Re: [squid-users] Re: Re: Re: msktutil: Error: ldap_set_option (option=) failed (Can't contact LDAP server)

From: Tom Tux <tomtux80_at_gmail.com>
Date: Thu, 1 Jul 2010 06:34:29 +0200

Hi Markus

I tried with version 0.4. With this release, I got errors. But as I
wrote in a post before, I got a fixed version from git, and with
this it works now.

Thank you.
Regards,
Tom

2010/6/30 Markus Moeller <huaraz_at_moeller.plus.com>:
> Hi Tom,
>
> My msktutil version 0.3.16-7 worked fine on SLES11 (against Windows 2003 R2
> Active Directory).
>
> Regards
> Markus
>
>
> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
> news:AANLkTikv8UVkdZ0KYUaF_T2ybGrI9YCROl4DMf6MVv-z_at_mail.gmail.com...
> Hi Markus
>
> I took a new version of msktutil from their git-repository
> (http://repo.or.cz/w/msktutil.git).
>
> Now I was able to create a computer account in the AD with the same
> msktutil command as I used before. According to a statement from the
> msktutil developer, some bugs were fixed in the git version (which
> solved my problems).
>
> Thanks a lot for your help.
> Tom
>
>
> 2010/6/30 Markus Moeller <huaraz_at_moeller.plus.com>:
>>
>> Hi Tom,
>>
>> I have a SLES 11 system I can test tomorrow. It looks like an option is
>> not available.
>>
>> Error: ldap_set_option (option=) failed (Can't contact LDAP server)
>>
>>
>> Markus
>>
>> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
>> news:AANLkTimytN03x2ZOV8aFj4_3plnUQ9feA0iWwWddHddx_at_mail.gmail.com...
>>>
>>> Hi Markus
>>>
>>> Here is the output:
>>> ------------------ snip -----------------------
>>> proxy-test-01:/usr/local/mskutil-0.4/sbin # ./msktutil -c -s
>>> HTTP/proxy-test-01.xx.yy -h proxy-test-01 -k /etc/krb5.keytab
>>> --computer-name proxy-test-01 --upn HTTP/proxy-test-01.xx.yy --server
>>> dc1.xx.yy --verbose
>>> -- init_password: Wiping the computer password structure
>>> -- create_fake_krb5_conf: Created a fake krb5.conf file:
>>> /tmp/.msktkrb5.conf-OINkN1
>>> -- reload: Reloading Kerberos Context
>>> -- finalize_exec: SAM Account Name is: proxy-test-01$
>>> -- try_machine_keytab_princ: Trying to authenticate for
>>> proxy-test-01$ from local keytab...
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>> (Key table entry not found)
>>> -- try_machine_keytab_princ: Authentication with keytab failed
>>> -- try_machine_keytab_princ: Trying to authenticate for
>>> host/proxy-test-01.xx.yy from local keytab...
>>> -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed
>>> (Client not found in Kerberos database)
>>> -- try_machine_keytab_princ: Authentication with keytab failed
>>> -- try_machine_password: Trying to authenticate for proxy-test-01$
>>> with password.
>>> -- try_machine_password: Error: krb5_get_init_creds_keytab failed
>>> (Preauthentication failed)
>>> -- try_machine_password: Authentication with password failed
>>> -- try_user_creds: Checking if default ticket cache has tickets...
>>> -- finalize_exec: Authenticated using method 4
>>>
>>> -- ldap_connect: Connecting to LDAP server: dc1.xx.yy try_tls=YES
>>> SASL/GSSAPI authentication started
>>> SASL username: administrator_at_xx.yy
>>> SASL SSF: 0
>>> Error: ldap_set_option (option=) failed (Can't contact LDAP server)
>>> -- ~KRB5Context: Destroying Kerberos Context
>>> ------------------ snap -----------------------
>>>
>>> The computer account already exists in the AD (joined with "net ads
>>> join").
>>> ktutil gives me no principals back:
>>>
>>> proxy-test-01:/usr/local/mskutil-0.4/sbin # ktutil
>>> ktutil: rkt /etc/krb5.keytab
>>> ktutil: l
>>> slot KVNO Principal
>>> ---- ----
>>> ---------------------------------------------------------------------
>>> ktutil:
>>>
>>>
>>> Thanks a lot.
>>> Kind regards
>>> Tom
>>>
>>> 2010/6/29 Markus Moeller <huaraz_at_moeller.plus.com>:
>>>>
>>>> Can you post the whole output of msktutil with --verbose please. If
>>>> msktutil fails with TLS on port 389 it will try again without TLS.
>>>>
>>>> Regards
>>>> Markus
>>>>
>>>> "Tom Tux" <tomtux80_at_gmail.com> wrote in message
>>>> news:AANLkTil1Fhq5Ks3NX8MoSTKIC2qOACz1xpMp6wH6RpkD_at_mail.gmail.com...
>>>> This works. I'm also able to telnet with tcp 636 (ldaps).
>>>>
>>>> I'm just searching for a solution to kerberise squid without the need
>>>> of winbind/smb.
>>>>
>>>>
>>>> 2010/6/28 Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>:
>>>>>
>>>>> They seem ok.
>>>>>
>>>>> Telnet to your dc on 389?
>>>>>
>>>>>
>>>>> On 28/06/2010 14:40, "Tom Tux" <tomtux80_at_gmail.com> wrote:
>>>>>
>>>>> which ldap-libraries should be installed?
>>>>> The following devel-packages are installed (SLES11-System):
>>>>> - openldap2-devel
>>>>> - cyrus-sasl-devel
>>>>>
>>>>>
>>>>>
>>>>> 2010/6/28 Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>:
>>>>>>
>>>>>> Missing ldap libraries maybe?
>>>>>>
>>>>>>
>>>>>> On 28/06/2010 12:32, "Tom Tux" <tomtux80_at_gmail.com> wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I'm trying to generate a computer-account with msktutil:
>>>>>>
>>>>>> I got the following error:
>>>>>> ...
>>>>>> ...
>>>>>> - ldap_connect: Connecting to LDAP server: dc1.domain.com try_tls=YES
>>>>>> SASL/GSSAPI authentication started
>>>>>> SASL username: admin_at_DOMAIN.COM
>>>>>> SASL SSF: 0
>>>>>> Error: ldap_set_option (option=) failed (Can't contact LDAP server)
>>>>>> -- ~KRB5Context: Destroying Kerberos Context
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have a valid ticket (klist), initiated with adminuser_at_DOMAIN.COM.
>>>>>> Does anyone have any hints? I see that msktutil tries with TLS
>>>>>> (encrypted) on port 389 (ldap) on the domain controller. Can I use
>>>>>> native (unencrypted) LDAP?
>>>>>>
>>>>>> Thanks a lot.
>>>>>> Tom
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>
>
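As an added example (not code from this thread, from msktutil or from ktutil), here is a small reader for the MIT keytab file format that does what the `ktutil: l` step above did by hand: it lists the principals in a keytab and reports which expected service principals (the HTTP/ and host/ names from the thread) are missing, so the empty-keytab case is caught before pointing msktutil or a Negotiate helper at the file. It assumes the version-2 (0x0502) keytab layout; the realm XX.YY, the sample entry and the dummy key are constructed.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 2

def _cstr(buf):  # counted_octet_string: uint16 big-endian length + bytes
    n = struct.unpack(">H", buf[:2])[0]
    return buf[2:2 + n], buf[2 + n:]

def keytab_entries(data):
    """Return [(principal, kvno, enctype)] for every live entry in a keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size <= 0:                # negative size marks a deleted slot: skip it
            pos += -size
            continue
        ent = data[pos:pos + size]
        pos += size
        ncomp = struct.unpack(">H", ent[:2])[0]
        realm, rest = _cstr(ent[2:])
        comps = []
        for _ in range(ncomp):
            comp, rest = _cstr(rest)
            comps.append(comp.decode())
        # name_type, timestamp, 8-bit vno, enctype, key length (13 bytes total)
        _ntype, _ts, vno8, enctype, keylen = struct.unpack(">IIBHH", rest[:13])
        rest = rest[13 + keylen:]
        # a trailing uint32 kvno is present in newer files; else use the 8-bit one
        vno = struct.unpack(">I", rest[:4])[0] if len(rest) >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), vno, enctype))
    return entries

def missing_principals(data, expected):
    """Which of the expected principals are absent from the keytab."""
    present = {p for p, _, _ in keytab_entries(data)}
    return [p for p in expected if p not in present]

def build_entry(principal, vno, enctype, key, timestamp=0):
    """Encode one version-2 entry; used here only to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, timestamp, vno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one deleted slot, then only host/ with a dummy AES256 key
SAMPLE = (KEYTAB_MAGIC + struct.pack(">i", -6) + b"\0" * 6
          + build_entry("host/proxy-test-01.xx.yy@XX.YY", 2, 18, b"\0" * 32))
EXPECTED = ["HTTP/proxy-test-01.xx.yy@XX.YY", "host/proxy-test-01.xx.yy@XX.YY"]
```

Run `missing_principals(open("/etc/krb5.keytab", "rb").read(), EXPECTED)` against a real file; an empty keytab like the one in the thread reports both principals missing.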
Received on Thu Jul 01 2010 - 04:34:37 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 01 2010 - 12:00:04 MDT