Marko Cupa?? wrote: > > I am setting up new AD-integrated squid server, so I thought I might as > well upgrade kerberos crypto on keytabs. > > It seems that, at least on FreeBSD 10.2-RELEASE-p13, squid-3.5.15 > compiled with GSSAPI_BASE (kerberos from base system) can't > authenticate users via kerberos using AES256 keytabs. > > Testing with kinit works, but squid auth does not. I am getting these > in cache.log: > BH gss_accept_sec_context() failed: Miscellaneous failure (see text). > unknown mech-code 0 for mech unknown What encryption type is the ticket (for the HTTP/proxy@YOUR.REALM) the Windows KDC gives you? You can figure this out from klist.exe or kerbtray.exe. In my case, the Windows KDC never issues an AES256 ticket for some reason, even if the squid service principal has one in the AD. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov@xxxxxxxxxxxxxxxx _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
