Victor Sudakov wrote:
> > I am setting up new AD-integrated squid server, so I thought I might as
> > well upgrade kerberos crypto on keytabs.
> >
> > It seems that, at least on FreeBSD 10.2-RELEASE-p13, squid-3.5.15
> > compiled with GSSAPI_BASE (kerberos from base system) can't
> > authenticate users via kerberos using AES256 keytabs.
> >
> > Testing with kinit works, but squid auth does not. I am getting these
> > in cache.log:
> > BH gss_accept_sec_context() failed: Miscellaneous failure (see text).
> > unknown mech-code 0 for mech unknown
>
> What encryption type is the ticket (for the HTTP/proxy@YOUR.REALM) the
> Windows KDC gives you? You can figure this out from klist.exe or
> kerbtray.exe.
>
> In my case, the Windows KDC never issues an AES256 ticket for some
> reason, even if the squid service principal has one in the AD.

I mean, though the squid service principal in the AD has lots of enctypes, which is evident from the keytab exported with "ktpass -princ HTTP/proxy.domain.example@DOMAIN.EXAMPLE":

/usr/local/etc/squid/2/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy2.XXXXXXX@YYYYYYYY
  1  des-cbc-md5              HTTP/proxy2.XXXXXXX@YYYYYYYY
  1  arcfour-hmac-md5         HTTP/proxy2.XXXXXXX@YYYYYYYY
  1  aes256-cts-hmac-sha1-96  HTTP/proxy2.XXXXXXX@YYYYYYYY
  1  aes128-cts-hmac-sha1-96  HTTP/proxy2.XXXXXXX@YYYYYYYY
  3  arcfour-hmac-md5         HTTP/proxy2.XXXXXXX@YYYYYYYY

the ticket received from the domain controller always has the only "RSADSI RC4-HMAC(NT)" enctype. I don't really know the reason for that. I might as well delete all other enctypes from the squid keytab without any ill effect.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
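As an added example (not code from the thread, from Squid, or from Heimdal), the check below does what the message does by hand: it parses a ktutil-style keytab listing like the one above together with the ticket encryption type name that Windows klist prints, then reports whether the keytab actually holds a key for the enctype the KDC issues, which entries use deprecated enctypes (DES and RC4), and whether there are several kvnos for the same enctype (left behind by repeated ktpass runs). The keytab listing, principal name and realm in it are constructed for the example; the mapping between Windows and MIT/Heimdal enctype names is the standard one.

```python
"""Compare a service keytab with the enctype a Windows KDC actually issues.

Added example, not part of the squid-users thread. The sample listing below is
constructed to mirror the one in the thread (principal and realm are invented).
"""
import re

# Windows klist "KerbTicket Encryption Type" names -> MIT/Heimdal keytab names.
WINDOWS_TO_KEYTAB = {
    "RSADSI RC4-HMAC(NT)": "arcfour-hmac-md5",
    "AES-256-CTS-HMAC-SHA1-96": "aes256-cts-hmac-sha1-96",
    "AES-128-CTS-HMAC-SHA1-96": "aes128-cts-hmac-sha1-96",
    "DES-CBC-CRC": "des-cbc-crc",
    "DES-CBC-MD5": "des-cbc-md5",
}

# Enctypes that should not remain in a service keytab once nothing uses them
# (DES deprecated by RFC 6649, RC4 by RFC 8429).
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5", "arcfour-hmac-md5-56"}

# One keytab entry per line: kvno, enctype, principal (the ktutil list layout).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")

# Constructed sample in the same layout as the listing in the thread.
SAMPLE_LISTING = """\
/usr/local/etc/squid/2/squid.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy2.example.test@EXAMPLE.TEST
  1  des-cbc-md5              HTTP/proxy2.example.test@EXAMPLE.TEST
  1  arcfour-hmac-md5         HTTP/proxy2.example.test@EXAMPLE.TEST
  1  aes256-cts-hmac-sha1-96  HTTP/proxy2.example.test@EXAMPLE.TEST
  1  aes128-cts-hmac-sha1-96  HTTP/proxy2.example.test@EXAMPLE.TEST
  3  arcfour-hmac-md5         HTTP/proxy2.example.test@EXAMPLE.TEST
"""
SAMPLE_PRINCIPAL = "HTTP/proxy2.example.test@EXAMPLE.TEST"


def parse_keytab_listing(text):
    """Return (kvno, enctype, principal) tuples; header and path lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # the "Vno Type Principal" header does not start with a number
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return entries


def check_keytab(listing, ticket_enctype_windows, service_principal):
    """Build a report comparing the keytab with the enctype the KDC issued."""
    entries = [e for e in parse_keytab_listing(listing) if e[2] == service_principal]
    wanted = WINDOWS_TO_KEYTAB.get(ticket_enctype_windows)
    return {
        "ticket_enctype": wanted,
        "ticket_key_present": any(enc == wanted for _, enc, _ in entries),
        "kvnos_for_ticket_enctype": sorted({k for k, enc, _ in entries if enc == wanted}),
        "deprecated_entries": sorted({enc for _, enc, _ in entries if enc in DEPRECATED}),
        "aes_available": any(enc.startswith("aes") for _, enc, _ in entries),
    }


def findings(report):
    """Human-readable findings from a check_keytab() report."""
    out = []
    if report["ticket_enctype"] is None:
        out.append("unrecognised ticket enctype name; cannot compare with the keytab")
    elif not report["ticket_key_present"]:
        out.append("keytab holds no key for the enctype the KDC issues; "
                   "gss_accept_sec_context() cannot decrypt the service ticket")
    if len(report["kvnos_for_ticket_enctype"]) > 1:
        out.append("several kvnos for the ticket enctype; stale entries from an earlier "
                   "ktpass run, check that the ticket kvno matches a keytab entry")
    if report["ticket_enctype"] in DEPRECATED:
        out.append("KDC still issues a deprecated enctype; keep that key until the account "
                   "is allowed to use AES, then remove it")
    for enc in report["deprecated_entries"]:
        if enc != report["ticket_enctype"]:
            out.append(f"deprecated key {enc} is not used by issued tickets and can be removed")
    return out


if __name__ == "__main__":
    rep = check_keytab(SAMPLE_LISTING, "RSADSI RC4-HMAC(NT)", SAMPLE_PRINCIPAL)
    print(rep)
    for line in findings(rep):
        print("-", line)
```

Run against the sample, the report shows that the RC4 key is present (so authentication works), that kvno 1 and kvno 3 both exist for RC4, and that the two DES entries are dead weight. The check only tells you which keytab entries matter; why the KDC prefers RC4 for the service account is a question for the account's enctype settings on the AD side, not for the keytab.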