[squid-users] FreeBSD and Kerberos: RC4 keytabs work, AES256 don't

Victor Sudakov sudakov at sibptus.tomsk.ru
Tue Mar 15 14:06:18 UTC 2016


Marko Cupać wrote:
> 
> I am setting up a new AD-integrated squid server, so I thought I might as
> well upgrade kerberos crypto on keytabs.
> 
> It seems that, at least on FreeBSD 10.2-RELEASE-p13, squid-3.5.15
> compiled with GSSAPI_BASE (kerberos from base system) can't
> authenticate users via kerberos using AES256 keytabs.
> 
> Testing with kinit works, but squid auth does not. I am getting these
> in cache.log:
> BH gss_accept_sec_context() failed:  Miscellaneous failure (see text).
> unknown mech-code 0 for mech unknown

What encryption type is the ticket (for the HTTP/proxy@YOUR.REALM) the
Windows KDC gives you? You can figure this out from klist.exe or
kerbtray.exe.

In my case, the Windows KDC never issues an AES256 ticket for some
reason, even if the squid service principal has one in the AD.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru

