tacerus

Squid3 with domain authentication - Client not found in Kerberos Database

Hello,

I'm posting this under Linux, even though it is partly Windows-related.

I hope someone can help me, after a good 6 hours with Google got me nowhere.
Following http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_P ... I tried to install Squid3 with domain authentication on Debian. The DC runs Windows Server 2012 R2.

It fails at Kerberos and msktutil.

Here is my krb5.conf:
[libdefaults]
        default_realm = SQUIRRELCUBE.COM
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid3/PROXY.keytab

[realms]
        SQUIRRELCUBE.COM = {
                kdc = e752.squirrelcube.com
                admin_server = e752.squirrelcube.com
                default_domain = squirrelcube.com
        }

[domain_realm]
        .squirrelcube.com = SQUIRRELCUBE.COM
        squirrelcube.com = SQUIRRELCUBE.COM

After successfully obtaining a ticket with kinit, which according to klist is correctly valid for 24 hours, I run the following command:
 msktutil -c -b "ou=Server" -s HTTP/deprox.squirrelcube.com -k /etc/squid3/PROXY.keytab --computer-name deprox-http --upn HTTP/deprox.squirrelcube.com --server e752.squirrelcube.com --verbose

deprox.squirrelcube.com is the hostname of my Debian machine, deprox-http the separate Kerberos computer account name for the entry in AD. e752.squirrelcube.com is the (only) domain controller.
Forward and reverse DNS work without problems, in case that matters here.

And I get:
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/udandom = 86
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-vPLCyz
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: deprox-http$
 -- try_machine_keytab_princ: Trying to authenticate for deprox-http$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/deprox.squirrelcube.com from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for deprox-http$ with password.
 -- create_default_machine_password: Default machine password for deprox-http$ is deprox-http
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4

 -- ldap_connect: Connecting to LDAP server: e752.squirrelcube.com try_tls=YES
 -- ldap_connect: Connecting to LDAP server: e752.squirrelcube.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: gp.pfuetzenreuter@SQUIRRELCUBE.COM
SASL SSF: 56
SASL data security layer installed.
 -- ldap_connect: LDAP_OPT_X_SASL_SSF=56

 -- ldap_get_base_dn: Determining default LDAP base: dc=SQUIRRELCUBE,dc=COM
 -- ldap_check_account: Checking that a computer account for deprox-http$ exists
 -- ldap_check_account: Computer account not found, create the account

No computer account for deprox-http found, creating a new one.
dn: cn=deprox-http,ou=Server,dc=SQUIRRELCUBE,dc=COM
 -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set dNSHostName to deprox.squirrelcube.com
 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set userPrincipalName to HTTP/deprox.squirrelcube.com@SQUIRRELCUBE.COM
 -- ldap_set_supportedEncryptionTypes: DEE dn=cn=deprox-http,ou=Server,dc=SQUIRRELCUBE,dc=COM old=7 new=28

 -- ldap_simple_set_attr: Calling ldap_modify_ext_s to set msDs-supportedEncryptionTypes to 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag:  userAccountControl not changed 0x1000

 -- set_password: Attempting to reset computer's password  
 -- set_password: Try change password using user's ticket cache  

 -- ldap_get_pwdLastSet: pwdLastSet is 130999411078213749
 -- set_password: Successfully set password, waiting for it to be reflected in LDAP.
 -- ldap_get_pwdLastSet: pwdLastSet is 130999411078682497
 -- set_password: Successfully reset computer's password  
 -- ldap_add_principal: Checking that adding principal HTTP/deprox.squirrelcube.com to deprox-http$ won't cause a conflict  
 -- ldap_add_principal: Adding principal HTTP/deprox.squirrelcube.com to LDAP entry
 -- ldap_add_principal: Checking that adding principal host/deprox.squirrelcube.com to deprox-http$ won't cause a conflict  
 -- ldap_add_principal: Adding principal host/deprox.squirrelcube.com to LDAP entry
 -- execute: Updating all entries for deprox.squirrelcube.com in the keytab WRFILE:/etc/squid3/PROXY.keytab

 -- update_keytab: Updating all entires for deprox-http$
 -- ldap_get_kvno: KVNO is 2
 -- add_principal_keytab: Adding principal to keytab: deprox-http$
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: HTTP/deprox.squirrelcube.com
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: host/deprox.squirrelcube.com
 -- add_principal_keytab: Removing entries with kvno < 0
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:     Using salt of SQUIRRELCUBE.COMhostdeprox-http.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- ~msktutil_exec: Destroying msktutil_exec
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure
 -- ~KRB5Context: Destroying Kerberos Context

Apparently it only has something to do with my keytab. I have already deleted the computer account (which it creates correctly in AD) countless times, run kdestroy, deleted the keytab file and tried msktutil again. I have also raised my domain from W2008 to W2012 R2, even though I think this has no effect on Kerberos.

Thanks in advance for reading,
tacerus
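
Added example, not part of the original post: a small Python parser for `msktutil --verbose` output like the log above. It separates the authentication attempts that failed from the method that finally succeeded and decodes the encryption types set on the account and written to the keytab. The function names are hypothetical and the sample is a shortened excerpt of the posted log.

```python
import re
# Kerberos enctype numbers as msktutil prints them ("enctype 0x17").
ENCTYPES = {0x17: "rc4-hmac", 0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96"}
# Bit values of the AD attribute msDS-SupportedEncryptionTypes.
SET_BITS = {0x1: "des-cbc-crc", 0x2: "des-cbc-md5", 0x4: "rc4-hmac",
            0x8: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}

# Shortened excerpt of the log in the post above (same lines, fewer of them).
SAMPLE = """\
 -- try_machine_keytab_princ: Trying to authenticate for deprox-http$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Trying to authenticate for deprox-http$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_set_supportedEncryptionTypes: DEE dn=cn=deprox-http,ou=Server,dc=SQUIRRELCUBE,dc=COM old=7 new=28
 -- add_principal_keytab: Adding principal to keytab: HTTP/deprox.squirrelcube.com
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
"""

def decode_bits(mask):
    """Names of the enctypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in sorted(SET_BITS.items()) if mask & bit]

def summarize(log):
    out = {"failed": [], "method": None, "account_enctypes": None, "keytab": {}}
    principal = None
    for line in log.splitlines():
        m = re.match(r"\s*-- ([~\w]+):\s*(.*)", line)
        if not m:
            continue  # SASL/LDAP lines carry no "-- function:" prefix
        func, msg = m.group(1), m.group(2).strip()
        if func.startswith("try_") and msg.startswith("Error:"):
            out["failed"].append((func, msg[msg.rfind("(") + 1:-1]))
        elif msg.startswith("Authenticated using method"):
            out["method"] = int(msg.split()[-1])
        elif func == "ldap_set_supportedEncryptionTypes":
            out["account_enctypes"] = decode_bits(int(re.search(r"new=(\d+)", msg).group(1)))
        elif msg.startswith("Adding principal to keytab:"):
            principal = msg.split(": ", 1)[1]
            out["keytab"][principal] = []
        elif msg.startswith("Adding entry of enctype") and principal:
            code = int(msg.split()[-1], 16)
            out["keytab"][principal].append(ENCTYPES.get(code, hex(code)))
    # Principals whose keytab entries still include the legacy RC4 key.
    out["rc4_in_keytab"] = sorted(p for p, e in out["keytab"].items() if "rc4-hmac" in e)
    return out
```

Calling `summarize()` on the full log text gives the same fields for all three principals; `decode_bits(7)` decodes the `old=7` value from the same line.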

Content-ID: 296225

Url: https://administrator.de/contentid/296225

Printed on: 24.11.2024 at 07:11