[squid-users] Re: Keytab client not found in kerberos database

2014-01-03 Thread Markus Moeller

Hi Sarfraz,

Which helpers do you run? The message you see is most probably from the
kerberos_ldap_group helper and means that when the helper tries to
authenticate to AD, the AD entry with an attribute
userprincipalname=HTTP/squid-fqdn cannot be found.

squid-fqdn being the name you have in your squid keytab (you can check
with klist -kt squid.keytab if you use MIT, or ktutil -k squid.keytab
list for Heimdal).


Markus


***some text missing***  wrote in message 
news:1388733659.571.yahoomail...@web162403.mail.bf1.yahoo.com...


Hi,

Today I am having an error in squid cache.log: error while initialising
credentials from keytab client not found in kerberos database squid.. My
clients that are authenticating through Active Directory fail to browse the
internet; on the other hand, IP-based access is working fine. Please help to
resolve this error. Thanks.



Regards,
Sarfraz




Re: [squid-users] Re: Keytab client not found in kerberos database

2014-01-03 Thread ***some text missing***
Hello Markus,
 
Thank you for your reply. As suggested, below is the result of klist -kt.

Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk

One thing to add, maybe it helps: I am facing this problem after raising the
Forest and Domain functional level to 2008; before this, user authentication
was working fine.
 
Regards,
Sarfraz
 




[squid-users] Re: Keytab client not found in kerberos database

2014-01-03 Thread Markus Moeller

Hi Sarfraz,

You didn't say which helper you are running and with which options. The
message you get should have nothing to do with authentication but with
authorisation (if you use kerberos_ldap_group). You may get a similar
message on the Windows client as part of the Kerberos exchange in the TGS
reply.

Can you do an AD search for an entry with
userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk ?

What encryption types do you get when running klist -ekt squid.keytab?
2008 may require AES (if you check the wiki
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos you will
see how to create a keytab for 2008).


Regards
Markus






Re: [squid-users] Re: Keytab client not found in kerberos database

2014-01-03 Thread ***some text missing***
Here are the helper lines:

external_acl_type squid_kerb_ldap_msgroup1 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk
external_acl_type squid_kerb_ldap_msgroup3 ttl=3600 negative_ttl=3600 %LOGIN /usr/libexec/squid/squid_kerb_ldap -g inetg...@mailserver.mcb.com.pk

The entry below exists in AD:
userprincipalname=HTTP/squidkhi1.mailserver.mcb.com.pk

klist -ekt

[root@squidkhi1 ~]# klist -ekt /etc/squid/HTTP.keytab
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with CRC-32)
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (DES cbc mode with RSA-MD5)
   2 10/26/10 17:44:45 HTTP/squidkhi1.mailserver.mcb.com...@mailserver.mcb.com.pk (ArcFour with HMAC/md5)


Regards,
Sarfraz Aslam 



[squid-users] Re: Keytab client not found in kerberos database

2014-01-03 Thread Markus Moeller

Hi Sarfraz,

  I suggest you re-create the keytab as mentioned on the wiki for a 2008 AD 
server ( i.e.  use --enctypes 28 with msktutil )


Markus
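
The keytab check and the --enctypes 28 value from this thread, as an added example that is not part of the original messages: it counts key families in `klist -ekt` output and decodes the bitmask (28 = 4 + 8 + 16). The function names and the example.com principal are assumptions, and the sample output is constructed to mirror the enctypes posted above.

```shell
#!/bin/sh
# decode_enctypes MASK: names selected by an msktutil --enctypes bitmask
# (same bit values as the AD attribute msDS-SupportedEncryptionTypes).
decode_enctypes() {
    out=""
    [ $(( $1 & 1 )) -ne 0 ]  && out="$out des-cbc-crc"
    [ $(( $1 & 2 )) -ne 0 ]  && out="$out des-cbc-md5"
    [ $(( $1 & 4 )) -ne 0 ]  && out="$out rc4-hmac"
    [ $(( $1 & 8 )) -ne 0 ]  && out="$out aes128-cts-hmac-sha1-96"
    [ $(( $1 & 16 )) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    echo "${out# }"
}

# summarize_enctypes: count key families in `klist -ekt` output on stdin.
# Entry lines start with the KVNO and end with "(enctype description)".
summarize_enctypes() {
    awk '
        /^[ \t]*[0-9]+[ \t]/ && match($0, /\(.*\)[ \t]*$/) {
            e = tolower(substr($0, RSTART, RLENGTH))
            if (e ~ /aes/) aes++
            else if (e ~ /arcfour|rc4/) rc4++
            else if (e ~ /des/) des++      # single DES and des3
            else other++
        }
        END { printf "aes=%d rc4=%d des=%d other=%d\n", aes, rc4, des, other }'
}

# needs_rekey: succeeds (exit 0) when the keytab on stdin holds no AES key,
# i.e. it should be re-created before the domain insists on AES tickets.
needs_rekey() {
    case "$(summarize_enctypes)" in
        "aes=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: same enctypes as the 2010 keytab shown in the thread.
sample_old() {
cat <<'EOF'
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   2 10/26/10 17:44:45 HTTP/proxy.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 10/26/10 17:44:45 HTTP/proxy.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
   2 10/26/10 17:44:45 HTTP/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
EOF
}

# With a path argument, audit that keytab; otherwise audit the sample.
if [ $# -gt 0 ]; then klist -ekt "$1"; else sample_old; fi | summarize_enctypes
echo "--enctypes 28 selects: $(decode_enctypes 28)"
```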






Re: [squid-users] Re: Keytab client not found in kerberos database

2014-01-03 Thread ***some text missing***
I really appreciate your support Markus. Thanks
 
Regards,
Sarfraz

