[squid-users] Kerberos: Problems for generate the keytab file

From: Fran Márquez <informatica.comunicaciones_1_at_chguadalquivir.es>
Date: Wed, 29 Feb 2012 00:50:10 +0100

 
Hi friends,

I have a problem implementing Kerberos authentication on my Squid
server. I'm using this article from the Squid wiki:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

My server is Red Hat Enterprise Linux (minimal) 6.2 (all packages
updated), with the official RH squid package (3.1.10).

I launch kinit without problems:
----------------------------------------------------------------------------------------------------
[root@proxy01 ~]# kinit administrator@MYDOMAIN
Password for administrator@MYDOMAIN:
[root@proxy01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN

Valid starting       Expires              Service principal
02/24/12 08:46:05    02/24/12 18:46:09    krbtgt/MYDOMAIN@MYDOMAIN
        renew until 02/25/12 08:46:05
---------------------------------------------------------------------------------------------------

The problem appears when I launch msktutil to build the keytab file:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[root@hostname ~]# msktutil -c -b "CN=COMPUTERS" -s HTTP/hostname.mydomain -k /etc/squid/PROXY.keytab \
    --computer-name PROXY01KRB --upn HTTP/hostname.mydomain --server dc1.mydomain --verbose

  -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-XbERrw
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: PROXY01KRB$
 -- try_machine_keytab_princ: Trying to authenticate for PROXY01KRB$
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Unsupported key table format version number)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/proxy01
from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
(Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for PROXY01KRB$ with
password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed
(Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: dc1.mydomain try_tls=YES
 -- ldap_connect: Connecting to LDAP server: dc1.mydomain try_tls=NO
SASL/GSSAPI authentication started
SASL username: administrator@MYDOMAIN
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=MYDOMAIN
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the
computer account
 -- generate_new_password: Characters read from /dev/udandom = 82
 -- ldap_check_account: Checking that a computer account for PROXY01KRB$
exists
 -- ldap_check_account: Checking computer account - found
 -- ldap_check_account: Found userAccountControl = 0x1000

 -- ldap_check_account: Found default supportedEncryptionTypes = 7

 -- ldap_check_account: Found dNSHostName = proxy01

 -- ldap_check_account: Found User Principal: HTTP/proxy01.mydomain
 -- ldap_check_account_strings: Inspecting (and updating) computer
account attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
userPrincipalName to HTTP/proxy01.mydomain@MYDOMAIN
 -- ldap_set_supportedEncryptionTypes: DEE
dn=CN=PROXY01KRB,CN=Computers,DC=mydomain old=7 new=28

 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set
msDs-supportedEncryptionTypes to 28
 -- ldap_simple_set_attr: ldap_modify_ext_s failed (No such attribute)
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password
 -- set_password: Try change password using user's ticket cache

 -- ldap_get_pwdLastSet: pwdLastSet is 0
Error: krb5_set_password_using_ccache failed (Cannot contact any KDC for
requested realm)
Error: set_password failed
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

My /etc/krb5.conf:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 #renew_lifetime = 7d
 #forwardable = true
 default_keytab_name = /etc/squid/PROXY.keytab

; for Windows 2003
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 MYDOMAIN = {
  kdc = dc1.mydomain
  kdc = dc2.mydomain
  admin_server = dc1.mydomain
  default_domain = MYDOMAIN
 }

[domain_realm]
 .MYDOMAIN = MYDOMAIN
 MYDOMAIN = MYDOMAIN
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

All the DNS stuff is correctly configured and resolves without problems,
including the reverse pointers. NTP sync is enabled and I forced an ntpdate
before starting the process to get the time synced with the domain controller.

The really weird thing is that yesterday, after many tests changing the
hostname and the --computer-name parameter of msktutil, everything worked
fine and the keytab file was generated. Today I wanted to create a new
keytab file with the definitive names (yesterday I had been doing some
tests), and the problem appeared again. I don't know the cause. Yesterday
I also tried to generate the keytab using these articles, without success:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

so I don't know if some of those steps were the reason the keytab was
generated correctly later.

I hope you can help me.

Thank you very much in advance,
Regards
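Two things in the log above can be checked offline before touching the domain again: whether the file at /etc/squid/PROXY.keytab is really a keytab (the first attempt fails with "Unsupported key table format version number", which the MIT library reports for a file whose header is not a keytab version), and what the msDs-supportedEncryptionTypes values old=7 and new=28 actually mean for the enctypes in the keytab and in krb5.conf. The script below is an added example, not code from the original post, from Squid or from msktutil: it parses the MIT keytab v2 on-disk format (header bytes 0x05 0x02, the format msktutil and ktutil write), decodes the AD attribute bitmask, and reports which enctypes a keytab and an account have in common. The sample keytab bytes, its principal, timestamp and key bytes are constructed here.

```python
"""Inspect a Kerberos keytab and decode AD msDs-supportedEncryptionTypes.

Added example (not from the post, Squid or msktutil). Parses MIT keytab v2
and maps the AD enctype bitmask; the sample keytab below is constructed.
"""
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962 and RFC 4757 assignments)
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Bit value -> enctype for the AD attribute msDs-supportedEncryptionTypes
SUPPORTED_ENCTYPE_BITS = {
    0x01: 1,   # DES_CBC_CRC
    0x02: 3,   # DES_CBC_MD5
    0x04: 23,  # RC4_HMAC_MD5
    0x08: 17,  # AES128_CTS_HMAC_SHA1_96
    0x10: 18,  # AES256_CTS_HMAC_SHA1_96
}


class KeytabFormatError(ValueError):
    """The condition MIT reports as 'Unsupported key table format version number'."""


def _counted(buf, pos):
    """Read a 16-bit length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return [{principal, enctype, kvno, timestamp}] for every live v2 entry.

    Key material is deliberately not returned; metadata is enough to verify
    a keytab against what the KDC and the AD computer account expect.
    """
    if len(data) < 2 or data[0] != 0x05 or data[1] not in (0x01, 0x02):
        raise KeytabFormatError("not a Kerberos keytab: bad version header")
    if data[1] == 0x01:
        raise KeytabFormatError("keytab v1 (host byte order) not handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)   # in v2 the realm precedes the components
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        # name_type, timestamp, 8-bit kvno, enctype, key length
        _name_type, ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen              # skip the fixed fields and the key bytes
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
                        "kvno": kvno, "timestamp": ts})
    return entries


def keytab_problem(data):
    """Return the format error message for data, or None if it parses."""
    try:
        parse_keytab(data)
    except KeytabFormatError as exc:
        return str(exc)
    return None


def decode_supported_enctypes(mask):
    """msDs-supportedEncryptionTypes bitmask (e.g. 7 or 28) -> enctype names."""
    return [ENCTYPE_NAMES[e] for bit, e in SUPPORTED_ENCTYPE_BITS.items() if mask & bit]


def usable_enctypes(entries, supported_mask):
    """Enctypes present in the keytab that the account also advertises.
    Empty means no service ticket the KDC issues can be decrypted."""
    advertised = set(decode_supported_enctypes(supported_mask))
    return sorted({e["enctype"] for e in entries} & advertised)


def _entry(principal, enctype, kvno, timestamp, key):
    """Encode one v2 entry; used only to construct the sample keytab."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: two keys for the proxy's service principal (made-up key bytes)
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("HTTP/proxy01.mydomain@MYDOMAIN", 23, 2, 1330000000, b"\x11" * 16)
                 + _entry("HTTP/proxy01.mydomain@MYDOMAIN", 18, 2, 1330000000, b"\x22" * 32))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d %(enctype)s" % e)
    print("account old=7 :", decode_supported_enctypes(7))
    print("account new=28:", decode_supported_enctypes(28))
    print("usable with old=7:", usable_enctypes(parse_keytab(SAMPLE_KEYTAB), 7))
```

Run against a real file with `parse_keytab(open("/etc/squid/PROXY.keytab", "rb").read())`. With the values from the log, old=7 decodes to the three enctypes the posted krb5.conf permits (rc4-hmac and the two DES types), while new=28 adds AES and drops DES; because the attribute write failed ("No such attribute"), the account kept 7, so a keytab containing only AES keys would have no enctype in common with it.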
Received on Tue Feb 28 2012 - 23:50:21 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 29 2012 - 12:00:06 MST