[squid-users] Kerberos authentication problem - squid 3.4.11

Markus Moeller huaraz at moeller.plus.com
Wed Feb 11 21:07:39 UTC 2015


Hi Ludovit,

   How did you create the keytab? Usually there is an option allowing you 
to select the encryption type.  The other place to check would be 
/etc/krb5.conf. It can contain a list of supported encryption types. See 
http://www.freebsd.org/cgi/man.cgi?query=krb5.conf&apropos=0&sektion=5&manpath=FreeBSD+Ports+10.1-RELEASE&arch=default&format=html

default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes

Markus

"Ludovit Koren"  wrote in message news:86h9usfpsk.fsf at gmail.com...

>>>>> Markus Moeller <huaraz at moeller.plus.com> writes:

    > Hi Ludovit,
    >  Which Kerberos library version do you use?  Is it possible that
    > the encryption types don't match ?  I saw in your first email the
    > following:

It is standard Heimdal library on FreeBSD:
# kinit --version
kinit (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs at h5l.org

FreeBSD 10.1-STABLE #1 r275861

    > Your klist shows a HTTP ticket for arcfour

    > Server: HTTP/squid1.mdpt.local at MDPT.LOCAL
    > Client: HTTP/squid1.mdpt.local at MDPT.LOCAL
    > Ticket etype: arcfour-hmac-md5, kvno 8
    > Ticket length: 1090
    > Auth time:  Feb  9 14:55:18 2015
    > Start time: Feb  9 14:55:20 2015
    > End time:   Feb 10 00:55:18 2015
    > Ticket flags: enc-pa-rep, pre-authent
    > Addresses: addressless

    > but the keytab has aes128.

    > # ktutil -k /etc/krb5.keytab list
    > /etc/krb5.keytab:

    > Vno  Type                     Principal                            Aliases
    >  8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local at MDPT.LOCAL


You are right... I tried to find out how to change it. Is it an option on
the KDC server? I am not able to find anything relevant.


lk
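
The check discussed in this thread (ticket etype versus keytab etype for the same principal and kvno), as an added example that is not part of the original messages. It assumes the Heimdal `klist -v` and `ktutil list` layouts quoted above and that both tools print the same enctype names; the function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample input modelled on the output quoted in this thread
# (the archive's " at " is written as "@" here).
KLIST_V = """\
Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket etype: arcfour-hmac-md5, kvno 8
"""
KTUTIL_LIST = """\
Vno  Type                     Principal                           Aliases
  8  aes128-cts-hmac-sha1-96  HTTP/squid1.mdpt.local@MDPT.LOCAL
"""

def parse_tickets(text):
    """Yield (server, etype, kvno) for each ticket in `klist -v` style text."""
    server = None
    for line in text.splitlines():
        if line.strip().startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        m = re.search(r"Ticket etype:\s*([^,\s]+)(?:,\s*kvno\s+(\d+))?", line)
        if m and server:
            yield server, m.group(1), int(m.group(2)) if m.group(2) else None

def parse_keytab(text):
    """Return {principal: {(kvno, etype), ...}} from `ktutil list` style text."""
    keys = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+@\S+)", line)
        if m:  # the header row has no leading number, so it is skipped
            keys.setdefault(m.group(3), set()).add((int(m.group(1)), m.group(2)))
    return keys

def check(klist_text, ktutil_text):
    """Return a list of findings; empty means every ticket has a usable key."""
    keytab = parse_keytab(ktutil_text)
    findings = []
    for server, etype, kvno in parse_tickets(klist_text):
        entries = keytab.get(server, set())
        if not entries:
            findings.append(f"{server}: no keytab entry")
        elif not any(e == etype for _, e in entries):
            have = ", ".join(sorted({e for _, e in entries}))
            findings.append(f"{server}: ticket etype {etype} not in keytab ({have})")
        elif kvno is not None and (kvno, etype) not in entries:
            findings.append(f"{server}: etype {etype} present but not for kvno {kvno}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(KLIST_V, KTUTIL_LIST)))
```
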