So this worked?

Markus

"Olivier CALVANO" <o.calv...@gmail.com> wrote in message 
news:cajajpeddju9t4qaipsmt-5jusn4gf6nj0pff3jbj+bzxztx...@mail.gmail.com...
Oh, I have deleted "--enctypes 28"


and now:

[root@gw msktutil-1.0rc1]# ./msktutil -c -b "CN=COMPUTERS" -s 
HTTP/ophtcysrv1v4.myaddomain.fr -k /etc/squid/PROXY.keytab --computer-name 
OPHTCYSRV1V4-K --upn HTTP/ophtcysrv1v4.myaddomain.fr --server 
myad.myaddomain.fr --verbose
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer 
account
-- generate_new_password:  Characters read from /dev/urandom = 94
-- create_fake_krb5_conf: Created a fake krb5.conf file: 
/tmp/.msktkrb5.conf-RyUQcT
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
-- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from 
local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such 
file or directory)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from 
local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such 
file or directory)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/mydnshostname.fr 
from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with 
password.
-- create_default_machine_password: Default machine password for 
OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed 
(Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 5
-- LDAPConnection: Connecting to LDAP server: myad.myaddomain.fr
SASL/GSSAPI authentication started
SASL username: myusern...@myaddomain.fr
SASL SSF: 56
SASL data security layer installed.
-- ldap_get_base_dn: Determining default LDAP base: dc=SODIAAL,dc=FR
-- ldap_check_account: Checking that a computer account for OPHTCYSRV1V4-K$ 
exists
-- ldap_check_account: Checking computer account - found
-- ldap_check_account: Found userAccountControl = 0x1000
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found dNSHostName = mydnshostname.fr
-- ldap_check_account: userPrincipal specified on command line
-- ldap_check_account_strings: Inspecting (and updating) computer account 
attributes
-- ldap_check_account_strings: Found userPrincipalName = 
HTTP/ophtcysrv1v4.myaddomain...@myaddomain.fr
-- ldap_check_account_strings: userPrincipalName should be 
HTTP/ophtcysrv1v4.myaddomain...@myaddomain.fr
-- ldap_check_account_strings: Nothing to do
-- ldap_set_supportedEncryptionTypes: No need to change 
msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 
to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
-- ldap_get_kvno: KVNO is 1
-- set_password: Attempting to reset computer's password
-- set_password: Try change password using user's ticket cache
-- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776
-- set_password: Successfully set password.
-- ldap_add_principal: Checking that adding principal 
HTTP/ophtcysrv1v4.myaddomain.fr to OPHTCYSRV1V4-K$ won't cause a conflict
-- ldap_add_principal: Adding principal HTTP/ophtcysrv1v4.myaddomain.fr to LDAP 
entry
-- ldap_add_principal: Checking that adding principal host/mydnshostname.fr to 
OPHTCYSRV1V4-K$ won't cause a conflict
-- ldap_add_principal: Adding principal host/mydnshostname.fr to LDAP entry
-- execute: Updating all entries for mydnshostname.fr in the keytab 
WRFILE:/etc/squid/PROXY.keytab
-- update_keytab: Updating all entries for OPHTCYSRV1V4-K$
-- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, 
enctype=23
-- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, 
enctype=17
-- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, 
enctype=18
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: 
HTTP/ophtcysrv1v4.myaddomain.fr
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: host/OPHTCYSRV1V4-K
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- update_keytab: Entries for SPN HTTP/ophtcysrv1v4.myaddomain.fr have already 
been added. Skipping ...
-- add_principal_keytab: Adding principal to keytab: host/mydnshostname.fr
-- add_principal_keytab: Removing entries with kvno < 0
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x17
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x11
-- add_principal_keytab:     Using salt of 
myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
-- add_principal_keytab:   Adding entry of enctype 0x12
-- wait_for_new_kvno: Checking new kvno via ldap
-- ldap_get_kvno: KVNO is 1
Waiting for account replication (0 seconds past)
-- ldap_get_kvno: KVNO is 2
-- ~KRB5Context: Destroying Kerberos Context




Is it good for you?


regards

olivier



2015-05-03 13:25 GMT+02:00 Markus Moeller <hua...@moeller.plus.com>:

  Did you compile msktutil or is it a package in CentOS?

  Markus

  "Olivier CALVANO" <o.calv...@gmail.com> wrote in message 
news:cajajpecqd+_1krufwa9eac4iyakapzblyg-9vuueklgwuec...@mail.gmail.com...
  Hi



  Thanks for your answer

  CentOS Linux release 7.1.1503 (Core)

  krb5-workstation-1.12.2-14.el7.x86_64
  krb5-libs-1.12.2-14.el7.x86_64


  regards

  olivier



  2015-05-03 0:25 GMT+02:00 Markus Moeller <hua...@moeller.plus.com>:

    Which OS and Kerberos version do you have? There might be some issue with 
the cache used, KEYRING:persistent:0:0.

    Markus

    "Olivier CALVANO" <o.calv...@gmail.com> wrote in message 
news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...
    Hi


    I request your help because I want to use NTLM/Kerberos to authenticate my 
users.


    For NTLM, I use Winbind, no problems:

    [root@gw]# wbinfo -t
    checking the trust secret for domain MYADDOMAIN via RPC calls succeeded


    but for Kerberos, I can't create the .keytab.


    [root@gw]# kinit MYUSERNAME
    Password for myusern...@myaddomain.fr:

    [root@gw]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: myusern...@myaddomain.fr

    Valid starting       Expires              Service principal
    02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/myaddomain...@myaddomain.fr
            renew until 09/05/2015 04:51:07


    MYUSERNAME is the same account I used to join the domain (net join) with 
winbind.



    After that, I run:

    msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org 
-k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn 
HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose


    and I get an error:

    [root@gw etc]# msktutil -c -b "CN=COMPUTERS" -s 
HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab 
--computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org 
--server adserver1 --verbose
    -- init_password: Wiping the computer password structure
    -- generate_new_password: Generating a new, random password for the 
computer account
    -- generate_new_password:  Characters read from /dev/udandom = 84
    -- create_fake_krb5_conf: Created a fake krb5.conf file: 
/tmp/.msktkrb5.conf-jnxTuG
    -- reload: Reloading Kerberos Context
    -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
    -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ 
from local keytab...
    -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed 
(Client not found in Kerberos database)
    -- try_machine_keytab_princ: Authentication with keytab failed
    -- try_machine_keytab_princ: Trying to authenticate for 
host/gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
    -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed 
(Client not found in Kerberos database)
    -- try_machine_keytab_princ: Authentication with keytab failed
    -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with 
password.
    -- create_default_machine_password: Default machine password for 
OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
    -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client 
not found in Kerberos database)
    -- try_machine_password: Authentication with password failed
    -- try_user_creds: Checking if default ticket cache has tickets...
    -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials 
cache found)
    -- try_user_creds: User ticket cache was not valid.
    Error: could not find any credentials to authenticate with. Neither keytab,
         default machine password, nor calling user's tickets worked. Try
         "kinit"ing yourself some tickets with permission to create computer
         objects, or pre-creating the computer object in AD and selecting
         'reset account'.
    -- ~KRB5Context: Destroying Kerberos Context




    Same error if I change gw.srv1-v4.tcy.myinternetdomain.org to 
ophtcysrv1v4.myaddomain.fr.



    Does anyone know the origin of this error?


    thanks

    Olivier




----------------------------------------------------------------------------
    _______________________________________________
    squid-users mailing list
    squid-users@lists.squid-cache.org
    http://lists.squid-cache.org/listinfo/squid-users


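As an added example (not from the thread above, nor from msktutil or Squid), a small Python parser for the MIT keytab format that msktutil writes, with an audit of what a Squid negotiate helper would find in it: which principals are present, their kvno, which enctypes each SPN has, and whether RC4-HMAC (enctype 23, the 0x17 entries in the log above) is among them. It also expands the msDS-supportedEncryptionTypes value 28 that appears in the log into its cipher bits. The sample keytab, the realm spelling MYADDOMAIN.FR and all key bytes are constructed to mirror the run above and are not real keys.

```python
"""Parse and audit an MIT-format Kerberos keytab (file format version 0x0502).
Added example for the squid-users thread; not code from msktutil, Squid or the
posters. Realm spelling and key bytes are constructed, not real.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

WEAK_ENCTYPES = {1, 3, 23}  # des-cbc-crc, des-cbc-md5, arcfour-hmac (RFC 8429)

# Bits of AD's msDS-supportedEncryptionTypes (MS-KILE 2.2.7).
# 28 = 0x1C = RC4-HMAC | AES128 | AES256, the value in the log above.
SUPPORTED_ENCTYPE_BITS = [(0x01, "DES-CBC-CRC"), (0x02, "DES-CBC-MD5"),
                          (0x04, "RC4-HMAC"), (0x08, "AES128-CTS-HMAC-SHA1-96"),
                          (0x10, "AES256-CTS-HMAC-SHA1-96")]

def decode_supported_enctypes(value: int) -> List[str]:
    """Expand an msDS-supportedEncryptionTypes bitmask into cipher names."""
    return [name for bit, name in SUPPORTED_ENCTYPE_BITS if value & bit]

@dataclass
class KeytabEntry:
    principal: str  # e.g. HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR
    kvno: int
    enctype: int  # 17 aes128, 18 aes256, 23 arcfour-hmac
    key: bytes
    timestamp: int = 0

def _counted(data: bytes) -> bytes:
    # Counted octet string: 16-bit big-endian length followed by the bytes.
    return struct.pack(">H", len(data)) + data

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries as keytab v2; used here only to construct test input."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)  # name_type, ts, vno8
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the records; a negative size marks a deleted slot to skip over."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break  # malformed tail: stop rather than spin
        if size < 0:
            pos -= size  # skip the deleted slot
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:  # a non-zero 32-bit vno overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts))
    return entries

def audit_keytab(entries: List[KeytabEntry], required_spn: str) -> Dict:
    """Summarize what a negotiate helper will find for the SPN it must accept."""
    by_princ: Dict[str, set] = {}
    for e in entries:
        by_princ.setdefault(e.principal, set()).add((e.kvno, e.enctype))
    spn_keys = by_princ.get(required_spn, set())
    enctypes = sorted({et for _, et in spn_keys})
    return {
        "principals": sorted(by_princ),
        "has_required_spn": required_spn in by_princ,
        "kvnos": sorted({k for k, _ in spn_keys}),
        "enctypes": enctypes,
        "has_aes": bool({17, 18} & set(enctypes)),
        "weak_enctypes": sorted({e.enctype for e in entries if e.enctype in WEAK_ENCTYPES}),
    }

# Constructed sample mirroring the run above: machine account plus HTTP SPN,
# kvno 2, enctypes 23/17/18, and one deleted slot between the two principals.
REALM = "MYADDOMAIN.FR"  # assumed spelling of the realm
SPN = "HTTP/ophtcysrv1v4.myaddomain.fr@" + REALM
SAMPLE_ENTRIES = [KeytabEntry(p, 2, et, bytes([et]) * n, 1430650000)
                  for p in ("OPHTCYSRV1V4-K$@" + REALM, SPN)
                  for et, n in ((23, 16), (17, 16), (18, 32))]
SAMPLE_KEYTAB = (build_keytab(SAMPLE_ENTRIES[:3])
                 + struct.pack(">i", -8) + b"\x00" * 8  # deleted slot
                 + build_keytab(SAMPLE_ENTRIES[3:])[2:])  # drop repeated version header
```

On a real file, `klist -ket /etc/squid/PROXY.keytab` prints the same principal, kvno and enctype information. Two things worth checking against the log above: the kvno in the keytab must match the one the KDC reports after the password reset (the run waits for KVNO 1 to become 2 for exactly that reason), and an msDS-supportedEncryptionTypes of 28 means the account also carries an RC4-HMAC key, which is why three entries per principal appear; if only AES is wanted, the attribute would be 24.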