Re: Kerberos authentication with MIT KDC


Hi Rob,

It looks like your KDC does not know about the service principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
How did you create the entry and keytab?

Markus



"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message news:4CFCF8E3.0172.0037.0@xxxxxxxxxxxxxxxxxxxxxx

I've looked through some of the mailing list archives and can't find anything specific on kerberos authentication to a MIT KDC for windows clients. Everything I've found mentions AD. What I'd like, if possible, is to have single sign on capabilities between OS X server's Open Directory, squid 2.7stable9 on CentOS 5.5, and Windows XP clients. With pGina and kerberos for windows installed on the XP clients, I successfully get a ticket from the OD server. What I'm having problems with is getting firefox or IE to use the ticket for negotiation with the squid server. I'm guessing that I've missed setting up a principal correctly, copied keytab, or possibly a DNS issue but I'm not familiar enough with kerberos to know what's wrong. Packet captures for kerberos return KRB-ERROR like this after the TGS_REQ when opening a browser session with FF:

Kerberos KRB-ERROR
   Pvno: 5
   MSG Type: KRB-ERROR (30)
   ctime: 2010-12-03 21:05:34 (UTC)
   stime: 2010-12-03 21:05:26 (UTC)
   susec: 714271
   error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
   Client Realm: XSERVE.PARAGOULD.PSD
   Client Name (Principal): HTTP/proxyserver.paragould.psd
       Name-type: Principal (1)
       Name: HTTP
       Name: proxyserver.paragould.psd
   Realm: XSERVE.PARAGOULD.PSD
   Server Name (Unknown): krbtgt/xserve.paragould.psd
       Name-type: Unknown (0)
       Name: krbtgt
       Name: xserve.paragould.psd
   e-text: UNKNOWN_SERVER

If anyone has any ideas or what to look for, I'd appreciate any help. If this isn't enough information from the capture to make an educated guess as to where I need to look further, I have the entire sequence I could post as well.

Thanks,
Rob



----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
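
One way to check both halves of the question above (does the proxy's keytab hold the principal, and does the KDC know it), as an added example that is not part of the original thread. It assumes the MIT Kerberos client tools (klist, kvno); the keytab path is hypothetical, and the full principal joins the name and realm shown in the capture because the realm in the reply is redacted in the archive.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes MIT Kerberos client tools.
# PRINC joins the name and realm shown in the capture (assumption: the realm
# in the reply is redacted in the archive). KEYTAB is a hypothetical path.
PRINC='HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD'
KEYTAB='/etc/squid/HTTP.keytab'

# spn_from_host HOST REALM: build the HTTP/host@REALM form used for the
# proxy's service principal: lowercase FQDN, uppercase realm. Principal
# names are case-sensitive, so a case mismatch is a different principal.
spn_from_host() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'HTTP/%s@%s\n' "$host" "$realm"
}

# keytab_kvnos PRINCIPAL: read plain `klist -k` output on stdin and print the
# distinct key version numbers stored for PRINCIPAL (exact match).
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# live_check: run on the proxy with a valid TGT (kinit first).
live_check() {
    klist -k "$KEYTAB" | keytab_kvnos "$PRINC"  # KVNOs the proxy holds
    kvno "$PRINC"  # requests a service ticket; fails if the KDC lacks the entry
}

# Constructed sample of `klist -k` output, so the parser runs offline.
SAMPLE='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   2 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   1 host/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf '%s\n' "$SAMPLE" | keytab_kvnos "$PRINC"
fi
```

With `--live`, an empty first result means the keytab lacks the principal, and a kvno failure means the KDC could not issue a ticket for it; if both succeed, the KVNO printed by kvno should be among those listed from the keytab.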