Markus,
I do get a password prompt although I don't remember setting a password for it.  
xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD: 
Kerberos Login Failed:
Password incorrect
In Open Directory, I just added a new machine (what I assumed was a host principal) named proxyserver, but adding a machine via OD's Workgroup Manager doesn't ask for a password that I can remember. I didn't add an actual user named proxyserver because that didn't make sense to me for a host.
Thanks,
Rob
----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169
>>> "Markus Moeller" <huaraz_at_moeller.plus.com> 12/08/10 5:44 PM >>>
Hi Rob,
 What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc 
server? Do you get a password prompt?
Markus
>"Rob Asher" <rasher_at_paragould.k12.ar.us> wrote in message 
>news:4CFFADF6.0172.0037.0_at_paragould.k12.ar.us...
>Hi Markus,
>
>I created the service principal with kadmin on the apple server.  The 
>actual command was kadmin.local -q "add_principal 
>HTTP/proxyserver.paragould.psd".  I used kadmin also to export the keytab. 
>Here's exactly what I did:
>
>xserve:~ root# kadmin.local
>Authenticating as principal root/admin@XSERVE.PARAGOULD.PSD with password.
>kadmin.local:  xst -k proxyserver.keytab 
>HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
>Entry for principal HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD 
>with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to 
>keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD 
>with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab 
>WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD 
>with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added 
>to keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD 
>with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added 
>to keytab WRFILE:proxyserver.keytab.
>kadmin.local:  q
>
>xserve:~ root# klist -k proxyserver.keytab
>Keytab name: WRFILE:proxyserver.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
>   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
>   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
>   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
>
>xserve:~ root# kadmin.local -q "list_principals" | grep -i http
>HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
>HTTP/xserve.paragould.psd@XSERVE.PARAGOULD.PSD
>http/xserve.paragould.psd@XSERVE.PARAGOULD.PSD
>
>That last command to list the http principals confused me and I'm not 
>familiar with Kerberos at all really.  Is it showing there are http service 
>principals for both proxyserver.paragould.psd and xserve.paragould.psd or 
>does the KDC automatically add an http service principal for itself too?  In 
>this case, xserve.paragould.psd is the KDC server running on OS X Server 
>10.6.2 and proxyserver.paragould.psd is the squid server running on CentOS 
>5.5.   I copied the exported proxyserver.keytab to /etc/squid/ on the host 
>proxyserver.paragould.psd and made sure the squid user had read access to 
>it.  Running kinit squidserver and giving its password works I think. 
>klist after that shows:
>
>[root@proxyserver squid]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: squidserver@XSERVE.PARAGOULD.PSD
>
>Valid starting     Expires            Service principal
>12/08/10 15:38:42  12/09/10 01:38:42 
>krbtgt/XSERVE.PARAGOULD.PSD@XSERVE.PARAGOULD.PSD
>renew until 12/09/10 15:38:42
>
>
>Kerberos 4 ticket cache: /tmp/tkt0
>klist: You have no tickets cached
>
>I'm sure I've missed something or messed something up but I'm at a loss as 
>to what it is or where to even start looking.  Thanks for any help!
>
>Regards,
>Rob
>
>
>
>
>----------------
>Rob Asher
>Network Systems Technician
>Paragould School District
>870-236-7744 x169
>
>
>
>>>> "Markus Moeller" <huaraz_at_moeller.plus.com> 12/08/10 2:39 PM >>>
>Hi Rob,
>
>  It looks like your kdc does not know about the service principal
>HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
>  How did you create the entry and keytab?
>
>Markus
>
>
>
>
---------- 
This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.
Received on Thu Dec 09 2010 - 02:57:38 MST
This archive was generated by hypermail 2.2.0 : Sat Dec 11 2010 - 12:00:02 MST