[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Eugene M. Zheganin
eugene at zhegan.in
Sat Oct 18 18:40:03 UTC 2014
Hi.
On 18.10.2014 16:11, Victor Sudakov wrote:
> I thought as much. This error seems suspicious. But why does a second
> request not cause the same error?
No idea.
> We have tried both ways (enabling all ciphers and enabling only
> arcfour-hmac-md5), but it made no difference. Currently we are using
> the keytab with one arcfour-hmac-md5 key only:
>
> Vno Type Principal
> 1 arcfour-hmac-md5 HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU
>
> Which of the ways is correct, in your opinion? Could you repeat?
To my knowledge, RC4 should fit, because newer versions add only aes
cipher suites.
> Which was your situation when the article helped?
I had a situation when there were lots of e-types errors between non-R2
w2k3 and w7 workstations. Plus, my keytab was for RC4 only. Plus, I
had duplicate SPNs and wrong understanding about how the kerberos
exchange is working and what principal name is requested when (yours
seems to be correct, though). I played with "use only DES" setting for a
troubled user in AD, played with msDS-SupportedEncryptionTypes in AD, but
due to all the complications this didn't help. So, I eliminated w2k3 by
changing it to the w2k3r2 dc, - this didn't help by itself, so I had to
clear out other errors. Then my setup started to work. Unfortunately, I
don't have an answer to the question "what is needed for squid to work
in a kerberos environment with different generation OSes". I also didn't
get KRB5KRB_AP_ERR_MODIFIED error. I can say that if we talk about w7
coexistence with the w2k3 domain controller - no critical errors were
seen, so workstations could log in to the AD domain just fine.
I would propose to you to conduct some tests pointing your squid setup
to some modern DC, if you have one, and see if this error would disappear.
Eugene.