[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)

Eugene M. Zheganin emz at norma.perm.ru
Fri Oct 17 05:31:44 UTC 2014


Hi.

On 17.10.2014 11:02, Victor Sudakov wrote:
>
> I am attaching a traffic dump.
>
> Please look at Frame No. 36, where a ticket is requested for
> "HTTP/proxy.sibptus.transneft.ru", and then at Frame No. 39, where
> the ticket is granted, but for the wrong principal name.
>
The thing is, a valid exchange should not and does not contain the
KRB5KRB_AP_ERR_MODIFIED error, and yours does. This indicates something
is wrong between these two hosts (as I understand, 10.14.134.4 is a
Windows Server, and .122 is a workstation). You need to investigate on
your DC what's happening. Probably these are the etype errors (maybe
not). If your DC is really w2k (not w2k3 or w2k8) and the workstation is
of a different generation, this can happen. Also, lots of howtos spread
around the Internet make an engineer believe that he should create the
keytab with only one encryption type for squid, instead of creating the
keytab with all of the ciphers available on the DC. This can also lead to
complicated situations.

There's also a decent article there:
http://blogs.technet.com/b/askds/archive/2008/06/11/kerberos-authentication-problems-service-principal-name-spn-issues-part-3.aspx

Could help you as it did help me one day.

Eugene.
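
An added example, not part of the original message: one way to check a Squid keytab for the single-encryption-type situation described above is to parse the output of MIT Kerberos `klist -ke <keytab>` and flag principals whose newest KVNO carries only one enctype. The sample listing, keytab path, principals and realm are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -ke <keytab>` output (MIT Kerberos layout).
# Path, principals, realm and KVNOs are placeholders, not values from the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   5 HTTP/proxy2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 HTTP/proxy2.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   5 HTTP/proxy2.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
"""

# One keytab entry: KVNO, principal, then the enctype in parentheses.
# Newer klist builds prefix weak enctypes with "DEPRECATED:"; strip that.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")


def parse_keytab_listing(text):
    """Return {principal: {kvno: set(enctypes)}} from `klist -ke` output."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            kvno, principal, etype = int(m.group(1)), m.group(2), m.group(3)
            entries[principal][kvno].add(etype)
    return entries


def single_etype_principals(text):
    """Map each principal whose newest KVNO has exactly one enctype to it."""
    flagged = {}
    for principal, by_kvno in parse_keytab_listing(text).items():
        etypes = by_kvno[max(by_kvno)]
        if len(etypes) == 1:
            flagged[principal] = next(iter(etypes))
    return flagged


if __name__ == "__main__":
    for principal, etype in single_etype_principals(SAMPLE_KLIST).items():
        print(f"{principal}: only {etype} in keytab")
```

The parser expects the plain `-ke` layout; a listing produced with timestamps (`-t`) has an extra column and is not handled here.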