Kerberos with a Squid server and Active Directory

Time: 2014-12-18 05:44:20

Tags: active-directory kerberos squid

I already have Active Directory and a Squid proxy (v2.7) running successfully on the network. I want to give users in different departments uniform access rights, so I want to use Kerberos with Squid so that Squid knows which permissions it should grant a user based on the AD group that user is assigned to.

While setting up Kerberos on the Squid proxy server (a VM), I ran into an error when I tried to run msktutil. See below.

Can someone explain to me what the problem is, and how I should start troubleshooting? I researched this on Google but only got vague answers.

root@debian:~# msktutil -c -b "CN-COMPUTERS" -s HTTP/debian.internal.local -k /etc/squid/PROXY.keytab --computer-name SQUIDPROXY --upn HTTP/debian.internal.local --server internal.servers.com.com --verbose
 -- init_password: Wiping the computer password structure
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-oyfv6j
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: SQUIDPROXY$
 -- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/debian.internal from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for SQUIDPROXY$ with password.
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 4
 -- ldap_connect: Connecting to LDAP server: internal.servers.com.com try_tls=YES
 -- ldap_connect: Connecting to LDAP server: internal.servers.com.com try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
 -- ~KRB5Context: Destroying Kerberos Context

Also, this may give you some more information.

root@debian:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@INTERNAL.SERVERS.COM.COM

Valid starting    Expires           Service principal
18/12/2014 00:23  18/12/2014 10:23  krbtgt/INTERNAL.SERVERS.COM.COM@INTERNAL.SERVERS.COM.COM
        renew until 19/12/2014 00:23

1 answer:

Answer 0 (score: 0)

After a long time researching, I found that this error has 2 points of failure.

  1. In the hosts file the realm was specified, but Kerberos would not resolve it. Adding another value for the realm (dc1.myexchange.com) (myexchange.com) seemed to enable the connection between AD and the Squid server (where Kerberos runs).

  2. Assumption. Because I was able to kinit, I assumed AD could see the queries coming from the Squid server. So I didn't check the DNS between the two servers.
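A pre-flight check in the spirit of this answer, added here as an example and not part of the original answer or of msktutil: it derives the realm from klist output and verifies that the realm name, the msktutil --server target and the proxy's SPN host all resolve through a hosts file before msktutil is run. The hosts and klist content are constructed sample data, and dc1.internal.servers.com.com is an assumed KDC name modeled on the answer's dc1 entry.

```shell
#!/bin/sh
# Added example, not code from the original post or from msktutil.
# The question's msktutil run had a valid user ticket (klist showed it) yet the
# GSSAPI LDAP bind failed with "Local error"; the answer traced it to the realm
# name not being resolvable from the Squid host. This script derives the realm
# from klist output and checks that the realm, the --server target and the
# proxy's own SPN host resolve via a hosts file. Both inputs are constructed.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@INTERNAL.SERVERS.COM.COM'

# KDC and proxy are present; the bare realm name is missing, which is the gap
# the answer closed by adding a second hosts entry for the realm.
SAMPLE_HOSTS='127.0.0.1   localhost
10.0.0.5    dc1.internal.servers.com.com dc1    # constructed KDC address
10.0.0.20   debian.internal.local debian'

# realm_from_klist KLIST_TEXT -> the realm after '@' in the default principal
realm_from_klist() {
    printf '%s\n' "$1" | awk -F'@' '/^Default principal:/ { print $2; exit }'
}

# hosts_has HOSTS_TEXT NAME -> 0 if NAME is a hostname or alias in HOSTS_TEXT.
# Comments are stripped and the match is case-insensitive, as DNS names are.
hosts_has() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | sed 's/#.*//' | awk -v want="$want" '
        { for (i = 2; i <= NF; i++) if (tolower($i) == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# preflight HOSTS_TEXT KLIST_TEXT SERVER SPN_HOST -> prints unresolvable names;
# returns 0 only when the realm, the --server name and the SPN host all resolve.
preflight() {
    realm=$(realm_from_klist "$2")
    rc=0
    for name in "$realm" "$3" "$4"; do
        hosts_has "$1" "$name" || { printf 'unresolvable: %s\n' "$name"; rc=1; }
    done
    return $rc
}

# SPN host taken from the question's msktutil command; KDC name is constructed.
preflight "$SAMPLE_HOSTS" "$SAMPLE_KLIST" dc1.internal.servers.com.com debian.internal.local \
    || echo "Add the missing name(s) to /etc/hosts or DNS before rerunning msktutil."
```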