Authenticating Squid with single sign-on (Kerberos) against a Samba4 domain
Hello,
we have been working with a Samba4 Active Directory for about a year now.
We now want to set up a Squid proxy that authorizes users based on their groups.
A suitable guide is available here: http://roshan-g.blogspot.de/2014/05/squid-with-kerberos-and-ldap.html
Unfortunately, I am failing at exactly the same problem:
msktutil -c -b "CN=Computers" -s HTTP/workgroup.testdomain.local -k /etc/squid.keytab --computer-name WORKGROUP-PROXY --upn HTTP/workgroup.testdomain.local --server testdomain.local --verbose
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 76
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-oOBYsY
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: WORKGROUP-PROXY$
-- try_machine_keytab_princ: Trying to authenticate for WORKGROUP-PROXY$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Cannot contact any KDC for requested realm)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/testdomain.local from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Cannot contact any KDC for requested realm)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for WORKGROUP-PROXY$ with password.
-- create_default_machine_password: Default machine password for WORKGROUP-PROXY$ is workgroup-prox
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Cannot contact any KDC for requested realm)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: testdomain.local try_tls=YES
-- ldap_connect: Connecting to LDAP server: testdomain.local try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
-- ~KRB5Context: Destroying Kerberos Context
which means I cannot create a keytab...
Unfortunately, Google does not turn up any approaches to a solution either.
Can you help me?
Regards!
Erik
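
Added example, not part of the original post: a small shell triage that collapses the msktutil --verbose output quoted above into its distinct failures and names a first check for each. The function names and hint texts are assumptions of this example; the sample lines are copied from the post's output.

```shell
#!/bin/sh
# Added example: collapse msktutil --verbose output into its distinct failures.

# Sample input: lines copied from the output quoted in the post.
sample_log() {
cat <<'EOF'
-- try_machine_keytab_princ: Trying to authenticate for WORKGROUP-PROXY$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Cannot contact any KDC for requested realm)
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Cannot contact any KDC for requested realm)
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Cannot contact any KDC for requested realm)
-- finalize_exec: Authenticated using method 4
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
EOF
}

# Prints "<count>x <step>|<failed call>|<reason>" per distinct failure, first seen first.
# Lines without a parenthesised reason (e.g. "Error: ldap_connect failed") are skipped.
triage_msktutil() {
  awk '
    /Error: .* failed \(/ {
      step = "-"                                  # LDAP errors carry no "-- step:" prefix
      if ($1 == "--") { step = $2; sub(/:$/, "", step) }
      call = $0;   sub(/^.*Error: /, "", call);     sub(/ failed.*$/, "", call)
      reason = $0; sub(/^.*failed \(/, "", reason); sub(/\)[^)]*$/, "", reason)
      key = step "|" call "|" reason
      if (!(key in n)) order[++k] = key
      n[key]++
    }
    END { for (i = 1; i <= k; i++) print n[order[i]] "x " order[i] }'
}

# Maps each reason to a first check (hint texts are this example's wording).
next_checks() {
  while IFS='|' read -r step call reason; do
    case $reason in
      "Cannot contact any KDC for requested realm")
        echo "KDC: check realm spelling and that DNS resolves _kerberos._tcp/_udp SRV records for it" ;;
      "Local error")
        echo "GSSAPI: client-side failure; check klist for a valid ticket and kinit again, as msktutil suggests" ;;
    esac
  done | sort -u
}

sample_log | triage_msktutil
sample_log | triage_msktutil | next_checks
```

To use it on a real run, pipe the tool's output in: `msktutil ... --verbose 2>&1 | triage_msktutil`.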
Content-ID: 270593
Url: https://administrator.de/contentid/270593
Printed on: 24.11.2024 at 05:11