
I am installing Squid3 on Ubuntu 14.10 and I want to integrate it with AD DS on Windows Server 2012 using Kerberos 5. My infrastructure is as follows:

Default Gateway:

192.168.1.1

DNS & Domain Controller (Windows Server 2012):

dc.mydomain.com

address 192.168.1.250
netmask 255.255.255.0
gateway 192.168.1.1

Proxy (Ubuntu Desktop 14.10): vmproxy

address 192.168.1.251
netmask 255.255.255.0
gateway 192.168.1.1
dns-search mydomain.com
dns-nameservers 192.168.1.2

The steps are as follows.

Step 1: Check DNS lookup: it is working fine for both forward and reverse lookup.

Step 2: Configure the correct time zone on your proxy server:

$ sudo service ntp stop
$ sudo ntpdate -b dc.mydomain.com
$ sudo service ntp start

Step 3: Install the Kerberos client libraries and set the Kerberos realm name to MYDOMAIN.COM:

$ sudo apt-get install krb5-user

Step 4: Edit the Kerberos configuration file /etc/krb5.conf:

[libdefaults]
default_realm = MYDOMAIN.COM
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1

Check that the Kerberos configuration is correct:

$ kinit Administrator@mydomain.com
$ klist

Step 5: Create a specialized user in Active Directory and map this user onto the Kerberos principal name:

c:/> ktpass -princ HTTP/vmproxy.mydomain.com@MYDOMAIN.COM -mapuser squid@MYDOMAIN.COM -crypto rc4-hmac-nt -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

Step 6: Copy the keytab file to /etc/krb5.keytab on vmproxy.

My /etc/krb5.conf is as follows:

[libdefaults]
default_realm = MYDOMAIN.COM
default_tgs_enctypes = rc4-hmac des3-hmac-sha1
default_tkt_enctypes = rc4-hmac des3-hmac-sha1

[realms]
MYDOMAIN.COM = {
    kdc = dc.mydomain.com
    admin_server = dc.mydomain.com
    default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

Now when I test the TGT from dc.mydomain.com as:

$ kinit -V -k -t /etc/krb5.keytab HTTP/vmproxy.mydomain.com@MYDOMAIN.COM

it says:

Using default cache: /tmp/krb5cc_0
Using principal: HTTP/vmproxy.mydomain.com@MYDOMAIN.COM
Using Keytab: /etc/krb5.keytab
kinit:Client 'HTTP/vmproxy.mydomain.com@MYDOMAIN.COM' not found in kerberos database while getting initial credentials

While using

$ kinit -k

it says:

kinit:Cannot determine realm for host (principal host/vmproxy@)
Esa Jokinen
Vinod Patidar

1 Answer

This command:

c:/> ktpass -princ HTTP/vmproxy.mydomain.com@MYDOMAIN.COM -mapuser squid@MYDOMAIN.COM -crypto rc4-hmac-nt -pass P@ssw0rd -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

I believe sets HTTP/vmproxy.mydomain.com@MYDOMAIN.COM to be a service principal associated with the squid@MYDOMAIN.COM user in AD. Active Directory does not typically allow you to authenticate as a service principal (specifically, it does not let it acquire a TGT via an AS_REQ); in theory, service principals are supposed to be for accepting user credentials, not for authenticating to your Kerberos realm.

This is different from Unix KDCs, which typically do not distinguish between "service principals" and "user principals" by default, allowing either to authenticate via kinit. In Active Directory, instead the KDC pretends that the principal doesn't exist when you try to kinit as it, which tends to be rather confusing.

If you can successfully authenticate as any other user, I would try testing if the service principal is functional by instead running:

$ kinit some_other_user
$ kvno HTTP/vmproxy.mydomain.com@MYDOMAIN.COM

This just acquires a service ticket for HTTP/vmproxy.mydomain.com@MYDOMAIN.COM. Or, you may be able to authenticate as squid@MYDOMAIN.COM instead of the service principal you set up.

If you need to be able to kinit as HTTP/vmproxy.mydomain.com@MYDOMAIN.COM directly, I think that is possible, but you need to change the userPrincipalName attribute on the relevant AD account. I can't remember at the moment how to achieve that, but if I recall correctly, you can only have one such UPN; you can't have multiple different principal names you can kinit as for the same account.

adeason
Sorry for being late. While I run kvno HTTP/vmproxy.mydomain.com@MYDOMAIN.COM it says "server not found in kerberos database while getting initial credential for HTTP/vmproxy.mydomain.com@MYDOMAIN.COM" – Vinod Patidar May 05 '15 at 11:43
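The second error in the question (from plain `kinit -k`) has a different cause than the first, and can be reproduced offline. This is an added example, not code from the question or the answer: with no principal given, kinit builds host/<local hostname> and looks the realm up in [domain_realm]; the short hostname "vmproxy" matches nothing, and even the FQDN would yield a host/ principal that the keytab (which only holds the HTTP/ entry from step 5) does not contain. The [domain_realm] entries and the keytab contents are constructed from the values posted in the question.

```python
# Added example: why plain `kinit -k` fails on the proxy in the question.
import re

# Constructed copy of the [domain_realm] section of the asker's /etc/krb5.conf.
KRB5_CONF = """
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
"""
# Constructed: the single entry that ktpass wrote to krb5.keytab in step 5.
KEYTAB_PRINCIPALS = {"HTTP/vmproxy.mydomain.com@MYDOMAIN.COM"}

def parse_krb5_conf(text):
    """Minimal parser for flat 'key = value' sections (skips nested [realms])."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def realm_for_host(hostname, domain_realm):
    """MIT-style [domain_realm] lookup: the exact hostname first, then each
    parent domain with a leading dot. None means no mapping, which MIT turns
    into the empty referral realm (the bare '@' in the question's error)."""
    host = hostname.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None

def check_kinit_k(hostname, conf, keytab=KEYTAB_PRINCIPALS):
    """What `kinit -k` without a principal does on this host with this keytab."""
    realm = realm_for_host(hostname, conf.get("domain_realm", {}))
    princ = "host/%s@%s" % (hostname, realm or "")
    if realm is None:
        return "Cannot determine realm for host (principal %s)" % princ
    if princ not in keytab:
        return "%s is not in the keytab; pass the HTTP/ principal explicitly" % princ
    return "ok: " + princ
```

Running check_kinit_k("vmproxy", conf) reproduces the question's message, while the FQDN case shows why the explicit HTTP/ principal (as in the asker's first kinit) is the right thing to pass to -k; that first attempt then fails for the Active Directory reason the answer describes.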