Hi, I'm trying to set up squid authentication with a Windows AD domain controller, and everything goes well until I try to check if the host account updates successfully, using the following commands:

    msktutil --auto-update --verbose --dont-expire-password \
      -b "CN=SQUIDPROXY,OU=OU_NAME,,DC=MYDOMAIN,DC=XX" \
      --user-creds-only \
      --computer-name SQUIDPROXY \
      -k /etc/squid/squidproxy.keytab \
      --server pdc1.mydomain.xx \
      --no-reverse-lookups

and I always end up with the same error:

    -- init_password: Wiping the computer password structure
    -- generate_new_password: Generating a new, random password for the computer account
    -- generate_new_password: Characters read from /dev/urandom = 93
    -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-atrIYH
    -- destroy_g_context: Destroying Kerberos Context
    -- initialize_g_context: Creating Kerberos Context
    -- finalize_exec: SAM Account Name is: SQUIDPROXY$
    -- try_user_creds: Checking if default ticket cache has tickets
    -- finalize_exec: Authenticated using method 5
    -- LDAPConnection: Connecting to LDAP server: dc1.cip.cu
    SASL/GSSAPI authentication started
    SASL username: HTTP/squidproxy.mydomain...@mydomain.xx
    SASL SSF: 256
    SASL data security layer installed.
    -- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN,dc=XX
    -- ldap_check_account: Checking that a computer account for SQUIDPROXY$ exists
    -- ldap_check_account: Checking computer account - found
    -- ldap_check_account: Found userAccountControl = 0x11000
    -- ldap_check_account: Found supportedEncryptionTypes = 28
    -- ldap_check_account: Found dNSHostName = squidproxy.mydomain.xx
    -- ldap_check_account: Found Principal: host/squidproxy.mydomain.xx
    -- ldap_check_account: Found Principal: HTTP/squidproxy.mydomain.xx
    -- ldap_check_account: Found User Principal: HTTP/squidproxy.mydomain.xx
    -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
    -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
    -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
    -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
    -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x10000 to 0x1
    -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x11000
    -- ldap_get_kvno: KVNO is 1
    -- set_password: Attempting to reset computer's password
    -- set_password: Try change password using user's ticket cache
    -- ldap_get_pwdLastSet: pwdLastSet is 132929651811891069
    Error: Unable to set machine password for SQUIDPROXY$: (5) Access denied
    Error: set_password failed

The account I'm using for this procedure is the domain administrator account, so I don't know why it is giving me an access denied error.

This is the procedure I'm using:

1 - start the session using the domain controller account <kinit mana...@mydomain.xx>

2 - created the ticket and host account in the domain controller, and everything went well

    msktutil -c -b "OU=OU_NAME" \
      -s HTTP/squidproxy.mydomain.xx \
      -h squidproxy.mydomain.xx \
      -k /etc/squid/squidproxy.keytab \
      --computer-name SQUIDPROXY \
      --upn HTTP/squidproxy.mydomain.xx \
      --server pdc1.mydomain.xx \
      --verbose \
      --dont-expire-password \
      --no-reverse-lookups \
      --enctypes 28

3 - checked if the previous procedure went well by typing the following and it returns nothing as it should

    kinit -k HTTP/squidproxy.mydomain.xx

4 - Checked the keytab with klist -k and then changed the permissions and owner to the keytab file (640 / proxy:proxy)

Then the error when I try to check if the host account updates successfully as explained at the beginning, any ideas why this is happening? I would appreciate the help!!

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
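
As an added example (not part of the original post and not msktutil's own code), this Python script reads verbose msktutil output like the log above, reports which principal the LDAP bind actually used so it can be compared with the account the operator meant to act as, and decodes the userAccountControl, supportedEncryptionTypes and pwdLastSet values. The function names and the ADMIN_PLACEHOLDER principal are assumptions; the sample log is constructed from lines quoted in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the decisive lines of the verbose output quoted in the post.
SAMPLE_LOG = """\
SASL username: HTTP/squidproxy.mydomain...@mydomain.xx
-- ldap_check_account: Found userAccountControl = 0x11000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_get_pwdLastSet: pwdLastSet is 132929651811891069
Error: Unable to set machine password for SQUIDPROXY$: (5) Access denied
"""

# Subset of AD userAccountControl bits, including the two msktutil sets in the log.
UAC = {0x2: "ACCOUNTDISABLE", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
       0x10000: "DONT_EXPIRE_PASSWORD", 0x200000: "USE_DES_KEY_ONLY"}
# msDS-SupportedEncryptionTypes bits.
ENCTYPES = {0x1: "DES-CBC-CRC", 0x2: "DES-CBC-MD5", 0x4: "RC4-HMAC",
            0x8: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}

def decode_bits(value, table):
    """Names of the bits set in value, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]

def filetime_to_utc(ft):
    """AD timestamps count 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def _find(pattern, log, conv=str):
    m = re.search(pattern, log)
    return conv(m.group(1)) if m else None

def analyse(log, intended_principal):
    """Summarise a verbose msktutil run; intended_principal is who you meant to act as."""
    bind = _find(r"SASL username: (\S+)", log)
    uac = _find(r"userAccountControl = (0x[0-9a-fA-F]+)", log, lambda s: int(s, 16))
    enc = _find(r"supportedEncryptionTypes = (\d+)", log, int)
    pls = _find(r"pwdLastSet is (\d+)", log, int)
    return {
        "bind_principal": bind,
        # A '/' before the realm means a service/host principal, not a user.
        "bind_is_service_principal": bool(bind) and "/" in bind.split("@")[0],
        "bind_matches_intended": bool(bind) and bind.lower() == intended_principal.lower(),
        "uac_flags": decode_bits(uac, UAC) if uac is not None else [],
        "enctypes": decode_bits(enc, ENCTYPES) if enc is not None else [],
        "pwd_last_set": filetime_to_utc(pls) if pls else None,
        "errors": re.findall(r"^Error: (.+)$", log, re.M),
    }

if __name__ == "__main__":
    # Placeholder principal; substitute the account you ran kinit as.
    for key, value in analyse(SAMPLE_LOG, "ADMIN_PLACEHOLDER@MYDOMAIN.XX").items():
        print(f"{key}: {value}")
```

With --user-creds-only, msktutil acts as whatever principal is in the default ticket cache, which klist (without -k) displays.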