[squid-users] squid_kerb_auth and Windows 2008

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 29 Aug 2009 15:28:02 +0100

I could finally look more into Windows 2008 and I found some unusual
behaviour. Firstly, you need hotfix 951191 and possibly

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
"KdcUseRequestedEtypesForTickets"=dword:00000001

Secondly, it looks like 2008 creates the HTTP principal out of a host
principal (see my posts on the MIT Kerberos mailing list). The workaround
I got is:

Use msktutil:

msktutil -c -b "CN=COMPUTERS" -s host/<fqdn> -h <fqdn> -k /etc/krb5.keytab --computer-name squid-host --upn host/<fqdn> --server <domain controller> --verbose --enctypes 28

Delete any AD entry for HTTP/<fqdn>.

Then use ktutil (for MIT Kerberos):

ktutil: addent -key -p HTTP/<fqdn>@DOMAIN -k 2 -e aes256-cts-hmac-sha1-96
Key for HTTP/<fqdn>@DOMAIN (hex):
3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03
ktutil: wkt /etc/krb5.keytab
ktutil: quit

where the key is the same as the host key, which you can get with
klist -ekKt /etc/krb5.keytab:

klist -ekKt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (ArcFour with HMAC/md5) (0x824b609421c13ca9f6f0faf93163fe7a)
   2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC) (0x700fd54f1d4ec2cd379d239f056235b3)
   2 08/29/09 22:08:24 host/<fqdn>@DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0x3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03)

I would appreciate if someone could confirm/deny this.

Regards
Markus
Received on Sat Aug 29 2009 - 14:29:02 MDT
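The key-copying step from the post, as an added example that is not part of the original message: a POSIX sh script that pulls the host/<fqdn> key of the wanted enctype (with its kvno) out of klist -ekKt output and emits the ktutil addent/wkt/quit sequence so that the HTTP/<fqdn> entry carries exactly the same key and kvno. The klist listing, FQDN and realm below are constructed (modelled on the post's listing, keys reused from it), and the enctype label is assumed to match what the local klist prints.

```shell
#!/bin/sh
# Added example, not from the post: take the host/<fqdn> key of the wanted
# enctype out of `klist -ekKt` output and emit the ktutil command sequence
# from the post, so the HTTP/<fqdn> entry gets exactly the same key and kvno.

# Constructed sample of `klist -ekKt /etc/krb5.keytab`, modelled on the listing
# in the post (one entry per line, as klist prints it). FQDN and realm are
# placeholders; the key values are the post's own example values.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------------
   2 08/29/09 22:08:24 host/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)  (0x824b609421c13ca9f6f0faf93163fe7a)
   2 08/29/09 22:08:24 host/proxy.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)  (0x700fd54f1d4ec2cd379d239f056235b3)
   2 08/29/09 22:08:24 host/proxy.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)  (0x3fab515ac867e26a6f388707f282824ee3b50310cbbb9b625273dfe21aed5c03)'

# host_key KLIST_OUTPUT PRINCIPAL ENCTYPE_LABEL -> prints "<kvno> <hexkey>";
# fails if no entry for that principal and enctype exists.
host_key() {
    printf '%s\n' "$1" | awk -v p="$2" -v e="$3" '
        index($0, p "@") && index($0, "(" e ")") {
            key = $NF
            sub(/^\(0x/, "", key); sub(/\)$/, "", key)
            print $1, key
            found = 1
        }
        END { if (!found) exit 1 }'
}

# ktutil_script KLIST_OUTPUT FQDN REALM KEYTAB -> prints the ktutil commands
# (addent with the copied AES-256 host key, then wkt/quit) on stdout.
ktutil_script() {
    klist_out=$1 fqdn=$2 realm=$3 keytab=$4
    entry=$(host_key "$klist_out" "host/$fqdn" \
                     "AES-256 CTS mode with 96-bit SHA-1 HMAC") || return 1
    set -- $entry                     # $1 = kvno, $2 = hex key
    # aes256-cts-hmac-sha1-96 keys are 32 bytes; refuse anything else.
    [ ${#2} -eq 64 ] || { echo "unexpected key length for $2" >&2; return 1; }
    printf 'addent -key -p HTTP/%s@%s -k %s -e aes256-cts-hmac-sha1-96\n' \
        "$fqdn" "$realm" "$1"
    printf '%s\n' "$2"                # answer to the "Key ... (hex):" prompt
    printf 'wkt %s\nquit\n' "$keytab"
}

# Standalone run: show the commands that would be piped into ktutil.
ktutil_script "$SAMPLE_KLIST" proxy.example.com EXAMPLE.COM /etc/krb5.keytab
```

On a real host, replace SAMPLE_KLIST with "$(klist -ekKt /etc/krb5.keytab)" and pipe the script's output into ktutil; the kvno check matters because a mismatched kvno on the HTTP entry fails decryption just as a wrong key would.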
