[squid-users] Re: Keytab client not found in kerberos database
Hi Sarfraz, Which helpers do you run ? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab ( You can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal). Markus ***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com... Hi, Today i am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fails to browse internet on other hand IP Based access is working fine. Please help to resolve this error. Thanks. Regards, Sarfraz
Re: [squid-users] Re: Keytab client not found in kerberos database
Hello Markus, Thank you for your reply. As suggest below are result of klist -kt. Keytab name: FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal - 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk one thing to be add, may be it helps!! i am facing this problem after raising Forest and Domain functional level to 2008, before this user authentication was working fine. Regards, Sarfraz - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 5:35 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, Which helpers do you run ? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab ( You can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal). Markus ***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com... Hi, Today i am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fails to browse internet on other hand IP Based access is working fine. Please help to resolve this error. Thanks. Regards, Sarfraz
[squid-users] Re: Keytab client not found in kerberos database
Hi Sarfraz, You didn't say which helper you are running and with which options. The message you get should have nothing to do with authentication but with authorisation (if you use kerberos_ldap_group). You may get a similar message on the Windows client as part of the Kerberos exchange in the TGS reply. Can you do an AD search for an entry with userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk ? What encryption types you get when running klist -ekt squid.keytab ? 2008 may require AES ( If you check the wiki http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will see how to create a keytab for 2008 ) Regards Markus ***some text missing*** wrote in message news:1388753727.91771.yahoomail...@web162406.mail.bf1.yahoo.com... Hello Markus, Thank you for your reply. As suggest below are result of klist -kt. Keytab name: FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal - 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk one thing to be add, may be it helps!! i am facing this problem after raising Forest and Domain functional level to 2008, before this user authentication was working fine. Regards, Sarfraz - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 5:35 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, Which helpers do you run ? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab ( You can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal). Markus ***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com... Hi, Today i am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fails to browse internet on other hand IP Based access is working fine. Please help to resolve this error. Thanks. Regards, Sarfraz
Re: [squid-users] Re: Keytab client not found in kerberos database
here is the helper lines external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk Below entry exists in AD userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk klist -ekt [root@squidkhi1 ~]# klist -ekt /etc/squid/HTTP.keytab Keytab name: FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal - 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with CRC-32) 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with RSA-MD5) 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (ArcFour with HMAC/md5) Regards, Sarfraz Aslam - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 6:31 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, You didn't say which helper you are running and with which options. The message you get should have nothing to do with authentication but with authorisation (if you use kerberos_ldap_group). You may get a similar message on the Windows client as part of the Kerberos exchange in the TGS reply. Can you do an AD search for an entry with userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk ? What encryption types you get when running klist -ekt squid.keytab ? 2008 may require AES ( If you check the wiki http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberosyou will see how to create a keytab for 2008 ) Regards Markus ***some text missing*** wrote in message news:1388753727.91771.yahoomail...@web162406.mail.bf1.yahoo.com... Hello Markus, Thank you for your reply. As suggest below are result of klist -kt. Keytab name: FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal - 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk one thing to be add, may be it helps!! i am facing this problem after raising Forest and Domain functional level to 2008, before this user authentication was working fine. Regards, Sarfraz - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 5:35 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, Which helpers do you run ? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab ( You can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal). Markus ***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com... Hi, Today i am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fails to browse internet on other hand IP Based access is working fine. Please help to resolve this error. Thanks. Regards, Sarfraz
[squid-users] Re: Keytab client not found in kerberos database
Hi Sarfraz, I suggest you re-create the keytab as mentioned on the wiki for a 2008 AD server ( i.e. use --enctypes 28 with msktutil ) Markus ***some text missing*** wrote in message news:1388756850.35698.yahoomail...@web162401.mail.bf1.yahoo.com... here is the helper lines external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk Below entry exists in AD userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk klist -ekt [root@squidkhi1 ~]# klist -ekt /etc/squid/HTTP.keytab Keytab name: FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal - 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with CRC-32) 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with RSA-MD5) 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (ArcFour with HMAC/md5) Regards, Sarfraz Aslam - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 6:31 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, You didn't say which helper you are running and with which options. The message you get should have nothing to do with authentication but with authorisation (if you use kerberos_ldap_group). You may get a similar message on the Windows client as part of the Kerberos exchange in the TGS reply. Can you do an AD search for an entry with userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk ? What encryption types you get when running klist -ekt squid.keytab ? 2008 may require AES ( If you check the wiki http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberosyou will see how to create a keytab for 2008 ) Regards Markus ***some text missing*** wrote in message news:1388753727.91771.yahoomail...@web162406.mail.bf1.yahoo.com... Hello Markus, Thank you for your reply. As suggest below are result of klist -kt. Keytab name: FILE:/etc/squid/HTTP.keytab KVNO TimestampPrincipal - 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk one thing to be add, may be it helps!! i am facing this problem after raising Forest and Domain functional level to 2008, before this user authentication was working fine. Regards, Sarfraz - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 5:35 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, Which helpers do you run ? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab ( You can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal). Markus ***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com... Hi, Today i am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fails to browse internet on other hand IP Based access is working fine. Please help to resolve this error. Thanks. Regards, Sarfraz
Re: [squid-users] Re: Keytab client not found in kerberos database
I really appreciate your support Markus. Thanks Regards, Sarfraz - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 7:03 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, I suggest you re-create the keytab as mentioned on the wiki for a 2008 AD server ( i.e. use --enctypes 28 with msktutil ) Markus ***some text missing*** wrote in message news:1388756850.35698.yahoomail...@web162401.mail.bf1.yahoo.com... here is the helper lines external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk Below entry exists in AD userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk klist -ekt [root@squidkhi1 ~]# klist -ekt /etc/squid/HTTP.keytab Keytab name: FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal - 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with CRC-32) 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with RSA-MD5) 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (ArcFour with HMAC/md5) Regards, Sarfraz Aslam - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 6:31 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, You didn't say which helper you are running and with which options. The message you get should have nothing to do with authentication but with authorisation (if you use kerberos_ldap_group). You may get a similar message on the Windows client as part of the Kerberos exchange in the TGS reply. Can you do an AD search for an entry with userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk ? What encryption types you get when running klist -ekt squid.keytab ? 2008 may require AES ( If you check the wiki http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberosyouwill see how to create a keytab for 2008 ) Regards Markus ***some text missing*** wrote in message news:1388753727.91771.yahoomail...@web162406.mail.bf1.yahoo.com... Hello Markus, Thank you for your reply. As suggest below are result of klist -kt. Keytab name: FILE:/etc/squid/HTTP.keytab KVNO Timestamp Principal - 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk 2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk one thing to be add, may be it helps!! i am facing this problem after raising Forest and Domain functional level to 2008, before this user authentication was working fine. Regards, Sarfraz - Original Message - From: Markus Moeller hua...@moeller.plus.com To: squid-users@squid-cache.org Cc: Sent: Friday, January 3, 2014 5:35 PM Subject: [squid-users] Re: Keytab client not found in kerberos database Hi Sarfraz, Which helpers do you run ? The message you see is most probably from the kerberos_ldap_group helper and means that when the helper tries to authenticate to AD the AD entry with an attribute userprincipalname=HTTP/squid-fqdn can not be found. squid-fqdn being the name you have in your squid keytab ( You can check with klist -kt squid.keytab if you use MIT or ktutil -k squid.keytab list for Heimdal). Markus ***some text missing*** wrote in message news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com... Hi, Today i am having error in squid cache.log error while initialising credentials from keytab client not found in kerberos database squid.. My clients that are authenticating through Active Directory fails to browse internet on other hand IP Based access is working fine. Please help to resolve this error. Thanks. Regards, Sarfraz
