For squid_kerb_ldap to work the AD entry must have a userprincipalname attribute set to one of the keytab entry names, e.g. HTTP/ubuntu.pfsee....@pfsee.net. This is one of the differences between msktutil with --upn and net ads join.

Markus
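
The check behind this reply, as an added example that is not part of the original thread or of squid_kerb_ldap itself: it parses a ktutil listing like the one quoted below (constructed here with placeholder names proxy.example.net / EXAMPLE.NET) and compares the keytab principals against a constructed AD computer object, first as net ads join leaves it (SPNs only, no userPrincipalName) and then with the UPN msktutil --upn would set. The assumption, labelled in the code, is that the helper initialises its credentials with the HTTP/ keytab entry, so that entry must also be a name the KDC will issue an initial ticket for.

```python
import re

# Constructed sample ktutil listing, shaped like the one in the post but with
# placeholder host and realm names (proxy.example.net / EXAMPLE.NET).
KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ------------------------------------------------------------
   1    2                 host/proxy.example.net@EXAMPLE.NET
   2    2                 host/proxy.example.net@EXAMPLE.NET
   3    2                            host/proxy@EXAMPLE.NET
   4    2                                 PROXY$@EXAMPLE.NET
   5    2                 HTTP/proxy.example.net@EXAMPLE.NET
   6    2                 HTTP/proxy.example.net@EXAMPLE.NET
   7    2                            HTTP/proxy@EXAMPLE.NET
"""

# Constructed AD computer object as 'net ads join' typically leaves it:
# servicePrincipalName holds the SPNs, but no userPrincipalName is set.
AD_OBJECT_NET_ADS_JOIN = {
    "sAMAccountName": "PROXY$",
    "realm": "EXAMPLE.NET",
    "servicePrincipalName": [
        "host/proxy.example.net", "host/proxy",
        "HTTP/proxy.example.net", "HTTP/proxy",
    ],
}

# The same object after 'msktutil --upn HTTP/proxy.example.net' (assumed result).
AD_OBJECT_MSKTUTIL_UPN = dict(
    AD_OBJECT_NET_ADS_JOIN,
    userPrincipalName="HTTP/proxy.example.net@EXAMPLE.NET",
)

# One keytab entry line: slot, KVNO, principal.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_ktutil_listing(text):
    """Return the distinct principal names from a `ktutil` 'l' listing."""
    principals = set()
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            principals.add(m.group(3))
    return principals


def kdc_client_names(ad_object):
    """Names the KDC will issue an initial (AS) ticket for on this object.

    In AD that is the userPrincipalName, plus the sAMAccountName qualified
    with the realm. Entries in servicePrincipalName only let the account
    accept tickets for those services; they are not client names.
    """
    names = set()
    upn = ad_object.get("userPrincipalName")
    if upn:
        names.add(upn)
    sam, realm = ad_object.get("sAMAccountName"), ad_object.get("realm")
    if sam and realm:
        names.add(f"{sam}@{realm}")
    return names


def diagnose(listing, ad_object, client_principal):
    """Check that `client_principal` (assumed here to be the HTTP/ keytab
    entry the helper initialises credentials with) is both present in the
    keytab and known to the KDC as a client name."""
    in_keytab = client_principal in parse_ktutil_listing(listing)
    known_to_kdc = client_principal in kdc_client_names(ad_object)
    return {
        "in_keytab": in_keytab,
        "known_to_kdc": known_to_kdc,
        "ok": in_keytab and known_to_kdc,
        # What userPrincipalName would have to be set to, if anything.
        "upn_to_set": None if known_to_kdc else client_principal,
    }


if __name__ == "__main__":
    http_principal = "HTTP/proxy.example.net@EXAMPLE.NET"
    for label, obj in (("net ads join", AD_OBJECT_NET_ADS_JOIN),
                       ("msktutil --upn", AD_OBJECT_MSKTUTIL_UPN)):
        print(label, diagnose(KTUTIL_LISTING, obj, http_principal))
```

With the net ads join object the HTTP/ principal is in the keytab but not a client name, which matches the "Client not found in Kerberos database" error quoted below; with the UPN set the same keytab passes. Against a real domain the AD side would come from an LDAP query of the computer object rather than the constructed dictionaries.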


----- Original Message ----- From: "Rafal Zawierta" <zawie...@gmail.com>
To: <hua...@moeller.plus.com>
Sent: Wednesday, January 19, 2011 11:39 PM
Subject: squid_kerb_ldap question


Hello Markus!

If you don't mind I'd like to ask you for help with my squid_kerb_ldap problem.
After 2 long days I have squid_kerb_auth working.

I have an Ubuntu host, which was joined to AD by the net join command, AND
krb5.keytab was also created that way.

Now, when I start my squid with kerb_ldap helper I get:
2011/01/20 00:20:14| squid_kerb_ldap: Error while initialising
credentials from keytab : Client not found in Kerberos database
2011/01/20 00:20:14| squid_kerb_ldap: Error during setup of Kerberos
credential cache

AFAIK the problem is with my keytab - am I right? Is it possible to fix
it without running msktutil? Or is the only good way to delete (?) my
keytab and create a new one with msktutil with the --upn option?

ktutil on proxy server shows me:
ktutil:  rkt /etc/squid/HTTP.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
  1    2          host/ubuntu.pfsee....@pfsee.net
  2    2          host/ubuntu.pfsee....@pfsee.net
  3    2          host/ubuntu.pfsee....@pfsee.net
  4    2                    host/ubu...@pfsee.net
  5    2                    host/ubu...@pfsee.net
  6    2                    host/ubu...@pfsee.net
  7    2                        UBUNTU$@PFSEE.NET
  8    2                        UBUNTU$@PFSEE.NET
  9    2                        UBUNTU$@PFSEE.NET
 10    2          HTTP/ubuntu.pfsee....@pfsee.net
 11    2          HTTP/ubuntu.pfsee....@pfsee.net
 12    2          HTTP/ubuntu.pfsee....@pfsee.net
 13    2                    HTTP/ubu...@pfsee.net
 14    2                    HTTP/ubu...@pfsee.net
 15    2                    HTTP/ubu...@pfsee.net

But on AD server in AD users and computers there is NO http or
whatever entry in Users. Just ubuntu in Computers.

Regards
Rafal



