
Re: Re: Re: problems squid_kerb_auth




On 05/31/2011 11:07 AM, spiderslack wrote:
On 05/30/2011 07:02 PM, Markus Moeller wrote:
That looks better, but not quite right. What does klist -ekt <squid-keytab> (for MIT) or ktutil -k <squid-keytab> list (for Heimdal) give ? Also can you do a kinit <user> and then a kvno HTTP/<squid-fqdn> ( I assume MIT here) ?
Here follows the output of the commands:

root@teste:/etc/squid3#
root@teste:/etc/squid3# klist -ekt /etc/squid3/proxy.keytab
Keytab name: WRFILE:/etc/squid3/proxy.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@xxxxxxxxxxxxxx (DES cbc mode with CRC-32)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@xxxxxxxxxxxxxx (DES cbc mode with RSA-MD5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@xxxxxxxxxxxxxx (ArcFour with HMAC/md5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@xxxxxxxxxxxxxx (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@xxxxxxxxxxxxxx (AES-128 CTS mode with 96-bit SHA-1 HMAC)
root@teste:/etc/squid3#
root@teste:/etc/squid3#
root@teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.corp@xxxxxxxxxxxxxx: kvno = 9
root@teste:/etc/squid3#

root@teste:/etc/squid3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squid@xxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/30/11 23:22:23  05/31/11 09:25:30 krbtgt/VIALACTEA.CORP@xxxxxxxxxxxxxx
    renew until 05/31/11 23:22:23
root@teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.corp@xxxxxxxxxxxxxx: kvno = 8
root@teste:/etc/squid3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squid@xxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/30/11 23:22:23  05/31/11 09:25:30 krbtgt/VIALACTEA.CORP@xxxxxxxxxxxxxx
    renew until 05/31/11 23:22:23
05/30/11 23:25:38 05/31/11 09:25:30 HTTP/proxy.vialactea.corp@xxxxxxxxxxxxxx
    renew until 05/31/11 23:22:23
root@teste:/etc/squid3#


I did not understand what KVNO is; what would it be?

I also ran the klist command on the Windows client from which I am trying to connect via Internet Explorer; see below:

C:\kerberos>klist

Current LogonId is 0:0x2fe13

Cached Tickets: (2)

#0>     Client: Administrator @ VIALACTEA.CORP
        Server: krbtgt/VIALACTEA.CORP @ VIALACTEA.CORP
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/31/2011 14:39:29 (local)
        End Time:   6/1/2011 0:39:29 (local)
        Renew Time: 6/7/2011 14:39:29 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#1>     Client: Administrator @ VIALACTEA.CORP
        Server: HTTP/proxy.vialactea.corp @ VIALACTEA.CORP
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 5/31/2011 14:44:25 (local)
        End Time:   6/1/2011 0:39:29 (local)
        Renew Time: 6/7/2011 14:39:29 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)


C:\kerberos>

Another .pcap is attached; what intrigued me was the following line of the capture.

                            APOptions: 20000000 (Mutual required)
                            .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                            ..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED

Do not use the session key?
Thanks for the help.

Att.

Attachment: squid_kerberos2.pcap
Description: application/cap
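An added example, not part of the thread: it turns the checks exchanged above into a script that parses `klist -ekt` and `kvno` output like the one quoted, flags a keytab that holds no key for the kvno the KDC currently issues (then the service cannot decrypt the client's ticket), and lists legacy enctypes; the realm and sample lines are constructed since the archive masked the real one.

```python
import re

# Constructed sample input modelled on the `klist -ekt` / `kvno` output in the thread
# (realm is a placeholder; the archive masked it).
KLIST_EKT = """Keytab name: WRFILE:/etc/squid3/proxy.keytab
KVNO Timestamp         Principal
---- ----------------- -----------------------------------------------
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@EXAMPLE.REALM (DES cbc mode with CRC-32)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@EXAMPLE.REALM (ArcFour with HMAC/md5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@EXAMPLE.REALM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""
KVNO_OUT = "HTTP/proxy.vialactea.corp@EXAMPLE.REALM: kvno = 8\n"

# keytab line: "<kvno> <date> <time> <principal> (<enctype>)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
KVNO_LINE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")
# DES is broken and RC4/ArcFour is deprecated; neither belongs in a current keytab.
LEGACY_ENCTYPES = ("des cbc", "arcfour", "rc4")


def parse_keytab_listing(text):
    """Map principal -> {kvno: set(enctypes)} from `klist -ekt` output."""
    keytab = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            keytab.setdefault(principal, {}).setdefault(kvno, set()).add(enctype)
    return keytab


def parse_kvno_output(text):
    """Map principal -> kvno the KDC currently issues, from `kvno` output."""
    return {m.group(1): int(m.group(2))
            for m in (KVNO_LINE.match(l) for l in text.splitlines()) if m}


def audit(keytab, issued):
    """Return findings: KDC kvno with no matching keytab key, plus legacy enctypes."""
    findings = []
    for principal, kvno in issued.items():
        keys = keytab.get(principal, {})
        if kvno not in keys:  # service cannot decrypt tickets cut with this kvno
            findings.append(f"kvno mismatch: KDC issues {kvno} for {principal}, "
                            f"keytab has {sorted(keys) or 'no entry'}")
    for principal, by_kvno in keytab.items():
        for kvno, enctypes in by_kvno.items():
            for e in sorted(enctypes):
                if any(w in e.lower() for w in LEGACY_ENCTYPES):
                    findings.append(f"legacy enctype: {principal} kvno {kvno}: {e}")
    return findings
```

Run it against real output with `klist -ekt /etc/squid3/proxy.keytab` and `kvno HTTP/<squid-fqdn>` captured to files; a clean keytab yields an empty findings list.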

