You can get key version errors when your client has cached the old key (a
key can be cached for up to 10 hours). Use, for example, kerbtray purge to
clear the client cache.
Markus
"Mike Bordignon (GMI)" <mike@xxxxxxxxx> wrote in message
news:4B68A70B.4060209@xxxxxxxxxxxx
I did try msktutil at first but it crashed in flames
(http://pastie.org/private/tjfwuprb8xdlm3hlrluwva).
I used ktpass which was already on my server (which is R2 SP2).
In any case, it's now working with RC4! I think the problem may have been
a combination of
* Taking too long to copy the key to the squid machine (is this even
possible?)
* Clock being out by a few minutes on one machine
* Restart of browser and/or Win7 required
Until I restarted my browser/machine, I kept getting this error:
2010/02/03 09:55:46| squid_kerb_auth: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Key version number for principal in key table is incorrect
-------- Original Message --------
Subject: Re: Re: Unable to get Firefox to authenticate via Kerberos
From: Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Date: 3/02/2010 11:14 a.m.
I recall that there was a problem with ktpass. Did you use the version
for SP2? Can you try what is described in the squid wiki with msktutil?
Markus
"Mike Bordignon (GMI)" <mike@xxxxxxxxx> wrote in message
news:4B688F74.1050607@xxxxxxxxxxxx
I did read that I shouldn't use DES but I wasn't able to get it going
with RC4. Each time I generate a keytab with RC4 encryption I cannot get
it going after copying to my squid box. Do I need to do anything to
Windows Server 2003 to have it generate/accept tickets with RC4
encryption?
From kerbtray it appears I already have other RC4 tickets, so I'm
confused.
This is the command line I'm using to generate the keytab:
ktpass -princ HTTP/fqdn@REALM -mapuser user@REALM -pass password -ptype KRB5_NT_SRV_HST -out squid.keytab
The errors I receive in cache.log after generating the keytab with
ktpass are as follows:
2010/02/03 09:45:49| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2010/02/03 09:45:49| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/02/03 09:45:49| squid_kerb_auth: received type 1 NTLM token
In /etc/krb5.conf I have:
permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
Any suggestions?
-------- Original Message --------
Subject: Re: Unable to get Firefox to authenticate via Kerberos
From: Markus Moeller <huaraz@xxxxxxxxxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Date: 2/02/2010 7:21 p.m.
BTW, you shouldn't use DES encryption anymore, as it is too weak and will
be disabled in future Kerberos libraries (as you have noticed in
Windows 7). Use RC4 or AES.
Markus
"Mike Bordignon (GMI)" <mike@xxxxxxxxx> wrote in message
news:4B676552.20907@xxxxxxxxxxxx
No matter - this was the problem
http://www.mcplusa.com/blog/2009/10/authentication-with-kerberos-on-windows-7-and-the-google-search-appliance/
-------- Original Message --------
Subject: Unable to get Firefox to authenticate via Kerberos
From: Mike Bordignon (GMI) <mike@xxxxxxxxx>
To: squid-users@xxxxxxxxxxxxxxx
Date: 2/02/2010 11:03 a.m.
Hello,
I've recently managed to set up squid3.0 (STABLE8, on Debian Lenny) to
authenticate requests via a Win2003 machine over Kerberos. It's working
well with IE7 (on XP), but neither IE8 nor FF3.0 (both on Windows 7)
will authenticate successfully. When I configure a squid_ldap_auth
backup it will authenticate, but when I specify only negotiate it will
fail miserably.
This is what I'm getting in cache.log:
2010/02/02 10:53:48| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).
2010/02/02 10:53:48| squid_kerb_auth: parseNegTokenInit failed with rc=101
2010/02/02 10:53:48| squid_kerb_auth: received type 1 NTLM token
This puzzles me as I've set up network.negotiate-auth.trusted-uris in
Firefox correctly (I've tried setting it to both domain.com and
proxy.domain.com). Using kerbtray I don't appear to have any tickets for
http/fqdn/realm.com. Should I have? Do I need to restart Windows?
IE8 appears to prompt for Integrated Security but when I enter my
credentials nothing happens. The same log entry above appears.
Any help much appreciated.
cheers
Mike
--
Mike Bordignon
Gareth Morgan Investments
p: +64 4 494 6076
m: +64 21 614 308
w: http://gmi.co.nz
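The "received type 1 NTLM token" lines in this thread are the quickest diagnostic the proxy gives: the base64 blob after 'YR' is what the browser actually put in its Negotiate header, and decoding it tells you whether you got a Kerberos/SPNEGO token or an NTLM fallback (which is what happens when the client has no ticket for the HTTP/ service principal). The following script is an added example, not code from the thread or from Squid: it scans squid_kerb_auth "Got 'YR ...'" lines and classifies the token. The first sample line is the one quoted in the thread (rejoined onto one line); the SPNEGO sample line, the log-line layout used by the regex, and the NTLM version-block decoding are assumptions made for this example.

```python
import base64
import re

# Shape of the squid_kerb_auth lines quoted in the thread ("Got 'YR <base64>' from squid").
LOG_RE = re.compile(r"squid_kerb_auth: Got 'YR (?P<token>[A-Za-z0-9+/=]+)'")

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # flag: 8-byte version block is present

# GSS-API mechanism OIDs a Negotiate header can carry
KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(content):
    """Turn DER OID content bytes into dotted notation."""
    if not content:
        raise ValueError("empty OID")
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def classify_raw(raw):
    """Say what kind of token the browser actually sent."""
    if raw.startswith(NTLM_SIGNATURE):
        msg_type = int.from_bytes(raw[8:12], "little")
        info = {"family": "NTLM",
                "message": NTLM_MESSAGE_TYPES.get(msg_type, f"type {msg_type}")}
        if msg_type == 1 and len(raw) >= 40:
            flags = int.from_bytes(raw[12:16], "little")
            if flags & NTLMSSP_NEGOTIATE_VERSION:
                # Version block at offset 32: major, minor, build (LE16), reserved, revision
                build = int.from_bytes(raw[34:36], "little")
                info["client_os"] = f"{raw[32]}.{raw[33]} build {build}"
        return info
    if raw and raw[0] == 0x60:       # [APPLICATION 0] InitialContextToken (RFC 2743)
        _, pos = _der_length(raw, 1)
        if pos >= len(raw) or raw[pos] != 0x06:
            raise ValueError("expected mechanism OID after application tag")
        oid_len, pos = _der_length(raw, pos + 1)
        oid = _decode_oid(raw[pos:pos + oid_len])
        return {"family": "GSS-API", "mech": KNOWN_MECHS.get(oid, oid)}
    return {"family": "unknown"}


def classify_token(token_b64):
    return classify_raw(base64.b64decode(token_b64))


def scan_log(lines):
    """Classify the token on every 'Got YR' line; other lines are ignored."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            results.append(classify_token(m.group("token")))
    return results


# First line copied from the thread (rejoined); second is a constructed SPNEGO
# token (valid outer wrapper, dummy inner bytes) for contrast.
SPNEGO_SAMPLE_TOKEN = base64.b64encode(
    bytes.fromhex("600d" "06062b0601050502" "a003020100")).decode()
SAMPLE_LOG = [
    "2010/02/02 10:53:48| squid_kerb_auth: Got 'YR TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==' from squid (length: 59).",
    f"2010/02/02 10:53:49| squid_kerb_auth: Got 'YR {SPNEGO_SAMPLE_TOKEN}' from squid (length: {len(SPNEGO_SAMPLE_TOKEN) + 3}).",
]

if __name__ == "__main__":
    for result in scan_log(SAMPLE_LOG):
        print(result)
```

Run against the thread's line, the classifier reports an NTLM NEGOTIATE message whose version block says 6.1 build 7600, i.e. a Windows 7 client that never obtained a service ticket and fell back to NTLM; a working Negotiate exchange shows up as a GSS-API token with the SPNEGO or Kerberos V5 mechanism OID instead. That distinction separates a browser/trusted-URI problem (no ticket requested) from a keytab problem (ticket presented but rejected, as in the "Key version number ... is incorrect" error later in the thread).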
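The second failure mode in the thread, "Key version number for principal in key table is incorrect", means the keytab on the squid box holds a key whose kvno no longer matches what the KDC has for that principal (typically because ktpass was re-run, which bumps the version, or because the client still has a ticket cut under the old key, as Markus notes). The script below is an added example, not code from the thread, from Squid or from MIT Kerberos: it parses the MIT v2 keytab format, lists each entry's principal, kvno and enctype, and flags entries whose kvno differs from the KDC's or that use a single-DES enctype. The sample keytab, the principal and the KDC kvno value are constructed for this example; in practice the KDC-side kvno is read from the account's msDS-KeyVersionNumber attribute in AD or with the kvno tool, and the build_keytab helper exists only to fabricate sample data.

```python
import struct

# Enctype numbers from the Kerberos registry for the names in the thread's krb5.conf
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3}  # single-DES family


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT v2 keytab.
    Only used to construct sample data here; real keytabs come from ktpass/msktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray(struct.pack(">H", len(components)))
        for s in [realm] + components:          # realm first, then each component
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">I", 1)            # name type: NT-PRINCIPAL
        body += struct.pack(">I", 1265151600)   # entry timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype name, weak flag."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        strings = []
        for _ in range(ncomp + 1):    # realm, then the name components
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        pos += 8                      # skip name type and timestamp
        kvno = data[pos]
        pos += 1
        enctype, keylen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + keylen             # the key bytes themselves are not needed
        if end - pos >= 4:            # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(strings[1:]) + "@" + strings[0],
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, f"enctype {enctype}"),
            "weak": enctype in WEAK_ENCTYPES,
        })
    return entries


def check_keytab(data, principal, kdc_kvno):
    """Compare every keytab entry for `principal` against the kvno the KDC holds."""
    matching = [e for e in parse_keytab(data) if e["principal"] == principal]
    if not matching:
        return [f"no entry for {principal}"]
    findings = []
    for e in matching:
        if e["kvno"] != kdc_kvno:
            findings.append(f"{e['enctype']}: keytab kvno {e['kvno']} != KDC kvno {kdc_kvno}")
        if e["weak"]:
            findings.append(f"{e['enctype']}: weak enctype, replace with rc4-hmac or AES")
    return findings


# Constructed sample: a current RC4 key plus a stale DES key left from an earlier ktpass run.
SAMPLE_PRINCIPAL = "HTTP/proxy.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, 3, 23, b"\x11" * 16),
    (SAMPLE_PRINCIPAL, 2, 3, b"\x22" * 8),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    for finding in check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, kdc_kvno=3):
        print("finding:", finding)
```

To use it on a real file, read the keytab bytes from disk and pass them to check_keytab together with the kvno the KDC reports; an empty findings list means the keytab matches and carries no single-DES keys. The parser intentionally never prints key material, so its output is safe to paste into a ticket.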