Hi again,

now I created the HTTP.keytab file on Win2k8 server and actually the apps
"klist -ke" and kvno say the key versions are VALID,
but squid is of the opinion that they differ.

# klist -ke
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/fqdn@DOMAIN (DES cbc mode with CRC-32)
   5 HTTP/fqdn@DOMAIN (DES cbc mode with RSA-MD5)
   5 HTTP/fqdn@DOMAIN (ArcFour with HMAC/md5)
   5 HTTP/fqdn@DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/fqdn@DOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC)

# kvno -k /etc/squid/HTTP.keytab HTTP/fqdn@DOMAIN
HTTP/fqdn@DOMAIN: kvno = 5, keytab entry valid

From where does squid get its wrong impression?

My squid.conf
auth_param negotiate program squid_kerb_auth -d -s HTTP/fqdn@DOMAIN

Maybe I can support anyone by my detailed described errors. :-)

Regards
Andrew

On Tuesday, 22 September 2009 08:48:28, Mrvka Andreas wrote:
> Hello,
>
> on the next day, I also get my "Key Version number"-problem on the same
> domain
>
> What is the best way to keep the versions in sync?
> I already erased the computer account and did msktutil again.
> I believe that for a short time the versions were correct (said klist and
> kvno) but during tests with squid they differed.!?
>
> I only use one KDC Win2k8 (configured in krb5.conf).
>
> Does anybody have a clue?
>
> Thanks
> Andrew
>
> On Tuesday, 22 September 2009 00:33:13, Mrvka Andreas wrote:
> > Hi list,
> >
> > does anybody know what to do against different key version numbers using
> > squid_kerb_auth?
> >
> > I created HTTP.keytab with msktutil and it works great.
> > In fact, in the domain where squid lives, the Internet Explorers have no
> > problem using squid_kerb_auth.
> >
> > On other domains I get
> > "Unspecified GSS failure. Minor code may provide more information.
> > Key version number for principal in key table is incorrect"
> >
> > Via "klist -ke" and "kvno HTTP/fqdn" I am able to compare these keys
> > and they differ.
> >
> > "kinit -R" doesn't work...: "KDC can't fulfill requested option while
> > renewing credentials"
> >
> > Can anybody shine me a light?
> >
> > Thank you very much.
> > Andrew