I recall that there was a problem with ktpass. Did you use the version for
SP2? Can you try what is described in the squid wiki with msktutil?
Markus
"Mike Bordignon (GMI)" <mike@xxxxxxxxx> wrote in message
news:4B688F74.1050607@xxxxxxxxxxxx
I did read that I shouldn't use DES but I wasn't able to get it going with
RC4. Each time I generate a keytab with RC4 encryption I cannot get it going
after copying to my squid box. Do I need to do anything to Windows Server
2003 to have it generate/accept tickets with RC4 encryption? From kerbtray
it appears I already have other RC4 tickets, so I'm confused.
This is the command line I'm using to generate the keytab:
ktpass -princ HTTP/fqdn@REALM -mapuser user@REALM -pass password -ptype KRB5_NT_SRV_HST -out squid.keytab
The errors I receive in cache.log after generating the keytab with ktpass
are as follows;
2010/02/03 09:45:49| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2010/02/03 09:45:49| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/02/03 09:45:49| squid_kerb_auth: received type 1 NTLM token
In /etc/krb5.conf I have;
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Any suggestions?
-------- Original Message --------
Subject: Re: Unable to get Firefox to authenticate via Kerberos
From: Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Date: 2/02/2010 7:21 p.m.
BTW, you shouldn't use DES encryption anymore, as it is too weak and will
be disabled in future Kerberos libraries (as you have noticed in Windows
7). Use RC4 or AES.
Markus
"Mike Bordignon (GMI)" <mike@xxxxxxxxx> wrote in message
news:4B676552.20907@xxxxxxxxxxxx
No matter - this was the problem
http://www.mcplusa.com/blog/2009/10/authentication-with-kerberos-on-windows-7-and-the-google-search-appliance/
-------- Original Message --------
Subject: Unable to get Firefox to authenticate via Kerberos
From: Mike Bordignon (GMI) <mike@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Date: 2/02/2010 11:03 a.m.
Hello,
I've recently managed to set up squid3.0 (STABLE8, on Debian Lenny) to
authenticate requests via a Win2003 machine over Kerberos. It's working
well with IE7 (on XP), but neither IE8 nor FF3.0 (both on Windows 7)
will authenticate successfully. When I configure a squid_ldap_auth
backup it will authenticate, but when I specify only negotiate it will
fail miserably.
This is what I'm getting in cache.log:
2010/02/02 10:53:48| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2010/02/02 10:53:48| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/02/02 10:53:48| squid_kerb_auth: received type 1 NTLM token
This puzzles me as I've set up network.negotiate-auth.trusted-uris in
Firefox correctly (I've tried setting it to both domain.com and
proxy.domain.com). Using kerbtray I don't appear to have any tickets
for http/fqdn/realm.com. Should I have? Do I need to restart Windows?
IE8 appears to prompt for Integrated Security but when I enter my
credentials nothing happens. The same log entry above appears.
Any help much appreciated.
cheers
Mike
--
Mike Bordignon
Gareth Morgan Investments
p: +64 4 494 6076
m: +64 21 614 308
w: http://gmi.co.nz
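
Added example, not part of the original thread and not Squid's own code: a Python check that decodes the token squid_kerb_auth logs in cache.log and reports whether the client sent NTLM or a SPNEGO/Kerberos token. The function names and the second sample log line are constructed for illustration; the first sample line carries the token quoted in the thread.

```python
import base64
import re

NTLMSSP = b"NTLMSSP\x00"                        # NTLM message signature
OID_SPNEGO = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
GOT = re.compile(
    r"^(\S+ \S+)\| squid_kerb_auth: Got '[A-Z]{2} (\S+)' from squid", re.M)


def classify_token(b64):
    """Name the mechanism of a base64 Negotiate token from its leading bytes."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return "invalid base64"
    if raw.startswith(NTLMSSP) and len(raw) >= 12:
        return "NTLM type %d" % int.from_bytes(raw[8:12], "little")
    if len(raw) > 2 and raw[0] == 0x60:         # GSS-API initial context token
        # Skip the DER length: one byte, or 0x80|n followed by n length bytes.
        i = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
        if raw[i:i + 1] == b"\x06" and len(raw) > i + 1:
            oid = raw[i + 2:i + 2 + raw[i + 1]]
            if oid == OID_SPNEGO:
                return "SPNEGO NegTokenInit"
            if oid == OID_KRB5:
                return "raw Kerberos 5 GSS token"
    return "unknown"


def scan(log_text):
    """Return (timestamp, classification) for each token line in cache.log."""
    return [(ts, classify_token(tok)) for ts, tok in GOT.findall(log_text)]


# Token from the thread's log, split into 16-character pieces for readability.
TOKEN = ("TlRMTVNTUAABAAAA" "l4II4gAAAAAAAAAA" "AAAAAAAAAAAGAbAd" "AAAADw==")
# Constructed sample: only a SPNEGO GSS header, not a usable ticket.
SPNEGO_B64 = base64.b64encode(b"\x60\x08\x06\x06" + OID_SPNEGO).decode()
SAMPLE_LOG = (
    "2010/02/03 09:45:49| squid_kerb_auth: Got 'YR " + TOKEN
    + "' from squid (length: 59).\n"
    "2010/02/03 09:46:02| squid_kerb_auth: Got 'YR " + SPNEGO_B64
    + "' from squid (length: 19).\n"
)

if __name__ == "__main__":
    for ts, kind in scan(SAMPLE_LOG):
        print(ts, kind)
```

A result of "NTLM type 1" means the client never obtained a service ticket for the proxy's HTTP principal and fell back to NTLM, so the place to look is the client, the KDC and the keytab's principal and enctype rather than the helper.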