[squid-users] Kerberos authentication problem - squid 3.4.11
Markus Moeller
huaraz at moeller.plus.com
Wed Feb 11 21:07:39 UTC 2015
Hi Ludovit,
How did you create the keytab? Usually there is an option allowing you
to select the encryption type. The other place to check would be
/etc/krb5.conf. It can contain a list of supported encryption types. See
http://www.freebsd.org/cgi/man.cgi?query=krb5.conf&apropos=0&sektion=5&manpath=FreeBSD+Ports+10.1-RELEASE&arch=default&format=html
default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes
Markus
"Ludovit Koren" wrote in message news:86h9usfpsk.fsf at gmail.com...
>>>>> Markus Moeller <huaraz at moeller.plus.com> writes:
> Hi Ludovit,
> Which Kerberos library version do you use? Is it possible that
> the encryption types don't match ? I saw in your first email the
> following:
It is the standard Heimdal library on FreeBSD:
# kinit --version
kinit (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs at h5l.org
FreeBSD 10.1-STABLE #1 r275861
> Your klist shows a HTTP ticket for arcfour
> Server: HTTP/squid1.mdpt.local at MDPT.LOCAL
> Client: HTTP/squid1.mdpt.local at MDPT.LOCAL
> Ticket etype: arcfour-hmac-md5, kvno 8
> Ticket length: 1090
> Auth time: Feb 9 14:55:18 2015
> Start time: Feb 9 14:55:20 2015
> End time: Feb 10 00:55:18 2015
> Ticket flags: enc-pa-rep, pre-authent
> Addresses: addressless
> but the keytab has aes128.
> # ktutil -k /etc/krb5.keytab list
> /etc/krb5.keytab:
> Vno Type Principal Aliases
> 8 aes128-cts-hmac-sha1-96 HTTP/squid1.mdpt.local at MDPT.LOCAL
You are right... I tried to find out how to change it. Is it an option on
the KDC server? I am not able to find anything relevant.
lk
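
A small checker for the mismatch discussed in this thread, added here as an example and not part of either poster's message: it parses the `klist -v` and `ktutil list` text quoted above and reports whether the keytab holds a key matching the ticket's enctype and kvno. The function names are hypothetical, and the sample text is copied from the thread with the archive's " at " left as posted.

```python
import re

# Text as quoted in the thread; the list archive shows "@" as " at ".
KLIST = """Server: HTTP/squid1.mdpt.local at MDPT.LOCAL
Client: HTTP/squid1.mdpt.local at MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
"""
KTUTIL = """/etc/krb5.keytab:
Vno Type Principal Aliases
8 aes128-cts-hmac-sha1-96 HTTP/squid1.mdpt.local at MDPT.LOCAL
"""

def _norm(principal):
    # Undo the archive's address obfuscation so both forms compare equal.
    return principal.replace(" at ", "@").strip()

def parse_ticket(text):
    """Return (server principal, enctype, kvno or None) from `klist -v` text."""
    srv = re.search(r"^Server:[ \t]*(.+)$", text, re.M)
    et = re.search(r"^Ticket etype:[ \t]*([\w-]+)(?:,[ \t]*kvno[ \t]+(\d+))?", text, re.M)
    if not (srv and et):
        raise ValueError("no 'Server:' / 'Ticket etype:' lines found")
    return _norm(srv.group(1)), et.group(1), int(et.group(2)) if et.group(2) else None

def parse_keytab(text):
    """Return {(principal, enctype, kvno)} from `ktutil list` text."""
    rows = re.finditer(r"^[ \t]*(\d+)[ \t]+([\w-]+)[ \t]+(\S+(?: at \S+)?)", text, re.M)
    return {(_norm(m.group(3)), m.group(2), int(m.group(1))) for m in rows}

def check(klist_text, ktutil_text):
    """Say whether the keytab holds a key that can decrypt the ticket."""
    princ, etype, kvno = parse_ticket(klist_text)
    keys = {(e, k) for p, e, k in parse_keytab(ktutil_text) if p == princ}
    etypes = sorted({e for e, _ in keys})
    if not keys:
        return f"no keytab entry for {princ}"
    if etype not in etypes:
        return f"enctype mismatch: ticket {etype}, keytab has {', '.join(etypes)}"
    if kvno is not None and (etype, kvno) not in keys:
        return f"kvno mismatch: ticket kvno {kvno} not in keytab for {etype}"
    return "ok"

if __name__ == "__main__":
    print(check(KLIST, KTUTIL))
```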