Re: Kerberos authentication problem - squid 3.4.11

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> · Tue, 10 Feb 2015 20:46:06 -0000

Hi Ludovit,

 Which Kerberos library version do you use ?    Is it possible that the 
encryption types don't match ?  I saw in your first email the following:

Your klist shows a HTTP ticket for arcfour

Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
Ticket length: 1090
Auth time:  Feb  9 14:55:18 2015
Start time: Feb  9 14:55:20 2015
End time:   Feb 10 00:55:18 2015
Ticket flags: enc-pa-rep, pre-authent
Addresses: addressless

but the keytab has aes128.

# ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:

Vno  Type                     Principal                          Aliases
 8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL

Markus

"Ludovit Koren"  wrote in message news:86d25i9plr.fsf@xxxxxxxxx...

Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> writes:

   > Hi Ludovit,
   >  I haven't seen that error before either, but when you test you sould
   > have your own user credentials in the cache.  You should use kinit
   > <user>@MDPT.LOCAL and then try again the test. is the hostname
   > correctly set to squid1.mdpt.local ? If not try

   >   /usr/local/libexec/squid/negotiate_kerberos_auth_test
   > squid1.mdpt.local | awk '{sub(/Token:/,"YR"); print $0}END{print
   > "QQ"}' | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s
   > GSS_C_NO_NAME

Hello,

still no progress...

# klist
Credentials cache: FILE:/tmp/krb5cc_0
       Principal: xkoren@MDPT.LOCAL

 Issued                Expires               Principal
Feb 10 08:41:06 2015  Feb 10 18:41:06 2015  krbtgt/MDPT.LOCAL@MDPT.LOCAL
Feb 10 08:42:17 2015  Feb 10 18:41:06 2015 
HTTP/squid1.mdpt.local@MDPT.LOCAL

# hostname
squid1.mdpt.local

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | 
awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' | 
/usr/local/libexec/squid/otiate_kerberos_auth -r -s HTTP/squid1.mdpt.local
BH gss_accept_sec_context() failed:  Miscellaneous failure (see text). 
unknown mech-code 2529639093 for mech unknown
BH quit command

# /usr/local/libexec/squid/negotiate_kerberos_auth_test squid1.mdpt.local | 
awk '{sub(/Token:/,"YR"); print $0}END{print "}' | 
/usr/local/libexec/squid/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
BH gss_accept_sec_context() failed:  Miscellaneous failure (see text). 
unknown mech-code 2529639094 for mech unknown
BH quit command

regards,

lk
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users