On 1 May 2011 00:00, Markus Moeller <hua...@moeller.plus.com> wrote:
> Hi Go,
>
> For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
Yes I used --enctypes 28
>
> what does klist -e show and what does
> kinit <user>
> kvno HTTP/proxyserver.orangegroup.com
>
> show (<user> being your userid ) ?
Here is the complete output
root@proxyserver:/home/owner# whoami
root
root@proxyserver:/home/owner# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@proxyserver:/home/owner# kinit Administrator
Password for administra...@orangegroup.com:
root@proxyserver:/home/owner# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@orangegroup.com
Valid starting Expires Service principal
05/01/11 09:36:33 05/01/11 19:36:38 krbtgt/orangegroup....@orangegroup.com
renew until 05/02/11 09:36:33, Etype (skey, tkt): ArcFour with
HMAC/md5,ArcFour with HMAC/md5
root@proxyserver:/home/owner# kvno http/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials
for http/proxyserver.orangegroup....@orangegroup.com
root@proxyserver:/home/owner# kvno HTTP/proxyserver.orangegroup.com
kvno: Server not found in Kerberos database while getting credentials
for HTTP/proxyserver.orangegroup....@orangegroup.com
> When you purge tickets (with kerbtray) , start wireshark with a filter on
> port 88 and access a webpage via the proxy do you see any errors in
> wireshark ? Can you send me the capture ?
I will email you the port 88 capture in a sec.
Thanks for your help.
> Markus
>
>
> "Go Wow" <gow...@gmail.com> wrote in message
> news:banlktinski+d9qe6nxrfglxjjkad2gn...@mail.gmail.com...
> I tried with msktutil version 0.4 but same thing is happening.
>
> I followed your guide, firstly with samba/winbind, I created the
> keytab and configure negotiate parameters in squid.conf but when I
> open browser pointing to squid3 as proxy server (with fqdn not IP) it
> prompts for username/password. This system is Windows 7 64 Bit.
>
> Then I tried msktutil. The command I used is same as I mentioned below.
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
> ad01.orangegroup.com --verbose
>
> The output of the command gives me one error saying but creates the keytab
> file
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
> (Client not found in Kerberos database)
>
> I have kerbtray installed on client system and I can see my domains
> krtgt/domain.com listed. As a matter of fact I'm using sharepoint
> server which uses the same method to authenticate and im able to login
> to it without entering username/password. I tried with purging tickets
> but no change.
>
> Regards
>
>
> On 30 April 2011 16:17, Markus Moeller <hua...@moeller.plus.com> wrote:
>>
>> Hi Go,
>>
>> Can you describe in detail what you did ( e.g. exact msktutil command).
>> BTW
>> I updated yesterday the wiki pointing to a newer msktutil (version 0.4)
>> which you should try in the case you use an older version.
>>
>> It looks to me that your client is not able to get the Kerberos ticket
>> from
>> AD why the client falls back to NTLM and the negotiate wrapper deals now
>> with these case.
>>
>> To find out why the client does not get the ticket you can run wireshark
>> and look for traffic on port 88.
>>
>> Markus
>>
>>
>> "Go Wow" <gow...@gmail.com> wrote in message
>> news:banlktinqnrms5t2tq7frn+-noezsmy5...@mail.gmail.com...
>> When I run msktutil I get this line in the output.
>>
>> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>
>> I did kinit before issuing msktutil and it ran successfully. I can see
>> tickets when I issue klist.
>>
>>
>>
>> On 30 April 2011 10:43, Go Wow <gow...@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to configure Kerberos Authentication for squid. I'm
>>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>>> kerberos authentication guide on squid-cache and many other guides, I
>>> always end up with these logs in my cache.log. My client browser keeps
>>> prompting for username/password. Even a valid set of credentials are
>>> not accepted.
>>>
>>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
>>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>> token'
>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>> (length: 59).
>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>> length: 40).
>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>> token'
>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>>> (length: 59).
>>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>>> length: 40).
>>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>>> token'
>>>
>>>
>>> I want to check and make sure my keytab entries are good. How do I do
>>> that? My client System can list the tickets for client principal.
>>>
>>> Please have a look at my krb5.conf & keytab file here
>>> http://pastebin.com/vTBr3r5D
>>>
>>> I'm using this command to create the keytab file.
>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>>> ad01.orangegroup.com --verbose
>>>
>>> All the domains are resolving properly to IPs.
>>>
>>> Thanks for your help.
>>>
>>
>>
>>
>
>
>
