Nick, I tried but with not much success.

.................
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: ldap_check_account failed (No CSI structure available)
Error: set_password failed
-- krb5_cleanup: Destroying Kerberos Context
-- ldap_cleanup: Disconnecting from LDAP server
-- init_password: Wiping the computer password structure
...............................
regards,
Bilal

----------------------------------------
> From: [email protected]
> To: [email protected]; [email protected]; [email protected]
> Date: Thu, 15 Apr 2010 09:31:40 +0100
> Subject: Re: [squid-users] Re: Re: Creating a kerberos Service Principal.
>
> Bilal,
>
> I think we're doing a similar thing here! See my post earlier about SPN. I
> think you need to be using the fqdn of the machine in the HTTP/ spn & upn and
> not just the domain. Also check your DNS and host local host entries.
>
> E.g.: msktutil -c -b "CN=COMPUTERS" -s HTTP/squid1.[mydomain] -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose
>
> Nick
>
> On 15/04/2010 07:22, "GIGO ." wrote:
>
> > Dear Markus/all,
> >
> > I am unable to create the keytab using msktutil; please help me out. I followed
> > the following steps:
> >
> > 1. I created an OU and named it UnixOU
> > 2. I created a group account in the UnixOU and named it UnixAdmins
> > 3. I made my Windows account bilal_admin part of the UnixAdmins group.
> > 4. I set the settings of UnixOU to be managed by UnixAdmins.
> > 5. Then I synced the time of the Squid machine and Active Directory.
> > 6. My domain's fully qualified domain name is v.local and the NetBIOS name is V.
> > 7. My domain controller name is vdc (fqdn=vdc.v.local)
> > 8. The following lines were changed in the krb5.conf while the rest remained
> > untouched.
> >
> > [libdefaults]
> > default_realm=V.LOCAL
> >
> > [realms]
> > V.LOCAL = {
> > kdc = vdc.v.local:88
> > admin_server = kerberos.example.com:749 (e.g. this is not changed; does it matter
> > at the step of creating the keytab?)
> > default_domain = example.com (unchanged)
> > }
> >
> > Then I run the following commands to create the keytab:
> >
> > kinit [email protected]
> >
> > msktutil -c -b "OU=unixPrincipals" -s HTTP/v.local -h squidLhrTest.v.local -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local --server vdc.v.local --verbose
> >
> > Output of the Command:
> >
> > -- init_password: Wiping the computer password structure
> > -- finalize_exec: Determining user principal name
> > -- finalize_exec: User Principal Name is: HTTP/[email protected]
> > -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.mskt-3550krb5.conf
> > -- get_krb5_context: Creating Kerberos Context
> > -- try_machine_keytab: Using the local credential cache: /tmp/.mskt-3550krb5_ccache
> > -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
> > -- try_machine_keytab: Unable to authenticate using the local keytab
> > -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
> > -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
> > SASL/GSSAPI authentication started
> > SASL username: [email protected]
> > SASL SSF: 56
> > SASL installing layers
> > -- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
> > Warning: No DNS entry found for squidLhrTest.v.local
> > -- get_short_hostname: Determined short hostname: squidLhrTest-v-local
> > -- finalize_exec: SAM Account Name is: squid-http$
> > Updating all entries for squidLhrTest.v.local in the keytab /etc/squid/HTTP.keytab
> > -- try_set_password: Attempting to reset computer's password
> > -- ldap_check_account: Checking that a computer account for squid-http$ exists
> > No computer account for squid-http found, creating a new one.
> > Error: ldap_add_ext_s failed (Insufficient access)
> > Error: ldap_check_account failed (No CSI structure available)
> > Error: set_password failed
> > -- krb5_cleanup: Destroying Kerberos Context
> > -- ldap_cleanup: Disconnecting from LDAP server
> > -- init_password: Wiping the computer password structure
> >
> > Please help me resolve the issue.
> >
> > regards,
> >
> > Bilal Aslam
> >
> > ----------------------------------------
>> To: [email protected]
>> From: [email protected]
>> Date: Fri, 9 Apr 2010 08:10:19 +0100
>> Subject: [squid-users] Re: Re: Creating a kerberos Service Principal.
>>
>> Hi Bilal,
>>
>> I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I
>> then create a Windows Group UnixAdministrators and add the Windows account
>> of the UnixAdministrators to it. Finally I change the permissions on the
>> OU=UnixPrincipals so that the members of the group UnixAdministrators have
>> full rights (or limited rights) for objects under this OU.
>>
>> Regards
>> Markus
>>
>> "GIGO ." wrote in message news:[email protected]...
>>
>> Markus, I could not get you; please can you elaborate a bit.
>>
>> thank you all!
>>
>> regards,
>>
>> Bilal
>>
>> ----------------------------------------
>>> To: [email protected]
>>> From: [email protected]
>>> Date: Thu, 8 Apr 2010 20:04:30 +0100
>>> Subject: [squid-users] Re: Creating a kerberos Service Principal.
>>>
>>> BTW You do not need Administrator rights. You can set permission for
>>> different Groups on OUs, for example for Unix Kerberos Admins.
>>>
>>> Markus
>>>
>>> "Khaled Blah" wrote in message news:[email protected]...
>>> Hi Bilal,
>>>
>>> 1. ktpass and msktutil practically do the same, they create keytabs
>>> which include the keys that squid will need to decrypt the ticket it
>>> receives from the user. However ktpass only creates a file which you
>>> will then have to securely transfer to your proxy server so that squid
>>> can access it.
>>> Using msktutil on your proxy server, you can get the
>>> same keytab without having to transfer it. Thus, msktutil saves you
>>> some time and hassle. AFAIR both need "Administrator" rights, which
>>> means the account used for ktpass/msktutil needs to be a member of the
>>> Administrator group.
>>>
>>> 2. To answer this question, one would need more information about your
>>> network and your setup. Basically, mixing any other authentication
>>> method with Kerberos is not a good idea. That's because if the other
>>> method is insecure or less secure, an attacker who gains access to a
>>> user's credentials will be able to impersonate that user against
>>> Kerberos and thus be able to use ALL services that this user has
>>> access to. In any case DO NOT use basic auth with Kerberos in a
>>> public set-up. That's a recipe for disaster. Digest auth and NTLM
>>> (v2) might be suitable but these are in fact less secure than Kerberos
>>> and thus not preferable. One down-side to Kerberos is that it's an
>>> "all-or-nothing" service: either you use Kerberos and only Kerberos or
>>> you risk security breaches in any "mixed" situation.
>>>
>>> HTH
>>>
>>> Khaled
>>>
>>> 2010/4/6 GIGO . :
>>>>
>>>> Dear All,
>>>>
>>>> Please guide me in regard to SSO setup with Active Directory (no
>>>> winbind/Samba). I have the following questions in this regard.
>>>>
>>>> 1. Creating a Kerberos service principal and keytab file that is used by
>>>> the Squid: what is the effective method? Difference between using Ktpass
>>>> vs Msktutil package? What rights would I require in Active Directory, and
>>>> if none then why so?
>>>>
>>>> 2. How to configure the fallback Authentication scheme if Kerberos fails?
>>>> LDAP authentication using basic looks to be an option but isn't it less
>>>> secure? Is there a better approach possible?
>>>>
>>>> regards,
>>>>
>>>> Bilal Aslam
>>>> _________________________________________________________________
>>>> Hotmail: Powerful Free email with security by Microsoft.
>>>> https://signup.live.com/signup.aspx?id=60969
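As an added example (not code from the thread or from msktutil), a Python triage that reads msktutil --verbose output like the run quoted above and checks it against the three points the replies raise: the SPN should carry the proxy's FQDN rather than the bare domain, the name written into the keytab must resolve in DNS, and the OU given with -b must be the one on which the Unix-admins group was delegated rights (in the command above -b names OU=unixPrincipals while the steps describe creating UnixOU). The sample output is constructed from the quoted run, and the delegated_ou argument is hypothetical, since msktutil cannot know where rights were delegated.

```python
import re

# Constructed sample input: the lines of the msktutil --verbose output quoted
# in the thread that the triage below looks at (other lines are omitted).
SAMPLE_OUTPUT = """\
-- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
Warning: No DNS entry found for squidLhrTest.v.local
-- finalize_exec: SAM Account Name is: squid-http$
Updating all entries for squidLhrTest.v.local in the keytab /etc/squid/HTTP.keytab
-- ldap_check_account: Checking that a computer account for squid-http$ exists
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: set_password failed
"""


def triage_msktutil(output, spn, host, base_ou, delegated_ou):
    """Check one msktutil run against the points raised in the replies.

    spn, host and base_ou are the -s, -h and -b arguments that were used.
    delegated_ou is hypothetical: the OU on which the admin group was given
    rights, which msktutil cannot know, so the caller supplies it.
    Returns a list of findings; an empty list means nothing was flagged.
    """
    findings = []
    # Nick's point: the SPN must carry the proxy's FQDN, not the bare domain.
    spn_host = spn.split("/", 1)[1] if "/" in spn else ""
    if spn_host.lower() != host.lower():
        findings.append(
            f"SPN {spn} does not name the proxy host {host}; use HTTP/{host}")
    # Nick's point: the name written into the keytab must resolve.
    dns = re.search(r"^Warning: No DNS entry found for (\S+)$", output, re.M)
    if dns:
        findings.append(f"no DNS entry for {dns.group(1)}; fix DNS or /etc/hosts")
    # Markus's point: creating the computer object under -b needs rights on
    # that OU.  A relative -b is assumed to sit under the printed default base.
    base = re.search(r"default LDAP base: (\S+)$", output, re.M)
    if re.search(r"^Error: ldap_add_ext_s failed \(Insufficient access\)$",
                 output, re.M):
        where = f"{base_ou},{base.group(1)}" if base else base_ou
        if base_ou.lower() != delegated_ou.lower():
            findings.append(f"account creation denied in {where}: -b names "
                            f"{base_ou} but rights were delegated on {delegated_ou}")
        else:
            findings.append(f"account creation denied in {where}: verify the "
                            "delegation lets the group create computer objects")
    return findings
```

Running `triage_msktutil(SAMPLE_OUTPUT, "HTTP/v.local", "squidLhrTest.v.local", "OU=unixPrincipals", "OU=UnixOU")` returns one finding for each of the three points; a run whose SPN matches -h, whose name resolves, and whose -b matches the delegated OU returns an empty list.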
