Hello All.
I am using a Samba AD DC and a Linux server with Squid, and
I am trying to configure Kerberos authentication for proxy server users.
I need to add an SPN to a user and then export a keytab with it to a file.
I added the user with RSAT and added the SPN to it with samba-tool (as in
https://wiki.samba.org/index.php/Generating_Keytabs):
--------------------
root@ad41:/# samba-tool spn list proxy
proxy
User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
servicePrincipalName:
HTTP/proxy.S****.ru@DC.S****.RU
host/proxy.S****.ru@DC.S****.RU
------------------
But I cannot export exactly this SPN; in the exported file I get a different record:
------------------------
samba-tool domain exportkeytab /root/squid.keytab --principal=HTTP/proxy.S****.ru@DC.S****.RU
ERROR(runtime): uncaught exception - Key table entry not found
---------------------------
samba-tool domain exportkeytab /root/squid.keytab --principal=proxy
root@ad41:/# klist -ke /root/squid.keytab
Keytab name: FILE:/root/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 proxy@DC.S****.RU (des-cbc-crc)
   1 proxy@DC.S****.RU (des-cbc-md5)
   1 proxy@DC.S****.RU (arcfour-hmac)
This keytab doesn't have the record needed for use on the proxy server:
------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
kinit: Keytab contains no suitable keys for
HTTP/proxy.S****.ru@DC.S****.RU while getting initial credentials
----------------
Where am I wrong, or is it a "samba-tool domain exportkeytab" problem?
I found a mail saying it was fixed in April 2016, this one for example:
https://lists.samba.org/archive/samba-technical/2016-April/113598.html
From which Samba version does it work correctly?
I tried to create the keytab on the proxy server with ktutil:
-----------
[root@proxy squid]# ktutil
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-crc
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e des-cbc-md5
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: addent -password -p HTTP/proxy.S****.ru@DC.S****.RU -k 1 -e arcfour-hmac
Password for HTTP/proxy.S****.ru@DC.S****.RU:
ktutil: wkt /etc/squid/squid.keytab
------------------
[root@proxy squid]# klist -ket /etc/squid/squid.keytab
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 11/30/17 10:52:15 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-crc)
   1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (des-cbc-md5)
   1 11/30/17 10:58:23 HTTP/proxy.S****.ru@DC.S****.RU (arcfour-hmac)
------------------
[root@proxy squid]# kinit -kV -p HTTP/proxy.S****.ru@DC.S****.RU -t /etc/squid/squid.keytab
Using default cache: persistent:0:0
Using principal: HTTP/proxy.S****.ru@DC.S****.RU
Using keytab: /etc/squid/squid.keytab
kinit: Client 'HTTP/proxy.S****.ru@DC.S****.RU' not found in Kerberos
database while getting initial credentials
I cannot guess why. Does anybody who knows Kerberos well enough have an idea, please?
--
Administrator
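A small checker for the failing `kinit -k` step in the post above, added here as an example; it is not Samba, MIT Kerberos or Squid code. MIT's "Keytab contains no suitable keys for X" covers two different situations: the requested principal is not in the keytab at all (the exported file above only holds `proxy@REALM`, not the `HTTP/` SPN), or it is there but only with key types the client will not use (every entry above is DES or arcfour/RC4; MIT Kerberos refuses DES unless `allow_weak_crypto = true`, and RC4 is deprecated by RFC 8429). The script parses `klist -ket` output and tells those cases apart, matching the principal exactly as a keytab lookup does and listing same-name entries that differ only in case, which is how a wrong-case realm or hostname usually shows up. The later error from the ktutil-built keytab, "Client ... not found in Kerberos database", is a different thing: the KDC rejecting the client name in the AS-REQ, which no keytab inspection can detect. The hostnames, realm, `SAMPLE_*` texts and the `keytab_check.py` name are constructed placeholders.

```python
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass, field

# DES types are refused by MIT Kerberos unless allow_weak_crypto = true, and
# arcfour (RC4) is deprecated by RFC 8429: a keytab holding only these gives
# "no suitable keys" on a hardened client even when the principal name matches.
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")

# One entry line of klist output; the timestamp column exists only with -t.
_ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?:(?P<ts>\d{1,2}/\d{1,2}/\d{2,4}\s+\d{1,2}:\d{2}:\d{2})\s+)?"
    r"(?P<principal>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    etype: str
    timestamp: str | None = None

    @property
    def weak(self) -> bool:
        return self.etype.startswith(WEAK_PREFIXES)


@dataclass
class Report:
    principal: str
    entries: list[KeytabEntry] = field(default_factory=list)
    near_misses: list[str] = field(default_factory=list)  # same name, other case

    @property
    def usable(self) -> list[KeytabEntry]:
        return [e for e in self.entries if not e.weak]

    def verdict(self) -> str:
        if not self.entries:
            hint = f" (case-insensitive matches: {', '.join(self.near_misses)})" if self.near_misses else ""
            return f"MISSING: no entry for {self.principal}{hint}"
        if not self.usable:
            types = ", ".join(sorted({e.etype for e in self.entries}))
            return f"WEAK-ONLY: {self.principal} has only {types}; a client with allow_weak_crypto = false sees 'no suitable keys'"
        return f"OK: kvno {sorted({e.kvno for e in self.usable})} with " + ", ".join(e.etype for e in self.usable)


def parse_klist(text: str) -> list[KeytabEntry]:
    """Parse `klist -ke[t]` output; the 'Keytab name:' line and rulers are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["principal"], m["etype"], m["ts"]))
    return entries


def check_principal(entries: list[KeytabEntry], principal: str) -> Report:
    """Match exactly (case-sensitive), as a keytab lookup does; near misses are
    collected so a wrong-case realm or hostname shows up in the report."""
    report = Report(principal)
    for e in entries:
        if e.principal == principal:
            report.entries.append(e)
        elif e.principal.lower() == principal.lower() and e.principal not in report.near_misses:
            report.near_misses.append(e.principal)
    return report


def check_keytab_file(path: str, principal: str) -> Report:
    """Run the real klist on a keytab file (needs the krb5 user tools installed)."""
    out = subprocess.run(["klist", "-ket", path], capture_output=True, text=True, check=True).stdout
    return check_principal(parse_klist(out), principal)


# Constructed sample output; hostnames and realm are placeholders, not the post's.
SAMPLE_EXPORTED = """Keytab name: FILE:/root/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/30/2017 10:40:01 proxy@AD.EXAMPLE.COM (des-cbc-crc)
   1 11/30/2017 10:40:01 proxy@AD.EXAMPLE.COM (des-cbc-md5)
   1 11/30/2017 10:40:01 proxy@AD.EXAMPLE.COM (arcfour-hmac)
"""
SAMPLE_SERVICE = """Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/30/2017 11:02:17 HTTP/proxy.example.com@AD.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 11/30/2017 11:02:17 HTTP/proxy.example.com@AD.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 11/30/2017 11:02:17 HTTP/proxy.example.com@AD.EXAMPLE.COM (arcfour-hmac)
"""

if __name__ == "__main__":  # usage: keytab_check.py /etc/squid/squid.keytab HTTP/host@REALM
    print(check_keytab_file(sys.argv[1], sys.argv[2]).verdict())
```

Run against `SAMPLE_EXPORTED`, the `HTTP/` SPN comes back MISSING and `proxy@AD.EXAMPLE.COM` comes back WEAK-ONLY; only the second sample, with AES keys under the service principal, is OK. The usable list is what a `kinit -k` or a GSSAPI acceptor such as Squid's negotiate helper can actually work with on a client that keeps the default weak-crypto setting.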
On Thu, 30 Nov 2017 11:11:27 +0400 Mike Lykov via samba <samba@lists.samba.org> wrote:
> Hello All.
>
> I am using Samba AD DC and Linux server with Squid, and
> I try to configure kerberos authentication for proxy server users.
> I need to add SPN for user and then export keytab with it to file.
>
> I am add user with RSAT and add SPN for it with samba-tool (like
> https://wiki.samba.org/index.php/Generating_Keytabs):
> --------------------
> root@ad41:/# samba-tool spn list proxy
> proxy
> User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
> servicePrincipalName:
> HTTP/proxy.S****.ru@DC.S****.RU
> host/proxy.S****.ru@DC.S****.RU

I am not an expert on squid by any means, but you seem to be adding SPNs meant for a computer account to a user account, i.e. 'proxy.S****.ru' would be a FQDN.
Also, the 'S****.ru' should be 'dc.s****.ru'.

I think you are going to have to wait until Louis gets over the flu, he is the expert on squid ;-)

Rowland
30.11.2017 14:00, Rowland Penny via samba wrote:
>> I am add user with RSAT and add SPN for it with samba-tool (like
>> https://wiki.samba.org/index.php/Generating_Keytabs):
>> --------------------
>> root@ad41:/# samba-tool spn list proxy
>> proxy
>> User CN=proxy,CN=Users,DC=dc,DC=S****,DC=ru has the following
>> servicePrincipalName:
>> HTTP/proxy.S****.ru@DC.S****.RU
>> host/proxy.S****.ru@DC.S****.RU
>
> I am not an expert on squid by any means, but you seem to be adding
> SPNs meant for a computer account to a user account i.e.
> 'proxy.S****.ru' would be a FQDN.
> Also, the 'S****.ru' should 'dc.s****.ru'

Thanks for the idea. Here:

DC.S****.RU is the Kerberos realm and domain name.
proxy.s***.ru is the hostname of the proxy server with Squid; it is NOT joined to the domain.
The hostname is a FQDN, but not in the dc.s****.ru zone (there are some servers not joined to the domain that have FQDNs in the s****.ru zone, and some workstations and servers joined to the domain in the dc.s****.ru zone).
On the servers not joined to the domain, their own DNS servers are configured, not the AD DC ones.

Is there a possibility to configure Kerberos auth without joining the server to the domain and using the AD DC DNS servers?

> I think you are going to have to wait until Louis gets over the flu, he
> is the expert on squid ;-)

I saw this sad news, and best wishes to him too ;)

--
Mike