Hi Markus, I created the service principal with kadmin on the apple server. The actual command was kadmin.local -q "add_principal HTTP/proxyserver.paragould.psd". I used kadmin also to export the keytab. Here's exactly what I did: xserve:~ root# kadmin.local Authenticating as principal root/admin@xxxxxxxxxxxxxxxxxxxx with password. kadmin.local: xst -k proxyserver.keytab HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:proxyserver.keytab. Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:proxyserver.keytab. Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab. Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab. kadmin.local: q xserve:~ root# klist -k proxyserver.keytab Keytab name: WRFILE:proxyserver.keytab KVNO Principal ---- -------------------------------------------------------------------------- 5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx 5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx 5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx 5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx xserve:~ root# kadmin.local -q "list_principals" | grep -i http HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx HTTP/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx http/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx That last command to list the http principals confused me and I'm not familiar with kerberos at all really. Is it showing there are http service principals for both proxyserver.paragould.psd and xserve.paragould.psd or does the KDC automatically add a http service principal for itself too? In this case, xserve.paragould.psd is the KDC server running on OS X Server 10.6.2 and proxserver.paragould.psd is the squid server running on CentOS 5.5. I copied the exported proxyserver.keytab to /etc/squid/ on the host proxyserver.paragould.psd and made sure the squid user had read access to it. Running kinit squidserver and giving it's password works I think. klist after that shows: [root@proxyserver squid]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: squidserver@xxxxxxxxxxxxxxxxxxxx Valid starting Expires Service principal 12/08/10 15:38:42 12/09/10 01:38:42 krbtgt/XSERVE.PARAGOULD.PSD@xxxxxxxxxxxxxxxxxxxx renew until 12/09/10 15:38:42 Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached I'm sure I've missed something or messed something up but I'm at a loss as what it is or where to even start looking. Thanks for any help! Regards, Rob ---------------- Rob Asher Network Systems Technician Paragould School District 870-236-7744 x169 >>> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 2:39 PM >>> Hi Rob, It looks like your kdc does not know about the service principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx How did you create the entry and keytab ? Markus >"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message >news:4CFCF8E3.0172.0037.0@xxxxxxxxxxxxxxxxxxxxxx >I've looked through some of the mailing list archives and can't find >anything specific on kerberos authentic ation to a MIT KDC for windows >clients. Everything I've found mentions AD. What I'd like, if possible, >is t o have single sign on capabilities to between OS X server's Open >Directory, squid 2.7stable9 on CentOS 5.5, a nd Windows XP clients. >With pGina and kerberos for windows installed on the XP clients, I >successfully get a ticket from the OD server. What I'm having >problems with is getting firefox or IE to use the ticket for neg >otiation with the squid server. I'm guessing that I've missed setting up a >principal correctly, copied keyta b, or possibly a DNS issue but I'm >not familiar enough with kerberos to know what's wrong. Packet captures f >or kerberos return KRB-ERROR like this after the TGS_REQ when opening a >browser session with FF: > >Kerberos KRB-ERROR > Pvno: 5 > MSG Type: KRB-ERROR (30) > ctime: 2010-12-03 21:05:34 (UTC) > stime: 2010-12-03 21:05:26 (UTC) > susec: 714271 > error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7) > Client Realm: XSERVE.PARAGOULD.PSD > Client Name (Principal): HTTP/proxyserver.paragould.psd > Name-type: Principal (1) > Name: HTTP > Name: proxyserver.paragould.psd > Realm: XSERVE.PARAGOULD.PSD > Server Name (Unknown): krbtgt/xserve.paragould.psd > Name-type: Unknown (0) > Name: krbtgt > Name: xserve.paragould.psd > e-text: UNKNOWN_SERVER > >If anyone has any ideas or what to look for, I'd appreciate any help. If >this isn't enough information from the capture to make an educated >guess as to where I need to look further, I have the entire sequence I >could post as well. > >Thanks, >Rob > > > >---------------- >Rob Asher >Network Systems Technician >Paragould School District >870-236-7744 x169 > > > >---------- > >This message has been scanned for viruses and >dangerous content by the Paragould School District >MailScanner, and is believed to be clean. > > ---------- This message has been scanned for viruses and dangerous content by the Paragould School District MailScanner, and is believed to be clean. ---------- This message has been scanned for viruses and dangerous content by the Paragould School District MailScanner, and is believed to be clean.
