Ticket expired while getting credentials for HTTP/[email protected]

Should I remove the entry on AD, rejoin the PC to AD and create the keytab again?
Which mechanism should I use to create the keytab?
Is my DNS correct? If the PC came up on AD as proxy1, should it be the FQDN (proxy1.domain.com)?

Regards
Umesh

2010/1/13 Markus Moeller <[email protected]>:
> On AD you can use ADSIEDIT (
> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
> search for entries and delete or modify them. The best instructions are
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
> Let me know what you get once you have deleted the old entry. Another check is
> to use the kvno tool, which you should have when you use MIT Kerberos.
>
> #kvno HTTP/f...@realm should give the same number as klist -ekt squid.keytab
> e.g.
>
> # klist -ekt /etc/squid/squid.keytab
> Keytab name: FILE:/etc/squid/squid.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 11/25/08 20:54:17 HTTP/[email protected] (ArcFour with HMAC/md5)
>    3 11/25/08 20:54:17 HTTP/[email protected] (Triple DES cbc mode with HMAC/sha1)
>    3 11/25/08 20:54:17 HTTP/[email protected] (DES cbc mode with CRC-32)
>
> #kvno HTTP/opensuse11.suse.home
> HTTP/[email protected]: kvno = 3
>
> Regards
> Markus
>
> "Umesh Bodalina" <[email protected]> wrote in message
> news:[email protected]...
> Hi,
> I'm new to this. I've run the following command on the server:
>
> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/f...@realm"
>
> and get
>
> #
> # LDAPv3
> # base <OU=name,DC=domain,DC=com> with scope subtree
> # filter: serviceprincipalname=HTTP/f...@realm
> # requesting: ALL
> #
>
> # search result
>
> # numResponses: 1
>
> Is it possible to check directly on AD if this service principal name exists?
> How else can I test if this keytab works?
> If I create a new keytab, what is the procedure for getting rid of the
> old one and retesting (what should be done on AD and the Linux box)?
>
> Are there any docs that will help me with this?
>
> Sorry for being a pain and thanks again.
> Regards
> Umesh
>
> 2010/1/13 Markus Moeller <[email protected]>:
>>
>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge) or
>> search with a filter "(serviceprincipalname=HTTP/f...@realm)" if you have
>> duplicate entries?
>>
>> This kinit -k -t /etc/squid/squid.keytab HTTP/[email protected] will
>> only work if the userprincipal name is HTTP/[email protected], which I think
>> is not the case with ktpass.
>>
>> Regards
>> Markus
>>
>> "Umesh Bodalina" <[email protected]> wrote in message
>> news:[email protected]...
>>>
>>> Hi,
>>>
>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>> Active Directory (win 2003 sp2).
>>>
>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>> 64 bit.
>>>
>>> Squid Cache: Version 2.7.STABLE7
>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>
>>> A keytab file was created on AD for squid
>>> (HTTP/[email protected])
>>>
>>> ktpass -princ HTTP/f...@realm -mapuser squiduser
>>> -pass password -out HTTP.keytab
>>>
>>> Transferred the file to the CentOS server and placed it
>>> in /etc/squid/HTTP.keytab
>>>
>>> kinit -k -t /etc/squid/squid.keytab HTTP/[email protected]
>>>
>>> I get the error message:
>>> kinit(v5): Client not found in Kerberos database while getting initial
>>> credentials
>>>
>>> I've also tried creating the keytab file using
>>> msktutil or samba according to the following doc:
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> I get the same error.
>>>
>>> How do I sort out this problem?
>>>
>>> Thanks in advance.
>>> Regards
>>> Umesh
