Dear Nick,
 
I was able to successfully create the keytab; however, I used the credentials of 
the domain admin instead of the squidadmin account.
 
 
Markus,
 
Please tell me what I am doing wrong, as I am unable to create the keytab with 
the squidadmin account even though I tried to follow your guidance. What am I 
missing?
 
Please guide.
 
regards,
 
Bilal Aslam
 


----------------------------------------
> From: gi...@msn.com
> To: nick.cairncr...@condenast.co.uk; hua...@moeller.plus.com; 
> squid-users@squid-cache.org
> Date: Thu, 15 Apr 2010 10:17:40 +0000
> Subject: RE: [squid-users] Re: Re: Creating a kerberos Service Principal.
>
>
> Nick,
>
> I tried but with not much success.
>
> .................
> No computer account for squid-http found, creating a new one.
> Error: ldap_add_ext_s failed (Insufficient access)
> Error: ldap_check_account failed (No CSI structure available)
> Error: set_password failed
> -- krb5_cleanup: Destroying Kerberos Context
> -- ldap_cleanup: Disconnecting from LDAP server
> -- init_password: Wiping the computer password structure
> ...............................
>
>
>
>
> regards,
>
>
> Bilal
> ----------------------------------------
>> From: nick.cairncr...@condenast.co.uk
>> To: gi...@msn.com; hua...@moeller.plus.com; squid-users@squid-cache.org
>> Date: Thu, 15 Apr 2010 09:31:40 +0100
>> Subject: Re: [squid-users] Re: Re: Creating a kerberos Service Principal.
>>
>> Bilal,
>>
>> I think we're doing a similar thing here! See my post earlier about SPN. I 
>> think you need to be using the fqdn of the machine in the HTTP/ spn & upn 
>> and not just the domain. Also check your DNS and host local host entries.
>>
>> E.g.: msktutil -c -b "CN=COMPUTERS" -s HTTP/squid1.[mydomain] -k 
>> /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 
>> -verbose
>>
>> Nick
>>
>>
>>
>> On 15/04/2010 07:22, "GIGO ." wrote:
>>
>>
>>
>> Dear Markus/all,
>>
>>
>> I am unable to create the keytab using msktutil. Please help me out; I 
>> followed these steps:
>>
>> 1. I created an OU and named it UnixOU.
>> 2. I created a group account in the UnixOU and named it UnixAdmins.
>> 3. I made my Windows account bilal_admin a member of the UnixAdmins group.
>> 4. I set the UnixOU to be managed by UnixAdmins.
>> 5. Then I synced the time of the Squid machine and Active Directory.
>> 6. My domain's fully qualified domain name is v.local and its NetBIOS name is V.
>> 7. My domain controller's name is vdc (fqdn=vdc.v.local).
>> 8. The following lines were changed in krb5.conf, with the rest left 
>> untouched.
>>
>> [libdefaults]
>> default_realm=V.LOCAL
>>
>>
>> [realms]
>>
>> V.LOCAL = {
>> kdc = vdc.v.local:88
>> admin_server = kerberos.example.com:749 (this was not changed; does it 
>> matter at the keytab creation step?)
>> default_domain = example.com (unchanged)
>> }
>>
>>
>>
>>
>> Then I ran the following commands to create the keytab:
>>
>> kinit squidad...@v.local
>>
>>
>> msktutil -c -b "OU=unixPrincipals" -s HTTP/v.local -h squidLhrTest.v.local 
>> -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local 
>> --server vdc.v.local --verbose
>>
>> Output of the Command:
>>
>> -- init_password: Wiping the computer password structure
>> -- finalize_exec: Determining user principal name
>> -- finalize_exec: User Principal Name is: HTTP/v.lo...@v.local
>> -- create_fake_krb5_conf: Created a fake krb5.conf file: 
>> /tmp/.mskt-3550krb5.conf
>> -- get_krb5_context: Creating Kerberos Context
>> -- try_machine_keytab: Using the local credential cache: 
>> /tmp/.mskt-3550krb5_ccache
>> -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found 
>> in Kerberos database)
>> -- try_machine_keytab: Unable to authenticate using the local keytab
>> -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
>> -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
>> SASL/GSSAPI authentication started
>> SASL username: squidad...@v.local
>> SASL SSF: 56
>> SASL installing layers
>> -- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
>> Warning: No DNS entry found for squidLhrTest.v.local
>> -- get_short_hostname: Determined short hostname: squidLhrTest-v-local
>> -- finalize_exec: SAM Account Name is: squid-http$
>> Updating all entries for squidLhrTest.v.local in the keytab 
>> /etc/squid/HTTP.keytab
>> -- try_set_password: Attempting to reset computer's password
>> -- ldap_check_account: Checking that a computer account for squid-http$ 
>> exists
>> No computer account for squid-http found, creating a new one.
>> Error: ldap_add_ext_s failed (Insufficient access)
>> Error: ldap_check_account failed (No CSI structure available)
>> Error: set_password failed
>> -- krb5_cleanup: Destroying Kerberos Context
>> -- ldap_cleanup: Disconnecting from LDAP server
>> -- init_password: Wiping the computer password structure
>>
>>
>> Please help me resolve the issue.
>>
>> regards,
>>
>> Bilal Aslam
>>
>>
>>
>>
>> ----------------------------------------
>>> To: squid-users@squid-cache.org
>>> From: hua...@moeller.plus.com
>>> Date: Fri, 9 Apr 2010 08:10:19 +0100
>>> Subject: [squid-users] Re: Re: Creating a kerberos Service Principal.
>>>
>>> Hi Bilal,
>>>
>>> I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I
>>> then create a Windows Group UnixAdministrators and add the Windows account
>>> of the UnixAdministrators to it. Finally I change the permissions on the
>>> OU=UnixPrincipals so that the members of the group UnixAdministrators have
>>> full rights (or limited rights ) for objects under this OU.
>>>
>>> Regards
>>> Markus
>>>
>>> "GIGO ." wrote in message
>>> news:snt134-w395b3433738667ded2186eb9...@phx.gbl...
>>>
>>> Markus, I could not get you; please can you elaborate a bit.
>>>
>>>
>>> thank you all!
>>>
>>> regards,
>>>
>>> Bilal
>>>
>>> ----------------------------------------
>>>> To: squid-users@squid-cache.org
>>>> From: hua...@moeller.plus.com
>>>> Date: Thu, 8 Apr 2010 20:04:30 +0100
>>>> Subject: [squid-users] Re: Creating a kerberos Service Principal.
>>>>
>>>> BTW You do not need Administrator rights. You can set permission for
>>>> different Groups on OUs for example for Unix Kerberos Admins.
>>>>
>>>> Markus
>>>>
>>>> "Khaled Blah" wrote in message
>>>> news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...
>>>> Hi Bilal,
>>>>
>>>> 1. ktpass and msktutil practically do the same, they create keytabs
>>>> which include the keys that squid will need to decrypt the ticket it
>>>> receives from the user. However ktpass only creates a file which you
>>>> will then have to securely transfer to your proxy server so that squid
>>>> can access it. Using msktutil on your proxy server, you can get the
>>>> same keytab without having to transfer it. Thus, msktutil saves you
>>>> some time and hassle. AFAIR both need "Administrator" rights, which
>>>> means the account used for ktpass/msktutil needs to be a member of the
>>>> Administrator group.
>>>>
>>>>
>>>> 2. To answer this question, one would need more information about your
>>>> network and your setup. Basically, mixing any other authentication
>>>> method with Kerberos is not a good idea. That's because if the other
>>>> method is insecure or less secure an attacker who gains access to a
>>>> user's credentials will be able to impersonate that user against
>>>> Kerberos and thus be able to use ALL services that this user has
>>>> access to. In any case DO NOT use basic auth with Kerberos in a
>>>> public set-up. That's a recipe for disaster. Digest auth and NTLM
>>>> (v2) might be suitable but these are in fact less secure than Kerberos
>>>> and thus not preferable. One down-side to Kerberos is that it's an
>>>> "all-or-nothing" service, either you use Kerberos and only Kerberos or
>>>> you risk security breaches in any "mixed" situation.
>>>>
>>>> HTH
>>>>
>>>> Khaled
>>>>
>>>> 2010/4/6 GIGO . :
>>>>>
>>>>> Dear All,
>>>>>
>>>>> Please guide me in regard to SSO setup with Active Directory (no
>>>>> winbind/Samba). I have the following questions in this regard.
>>>>>
>>>>>
>>>>>
>>>>> 1. Creating a Kerberos service principal and keytab file that is used by
>>>>> Squid: what is the effective method? What is the difference between using
>>>>> ktpass vs. msktutil? What rights would I require in Active Directory, and
>>>>> if none, then why so?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2. How to configure a fallback authentication scheme if Kerberos fails?
>>>>> LDAP authentication using Basic looks to be an option, but isn't it less
>>>>> secure? Is there a better approach possible?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> regards,
>>>>>
>>>>> Bilal Aslam
>>>>> _________________________________________________________________
>>>>> Hotmail: Powerful Free email with security by Microsoft.
>>>>> https://signup.live.com/signup.aspx?id=60969
>>>>
>>>>
>>>
>>>
>>
>>
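The unresolved problem in this thread is the "ldap_add_ext_s failed (Insufficient access)" error: the delegated account can bind to the DC over SASL/GSSAPI, but it is not allowed to create the computer object under the OU given to msktutil's -b. Setting an OU's "Managed By" attribute (step 4 in Bilal's post) does not grant any rights; the ACL on the OU itself has to be changed, which is what Markus describes. The following PowerShell is an added example, not code from the thread or from the msktutil project, showing a least-privilege version of that delegation: the group gets only create/delete of computer objects on the OU, and full control over computer objects beneath it, nothing over users or groups. It assumes the RSAT ActiveDirectory module, the OU and group names from Bilal's post, and that it is run once as an account that can change the OU's ACL.

```powershell
# Added example, not code from the thread: delegate to the UnixAdmins group
# the rights msktutil needs on OU=UnixOU, so that a member of that group
# (rather than a Domain Admin) can run "msktutil -c -b ..." from the proxy.
# Assumptions: RSAT ActiveDirectory module is installed, the OU and group
# names are the ones Bilal posted, and this runs as an account that can
# change the OU's ACL (e.g. a Domain Admin, once).
Import-Module ActiveDirectory

$ouDN  = "OU=UnixOU,DC=v,DC=local"   # the OU given to msktutil's -b
$group = "UnixAdmins"                # members will run msktutil

# schemaIDGUID of the AD "computer" class. Scoping the ACEs to this GUID
# means the group gets no rights over users, groups or other object types.
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

$sid = (Get-ADGroup -Identity $group).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1, on the OU itself: create and delete child objects, but only of
# class "computer". This is the right that "ldap_add_ext_s failed
# (Insufficient access)" reports as missing.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# ACE 2, inherited only by computer objects under the OU: full control of
# those objects. msktutil resets the machine password and writes
# servicePrincipalName, dNSHostName, userPrincipalName, userAccountControl
# and msDS-SupportedEncryptionTypes; full control over computer objects
# (and nothing else) is the simplest grant that covers all of them.
$fullOnComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullOnComputers)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Show what the group now holds on the OU, to confirm before retrying msktutil.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize
```

Once the ACEs are in place, retry from the proxy as a member of the group (kinit with the realm in upper case, e.g. squidadmin@V.LOCAL), and use the proxy's FQDN in both -s and --upn as Nick suggested (HTTP/squidLhrTest.v.local rather than HTTP/v.local), after adding the A record that the "No DNS entry found for squidLhrTest.v.local" warning complains about. Then verify the result with `klist -kt /etc/squid/HTTP.keytab` and a keytab-based `kinit -kt /etc/squid/HTTP.keytab HTTP/squidLhrTest.v.local`. The caveat on ACE 2 is that full control over descendant computer objects lets any group member reset the password of every computer in that OU, so keep the OU dedicated to Unix service principals and do not put workstations or member servers under it.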