Hi Ok. Did that now and I got:

kvno HTTP/proxy1.domain.com
HTTP/[email protected]: kvno = 5

This number is different from the keytab number. How do I correct this?

Yes I did use samba (net ads join -U adminuserid). Then I tried the msktutil. Then finally ktpass.

During the net ads join I got:

# net ads join -U userid
userid's password:
Using short domain name -- DOMAIN
DNS update failed!
Joined 'PROXY1' to realm 'DOMAIN.COM'

Is the DNS update a problem?

Regards
Umesh

2010/1/15 Markus Moeller <[email protected]>:
> Sorry I forgot to say that you have to do a kinit adu...@realm before you
> issue the kvno command. Did you use the samba net join command to create
> the AD account and the keytab ?
>
> Markus
>
> "Umesh Bodalina" <[email protected]> wrote in message
> news:[email protected]...
> Hi Markus
> I've checked with ADSIEDIT and found a single entry for the linux
> server named proxy1.
> Clicking on its properties I found the following entries for service
> Principal Name:
>
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/PROXY1
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HOST/proxy1.domain.com
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1
> 28,LDAP://adserver/CN=proxy1,OU=Workstations,OU=ComputerAccounts,OU=name,DC=DOMAIN,DC=COM,servicePrincipalName,servicePrincipalName,HTTP/proxy1.domain.com
>
> On the linux box:
>
> # klist -ekt /etc/squid/HTTP.keytab
> Keytab name: FILE:/etc/squid/HTTP.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    7 01/01/70 02:00:00 HTTP/[email protected] (ArcFour with HMAC/md5)
>
> # kvno HTTP/proxy1.domain.com
> kvno: Ticket expired while getting credentials for HTTP/[email protected]
> # kvno HTTP/proxy1
> kvno: Ticket expired while getting credentials for HTTP/[email protected]
>
> Should I remove the entry on AD, rejoin the pc to AD and create the
> keytab again?
> Which mechanism should I use to create the keytab?
> Is my DNS correct if the pc came up on AD as proxy1 should it be the
> fqdn (proxy1.domain.com)?
>
> Regards
> Umesh
>
> 2010/1/13 Markus Moeller <[email protected]>:
>>
>> On AD you can use ADSIEDIT (
>> http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx ) to
>> search for entries and delete, modify them. The best instructions are
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>
>> Let me know what you get once you deleted the old entry. Another check is
>> to use the kvno tool which you should have when you use MIT Kerberos.
>>
>> #kvno HTTP/f...@realm should give the same number as klist -ekt squid.keytab
>> e.g.
>>
>> # klist -ekt /etc/squid/squid.keytab
>> Keytab name: FILE:/etc/squid/squid.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    3 11/25/08 20:54:17 HTTP/[email protected] (ArcFour with HMAC/md5)
>>    3 11/25/08 20:54:17 HTTP/[email protected] (Triple DES cbc mode with HMAC/sha1)
>>    3 11/25/08 20:54:17 HTTP/[email protected] (DES cbc mode with CRC-32)
>>
>> #kvno HTTP/opensuse11.suse.home
>> HTTP/[email protected]: kvno = 3
>>
>>
>> Regards
>> Markus
>>
>> "Umesh Bodalina" <[email protected]> wrote in message
>> news:[email protected]...
>> Hi,
>> I'm new to this. I've run the following command on the server:
>>
>> ldapsearch -L -x -D "aduser" -w "password" -h domainfqdn -p 389 -b
>> "OU=name,DC=domain,DC=com" "serviceprincipalname=HTTP/f...@realm"
>>
>> and get
>> #
>> # LDAPv3
>> # base <OU=name,DC=domain,DC=com> with scope subtree
>> # filter: serviceprincipalname=HTTP/f...@realm
>> # requesting: ALL
>> #
>>
>> # search result
>>
>> # numResponses: 1
>>
>> Is it possible to check directly on AD if this service principal name
>> exists?
>> How else can I test if this keytab works?
>> If I create a new keytab what is the procedure of getting rid of the
>> old one and retesting (what should be done on AD and the linux box)?
>>
>> Are there any docs that will help me with this?
>>
>> Sorry for being a pain and thanks again.
>> Regards
>> Umesh
>>
>>
>> 2010/1/13 Markus Moeller <[email protected]>:
>>>
>>> Can you check with an ldap query (e.g. with ldapadmin from sourceforge)
>>> or search with a filter "(serviceprincipalname=HTTP/f...@realm)" if you have
>>> duplicate entries ?
>>>
>>> This kinit -k -t /etc/squid/squid.keytab HTTP/[email protected] will
>>> only work if the userprincipal name is HTTP/[email protected] which I think
>>> is not the case with ktpass.
>>>
>>>
>>> Regards
>>> Markus
>>>
>>>
>>> "Umesh Bodalina" <[email protected]> wrote in message
>>> news:[email protected]...
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to get the squid helper squid_kerb_auth to work against our
>>>> Active Directory (win 2003 sp2).
>>>>
>>>> I've compiled the latest squid version (squid-2.7.STABLE7) on CentOS 5.4
>>>> 64 bit.
>>>>
>>>> Squid Cache: Version 2.7.STABLE7
>>>> configure options: '--prefix=/usr/local/squid' '--disable-wccp'
>>>> '--disable-wccpv2' '--enable-large-cache-files' '--with-large-files'
>>>> '--enable-delay-pools' '--enable-cachemgr-hostname' '=fqdn'
>>>> '--enable-ntlm-auth-helpers=SMB' '--enable-auth=basic,ntlm,negotiate'
>>>> '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-snmp'
>>>>
>>>>
>>>> A keytab file was created on AD for squid
>>>> (HTTP/[email protected])
>>>>
>>>> ktpass -princ HTTP/f...@realm -mapuser squiduser
>>>> -pass password -out HTTP.keytab
>>>>
>>>> Transferred the file on the CentOS server and placed it
>>>> in /etc/squid/HTTP.keytab
>>>>
>>>>
>>>> kinit -k -t /etc/squid/squid.keytab HTTP/[email protected]
>>>>
>>>> I get the error message:
>>>> kinit(v5): Client not found in Kerberos database while getting initial
>>>> credentials
>>>>
>>>>
>>>> I've also tried creating the keytab file using
>>>> msktutil or samba according to the following doc:
>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>>
>>>> I get the same error.
>>>>
>>>> How do I sort out this problem?
>>>>
>>>> Thanks in advance.
>>>> Regards
>>>> Umesh
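The check Markus describes in the thread (the KVNO in the keytab, from `klist -ekt`, must equal the KVNO the KDC reports, from `kvno`, and `kvno` only works after a `kinit`) can be scripted so the comparison is not done by eye. The script below is an added example and is not part of any message in the thread or of Squid. To run offline it parses constructed sample output that mirrors the format shown above; the realm `DOMAIN.COM` is taken from the `net ads join` output in the thread, the principal names and KVNO values are made up, the `klist -ekt` timestamp is assumed to occupy two whitespace-separated fields as in the thread's output, and the `run_live` helper is a hypothetical wrapper that feeds real MIT Kerberos command output to the same functions.

```shell
#!/bin/sh
# Added example (not from the thread or Squid): compare the key version
# number (KVNO) stored in a keytab with the KVNO the KDC currently uses for
# the same service principal. On a joined host the real inputs are:
#   kinit adminuser@DOMAIN.COM            # kvno needs a valid TGT first
#   klist -ekt /etc/squid/HTTP.keytab     # KVNO per principal in the keytab
#   kvno HTTP/proxy1.domain.com           # KVNO the KDC uses for the service key
# Without the kinit, kvno fails with "Ticket expired ..." as seen in the thread.
# The two sample outputs below are CONSTRUCTED for offline use; realm taken
# from the thread, host names and KVNO values are assumptions.

SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/01/70 02:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
   7 01/01/70 02:00:00 HTTP/proxy1@DOMAIN.COM (ArcFour with HMAC/md5)'

SAMPLE_KVNO='HTTP/proxy1.domain.com@DOMAIN.COM: kvno = 5'

# keytab_kvno PRINCIPAL KLIST_OUTPUT
# Prints every distinct KVNO the keytab holds for PRINCIPAL, one per line
# (a keytab that was appended to several times can hold more than one).
# Assumes the klist -ekt layout: KVNO, date, time, principal, (enctype).
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $4 == p { seen[$1] = 1 }
        END { for (k in seen) print k }' | sort -n
}

# kdc_kvno PRINCIPAL KVNO_OUTPUT
# Prints the KVNO reported by `kvno PRINCIPAL`, or nothing when the output
# is an error line such as "kvno: Ticket expired while getting credentials".
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == (p ":") && $2 == "kvno" && $3 == "=" { print $4 }'
}

# check_kvno PRINCIPAL KLIST_OUTPUT KVNO_OUTPUT
# Exit status 0: keytab holds the KDC's current KVNO.
#             1: keytab is stale (every join/msktutil/ktpass run that resets
#                the account password bumps the KVNO; regenerate the keytab
#                with one tool and do not mix them).
#             2: kvno produced no usable answer (no TGT, unknown SPN, ...).
check_kvno() {
    p=$1
    want=$(kdc_kvno "$p" "$3")
    if [ -z "$want" ]; then
        echo "kvno gave no KVNO for $p (did you kinit first?)"
        return 2
    fi
    for have in $(keytab_kvno "$p" "$2"); do
        if [ "$have" = "$want" ]; then
            echo "OK: keytab KVNO $have matches KDC KVNO $want for $p"
            return 0
        fi
    done
    echo "MISMATCH: keytab has KVNO [$(keytab_kvno "$p" "$2" | tr '\n' ' ')] but KDC uses $want for $p"
    return 1
}

# run_live PRINCIPAL KEYTAB (hypothetical helper): same check on real output.
run_live() {
    check_kvno "$1" "$(klist -ekt "$2")" "$(kvno "$1" 2>&1)"
}

# Demo on the constructed data: keytab KVNO 7 vs KDC KVNO 5 -> MISMATCH, status 1.
check_kvno 'HTTP/proxy1.domain.com@DOMAIN.COM' "$SAMPLE_KLIST" "$SAMPLE_KVNO" \
    || echo "check_kvno exit status: $?"
```

On a real host replace the demo line with `run_live HTTP/proxy1.domain.com@DOMAIN.COM /etc/squid/HTTP.keytab` after a `kinit`; a non-zero status means the keytab will not decrypt the service tickets the KDC is issuing, which is the state the thread's "kvno = 5" versus "KVNO 7" output describes.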
