For squid_kerb_ldap to work the AD entry must have a userprincipalname
attribute set to one of the keytab entry names, e.g. HTTP/[email protected].
This is one of the differences of msktutil with --upn to net ads join.
Markus
----- Original Message -----
From: "Rafal Zawierta" <[email protected]>
To: <[email protected]>
Sent: Wednesday, January 19, 2011 11:39 PM
Subject: squid_kerb_ldap question
Hello Markus!
If you don't mind I'd like to ask you for help with my squid_kerb_ldap
problem.
After 2 long days I have squid_kerb_auth working.
I have an Ubuntu host, which was joined to AD by the net join command, AND
krb5.keytab was also created that way.
Now, when I start my squid with kerb_ldap helper I get:
2011/01/20 00:20:14| squid_kerb_ldap: Error while initialising credentials from keytab : Client not found in Kerberos database
2011/01/20 00:20:14| squid_kerb_ldap: Error during setup of Kerberos credential cache
AFAIK the problem is with my keytab - am I right? Is it possible to fix
it without running msktutil? Or is the only good way to delete (?) my
keytab and create a new one with msktutil with the --upn option?
ktutil on proxy server shows me:
ktutil: rkt /etc/squid/HTTP.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/[email protected]
2 2 host/[email protected]
3 2 host/[email protected]
4 2 host/[email protected]
5 2 host/[email protected]
6 2 host/[email protected]
7 2 [email protected]
8 2 [email protected]
9 2 [email protected]
10 2 HTTP/[email protected]
11 2 HTTP/[email protected]
12 2 HTTP/[email protected]
13 2 HTTP/[email protected]
14 2 HTTP/[email protected]
15 2 HTTP/[email protected]
But on the AD server, in AD Users and Computers, there is NO http or
whatever entry in Users. Just ubuntu in Computers.
Regards
Rafal
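
The check described in the reply at the top, as an added example that is not part of the original thread or of squid_kerb_ldap: it parses a ktutil/klist -k listing and compares the account's userPrincipalName with the keytab entry names. The function names, the example.com principals and the sample listing are constructed for illustration; the UPN value is assumed to have been read from the AD entry separately.

```python
import re

# One listing row: optional slot number (ktutil), KVNO, then the principal.
ROW = re.compile(r"^\s*(?:\d+\s+)?(\d+)\s+(\S+@\S+)\s*$")

# Constructed sample in the shape of the `ktutil: l` output quoted above.
SAMPLE = """\
ktutil: l
slot KVNO Principal
---- ---- ------------------------------------
   1    2 host/ubuntu.example.com@EXAMPLE.COM
   2    2 host/ubuntu.example.com@EXAMPLE.COM
   3    2 UBUNTU$@EXAMPLE.COM
   4    2 HTTP/ubuntu.example.com@EXAMPLE.COM
   5    2 HTTP/ubuntu.example.com@EXAMPLE.COM
"""

def keytab_principals(listing):
    """Distinct principal names in listing order.

    A name repeats once per encryption type, so duplicates are dropped;
    prompt, header and separator lines do not match ROW and are skipped.
    """
    names = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m and m.group(2) not in names:
            names.append(m.group(2))
    return names

def check_upn(listing, upn):
    """Compare an AD userPrincipalName value with the keytab entry names.

    Returns (status, keytab_principal) where status is one of
    'match', 'case-differs', 'unset' or 'no-match'.
    """
    if not upn:
        return ("unset", None)          # attribute absent or empty on the account
    names = keytab_principals(listing)
    if upn in names:
        return ("match", upn)
    for name in names:
        if name.lower() == upn.lower():
            return ("case-differs", name)   # same name, different spelling of case
    return ("no-match", None)

if __name__ == "__main__":
    for upn in ("HTTP/ubuntu.example.com@EXAMPLE.COM", "", "squid@EXAMPLE.COM"):
        print(repr(upn), "->", check_upn(SAMPLE, upn))
```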