Markus,

I do get a password prompt although I don't remember setting a password for it.

xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx:
Kerberos Login Failed: Password incorrect

In Open Directory, I just added a new machine (what I assumed was a host principal) named proxyserver but adding a machine via OD's workgroup manager doesn't ask for a password that I can remember. I didn't add an actual user named proxyserver because that didn't make sense to me for a host.

Thanks,
Rob

----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169

>>> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 5:44 PM >>>
Hi Rob,

What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc server? Do you get a password prompt?

Markus

>"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
>news:4CFFADF6.0172.0037.0@xxxxxxxxxxxxxxxxxxxxxx
>Hi Markus,
>
>I created the service principal with kadmin on the apple server. The
>actual command was kadmin.local -q "add_principal
>HTTP/proxyserver.paragould.psd". I used kadmin also to export the keytab.
>Here's exactly what I did:
>
>xserve:~ root# kadmin.local
>Authenticating as principal root/admin@xxxxxxxxxxxxxxxxxxxx with password.
>kadmin.local: xst -k proxyserver.keytab
>HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to
>keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab
>WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added
>to keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added
>to keytab WRFILE:proxyserver.keytab.
>kadmin.local: q
>
>xserve:~ root# klist -k proxyserver.keytab
>Keytab name: WRFILE:proxyserver.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>   5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>   5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>   5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>
>xserve:~ root# kadmin.local -q "list_principals" | grep -i http
>HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>HTTP/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>http/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx
>
>That last command to list the http principals confused me and I'm not
>familiar with Kerberos at all really. Is it showing there are http service
>principals for both proxyserver.paragould.psd and xserve.paragould.psd or
>does the KDC automatically add a http service principal for itself too? In
>this case, xserve.paragould.psd is the KDC server running on OS X Server
>10.6.2 and proxyserver.paragould.psd is the squid server running on CentOS
>5.5. I copied the exported proxyserver.keytab to /etc/squid/ on the host
>proxyserver.paragould.psd and made sure the squid user had read access to
>it. Running kinit squidserver and giving its password works I think.
>klist after that shows:
>
>[root@proxyserver squid]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: squidserver@xxxxxxxxxxxxxxxxxxxx
>
>Valid starting     Expires            Service principal
>12/08/10 15:38:42  12/09/10 01:38:42
>krbtgt/XSERVE.PARAGOULD.PSD@xxxxxxxxxxxxxxxxxxxx
>renew until 12/09/10 15:38:42
>
>
>Kerberos 4 ticket cache: /tmp/tkt0
>klist: You have no tickets cached
>
>I'm sure I've missed something or messed something up but I'm at a loss as
>what it is or where to even start looking. Thanks for any help!
>
>Regards,
>Rob
>
>----------------
>Rob Asher
>Network Systems Technician
>Paragould School District
>870-236-7744 x169
>
>>>> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 2:39 PM >>>
>Hi Rob,
>
> It looks like your kdc does not know about the service principal
>HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
> How did you create the entry and keytab?
>
>Markus
>

----------
This message has been scanned for viruses and dangerous content by the Paragould School District MailScanner, and is believed to be clean.