
Re: Re: Kerberos authentication with MIT KDC


Hi Rob,

Before you used xst you must have created the principal with a command like add_principal or ank with either a -pw or -randkey option. This would have set the password for the principal. Can you try the same kinit on your CentOS box (I assume you have the correct krb5.conf)?

If you get prompted, can you try kinit -kt squid.keytab HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx? It should not create an error, and a klist -e should show the default principal of HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxxx.

An example:

opensuse11:~ # kinit -kt /etc/squid/squid.keytab HTTP/opensuse11.suse.home@xxxxxxxxx
opensuse11:~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/opensuse11.suse.home@xxxxxxxxx

Valid starting     Expires            Service principal
12/10/10 20:16:42  12/11/10 06:16:42  krbtgt/SUSE.HOME@xxxxxxxxx
renew until 12/11/10 20:16:42, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Markus


"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message news:4CFFF127020000370004E33C@xxxxxx
Markus,

I do get a password prompt although I don't remember setting a password for it.

xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx:
Kerberos Login Failed:
Password incorrect

In Open Directory, I just added a new machine (what I assumed was a host principal) named proxyserver, but adding a machine via OD's Workgroup Manager doesn't ask for a password that I can remember. I didn't add an actual user named proxyserver because that didn't make sense to me for a host.

Thanks,
Rob


----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169


"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 5:44 PM >>>
Hi Rob,

What happens when you type kinit HTTP/proxyserver.paragould.psd on your KDC server? Do you get a password prompt?

Markus

"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
news:4CFFADF6.0172.0037.0@xxxxxxxxxxxxxxxxxxxxxx
Hi Markus,

I created the service principal with kadmin on the apple server.  The
actual command was kadmin.local -q "add_principal
HTTP/proxyserver.paragould.psd".  I used kadmin also to export the keytab.
Here's exactly what I did:

xserve:~ root# kadmin.local
Authenticating as principal root/admin@xxxxxxxxxxxxxxxxxxxx with password.
kadmin.local:  xst -k proxyserver.keytab HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
kadmin.local:  q

xserve:~ root# klist -k proxyserver.keytab
Keytab name: WRFILE:proxyserver.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
  5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
  5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
  5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx

xserve:~ root# kadmin.local -q "list_principals" | grep -i http
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
HTTP/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx
http/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx

That last command to list the http principals confused me and I'm not familiar with Kerberos at all really. Is it showing there are http service principals for both proxyserver.paragould.psd and xserve.paragould.psd, or does the KDC automatically add an http service principal for itself too? In this case, xserve.paragould.psd is the KDC server running on OS X Server 10.6.2 and proxyserver.paragould.psd is the squid server running on CentOS 5.5. I copied the exported proxyserver.keytab to /etc/squid/ on the host proxyserver.paragould.psd and made sure the squid user had read access to it. Running kinit squidserver and giving its password works, I think. klist after that shows:

[root@proxyserver squid]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squidserver@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
12/08/10 15:38:42  12/09/10 01:38:42  krbtgt/XSERVE.PARAGOULD.PSD@xxxxxxxxxxxxxxxxxxxx
renew until 12/09/10 15:38:42


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I'm sure I've missed something or messed something up but I'm at a loss as
what it is or where to even start looking.  Thanks for any help!

Regards,
Rob




----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
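Added example (not code from this thread): a small Python parser for the MIT keytab file format that lists principal, kvno and enctype per entry, the same facts klist -k and the xst output above report, so a copied keytab can be checked offline for the expected principal and kvno before the kinit -kt test Markus suggests. The realm EXAMPLE.REALM, the enctype names and the sample keytab bytes are constructed here; the build_entry helper exists only to make that sample.

```python
import struct
ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def build_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialize one MIT keytab (format 0x0502) entry; used only to construct sample data."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))            # component count excludes the realm
    for part in [realm] + comps:                    # realm first, then the name components
        body += struct.pack(">H", len(part)) + part.encode()   # ASCII names only
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # 32-bit kvno, overrides the 8-bit field
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name), ...] for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    def take(fmt):                                  # unpack fmt at pos and advance past it
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    while pos + 4 <= len(data):
        size = take(">i")[0]
        if size < 0:                                # negative size marks a deleted slot
            pos += -size
            continue
        end, parts = pos + size, []
        for _ in range(take(">H")[0] + 1):          # realm, then each name component
            parts.append(take(">%ds" % take(">H")[0])[0].decode())
        _name_type, _timestamp, vno8 = take(">IIB")
        enctype, klen = take(">HH")
        pos += klen                                 # the key material itself is not needed here
        kvno = vno8
        if end - pos >= 4:                          # optional 32-bit kvno overrides vno8 when set
            kvno = take(">I")[0] or vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, ENCTYPES.get(enctype, str(enctype))))
        pos = end
    return entries

def check_principal(data, principal, expected_kvno):
    # Enctypes stored for principal at expected_kvno; an empty set means kinit -kt cannot succeed.
    return {e for p, k, e in parse_keytab(data) if p == principal and k == expected_kvno}

SERVICE = "HTTP/proxyserver.paragould.psd@EXAMPLE.REALM"     # constructed; realm is a placeholder
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(             # mirrors the quoted xst output: kvno 5, 4 enctypes
    build_entry(SERVICE, 5, et, bytes([et]) * 16) for et in (16, 23, 17, 18))
```

To check a real file, pass open("/etc/squid/proxyserver.keytab", "rb").read() to check_principal with the principal and kvno shown by klist -k; a kvno mismatch after the principal is re-keyed is a common reason kinit -kt fails.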



"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 2:39 PM >>>
Hi Rob,

It looks like your KDC does not know about the service principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx. How did you create the entry and keytab?

Markus