[squid-users] FreeBSD and Kerberos: RC4 keytabs work, AES256 don't
Victor Sudakov
sudakov at sibptus.tomsk.ru
Wed Mar 16 08:24:24 UTC 2016
Victor Sudakov wrote:
> >
> > I am setting up new AD-integrated squid server, so I thought I might as
> > well upgrade kerberos crypto on keytabs.
> >
> > It seems that, at least on FreeBSD 10.2-RELEASE-p13, squid-3.5.15
> > compiled with GSSAPI_BASE (kerberos from base system) can't
> > authenticate users via kerberos using AES256 keytabs.
> >
> > Testing with kinit works, but squid auth does not. I am getting these
> > in cache.log:
> > BH gss_accept_sec_context() failed: Miscellaneous failure (see text).
> > unknown mech-code 0 for mech unknown
>
> What encryption type is the ticket (for the HTTP/proxy at YOUR.REALM) the
> Windows KDC gives you? You can figure this out from klist.exe or
> kerbtray.exe.
>
> In my case, the Windows KDC never issues an AES256 ticket for some
> reason, even if the squid service principal has one in the AD.
I mean, though the squid service principal in the AD has lots of
enctypes, which is evident from the keytab exported with
"ktpass -princ HTTP/proxy.domain.example at DOMAIN.EXAMPLE":

/usr/local/etc/squid/2/squid.keytab:
Vno  Type                     Principal
  1  des-cbc-crc              HTTP/proxy2.XXXXXXX at YYYYYYYY
  1  des-cbc-md5              HTTP/proxy2.XXXXXXX at YYYYYYYY
  1  arcfour-hmac-md5         HTTP/proxy2.XXXXXXX at YYYYYYYY
  1  aes256-cts-hmac-sha1-96  HTTP/proxy2.XXXXXXX at YYYYYYYY
  1  aes128-cts-hmac-sha1-96  HTTP/proxy2.XXXXXXX at YYYYYYYY
  3  arcfour-hmac-md5         HTTP/proxy2.XXXXXXX at YYYYYYYY

the ticket received from the domain controller always has only the "RSADSI
RC4-HMAC(NT)" enctype. I don't really know the reason for that. I might as
well delete all other enctypes from the squid keytab without any ill
effect.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
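As an added example (not code from this thread or from squid), here is a small audit of a keytab listing in the "Vno Type Principal" layout shown in the message above, assuming Heimdal ktutil's column format and enctype names; it reports which enctypes are present at the principal's newest kvno, which weak ones are among them, and which entries carry an older kvno than the newest key.

```python
# Added example, not from the squid-users thread: audit a keytab listing in
# the "Vno Type Principal" format printed by Heimdal's ktutil (assumed layout).
import re
from collections import defaultdict

# Enctype names as Heimdal ktutil prints them; the weak/strong split is ours.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "arcfour-hmac-md5"}
STRONG = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# One entry line: kvno, enctype, principal. Header and path lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, enctype, principal) tuples from a ktutil-style listing."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out


def audit_keytab(entries):
    """Per principal: enctypes at the newest kvno (split weak/strong) and entries
    with an older kvno. A service ticket is encrypted under the key with the
    principal's current kvno, so an older-kvno entry cannot decrypt it."""
    by_princ = defaultdict(list)
    for kvno, etype, princ in entries:
        by_princ[princ].append((kvno, etype))
    report = {}
    for princ, keys in by_princ.items():
        newest = max(k for k, _ in keys)
        current = {e for k, e in keys if k == newest}
        report[princ] = {
            "newest_kvno": newest,
            "weak_current": sorted(current & WEAK),
            "strong_current": sorted(current & STRONG),
            "stale": sorted((k, e) for k, e in keys if k < newest),
        }
    return report


# Constructed sample mirroring the listing in the message (principal written
# with "@", the form ktutil actually prints; host and realm are placeholders).
SAMPLE = """\
/usr/local/etc/squid/2/squid.keytab:
Vno Type Principal
1 des-cbc-crc HTTP/proxy2.XXXXXXX@YYYYYYYY
1 des-cbc-md5 HTTP/proxy2.XXXXXXX@YYYYYYYY
1 arcfour-hmac-md5 HTTP/proxy2.XXXXXXX@YYYYYYYY
1 aes256-cts-hmac-sha1-96 HTTP/proxy2.XXXXXXX@YYYYYYYY
1 aes128-cts-hmac-sha1-96 HTTP/proxy2.XXXXXXX@YYYYYYYY
3 arcfour-hmac-md5 HTTP/proxy2.XXXXXXX@YYYYYYYY
"""

if __name__ == "__main__":
    for princ, r in audit_keytab(parse_keytab_listing(SAMPLE)).items():
        print(princ, r)
```

On the sample, only arcfour-hmac-md5 exists at the newest kvno (3); every AES and DES entry sits at kvno 1 and is reported as stale.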