On Thu, Aug 27, 2009 at 9:28 AM, Mrvka Andreas <mrv@xxxxxx> wrote:
> Hi,
>
> On Thursday, 27 August 2009 08:40:53, Jeremy Monnet wrote:
>>
>> Would you have any clue to what the problem may be? Should I try with
>> the MIT libs instead?
>>
> I use MIT libs... FYI

Thanks for this piece of information, it helped very much (though the problem may not have been the library in itself). Now it works.

I think several pieces of information need to be added to the wiki, mostly regarding Windows configuration in fact. The squid/squid_kerb_auth/kerberos config was fine from the beginning I think (except maybe for the rights to the keytab file, but that was my mistake, and it is already written on the wiki).

First, generating the keytab file on Windows may be done with

    ktpass -out squidproxy.krb5.keytab -pass Password1 -princ HTTP/squidproxy.ad.simia.fr@xxxxxxxxxxx -mapuser host_squidproxy -ptype KRB5_NT_SRV_HST -crypto DES-CBC-MD5 +DesOnly

(I said in a previous message I already had problems with the encryption stuff on a previous project ...). I think I read somewhere that RC4-HMAC (in the klaubert tutorial [1]) could be used, but it seems it can't? Or maybe not with MIT libs, or maybe ... for some other reasons.

Second, you have to log in to the Windows client *after* having generated the keytab and transferred it to the Linux box.

And it seems that the lines from krb5.conf related to *enctypes* are useless also.

I found useful information on a thread about Apache mod_auth_kerb, using the error message from the MIT libraries, which was more useful than the one from the Heimdal library.

Some other stuff may be useful, such as "you need the support tools on Windows to have the ktpass command" or "you need the resource kit to use the kerbtray command", but that is very Windows-ish stuff, though it is very useful to have this in a single wiki page IMHO.

Thanks very much for all your help!

Jeremy

[1] http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/
[2] http://osdir.com/ml/apache.mod-auth-kerb.general/2007-01/msg00057.html