I recognized that the values in the AD computer object (attribute msDS-SupportedEncryptionTypes) have to match the client Kerberos ticket (session key) and the settings made in /etc/krb5.conf. On all three parts, the aes-256... value must be set. If not, no authentication is possible.

Is it true that the strongest key (in this case probably aes-256) always wins?

Tom

2010/12/9 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 09/12/10 19:43, Tom Tux wrote:
>>
>> Hi
>>
>> We moved our W2K3 domain controllers to W2K8 DCs. The active-directory
>> operational mode is still 2003.
>>
>> We're using Kerberos authentication against the active-directory.
>> Nightly, "msktutil --auto-update" runs on the squid-proxy. One day,
>> this updated the computer account and added the new
>> msDS-SupportedEncryptionTypes = 28.
>>
>> One morning, nobody could be authenticated against the
>> active-directory. In the cache.log, I saw the following error:
>>
>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>> Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS
>> failure. Minor code may provide more information. Encryption type not
>> permitted'
>>
>>
>> So, I added the "aes256-cts-hmac-sha1-96" encryption type in the
>> /etc/krb5.conf file. Now, everything is working fine. On the
>> computer object in the active-directory, I see a value of 28 on the
>> attribute "msDS-SupportedEncryptionTypes" (updated through msktutil).
>>
>> When I trace the Kerberos traffic between the proxy and the new
>> W2K8 domain controller, I still see the old encryption type "rc4-hmac"
>> being used.
>>
>> Why isn't the new encryption type "aes" used? Why is the
>> "old" one still used? Before I updated the krb5.conf with the "aes" part,
>> nobody was able to authenticate. And now, squid still "talks" with the
>> old one?
>
> Squid uses whatever support is available in the libraries, which may be
> version-specific from when it was built. It is likely that they and/or squid
> need to be upgraded to support that algorithm.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.9
> Beta testers wanted for 3.2.0.3
>
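The three places Tom lists (the AD attribute, the keys the service holds, and krb5.conf) can be checked against each other before the next morning's outage. The following is an added example, not code from the squid-users thread or from squid/msktutil; it decodes the msDS-SupportedEncryptionTypes bitmask (28 = RC4 + AES128 + AES256) and applies a simplified model in which the KDC issues the service ticket with the strongest enctype the account advertises. The keytab contents and krb5.conf fragments are constructed.

```python
# Added example (not from the thread): decode msDS-SupportedEncryptionTypes
# and check, in a simplified model, whether the service side can accept
# the ticket the KDC will issue for that account.
import re

# Bit layout of msDS-SupportedEncryptionTypes; 28 = 0x1C = RC4 + AES128 + AES256.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Weakest to strongest; used to pick what the KDC would issue for the account.
STRENGTH = list(ENCTYPE_BITS.values())

def decode_supported_enctypes(value):
    """Translate the attribute integer into a set of enctype names."""
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}

def permitted_enctypes(krb5_conf):
    """permitted_enctypes from [libdefaults]; empty set if the key is absent."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", krb5_conf, re.M)
    return set(m.group(1).split()) if m else set()

def check_service_ticket(ad_value, keytab_enctypes, krb5_conf):
    """Model (assumption): the KDC encrypts the service ticket with the strongest
    enctype the account advertises; the service accepts it only if it holds a
    keytab key of that type AND krb5.conf permits the type."""
    advertised = decode_supported_enctypes(ad_value)
    if not advertised:
        return None, ["attribute advertises no enctype"]
    issued = max(advertised, key=STRENGTH.index)
    problems = []
    if issued not in keytab_enctypes:
        problems.append(f"keytab has no {issued} key")
    if issued not in permitted_enctypes(krb5_conf):
        problems.append(f"{issued} not permitted in krb5.conf")
    return issued, problems

# Constructed inputs: attribute value 28 after msktutil, a keytab that
# msktutil refreshed with AES keys, and krb5.conf before/after the fix.
KEYTAB = {"rc4-hmac", "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
OLD_CONF = "[libdefaults]\n  permitted_enctypes = rc4-hmac\n"
NEW_CONF = "[libdefaults]\n  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac\n"

if __name__ == "__main__":
    for label, conf in (("before", OLD_CONF), ("after", NEW_CONF)):
        issued, problems = check_service_ticket(28, KEYTAB, conf)
        print(label, issued, problems or "ticket accepted")
```

With OLD_CONF the check reports the AES256 ticket as not permitted, matching the gss_accept_sec_context() failure above; with NEW_CONF it is accepted.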