Search squid archive

Re: squid_kerb_auth.... Key Version number?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi again,

now I created the HTTP.keytab file on Win2k8 server and actually
the apps "klist -ke" and kvno say the key versions are VALID.

but squid is of the opion that they differ.

# klist -ke
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
   5 HTTP/fqdn@DOMAIN (DES cbc mode with CRC-32)
   5 HTTP/fqdn@DOMAIN (DES cbc mode with RSA-MD5)
   5 HTTP/fqdn@DOMAIN (ArcFour with HMAC/md5)
   5 HTTP/fqdn@DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/fqdn@DOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC)

# kvno -k /etc/squid/HTTP.keytab HTTP/fqdn@DOMAIN
HTTP/fqdn@DOMAIN: kvno = 5, keytab entry valid


>From where does squid get his wrong impression?

My squid.conf
auth_param negotiate program squid_kerb_auth -d -s HTTP/fqdn@DOMAIN


Maybe I can support anyone by my detailed described errors. :-)


Regards
Andrew


Am Dienstag, 22. September 2009 08:48:28 schrieb Mrvka Andreas:
> Hello,
> 
> on the next day, I also get my "Key Version number"-problem on the same
>  domain
> 
> What is the best way to keep the versions in sync?
> I already erased the computer account and did msktutil again.
> I believe that for a short time the versions were correct (said klist and
> kvno) but during tests with squid they differed.!?
> 
> I only use one KDC Win2k8 (configured in krb5.conf).
> 
> Does anybody has a clue?
> 
> Thanks
> Andrew
> 
> Am Dienstag, 22. September 2009 00:33:13 schrieb Mrvka Andreas:
> > Hi list,
> >
> > does anybody know what to do againg different key version numbers using
> > squid_kerb_auth?
> >
> > I created HTTP.keytab from the msktutil and works great.
> > In fact in this domain where squid lives this internet explorers has no
> > problem using squid_kerb_auth.
> >
> > On other domains I get
> > "Unspecified GSS failure.  Minor code may provide more information. Key
> > version number for principal in key table is incorrect"
> >
> > Via "klist -ke" and "kvno HTTP/fqdn" I am able to can compare these keys
> > and they differ.
> >
> > "kinit -R" doesn't work...: "KDC can't fulfill requested option while
> > renewing credentials"
> >
> > Can anybody shine me a light?
> >
> > Thanks you very much.
> > Andrew
> 


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux