Hi Go,
For Windows 2008 the wiki says "use --enctypes 28". Did you use it ?
What does klist -e show, and what does
kinit <user>
kvno HTTP/proxyserver.orangegroup.com
show (<user> being your userid)?
When you purge tickets (with kerbtray), start wireshark with a filter on
port 88 and access a webpage via the proxy do you see any errors in
wireshark ? Can you send me the capture ?
Markus
"Go Wow" <gowows_at_gmail.com> wrote in message
news:BANLkTinSki+D9qe6nxRfgLXJJkaD2GNoEw_at_mail.gmail.com...
I tried with msktutil version 0.4 but same thing is happening.
I followed your guide, firstly with samba/winbind, I created the
keytab and configure negotiate parameters in squid.conf but when I
open browser pointing to squid3 as proxy server (with fqdn not IP) it
prompts for username/password. This system is Windows 7 64 Bit.
Then I tried msktutil. The command I used is same as I mentioned below.
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
ad01.orangegroup.com --verbose
The output of the command gives me one error saying but creates the keytab
file
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
I have kerbtray installed on client system and I can see my domain's
krtgt/domain.com listed. As a matter of fact I'm using sharepoint
server which uses the same method to authenticate and I'm able to login
to it without entering username/password. I tried with purging tickets
but no change.
Regards
On 30 April 2011 16:17, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> Hi Go,
>
> Can you describe in detail what you did ( e.g. exact msktutil command).
> BTW
> I updated yesterday the wiki pointing to a newer msktutil (version 0.4)
> which you should try in the case you use an older version.
>
> It looks to me that your client is not able to get the Kerberos ticket
> from
> AD, which is why the client falls back to NTLM and the negotiate wrapper
> now deals with this case.
>
> To find out why the client does not get the ticket you can run wireshark
> and look for traffic on port 88.
>
> Markus
>
>
> "Go Wow" <gowows_at_gmail.com> wrote in message
> news:BANLkTinqnrMS5t2tq7FRN+-NOeZsMy5GOQ_at_mail.gmail.com...
> When I run msktutil I get this line in the output.
>
> krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>
> I did kinit before issuing msktutil and it ran successfully. I can see
> tickets when I issue klist.
>
>
>
> On 30 April 2011 10:43, Go Wow <gowows_at_gmail.com> wrote:
>>
>> Hi,
>>
>> I'm trying to configure Kerberos Authentication for squid. I'm
>> running Squid 3.1.12 and Windows 2008 R2 SP2. I have followed the
>> kerberos authentication guide on squid-cache and many other guides, I
>> always end up with these logs in my cache.log. My client browser keeps
>> prompting for username/password. Even a valid set of credentials are
>> not accepted.
>>
>> 2011/04/30 10:24:32| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:32| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>> (length: 59).
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>> length: 40).
>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR
>> TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid
>> (length: 59).
>> 2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Decode
>> 'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' (decoded
>> length: 40).
>> 2011/04/30 10:24:36| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/04/30 10:24:36| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>>
>>
>> I want to check and make sure my keytab entries are good. How do I do
>> that? My client System can list the tickets for client principal.
>>
>> Please have a look at my krb5.conf & keytab file here
>> http://pastebin.com/vTBr3r5D
>>
>> I'm using this command to create the keytab file.
>> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxyserver.orangegroup.com -h
>> proxyserver.orangegroup.com -k /etc/krb5.keytab --computer-name
>> proxyserver-http --upn HTTP/proxyserver.orangegroup.com --server
>> ad01.orangegroup.com --verbose
>>
>> All the domains are resolving properly to IPs.
>>
>> Thanks for your help.
>>
>
>
>
Received on Sat Apr 30 2011 - 20:02:43 MDT
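The symptom in this thread ("received type 1 NTLM token") means the browser never presented a Kerberos ticket in the Negotiate header; the base64 blob in the helper log is a raw NTLMSSP NEGOTIATE message, which is exactly what a client falls back to when it cannot obtain a service ticket for the proxy's SPN. The script below is an added example, not part of the thread or of Squid's own helper code: it pulls the "YR <base64>" token out of squid_kerb_auth DEBUG lines, tells NTLM apart from a GSS-API (Kerberos or SPNEGO) initial context token, and for an NTLM type 1 message reads the Version field, which for the token quoted above decodes to Windows 6.1 build 7600 (Windows 7), matching the poster's client. The two GSS-API sample lines and the `gss_initial_token`/`_helper_line` helpers are constructed for this example; only the first log line is taken from the thread.

```python
import base64
import re
import struct

# --- NTLMSSP constants (MS-NLMP) ---
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # NegotiateFlags bit: Version field is present

# --- DER-encoded mechanism OIDs that open a GSS-API initial context token ---
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",                  # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",        # 1.2.840.113554.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP (wrapped)",  # 1.3.6.1.4.1.311.2.2.10
}

# squid's negotiate helper protocol: the initial client token arrives as "YR <base64>"
HELPER_TOKEN_RE = re.compile(r"Got 'YR (?P<b64>[A-Za-z0-9+/=]+)' from squid")


def _gss_mech_oid(raw: bytes):
    """Return the DER mechanism OID following the RFC 2743 InitialContextToken header."""
    if raw[:1] != b"\x60" or len(raw) < 4:
        return None
    pos = 2
    if raw[1] & 0x80:              # long-form length: low bits = number of length octets
        pos += raw[1] & 0x7F
    if len(raw) < pos + 2 or raw[pos:pos + 1] != b"\x06":
        return None
    oid_len = raw[pos + 1]
    return raw[pos:pos + 2 + oid_len]


def classify_token(raw: bytes) -> dict:
    """Identify what the browser actually put inside the Negotiate header."""
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        info = {"kind": "NTLM", "ntlm_type": NTLM_MESSAGE_TYPES.get(msg_type, "unknown")}
        if msg_type == 1 and len(raw) >= 40:
            (flags,) = struct.unpack_from("<I", raw, 12)
            info["flags"] = flags
            if flags & NTLMSSP_NEGOTIATE_VERSION:
                # Version field at offset 32: major, minor, build (LE uint16), reserved, revision
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["client_version"] = (major, minor, build)
        return info
    oid = _gss_mech_oid(raw)
    if oid is not None:
        return {"kind": "GSS-API", "mech": MECH_OIDS.get(oid, "unknown")}
    return {"kind": "unknown"}


def scan_helper_log(lines):
    """Return (line_number, classification) for every initial token in the helper log."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = HELPER_TOKEN_RE.search(line)
        if not m:
            continue
        try:
            raw = base64.b64decode(m.group("b64"), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append((n, {"kind": "undecodable"}))
            continue
        findings.append((n, classify_token(raw)))
    return findings


def ntlm_fallback_lines(lines):
    """Line numbers where the client fell back to NTLM instead of sending a Kerberos ticket."""
    return [n for n, info in scan_helper_log(lines) if info["kind"] == "NTLM"]


# --- constructed sample data (hypothetical helpers, not Squid code) ---
def gss_initial_token(mech_oid_der: bytes, inner: bytes) -> bytes:
    """Wrap OID + inner bytes as a short-form InitialContextToken (bodies < 128 bytes)."""
    body = mech_oid_der + inner
    return b"\x60" + bytes([len(body)]) + body


def _helper_line(ts: str, token: bytes) -> str:
    payload = "YR " + base64.b64encode(token).decode()
    return f"{ts}| squid_kerb_auth: DEBUG: Got '{payload}' from squid (length: {len(payload)})."


SAMPLE_LOG = [
    # Line 1: the NTLM type 1 token quoted in the thread above
    "2011/04/30 10:24:36| squid_kerb_auth: DEBUG: Got 'YR "
    "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).",
    # Lines 2-3: constructed stand-ins for a Kerberos AP-REQ and a SPNEGO NegTokenInit;
    # only the OID header is real, the inner bytes are truncated placeholders
    _helper_line("2011/04/30 10:30:00",
                 gss_initial_token(bytes.fromhex("06092a864886f712010202"), b"\x01\x00")),
    _helper_line("2011/04/30 10:30:01",
                 gss_initial_token(bytes.fromhex("06062b0601050502"), b"\xa0\x00")),
    # Line 4: constructed garbage to exercise the decode-failure path
    "2011/04/30 10:30:02| squid_kerb_auth: DEBUG: Got 'YR AAA' from squid (length: 6).",
]

if __name__ == "__main__":
    for n, info in scan_helper_log(SAMPLE_LOG):
        print(n, info)
    print("NTLM fallback on lines:", ntlm_fallback_lines(SAMPLE_LOG))
```

Seeing `kind: NTLM` here confirms the problem is on the client/KDC side (no ticket for HTTP/proxyserver.orangegroup.com was issued), not in the keytab that Squid reads; that is the same conclusion Markus draws, and it is why the next step in the thread is `kvno` and a port 88 capture rather than more keytab changes.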