No i de with the msktutil dev :) Thanks for your help
On Monday 4 May 2015, Markus Moeller <hua...@moeller.plus.com> wrote:

> So this worked ?
>
> Markus
>
> "Olivier CALVANO" <o.calv...@gmail.com> wrote in message
> news:cajajpeddju9t4qaipsmt-5jusn4gf6nj0pff3jbj+bzxztx...@mail.gmail.com...
>
> Oh, I have deleted "--enctypes 28"
>
> and now:
>
> [root@gw msktutil-1.0rc1]# ./msktutil -c -b "CN=COMPUTERS" -s HTTP/ophtcysrv1v4.myaddomain.fr -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/ophtcysrv1v4.myaddomain.fr --server myad.myaddomain.fr --verbose
> -- init_password: Wiping the computer password structure
> -- generate_new_password: Generating a new, random password for the computer account
> -- generate_new_password: Characters read from /dev/urandom = 94
> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-RyUQcT
> -- reload: Reloading Kerberos Context
> -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_keytab_princ: Trying to authenticate for host/mydnshostname.fr from local keytab...
> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
> -- try_machine_keytab_princ: Authentication with keytab failed
> -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.
> -- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
> -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
> -- try_machine_password: Authentication with password failed
> -- try_user_creds: Checking if default ticket cache has tickets...
> -- finalize_exec: Authenticated using method 5
> -- LDAPConnection: Connecting to LDAP server: myad.myaddomain.fr
> SASL/GSSAPI authentication started
> SASL username: myusern...@myaddomain.fr
> SASL SSF: 56
> SASL data security layer installed.
> -- ldap_get_base_dn: Determining default LDAP base: dc=SODIAAL,dc=FR
> -- ldap_check_account: Checking that a computer account for OPHTCYSRV1V4-K$ exists
> -- ldap_check_account: Checking computer account - found
> -- ldap_check_account: Found userAccountControl = 0x1000
> -- ldap_check_account: Found supportedEncryptionTypes = 28
> -- ldap_check_account: Found dNSHostName = mydnshostname.fr
> -- ldap_check_account: userPrincipal specified on command line
> -- ldap_check_account_strings: Inspecting (and updating) computer account attributes
> -- ldap_check_account_strings: Found userPrincipalName = HTTP/ophtcysrv1v4.myaddomain...@myaddomain.fr
> -- ldap_check_account_strings: userPrincipalName should be HTTP/ophtcysrv1v4.myaddomain...@myaddomain.fr
> -- ldap_check_account_strings: Nothing to do
> -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
> -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
> -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x1000
> -- ldap_get_kvno: KVNO is 1
> -- set_password: Attempting to reset computer's password
> -- set_password: Try change password using user's ticket cache
> -- ldap_get_pwdLastSet: pwdLastSet is 130751472429170776
> -- set_password: Successfully set password.
> -- ldap_add_principal: Checking that adding principal HTTP/ophtcysrv1v4.myaddomain.fr to OPHTCYSRV1V4-K$ won't cause a conflict
> -- ldap_add_principal: Adding principal HTTP/ophtcysrv1v4.myaddomain.fr to LDAP entry
> -- ldap_add_principal: Checking that adding principal host/mydnshostname.fr to OPHTCYSRV1V4-K$ won't cause a conflict
> -- ldap_add_principal: Adding principal host/mydnshostname.fr to LDAP entry
> -- execute: Updating all entries for mydnshostname.fr in the keytab WRFILE:/etc/squid/PROXY.keytab
> -- update_keytab: Updating all entries for OPHTCYSRV1V4-K$
> -- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x17
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x11
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x12
> -- add_principal_keytab: Adding principal to keytab: OPHTCYSRV1V4-K$
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, enctype=23
> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, enctype=17
> -- add_principal_keytab: Deleting OPHTCYSRV1V4-K$@myaddomain.fr kvno=2, enctype=18
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x17
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x11
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x12
> -- add_principal_keytab: Adding principal to keytab: HTTP/ophtcysrv1v4.myaddomain.fr
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x17
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x11
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x12
> -- add_principal_keytab: Adding principal to keytab: host/OPHTCYSRV1V4-K
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x17
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x11
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x12
> -- update_keytab: Entries for SPN HTTP/ophtcysrv1v4.myaddomain.fr have already been added. Skipping ...
> -- add_principal_keytab: Adding principal to keytab: host/mydnshostname.fr
> -- add_principal_keytab: Removing entries with kvno < 0
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x17
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x11
> -- add_principal_keytab: Using salt of myaddomain.frhostophtcysrv1v4-k.myaddomain.fr
> -- add_principal_keytab: Adding entry of enctype 0x12
> -- wait_for_new_kvno: Checking new kvno via ldap
> -- ldap_get_kvno: KVNO is 1
> Waiting for account replication (0 seconds past)
> -- ldap_get_kvno: KVNO is 2
> -- ~KRB5Context: Destroying Kerberos Context
>
> Is it good for you ?
>
> regards
> olivier
>
> 2015-05-03 13:25 GMT+02:00 Markus Moeller <hua...@moeller.plus.com>:
>
>> Did you compile msktutil or is it a package in centos ?
>>
>> Markus
>>
>> "Olivier CALVANO" <o.calv...@gmail.com> wrote in message
>> news:cajajpecqd+_1krufwa9eac4iyakapzblyg-9vuueklgwuec...@mail.gmail.com...
>>
>> Hi
>>
>> Thanks for your answer
>>
>> CentOS Linux release 7.1.1503 (Core)
>>
>> krb5-workstation-1.12.2-14.el7.x86_64
>> krb5-libs-1.12.2-14.el7.x86_64
>>
>> regards
>> olivier
>>
>> 2015-05-03 0:25 GMT+02:00 Markus Moeller <hua...@moeller.plus.com>:
>>
>>> Which OS and Kerberos version do you have ? There might be some issue with the cache used KEYRING:persistent:0:0
>>>
>>> Markus
>>>
>>> "Olivier CALVANO" <o.calv...@gmail.com> wrote in message
>>> news:CAJajPefo3t8b1=_v5pfj3h0gq4jk3oosutw8gnhy7z-gs21...@mail.gmail.com...
>>>
>>> Hi
>>>
>>> I request your help because I want to use NTLM/Kerberos to authenticate my users.
>>>
>>> For NTLM, I use Winbind, no problems:
>>>
>>> [root@gw]# wbinfo -t
>>> checking the trust secret for domain MYADDOMAIN via RPC calls succeeded
>>>
>>> but for Kerberos, I can't create the .keytab
>>>
>>> [root@gw]# kinit MYUSERNAME
>>> Password for myusern...@myaddomain.fr:
>>>
>>> [root@gw]# klist
>>> Ticket cache: KEYRING:persistent:0:0
>>> Default principal: myusern...@myaddomain.fr
>>>
>>> Valid starting       Expires              Service principal
>>> 02/05/2015 04:51:25  02/05/2015 14:51:25  krbtgt/myaddomain...@myaddomain.fr
>>>         renew until 09/05/2015 04:51:07
>>>
>>> MYUSERNAME is the same account with which I joined the domain (net join) with winbind
>>>
>>> after, I put:
>>>
>>> msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
>>>
>>> and I have an error:
>>>
>>> [root@gw etc]# msktutil -c -b "CN=COMPUTERS" -s HTTP/gw.srv1-v4.tcy.myinternetdomain.org -k /etc/squid/PROXY.keytab --computer-name OPHTCYSRV1V4-K --upn HTTP/gw.srv1-v4.tcy.myinternetdomain.org --server adserver1 --verbose
>>> -- init_password: Wiping the computer password structure
>>> -- generate_new_password: Generating a new, random password for the computer account
>>> -- generate_new_password: Characters read from /dev/urandom = 84
>>> -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-jnxTuG
>>> -- reload: Reloading Kerberos Context
>>> -- finalize_exec: SAM Account Name is: OPHTCYSRV1V4-K$
>>> -- try_machine_keytab_princ: Trying to authenticate for OPHTCYSRV1V4-K$ from local keytab...
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>> -- try_machine_keytab_princ: Authentication with keytab failed
>>> -- try_machine_keytab_princ: Trying to authenticate for host/gw.srv1-v4.tcy.myinternetdomain.org from local keytab...
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>> -- try_machine_keytab_princ: Authentication with keytab failed
>>> -- try_machine_password: Trying to authenticate for OPHTCYSRV1V4-K$ with password.
>>> -- create_default_machine_password: Default machine password for OPHTCYSRV1V4-K$ is ophtcysrv1v4-k
>>> -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
>>> -- try_machine_password: Authentication with password failed
>>> -- try_user_creds: Checking if default ticket cache has tickets...
>>> -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
>>> -- try_user_creds: User ticket cache was not valid.
>>> Error: could not find any credentials to authenticate with. Neither keytab, default machine password, nor calling user's tickets worked. Try "kinit"ing yourself some tickets with permission to create computer objects, or pre-creating the computer object in AD and selecting 'reset account'.
>>> -- ~KRB5Context: Destroying Kerberos Context
>>>
>>> same error if I change gw.srv1-v4.tcy.myinternetdomain.org to ophtcysrv1v4.myaddomain.fr
>>>
>>> does anyone know the origin of this error ?
>>>
>>> thanks
>>> Olivier
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
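The thread ends once msktutil reports KVNO 2 and the keytab entries are written, but nobody in it verifies the resulting file. The script below is an added example, not code from the thread, from msktutil or from Squid: it takes a "klist -kte" listing of the keytab and checks the things a practitioner would want before pointing Squid's negotiate helper at it. The SPN, the upper-case realm MYADDOMAIN.FR, the keytab path and the listing itself are constructed to mirror the thread's successful run (kvno 2; enctypes 0x17 arcfour-hmac, 0x11 aes128 and 0x12 aes256 for each principal); on a real host, feed in the output of `klist -kte /etc/squid/PROXY.keytab` instead.

```shell
#!/bin/sh
# Added example (not from the thread, msktutil or Squid): post-creation checks
# for the Squid HTTP/ keytab. SPN, realm, path and the listing are constructed
# to match the thread; replace SAMPLE_KLIST with real "klist -kte" output.
set -eu

SPN='HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR'   # assumed realm spelling
KEYTAB='/etc/squid/PROXY.keytab'

# Constructed listing in MIT "klist -kte" format, shaped like the thread's run.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/04/2015 10:21:03 OPHTCYSRV1V4-K$@MYADDOMAIN.FR (arcfour-hmac)
   2 05/04/2015 10:21:03 OPHTCYSRV1V4-K$@MYADDOMAIN.FR (aes128-cts-hmac-sha1-96)
   2 05/04/2015 10:21:03 OPHTCYSRV1V4-K$@MYADDOMAIN.FR (aes256-cts-hmac-sha1-96)
   2 05/04/2015 10:21:03 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (arcfour-hmac)
   2 05/04/2015 10:21:03 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (aes128-cts-hmac-sha1-96)
   2 05/04/2015 10:21:03 HTTP/ophtcysrv1v4.myaddomain.fr@MYADDOMAIN.FR (aes256-cts-hmac-sha1-96)
   2 05/04/2015 10:21:03 host/mydnshostname.fr@MYADDOMAIN.FR (arcfour-hmac)
   2 05/04/2015 10:21:03 host/mydnshostname.fr@MYADDOMAIN.FR (aes128-cts-hmac-sha1-96)
   2 05/04/2015 10:21:03 host/mydnshostname.fr@MYADDOMAIN.FR (aes256-cts-hmac-sha1-96)'

# Decode the AD msDS-supportedEncryptionTypes bitmask (28 in the thread):
# 0x1 des-cbc-crc, 0x2 des-cbc-md5, 0x4 rc4-hmac, 0x8 aes128, 0x10 aes256.
decode_enctypes() {
    mask=$1; names=''
    [ $((mask & 1)) -ne 0 ] && names="$names des-cbc-crc"
    [ $((mask & 2)) -ne 0 ] && names="$names des-cbc-md5"
    [ $((mask & 4)) -ne 0 ] && names="$names rc4-hmac"
    [ $((mask & 8)) -ne 0 ] && names="$names aes128-cts-hmac-sha1-96"
    [ $((mask & 16)) -ne 0 ] && names="$names aes256-cts-hmac-sha1-96"
    printf '%s\n' "${names# }"
}

# Number of keytab entries for one principal (exact match, realm included).
entry_count() {
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p { n++ } END { print n+0 }'
}

# Number of distinct kvnos for a principal: more than one means keys from an
# earlier msktutil run are still present, zero means the SPN is missing.
kvno_count() {
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p { k[$1] = 1 } END { n = 0; for (x in k) n++; print n }'
}

# RC4 (enctype 0x17, listed as arcfour-hmac) or DES entries in the listing:
# msktutil writes them because the account still advertises RC4 (bit 0x4).
weak_entry_count() {
    printf '%s\n' "$1" | awk '$5 ~ /arcfour|rc4|des-cbc/ { n++ } END { print n+0 }'
}

# The negotiate helper needs the HTTP/ SPN with exactly one kvno and at least
# one AES key, so AES service tickets presented by Windows clients decrypt.
spn_ok() {
    [ "$(kvno_count "$1" "$2")" -eq 1 ] || return 1
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p && $5 ~ /aes/ { n++ } END { exit (n > 0) ? 0 : 1 }'
}

# The keytab is equivalent to the computer account password: only its owner
# (the user the Squid helper runs as) may read it.
keytab_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -r[w-]-------) return 0 ;;
        *)             return 1 ;;
    esac
}

main() {
    echo "supportedEncryptionTypes 28 = $(decode_enctypes 28)"
    echo "entries for $SPN: $(entry_count "$SPN" "$SAMPLE_KLIST")"
    if spn_ok "$SPN" "$SAMPLE_KLIST"; then echo "SPN usable"; else echo "SPN NOT usable"; fi
    echo "weak (RC4/DES) entries: $(weak_entry_count "$SAMPLE_KLIST")"
    [ -e "$KEYTAB" ] && { keytab_mode_ok "$KEYTAB" || echo "WARNING: $KEYTAB is group/world readable"; }
    return 0
}

main
```

After the checks pass, confirm end to end with `kinit -kt /etc/squid/PROXY.keytab HTTP/ophtcysrv1v4.myaddomain.fr` as the Squid user, which fails with a kvno or enctype mismatch if the KDC has not yet replicated the new password (the thread's log shows KVNO moving from 1 to 2 only after "Waiting for account replication"). The account value 28 in the thread includes RC4, which is why msktutil also wrote arcfour-hmac keys; where every domain controller and client supports AES, setting the account to 24 (aes128 plus aes256 only) on a later msktutil run with `--enctypes 24` drops those keys, but that is a change to the AD object and must match what the domain actually supports.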