I am trying to set up Squid as a web proxy for my users in Active Directory. I followed the tutorial on the Squid website here. When I run the command:
msktutil -c -b "CN=Administrator" -s HTTP/proxy.example.com -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY-K --upn HTTP/proxy.example.com --server acdc.example.com --enctypes 28 --verbose
I get the error:
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Error: ldap_connect failed
The file /etc/squid3/PROXY.tab is also not populated. I searched the Internet but could not find anything about this problem.
Here is my configuration file:
/etc/krb5.conf
[logging]
 default = FILE
 kdc = FILE
 admin_server = FILE

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_kdc = no
 dns_lookup_realm = no
 ticket_lifetime = 24h
 default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2008 with AES
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
 DOMAIN.COM = {
  default_domain = domain.com
  kdc = acdc.domain.com
  kdc = acdc2.domain.com
  admin_server = acdc.domain.com
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
Here is the error output:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/urandom = 84
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-RoP6Kh
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: SQUIDPROXY-K$
-- try_machine_keytab_princ: Trying to authenticate for SQUIDPROXY-K$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unsupported key table format version number)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_keytab_princ: Trying to authenticate for host/routerdr from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos database)
-- try_machine_keytab_princ: Authentication with keytab failed
-- try_machine_password: Trying to authenticate for SQUIDPROXY-K$ with password.
-- create_default_machine_password: Default machine password for SQUIDPROXY-K$ is squidproxy-k
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_password: Authentication with password failed
-- try_user_creds: Checking if default ticket cache has tickets...
-- finalize_exec: Authenticated using method 4
-- ldap_connect: Connecting to LDAP server: acdc.progresscall.al try_tls=YES
-- ldap_connect: Connecting to LDAP server: acdc.progresscall.al try_tls=NO
SASL/GSSAPI authentication started
Error: ldap_sasl_interactive_bind_s failed (Local error)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
-- ~KRB5Context: Destroying Kerberos Context
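As a diagnostic for the "Server not found in Kerberos database" step in the output above, here is an added example (not from the question, msktutil or Squid) that reads an abridged copy of the krb5.conf posted in the question and reports which realm its [domain_realm] rules assign to a given LDAP server host, which is the realm of the ldap/host service ticket the GSSAPI bind asks for; the host names checked are constructed.

```python
# Added example (not from the question, msktutil or Squid): which realm this
# krb5.conf maps an LDAP server host to, i.e. the realm of the ldap/<host>
# principal the GSSAPI bind requests. Config abridged from the question.
KRB5_CONF = """[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = no
[realms]
DOMAIN.COM = {
  kdc = acdc.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
"""

def parse_krb5_conf(text):
    """{section: {key: value}} for flat keys; brace sub-blocks (realm
    definitions) are skipped and ';' / '#' comments are dropped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "{" in line:
            depth += 1
        elif "}" in line:
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def realm_for_host(conf, host):
    """[domain_realm] lookup with dns_lookup_realm = no: exact host, then
    each parent domain with a leading dot, then default_realm. mapped=False
    (a DC name [domain_realm] does not cover) commonly ends in 'Server not
    found in Kerberos database' on the SASL/GSSAPI bind."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host], True
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], True
    return conf["libdefaults"]["default_realm"], False
```

Run realm_for_host(parse_krb5_conf(open("/etc/krb5.conf").read()), "<your --server host>") against the real file; a False result means the host the bind targets is not covered by [domain_realm].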
There is another way to integrate Squid with AD – not by joining the machine to AD, but by mapping an AD user to Squid's principal name. This seems simpler – see http://docs.diladele.com/administrator_guide_4_3/active_directory/install_prerequisites_for_kerberos_authentication.html#prepare-a-user-in-example-lan-domain-to-be-used-by-squid-for-kerberosauthentication