[squid-users] Re: Kerberos authentication with MIT KDC

From: Rob Asher <rasher@paragould.k12.ar.us>
Date: Wed, 08 Dec 2010 16:10:30 -0600

Hi Markus,

I created the service principal with kadmin on the apple server. The actual command was kadmin.local -q "add_principal HTTP/proxyserver.paragould.psd". I used kadmin also to export the keytab. Here's exactly what I did:

xserve:~ root# kadmin.local
Authenticating as principal root/admin@XSERVE.PARAGOULD.PSD with password.
kadmin.local: xst -k proxyserver.keytab HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
Entry for principal HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
kadmin.local: q

xserve:~ root# klist -k proxyserver.keytab
Keytab name: WRFILE:proxyserver.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD

xserve:~ root# kadmin.local -q "list_principals" | grep -i http
HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
HTTP/xserve.paragould.psd@XSERVE.PARAGOULD.PSD
http/xserve.paragould.psd@XSERVE.PARAGOULD.PSD

That last command to list the http principals confused me and I'm not familiar with kerberos at all really. Is it showing there are http service principals for both proxyserver.paragould.psd and xserve.paragould.psd or does the KDC automatically add a http service principal for itself too? In this case, xserve.paragould.psd is the KDC server running on OS X Server 10.6.2 and proxyserver.paragould.psd is the squid server running on CentOS 5.5. I copied the exported proxyserver.keytab to /etc/squid/ on the host proxyserver.paragould.psd and made sure the squid user had read access to it. Running kinit squidserver and giving its password works I think. klist after that shows:

[root@proxyserver squid]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squidserver@XSERVE.PARAGOULD.PSD

Valid starting     Expires            Service principal
12/08/10 15:38:42  12/09/10 01:38:42  krbtgt/XSERVE.PARAGOULD.PSD@XSERVE.PARAGOULD.PSD
        renew until 12/09/10 15:38:42

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I'm sure I've missed something or messed something up but I'm at a loss as what it is or where to even start looking. Thanks for any help!

Regards,
Rob

----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
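The keytab exported above only helps Negotiate if it carries exactly the service principal the browser will ask the KDC for, HTTP/<proxy FQDN>@<REALM>, with a kvno that still matches the KDC. The script below is an added example, not code from the thread or from Squid: it parses a `klist -k` listing (constructed here to mirror the one in the post, plus a constructed stale one) and checks both points; the function names are my own.

```shell
#!/bin/sh
# Added example: sanity checks on a `klist -k` listing for a Squid Negotiate
# setup. The proxy's keytab must hold HTTP/<proxy FQDN>@<REALM> and every
# entry should carry the same kvno; a mismatch on either point means the
# KDC and the proxy disagree about the service identity or its key version.
# SAMPLE_KLIST is constructed here, modelled on the listing in the thread.
SAMPLE_KLIST='Keytab name: WRFILE:proxyserver.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD'

# Constructed: a keytab exported before the principal's key was changed
# again on the KDC, so its entries no longer agree on the key version.
SAMPLE_STALE='Keytab name: WRFILE:proxyserver.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD'

# expected_spn <proxy fqdn> <realm>: the name a Negotiate client requests.
expected_spn() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# keytab_only_principal <klist output> <principal>: succeeds when the keytab
# has at least one entry and every entry is for <principal>.
keytab_only_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+$/ && NF == 2 { total++; if ($2 == want) hit++ }
        END { if (total > 0 && hit == total) exit 0; exit 1 }'
}

# keytab_kvno <klist output>: prints the one kvno shared by all entries,
# or "mixed" when the entries disagree.
keytab_kvno() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && NF == 2 { seen[$1] = 1 }
        END { n = 0; for (k in seen) { n++; last = k }
              if (n == 1) out = last; else out = "mixed"; print out }'
}

# Stand-alone run on the constructed listing (prints "ok 5").
keytab_only_principal "$SAMPLE_KLIST" "$(expected_spn proxyserver.paragould.psd XSERVE.PARAGOULD.PSD)" && echo "ok $(keytab_kvno "$SAMPLE_KLIST")"
```

On the real proxy, replace the constructed constant with `"$(klist -k /etc/squid/proxyserver.keytab)"` run as the squid user, which also confirms the file is readable by that account.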

>>> "Markus Moeller" <huaraz@moeller.plus.com> 12/08/10 2:39 PM >>>
Hi Rob,

  It looks like your kdc does not know about the service principal
HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
  How did you create the entry and keytab ?

Markus

>"Rob Asher" <rasher@paragould.k12.ar.us> wrote in message
>news:4CFCF8E3.0172.0037.0@paragould.k12.ar.us...
>I've looked through some of the mailing list archives and can't find
>anything specific on kerberos authentication to a MIT KDC for windows
>clients. Everything I've found mentions AD. What I'd like, if possible,
>is to have single sign on capabilities between OS X server's Open
>Directory, squid 2.7stable9 on CentOS 5.5, and Windows XP clients.
>With pGina and kerberos for windows installed on the XP clients, I
>successfully get a ticket from the OD server. What I'm having
>problems with is getting firefox or IE to use the ticket for
>negotiation with the squid server. I'm guessing that I've missed setting up a
>principal correctly, copied keytab, or possibly a DNS issue but I'm
>not familiar enough with kerberos to know what's wrong. Packet captures
>for kerberos return KRB-ERROR like this after the TGS_REQ when opening a
>browser session with FF:
>
>Kerberos KRB-ERROR
> Pvno: 5
> MSG Type: KRB-ERROR (30)
> ctime: 2010-12-03 21:05:34 (UTC)
> stime: 2010-12-03 21:05:26 (UTC)
> susec: 714271
> error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> Client Realm: XSERVE.PARAGOULD.PSD
> Client Name (Principal): HTTP/proxyserver.paragould.psd
> Name-type: Principal (1)
> Name: HTTP
> Name: proxyserver.paragould.psd
> Realm: XSERVE.PARAGOULD.PSD
> Server Name (Unknown): krbtgt/xserve.paragould.psd
> Name-type: Unknown (0)
> Name: krbtgt
> Name: xserve.paragould.psd
> e-text: UNKNOWN_SERVER
>
>If anyone has any ideas or what to look for, I'd appreciate any help. If
>this isn't enough information from the capture to make an educated
>guess as to where I need to look further, I have the entire sequence I
>could post as well.
>
>Thanks,
>Rob
>
>
>
>----------------
>Rob Asher
>Network Systems Technician
>Paragould School District
>870-236-7744 x169

Received on Wed Dec 08 2010 - 22:11:07 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 09 2010 - 12:00:02 MST