A wireshark capture would help to understand what is happening.
Markus
"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
news:4D0883E4.0172.0037.0@xxxxxxxxxxxxxxxxxxxxxx
Hi Markus,
I did actually follow that setting up FF. These are the actual changes I've
made to FF:
network.auth.use-sspi = false
network.negotiate-auth.gsslib = C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
network.negotiate-auth.trusted-uris = XSERVE.PARAGOULD.PSD
network.negotiate-auth.using-native-gsslib = false
I've also made sure to use the FQDN instead of the IP for the proxy server
settings, and the FF version is 3.6.12. I still get a prompt for new
credentials and it still denies me even though the credentials are valid in
Network Identity Manager.
Thanks,
Rob
----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/14/10 12:36 PM >>>
Hi Rob,
Did you follow what I described in this thread
http://thread.gmane.org/gmane.comp.web.squid.general/87060/focus=87084
regarding the FF configuration and gssapi selection?
Regards
Markus
"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
news:4D05F92B.0172.0037.0@xxxxxxxxxxxxxxxxxxxxxx
Hi Markus,
I must still have something wrong. When I open FF now, I get a prompt from
KfW for new credentials for my username even though the network identity
manager already shows I have a valid ticket from the KDC. If I supply the
correct password, I'm still denied cache access. Looking at the capture
from the client machine, I see this KRB5KDC_ERR_PREAUTH_REQUIRED after the
first AS-REQ. I can provide the full capture in pcap or plain text if it
would be helpful?
Thanks,
Rob
----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/10/10 6:09 PM >>>
That looks better. In theory it should work now.
Markus
"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
news:4D026B11020000370004E6EC@xxxxxx
Markus,
I did run change_password on the HTTP/proxyserver.paragould.psd principal to
set its password. I also removed and re-added the principal to the
krb5.keytab on the KDC then exported/added it to the proxyserver.keytab and
copied that file over to the centos box. Running kinit -kt
/etc/squid/proxyserver.keytab
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx didn't return any output
and klist -e returned this:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
12/10/10 16:20:59 12/11/10 02:20:59
krbtgt/XSERVE.PARAGOULD.PSD@xxxxxxxxxxxxxxxxxxxx
renew until 12/11/10 16:21:05, Etype (skey, tkt): AES-256 CTS mode
with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
I think that means the keys matched and it got a ticket from the KDC?
Thanks,
Rob
----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/10/10 5:16 PM >>>
Hi Rob,
It looks like no password was set or the keytab does not contain the right
key (password). Can you try to use add_principal with -randkey?
Markus
"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
news:4D025E0C020000370004E6E0@xxxxxx
Hi Markus,
I added the principal with a query instead of at the kadmin console. Here's
the command I used:
kadmin.local -q "add_principal HTTP/proxyserver.paragould.psd"
I'm just guessing here that since I didn't specify a password that it
defaulted to a random key. I tried the same kinit on the centos box and it
prompted for a password. Running kinit -kt /etc/squid/proxyserver.keytab
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx gave me a "password
incorrect" when I ran it. Here's the actual output:
[root@proxyserver ~]# kinit HTTP/proxyserver.paragould.psd
Password for HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx:
kinit(v5): Password read interrupted while getting initial credentials
[root@proxyserver ~]# kinit -kt /etc/squid/proxyserver.keytab
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
kinit(v5): Password incorrect while getting initial credentials
[root@proxyserver ~]# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Assuming that I needed to fix the principal on the KDC, I went to the KDC
and did this:
xserve:~ root# kadmin.local
Authenticating as principal root/admin@xxxxxxxxxxxxxxxxxxxx with password.
kadmin.local: cpw HTTP/proxyserver.paragould.psd
Enter password for principal "HTTP/proxyserver.paragould.psd":
Re-enter password for principal "HTTP/proxyserver.paragould.psd":
Password for "HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx" changed.
kadmin.local: ktremove HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
kadmin.local: ktadd HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 7, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 7, encryption type ArcFour with HMAC/md5 added to keytab
WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 7, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to
keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 7, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to
keytab WRFILE:/etc/krb5.keytab.
kadmin.local: xst -k proxyserver.keytab
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 8, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 8, encryption type ArcFour with HMAC/md5 added to keytab
WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 8, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to
keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx with
kvno 8, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to
keytab WRFILE:proxyserver.keytab.
kadmin.local: q
Hopefully that was a correct assumption on my part? Back on the centos box,
I tried the kinit -kt .... again and here's the output now without an error:
[root@proxyserver squid]# kinit -kt /etc/squid/proxy.keytab
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
[root@proxyserver squid]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
12/10/10 16:20:59 12/11/10 02:20:59
krbtgt/XSERVE.PARAGOULD.PSD@xxxxxxxxxxxxxxxxxxxx
renew until 12/11/10 16:21:05, Etype (skey, tkt): AES-256 CTS mode
with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
I haven't had a chance to run a capture again between the client, CentOS box or
KDC yet to check things. I should be back in the office on Monday morning
though and will check then. If you have any other things you can think of
or that you'd like me to check remotely (SSH), just let me know. Thanks for
the help.
Regards,
Rob
----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
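The kadmin session above shows why the key version number matters: ktadd and xst each generate a fresh random key and bump the kvno (5, then 7, then 8), so any keytab still holding an older kvno no longer matches the KDC, which is one way kinit -kt ends up reporting "Password incorrect". The following Python is an added example, not code from this thread: it reads an MIT v2 keytab (the WRFILE format shown above) and flags entries whose kvno differs from the KDC's current one. The realm EXAMPLE.REALM, the zeroed key bytes and the function names are constructed placeholders.

```python
import struct

ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",  # RFC 3961/3962/4757
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}  # numbers seen above

def _octets(b):  # keytab counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT v2 keytab blob."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", etype) + _octets(key) + struct.pack(">I", kvno)  # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [{principal, kvno, enctype}, ...] from an MIT v2 keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                 # negative size marks a deleted slot: skip it
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []                    # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        vno = data[pos + 8]           # skip name_type + timestamp, read 8-bit vno
        etype, klen = struct.unpack_from(">HH", data, pos + 9); pos += 13 + klen
        if end - pos >= 4:            # optional 32-bit kvno trailer overrides vno8
            vno = struct.unpack_from(">I", data, pos)[0] or vno
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": vno, "enctype": ENCTYPES.get(etype, str(etype))})
        pos = end
    return entries

def stale_entries(entries, kdc_kvno):  # entries whose kvno no longer matches the KDC
    return [e for e in entries if e["kvno"] != kdc_kvno]

# Constructed sample: the four kvno-5 entries exported earlier in the thread; the
# realm and the 16 zero key bytes are placeholders, not values from the thread.
SAMPLE = build_keytab([("HTTP/proxyserver.paragould.psd@EXAMPLE.REALM", 5, et, b"\x00" * 16)
                       for et in (16, 23, 17, 18)])
```

Compare the parsed kvno against the "Key: vno" line that kadmin's getprinc prints for the service principal; any mismatch means the keytab must be re-exported and copied to the proxy again.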
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/10/10 2:19 PM >>>
Hi Rob,
Before you used xst you must have created the principal with a command
like add_principal or ank with either a -pw or -randkey option. This would
have set the password for the principal. Can you try the same kinit on your
CentOS box (I assume you have the correct krb5.conf)?
If you get prompted can you try kinit -kt squid.keytab
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx ? It should not create
an error and a klist -e should show the default principal of
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxxx
An example:
opensuse11:~ # kinit -kt /etc/squid/squid.keytab
HTTP/opensuse11.suse.home@xxxxxxxxx
opensuse11:~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/opensuse11.suse.home@xxxxxxxxx
Valid starting Expires Service principal
12/10/10 20:16:42 12/11/10 06:16:42 krbtgt/SUSE.HOME@xxxxxxxxx
renew until 12/11/10 20:16:42, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
Markus
"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
news:4CFFF127020000370004E33C@xxxxxx
Markus,
I do get a password prompt although I don't remember setting a password for
it.
xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx:
Kerberos Login Failed:
Password incorrect
In Open Directory, I just added a new machine (what I assumed was a host
principal) named proxyserver but adding a machine via OD's workgroup manager
doesn't ask for a password that I can remember. I didn't add an actual user
named proxyserver because that didn't make sense to me for a host.
Thanks,
Rob
----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 5:44 PM >>>
Hi Rob,
What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc
server? Do you get a password prompt?
Markus
"Rob Asher" <rasher@xxxxxxxxxxxxxxxxxxx> wrote in message
news:4CFFADF6.0172.0037.0@xxxxxxxxxxxxxxxxxxxxxx
Hi Markus,
I created the service principal with kadmin on the apple server. The
actual command was kadmin.local -q "add_principal
HTTP/proxyserver.paragould.psd". I used kadmin also to export the keytab.
Here's exactly what I did:
xserve:~ root# kadmin.local
Authenticating as principal root/admin@xxxxxxxxxxxxxxxxxxxx with password.
kadmin.local: xst -k proxyserver.keytab
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to
keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab
WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added
to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added
to keytab WRFILE:proxyserver.keytab.
kadmin.local: q
xserve:~ root# klist -k proxyserver.keytab
Keytab name: WRFILE:proxyserver.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
5 HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
xserve:~ root# kadmin.local -q "list_principals" | grep -i http
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
HTTP/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx
http/xserve.paragould.psd@xxxxxxxxxxxxxxxxxxxx
That last command to list the http principals confused me and I'm not
familiar with kerberos at all really. Is it showing there are http service
principals for both proxyserver.paragould.psd and xserve.paragould.psd or
does the KDC automatically add a http service principal for itself too? In
this case, xserve.paragould.psd is the KDC server running on OS X Server
10.6.2 and proxyserver.paragould.psd is the squid server running on CentOS
5.5. I copied the exported proxyserver.keytab to /etc/squid/ on the host
proxyserver.paragould.psd and made sure the squid user had read access to
it. Running kinit squidserver and giving its password works I think.
klist after that shows:
[root@proxyserver squid]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squidserver@xxxxxxxxxxxxxxxxxxxx
Valid starting Expires Service principal
12/08/10 15:38:42 12/09/10 01:38:42
krbtgt/XSERVE.PARAGOULD.PSD@xxxxxxxxxxxxxxxxxxxx
renew until 12/09/10 15:38:42
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
I'm sure I've missed something or messed something up but I'm at a loss as
what it is or where to even start looking. Thanks for any help!
Regards,
Rob
----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> 12/08/10 2:39 PM >>>
Hi Rob,
It looks like your kdc does not know about the service principal
HTTP/proxyserver.paragould.psd@xxxxxxxxxxxxxxxxxxxx
How did you create the entry and keytab?
Markus
----------
This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.