[squid-users] Re: Kerberos authentication with MIT KDC

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 8 Dec 2010 20:39:56 -0000

Hi Rob,

  It looks like your kdc does not know about the service principal
HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
  How did you create the entry and keytab?

Markus

>"Rob Asher" <rasher_at_paragould.k12.ar.us> wrote in message
>news:4CFCF8E3.0172.0037.0_at_paragould.k12.ar.us...
>I've looked through some of the mailing list archives and can't find
>anything specific on kerberos authentication to a MIT KDC for windows
>clients. Everything I've found mentions AD. What I'd like, if possible,
>is to have single sign on capabilities between OS X server's Open
>Directory, squid 2.7stable9 on CentOS 5.5, and Windows XP clients.
>With pGina and kerberos for windows installed on the XP clients, I
>successfully get a ticket from the OD server. What I'm having
>problems with is getting firefox or IE to use the ticket for
>negotiation with the squid server. I'm guessing that I've missed setting up a
>principal correctly, copied keytab, or possibly a DNS issue but I'm
>not familiar enough with kerberos to know what's wrong. Packet captures
>for kerberos return KRB-ERROR like this after the TGS_REQ when opening a
>browser session with FF:
>
>Kerberos KRB-ERROR
> Pvno: 5
> MSG Type: KRB-ERROR (30)
> ctime: 2010-12-03 21:05:34 (UTC)
> stime: 2010-12-03 21:05:26 (UTC)
> susec: 714271
> error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Client Realm: XSERVE.PARAGOULD.PSD
> Client Name (Principal): HTTP/proxyserver.paragould.psd
> Name-type: Principal (1)
> Name: HTTP
> Name: proxyserver.paragould.psd
> Realm: XSERVE.PARAGOULD.PSD
> Server Name (Unknown): krbtgt/xserve.paragould.psd
> Name-type: Unknown (0)
> Name: krbtgt
> Name: xserve.paragould.psd
> e-text: UNKNOWN_SERVER
>
>If anyone has any ideas or what to look for, I'd appreciate any help. If
>this isn't enough information from the capture to make an educated
>guess as to where I need to look further, I have the entire sequence I
>could post as well.
>
>Thanks,
>Rob
>
>
>
>----------------
>Rob Asher
>Network Systems Technician
>Paragould School District
>870-236-7744 x169
Received on Wed Dec 08 2010 - 20:40:25 MST
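
Added example (not part of the original thread, and not Squid or MIT Kerberos code): a small Python parser for a KRB-ERROR dissection like the one quoted above. It pulls out the client and server names the KDC put in the error, the ctime/stime difference, and flags a server name that matches the realm only when case is ignored. The function names and the 300-second skew limit (MIT krb5's default `clockskew`) are assumptions of this example.

```python
import re
from datetime import datetime

# The KRB-ERROR dissection quoted in the message, with the quote markers and
# the repeated Name-type/Name sub-lines dropped.
SAMPLE = """\
Kerberos KRB-ERROR
 MSG Type: KRB-ERROR (30)
 ctime: 2010-12-03 21:05:34 (UTC)
 stime: 2010-12-03 21:05:26 (UTC)
 error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
 Client Realm: XSERVE.PARAGOULD.PSD
 Client Name (Principal): HTTP/proxyserver.paragould.psd
 Realm: XSERVE.PARAGOULD.PSD
 Server Name (Unknown): krbtgt/xserve.paragould.psd
 e-text: UNKNOWN_SERVER
"""

# Matches "label (annotation): value" and captures label and value.
FIELD = re.compile(r"^\s*([^:]+?)(?: \([^)]*\))?:\s*(.*)$")

def parse_krb_error(text):
    """Return the dissected fields as a dict keyed by lower-cased label."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:  # keep the first occurrence of each label
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields

def triage(fields, max_skew=300):
    """Summarise the error; max_skew is an assumed limit in seconds."""
    code = int(re.search(r"\((\d+)\)\s*$", fields["error_code"]).group(1))
    ts = lambda k: datetime.strptime(fields[k][:19], "%Y-%m-%d %H:%M:%S")
    skew = abs((ts("ctime") - ts("stime")).total_seconds())
    realm, server = fields["realm"], fields["server name"]
    instance = server.split("/", 1)[1] if "/" in server else ""
    return {
        "code": code,
        "client": f'{fields["client name"]}@{fields["client realm"]}',
        "server": f"{server}@{realm}",
        "skew_seconds": skew,
        "skew_ok": skew <= max_skew,
        # Realm names are case-sensitive; a name equal to the realm only
        # when case is ignored deserves a second look (heuristic).
        "case_only_mismatch": instance != realm and instance.lower() == realm.lower(),
    }

if __name__ == "__main__":
    print(triage(parse_krb_error(SAMPLE)))
```
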
