Hi Tom,
The important ticket is the one on the client (I assume a XP PC). Windows
will usually renew the ticket automatically every 10 hours for 7 days. The
proxy will request new tickets for the ldap authentication, but uses a
memory cache which you can not access.
Regards
Markus
"Tom Tux" <tomtu...@gmail.com> wrote in message
news:aanlktikqgflht3qy1hpgplvk7z5jueutwdk-bod0f...@mail.gmail.com...
Hi Markus
Is it necessary to renew periodically the kerberos-ticket? I've
defined a a ticket_lifetime for 24h.
I've now the following output:
proxy-test-01:~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: u...@xx.yy
Valid starting Expires Service principal
07/01/10 08:47:31 07/01/10 18:47:33 krbtgt/xx...@xx.yy
renew until 07/02/10 07:34:41
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Now, the ticket seems to be expired. But I'm still able to
authenticate. Why? What is the behavior, if the kerberos-ticket is
expired? If I try to renew with "kinit -R", I got the following error:
proxy-test-01:~ # kinit -R
kinit(v5): Ticket expired while renewing credentials
Is this normal? How can I solve this behavior?
Thanks you.
Regards,
Tom
2010/7/1 Markus Moeller <hua...@moeller.plus.com>:
You could have used a tool like kerbtray or just lock and unlock the PC
which would have refreshed the cache.
Regards
Markus
"Tom Tux" <tomtu...@gmail.com> wrote in message
news:aanlktiljgrnzru9wxivap0tj22onxaknjanbczlvs...@mail.gmail.com...
Hi Markus
This problem is solved now. I rebootet the client, which results in
clearing the client-kerberos cache. Now I'm able to authenticate and I
can use the squid_kerb_ldap-helper.
Thanks a lot for your hints.
Regards
Tom
2010/7/1 Tom Tux <tomtu...@gmail.com>:
Hi Markus
Thank you.
So, I made my kerberos-configuration from scratch. This will mean:
- Delete computer-account in AD
- Remove /etc/krb5.keytab
- Check with "setspn -L proxy-test-01" if there were no SPN's -> OK.
Then I created the account again with the following command:
./msktutil -c -s HTTP/proxy-test-01.xx.yy -h proxy-test-01.xx.yy -k
/etc/krb5.keytab --computer-name proxy-test-01 --upn
HTTP/proxy-test-01.xx.yy --server dc 1.xx.yy --verbose
The computer-account was created successfully. In the msktutil-output,
I can see, that the KVNO is set to "2".
On the Domain-Controller, I can also see, that the
"msDS-KeyVersionNumber" is also set to "2".
But I'm not able to authenticate. I got the following squid-cache-error:
2010/07/01 07:37:04| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
may provide more information. Key version number for principal in key
table is incorrect'
What's wrong here? I tried with "kinit" and "kinit -R" again -> no
success. How can I fix this problem?
Regards
Tom
2010/6/30 Markus Moeller <hua...@moeller.plus.com>:
Hi Tom
squid_kerb_ldap tries to use the keytab to authenticate squid against
AD.
The keytab contains basically the password for the "user" http/<fqdn>
which
maps in AD to the userprincipalname attribute. In your case
squid_kerb_ldap
tries to use host/proxy-test-01.xx...@xx.yy but does not find in AD an
entry
which has the userprincipalname attribute with that value and therfore
can
not check group memberships. msktutil has the option --upn which will
set
the AD attribute accordingly (see
alsohttp://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
credentials
from keytab : Client not found in Kerberos database
Regards
Markus
"Tom Tux" <tomtu...@gmail.com> wrote in message
news:aanlktilz_wefjeu1bmnpsgvnhahte6rjmr6bja-uu...@mail.gmail.com...
Hi
I'm trying to authenticate our clients with squid_kerb_ldap against
our ad. There exists a global-group called "Internet". My squid.conf
looks like this:
auth_param negotiate program
/usr/local/squid/libexec/squid_kerb_auth -i
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type SQUID_KERB_LDAP ttl=3600 negative_ttl=3600 %LOGIN
/usr/local/squid_kerb_ldap/bin/squid_kerb_ldap -d -g Internet
acl inetAccess external SQUID_KERB_LDAP
http_access allow inetAccess
My "klist -k" looks like this:
proxy-test-01:/usr/local/squid_kerb_ldap/bin # klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
4 host/proxy-test-01.xx...@xx.yy
4 host/proxy-test-01.xx...@xx.yy
4 host/proxy-test-01.xx...@xx.yy
4 host/proxy-test...@xx.yy
4 host/proxy-test...@xx.yy
4 host/proxy-test...@xx.yy
4 proxy-test-...@xx.yy
4 proxy-test-...@xx.yy
4 proxy-test-...@xx.yy
4 HTTP/proxy-test-01.xx...@xx.yy
4 HTTP/proxy-test-01.xx...@xx.yy
4 HTTP/proxy-test-01.xx...@xx.yy
4 HTTP/proxy-test...@xx.yy
4 HTTP/proxy-test...@xx.yy
4 HTTP/proxy-test...@xx.yy
5 proxy-test-...@xx.yy
5 proxy-test-...@xx.yy
5 proxy-test-...@xx.yy
5 HTTP/proxy-test-01.xx...@xx.yy
5 HTTP/proxy-test-01.xx...@xx.yy
5 HTTP/proxy-test-01.xx...@xx.yy
5 HTTP/proxy-test...@xx.yy
5 HTTP/proxy-test...@xx.yy
5 HTTP/proxy-test...@xx.yy
5 host/proxy-test-01.xx...@xx.yy
5 host/proxy-test-01.xx...@xx.yy
5 host/proxy-test-01.xx...@xx.yy
Without squid_kerb_ldap, the internet-access is working fine. With the
helper, I got the following errors in the cache.log:
2010/06/30 09:45:48| squid_kerb_auth: INFO: User testu...@xx.yy
authenticated
2010/06/30 09:45:48| squid_kerb_ldap: Got User: TESTUSER Domain: XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: User domain loop: gr...@domain
inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Default domain loop:
gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Default group loop: gr...@domain
inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Found gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: Setup Kerberos credential cache
2010/06/30 09:45:48| squid_kerb_ldap: Get default keytab file name
2010/06/30 09:45:48| squid_kerb_ldap: Got default keytab file name
/etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Get principal name from keytab
/etc/krb5.keytab
2010/06/30 09:45:48| squid_kerb_ldap: Keytab entry has realm name:
XX.YY
2010/06/30 09:45:48| squid_kerb_ldap: Found principal name:
host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Set credential cache to
MEMORY:squid_ldap_22001
2010/06/30 09:45:48| squid_kerb_ldap: Got principal name
host/proxy-test-01.xx...@xx.yy
2010/06/30 09:45:48| squid_kerb_ldap: Error while initialising
credentials from keytab : Client not found in Kerberos database
2010/06/30 09:45:48| squid_kerb_ldap: Error during setup of Kerberos
credential cache
2010/06/30 09:45:48| squid_kerb_ldap: User TESTUSER is not member of
gr...@domain inter...@null
2010/06/30 09:45:48| squid_kerb_ldap: ERR
2010/06/30 09:45:48| squid_kerb_auth: INFO: User testu...@xx.yy
authenticated
What could this be? The user "testuser" is member of the ad-group
"Internet".
Thanks a lot.
Tom
