Re: [squid-users] squid_kerb_auth.... Key Version number?

From: Mrvka Andreas <mrv_at_tuv.at>
Date: Tue, 22 Sep 2009 10:22:00 +0200

Hi again,

Now I have created the HTTP.keytab file on the Win2k8 server, and the tools
"klist -ke" and kvno actually say the key versions are VALID.

But squid is of the opinion that they differ.

# klist -ke
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/fqdn_at_DOMAIN (DES cbc mode with CRC-32)
   5 HTTP/fqdn_at_DOMAIN (DES cbc mode with RSA-MD5)
   5 HTTP/fqdn_at_DOMAIN (ArcFour with HMAC/md5)
   5 HTTP/fqdn_at_DOMAIN (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/fqdn_at_DOMAIN (AES-128 CTS mode with 96-bit SHA-1 HMAC)

# kvno -k /etc/squid/HTTP.keytab HTTP/fqdn_at_DOMAIN
HTTP/fqdn_at_DOMAIN: kvno = 5, keytab entry valid

From where does squid get its wrong impression?

My squid.conf
auth_param negotiate program squid_kerb_auth -d -s HTTP/fqdn_at_DOMAIN

Maybe I can help someone with my detailed description of the errors. :-)

Regards
Andrew

On Tuesday, 22 September 2009 08:48:28, Mrvka Andreas wrote:
> Hello,
>
> on the next day, I also get my "Key Version number"-problem on the same
> domain
>
> What is the best way to keep the versions in sync?
> I already erased the computer account and did msktutil again.
> I believe that for a short time the versions were correct (according to klist and
> kvno), but during tests with squid they differed!?
>
> I only use one KDC Win2k8 (configured in krb5.conf).
>
> Does anybody have a clue?
>
> Thanks
> Andrew
>
> On Tuesday, 22 September 2009 00:33:13, Mrvka Andreas wrote:
> > Hi list,
> >
> > does anybody know what to do against different key version numbers using
> > squid_kerb_auth?
> >
> > I created HTTP.keytab with msktutil and it works great.
> > In fact, in the domain where squid lives, the Internet Explorers have no
> > problem using squid_kerb_auth.
> >
> > On other domains I get
> > "Unspecified GSS failure. Minor code may provide more information. Key
> > version number for principal in key table is incorrect"
> >
> > Via "klist -ke" and "kvno HTTP/fqdn" I am able to compare these keys,
> > and they differ.
> >
> > "kinit -R" doesn't work...: "KDC can't fulfill requested option while
> > renewing credentials"
> >
> > Can anybody shed some light on this?
> >
> > Thank you very much.
> > Andrew
>
Received on Tue Sep 22 2009 - 08:22:10 MDT
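A small checker for the situation described in this thread, added here as an example (it is not part of the original mail or of squid/msktutil): it parses "klist -ke" output and "kvno" output and reports every principal whose keytab holds no entry matching the KVNO the KDC currently reports, which is exactly the condition behind "Key version number for principal in key table is incorrect". The sample outputs, principal names and realm below are constructed, with a plain "@" where the archive shows "_at_".

```python
import re

# Constructed sample of `klist -ke` output (modelled on the thread, not real data).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/proxy.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   5 HTTP/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   5 HTTP/proxy.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 host/proxy.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

# Constructed sample of `kvno <principal>` output asked from the KDC: the HTTP
# principal was re-keyed (kvno 6) after the keytab was written (kvno 5).
KVNO_OUTPUT = """\
HTTP/proxy.example.com@EXAMPLE.COM: kvno = 6
host/proxy.example.com@EXAMPLE.COM: kvno = 3
"""

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")   # "   5 princ (enctype)"
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)")                 # "princ: kvno = 6[, ...]"


def parse_klist(text):
    """Map principal -> set of KVNOs present in the keytab (one entry per enctype)."""
    found = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found


def parse_kvno(text):
    """Map principal -> KVNO the KDC reports (also accepts `kvno -k` keytab lines)."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_RE.match, text.splitlines()) if m}


def check_keytab(klist_text, kvno_text):
    """Return {principal: (sorted keytab KVNOs, KDC KVNO)} for every principal
    that appears in both outputs but has no keytab entry at the KDC's KVNO."""
    keytab = parse_klist(klist_text)
    kdc = parse_kvno(kvno_text)
    return {p: (sorted(v), kdc[p]) for p, v in keytab.items()
            if p in kdc and kdc[p] not in v}


if __name__ == "__main__":
    for principal, (have, want) in check_keytab(KLIST_OUTPUT, KVNO_OUTPUT).items():
        print(f"STALE: {principal} keytab has kvno {have}, KDC reports kvno {want}")
```

On a real host, feed it the captured output of "klist -ke" and of "kvno HTTP/fqdn" run with a fresh TGT from the same KDC squid talks to; an entry reported as STALE means the keytab must be regenerated (or the account re-keyed) until the two agree.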
