Dear Nick,

I was able to successfully create the keytab; however, I used the credentials of the domain admin instead of the squidadmin account.

Markus, please tell me what I am doing wrong that I am unable to create the keytab with the squidadmin account, though I tried to do it according to your guidance. What am I missing? Please guide.

regards,

Bilal Aslam

----------------------------------------
> From: gi...@msn.com
> To: nick.cairncr...@condenast.co.uk; hua...@moeller.plus.com;
> squid-users@squid-cache.org
> Date: Thu, 15 Apr 2010 10:17:40 +0000
> Subject: RE: [squid-users] Re: Re: Creating a kerberos Service Principal.
>
> Nick,
>
> I tried but with not much success.
>
> .................
> No computer account for squid-http found, creating a new one.
> Error: ldap_add_ext_s failed (Insufficient access)
> Error: ldap_check_account failed (No CSI structure available)
> Error: set_password failed
> -- krb5_cleanup: Destroying Kerberos Context
> -- ldap_cleanup: Disconnecting from LDAP server
> -- init_password: Wiping the computer password structure
> ...............................
>
> regards,
>
> Bilal
> ----------------------------------------
>> From: nick.cairncr...@condenast.co.uk
>> To: gi...@msn.com; hua...@moeller.plus.com; squid-users@squid-cache.org
>> Date: Thu, 15 Apr 2010 09:31:40 +0100
>> Subject: Re: [squid-users] Re: Re: Creating a kerberos Service Principal.
>>
>> Bilal,
>>
>> I think we're doing a similar thing here! See my post earlier about SPN. I
>> think you need to be using the fqdn of the machine in the HTTP/ spn & upn
>> and not just the domain. Also check your DNS and host local host entries.
>>
>> E.g.: msktutil -c -b "CN=COMPUTERS" -s HTTP/squid1.[mydomain] -k
>> /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1
>> -verbose
>>
>> Nick
>>
>> On 15/04/2010 07:22, "GIGO ." wrote:
>>
>> Dear Markus/all,
>>
>> I am unable to create the keytab using msktutil. Please help me out; I followed
>> the following steps:
>>
>> 1. I created an OU and named it UnixOU
>> 2. I created a group account in the UnixOU and named it UnixAdmins
>> 3. I made my windows account bilal_admin part of the UnixAdmins group.
>> 4. I set the settings of UnixOU to be managed by UnixAdmins.
>> 5. Then I synched the time of the Squid machine and Active Directory.
>> 6. My domain's fully qualified domain name is v.local and its netbios name is V.
>> 7. My domain controller name is vdc (fqdn=vdc.v.local)
>> 8. The following lines were changed in the krb5.conf, with the rest left
>> untouched.
>>
>> [libdefaults]
>> default_realm=V.LOCAL
>>
>> [realms]
>>
>> V.LOCAL = {
>> kdc = vdc.v.local:88
>> admin_server = kerberos.example.com:749 (e.g. this is not changed; does it matter
>> at the step of creation of the keytab?)
>> default_domain = example.com (unchanged)
>> }
>>
>> Then I ran the following commands to create the keytab:
>>
>> kinit squidad...@v.local
>>
>> msktutil -c -b "OU=unixPrincipals" -s HTTP/v.local -h squidLhrTest.v.local
>> -k /etc/squid/HTTP.keytab --computer-name squid-http --upn HTTP/v.local
>> --server vdc.v.local --verbose
>>
>> Output of the command:
>>
>> -- init_password: Wiping the computer password structure
>> -- finalize_exec: Determining user principal name
>> -- finalize_exec: User Principal Name is: HTTP/v.lo...@v.local
>> -- create_fake_krb5_conf: Created a fake krb5.conf file:
>> /tmp/.mskt-3550krb5.conf
>> -- get_krb5_context: Creating Kerberos Context
>> -- try_machine_keytab: Using the local credential cache:
>> /tmp/.mskt-3550krb5_ccache
>> -- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found
>> in Kerberos database)
>> -- try_machine_keytab: Unable to authenticate using the local keytab
>> -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
>> -- try_ldap_connect: Connecting to LDAP server: vdc.v.local
>> SASL/GSSAPI authentication started
>> SASL username: squidad...@v.local
>> SASL SSF: 56
>> SASL installing layers
>> -- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
>> Warning: No DNS entry found for squidLhrTest.v.local
>> -- get_short_hostname: Determined short hostname: squidLhrTest-v-local
>> -- finalize_exec: SAM Account Name is: squid-http$
>> Updating all entries for squidLhrTest.v.local in the keytab
>> /etc/squid/HTTP.keytab
>> -- try_set_password: Attempting to reset computer's password
>> -- ldap_check_account: Checking that a computer account for squid-http$
>> exists
>> No computer account for squid-http found, creating a new one.
>> Error: ldap_add_ext_s failed (Insufficient access)
>> Error: ldap_check_account failed (No CSI structure available)
>> Error: set_password failed
>> -- krb5_cleanup: Destroying Kerberos Context
>> -- ldap_cleanup: Disconnecting from LDAP server
>> -- init_password: Wiping the computer password structure
>>
>> Please help me resolve the issue.
>>
>> regards,
>>
>> Bilal Aslam
>>
>> ----------------------------------------
>>> To: squid-users@squid-cache.org
>>> From: hua...@moeller.plus.com
>>> Date: Fri, 9 Apr 2010 08:10:19 +0100
>>> Subject: [squid-users] Re: Re: Creating a kerberos Service Principal.
>>>
>>> Hi Bilal,
>>>
>>> I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I
>>> then create a Windows Group UnixAdministrators and add the Windows account
>>> of the UnixAdministrators to it. Finally I change the permissions on the
>>> OU=UnixPrincipals so that the members of the group UnixAdministrators have
>>> full rights (or limited rights) for objects under this OU.
>>>
>>> Regards
>>> Markus
>>>
>>> "GIGO ." wrote in message
>>> news:snt134-w395b3433738667ded2186eb9...@phx.gbl...
>>>
>>> Markus, I could not get you; please can you elaborate a bit.
>>>
>>> thank you all!
>>>
>>> regards,
>>>
>>> Bilal
>>>
>>> ----------------------------------------
>>>> To: squid-users@squid-cache.org
>>>> From: hua...@moeller.plus.com
>>>> Date: Thu, 8 Apr 2010 20:04:30 +0100
>>>> Subject: [squid-users] Re: Creating a kerberos Service Principal.
>>>>
>>>> BTW You do not need Administrator rights. You can set permissions for
>>>> different Groups on OUs, for example for Unix Kerberos Admins.
>>>>
>>>> Markus
>>>>
>>>> "Khaled Blah" wrote in message
>>>> news:n2j4a3250ab1004080957id2f4a051xb31445428c62b...@mail.gmail.com...
>>>>
>>>> Hi Bilal,
>>>>
>>>> 1. ktpass and msktutil practically do the same: they create keytabs
>>>> which include the keys that squid will need to decrypt the ticket it
>>>> receives from the user. However ktpass only creates a file which you
>>>> will then have to securely transfer to your proxy server so that squid
>>>> can access it. Using msktutil on your proxy server, you can get the
>>>> same keytab without having to transfer it. Thus, msktutil saves you
>>>> some time and hassle. AFAIR both need "Administrator" rights, which
>>>> means the account used for ktpass/msktutil needs to be a member of the
>>>> Administrator group.
>>>>
>>>> 2. To answer this question, one would need more information about your
>>>> network and your setup. Basically, mixing any other authentication
>>>> method with Kerberos is not a good idea. That's because if the other
>>>> method is insecure or less secure, an attacker who gains access to a
>>>> user's credentials will be able to impersonate that user against
>>>> Kerberos and thus be able to use ALL services that this user has
>>>> access to. In any case DO NOT use basic auth with Kerberos in a
>>>> public set-up. That's a recipe for disaster. Digest auth and NTLM
>>>> (v2) might be suitable but these are in fact less secure than Kerberos
>>>> and thus not preferable. One down-side to Kerberos is that it's an
>>>> "all-or-nothing" service: either you use Kerberos and only Kerberos or
>>>> you risk security breaches in any "mixed" situation.
>>>>
>>>> HTH
>>>>
>>>> Khaled
>>>>
>>>> 2010/4/6 GIGO . :
>>>>>
>>>>> Dear All,
>>>>>
>>>>> Please guide me in regard to SSO setup with Active Directory (no
>>>>> winbind/Samba). I have the following questions in this regard.
>>>>>
>>>>> 1. Creating a Kerberos service principal and keytab file that is used by
>>>>> Squid: what is the effective method? What is the difference between using ktpass
>>>>> vs the msktutil package? What rights would I require in Active Directory, and
>>>>> if none, then why so?
>>>>>
>>>>> 2. How to configure the fallback authentication scheme if Kerberos fails?
>>>>> LDAP authentication using basic looks to be an option, but isn't it less
>>>>> secure? Is there a better approach possible?
>>>>>
>>>>> regards,
>>>>>
>>>>> Bilal Aslam
>>>>> _________________________________________________________________
>>>>> Hotmail: Powerful Free email with security by Microsoft.
>>>>> https://signup.live.com/signup.aspx?id=60969
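The thread's msktutil run fails at `ldap_add_ext_s` with "Insufficient access" after a successful GSSAPI bind, and Nick separately points at the SPN/UPN naming the domain rather than the proxy host. The following Python is an added example, not code from the thread or from msktutil: it triages a copy of the verbose output quoted above (the sample text is constructed from those lines, with the obfuscated principals filled in as `HTTP/v.local@V.LOCAL` and `squidadmin@V.LOCAL`) and checks `-s`/`--upn` values against the `-h` host the way Nick's advice suggests. The rule texts are the diagnoses discussed in the thread (OU delegation, DNS records, host FQDN in the SPN); the function and rule names are the example's own.

```python
"""Triage helpers for a failed msktutil keytab creation (added example)."""
import re

# Constructed sample: a trimmed copy of the msktutil --verbose output quoted in
# the thread, with the obfuscated principals filled in. Order is preserved.
SAMPLE_OUTPUT = """\
-- finalize_exec: User Principal Name is: HTTP/v.local@V.LOCAL
-- try_machine_keytab: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab: Unable to authenticate using the local keytab
-- try_ldap_connect: Connecting to LDAP server: vdc.v.local
SASL/GSSAPI authentication started
SASL username: squidadmin@V.LOCAL
-- ldap_get_base_dn: Determining default LDAP base: dc=v,dc=local
Warning: No DNS entry found for squidLhrTest.v.local
-- finalize_exec: SAM Account Name is: squid-http$
No computer account for squid-http found, creating a new one.
Error: ldap_add_ext_s failed (Insufficient access)
Error: ldap_check_account failed (No CSI structure available)
Error: set_password failed
"""

# (code, severity, anchored regex, explanation); {0} is the regex's first group.
RULES = [
    ("local_keytab_unusable", "info",
     r"^-- try_machine_keytab: .*\(Client not found in Kerberos database\)$",
     "No usable machine keytab yet; expected on a first run, msktutil falls "
     "back to the kinit credential cache."),
    ("bind_ok", "info", r"^SASL username: (\S+)$",
     "LDAP bind as {0} succeeded, so the admin account authenticated with "
     "Kerberos; a later 'Insufficient access' is an AD permission problem."),
    ("no_dns_entry", "warning", r"^Warning: No DNS entry found for (\S+)$",
     "Host {0} has no DNS record; add A/PTR records (or a hosts entry) so the "
     "SPN host part resolves."),
    ("ou_create_denied", "error",
     r"^Error: ldap_add_ext_s failed \(Insufficient access\)$",
     "The bound account may not create computer objects under the -b base. "
     "Delegate rights on that OU to the Unix admins group (as Markus describes) "
     "and check that -b names the delegated OU."),
]


def triage_msktutil_output(text):
    """Map msktutil --verbose lines to (code, severity, explanation), in output order."""
    findings = []
    for line in text.splitlines():
        for code, severity, pattern, explanation in RULES:
            m = re.match(pattern, line.strip())
            if m:
                findings.append((code, severity, explanation.format(*m.groups())))
    return findings


def check_spn_args(spn, upn, host_fqdn):
    """Flag -s/--upn values whose host part is the bare domain or not the -h host.

    The SPN must carry the proxy's FQDN; the UPN may use the FQDN or the short
    hostname (Nick's example uses the short form for --upn).
    """
    issues = []
    fqdn = host_fqdn.lower()
    short, _, domain = fqdn.partition(".")
    allowed = {"-s": {fqdn}, "--upn": {fqdn, short}}
    for flag, value in (("-s", spn), ("--upn", upn)):
        service, sep, instance = value.partition("/")
        if not sep or not instance:
            issues.append(f"{flag} {value}: no '/host' part; expected "
                          f"{service or 'HTTP'}/{host_fqdn}")
            continue
        inst = instance.lower()
        if domain and inst == domain:
            issues.append(f"{flag} {value}: names the domain, not the host; "
                          f"use {service}/{host_fqdn}")
        elif inst not in allowed[flag]:
            issues.append(f"{flag} {value}: host part '{instance}' does not "
                          f"match -h {host_fqdn}")
    return issues


if __name__ == "__main__":
    for code, severity, message in triage_msktutil_output(SAMPLE_OUTPUT):
        print(f"[{severity}] {code}: {message}")
    # The command line from the thread: both values name the domain, not the host.
    for issue in check_spn_args("HTTP/v.local", "HTTP/v.local", "squidLhrTest.v.local"):
        print("[arg]", issue)
```

Run against real output, feed it the captured stdout/stderr of `msktutil --verbose`; the `bind_ok` finding is what separates "kinit credentials are wrong" from "the account authenticated but the OU does not grant it the right to create the computer object".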