[squid-users] Kerberos (Negotiate) problem with win2008 AD users
Markus Moeller
huaraz at moeller.plus.com
Fri Mar 4 23:30:18 UTC 2016
Hi Victor,
What does the squid log say when you use -d for the authentication
helper?
Can you provide a Wireshark capture from the client? I guess that
2008 is using AES, not RC4.
Markus
"Victor Sudakov" wrote in message
news:20160304162923.GB81514 at admin.sibptus.tomsk.ru...
L.P.H. van Belle wrote:
>
> What is the output of
>
> ktutil list
>
> (of the squid keytab. )
I have already quoted it in the previous message, but I am happy to repeat:
/usr/local/etc/squid/squid.keytab:
Vno Type Principal
1 arcfour-hmac-md5 HTTP/proxy.sibptus.transneft.ru at SIBPTUS.TRANSNEFT.RU
1 arcfour-hmac-md5 squiduser at SIBPTUS.TRANSNEFT.RU
1 arcfour-hmac-md5 HTTP/proxy2.sibptus.ru at SIBPTUS.TRANSNEFT.RU
1 arcfour-hmac-md5 HTTP/proxy2.SIBPTUS.ru at SIBPTUS.TRANSNEFT.RU
1 arcfour-hmac-md5 HTTP/proxy2.sibptus.ru at STN.TN.CORP
[root at proxy2 local/etc/squid]
>
> And you can try adding To krb5.conf
>
> ; for Windows 2008 with AES
As you can see, there is only one key with only one enctype for the
2008 realm. It is the very type that the ticket on Windows has. I can
consider adding some more keys to the squid keytab, but I'm afraid the
problem is elsewhere.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru