[squid-users] Kerberos authentication problem - squid 3.4.11

Ludovit Koren ludovit.koren at gmail.com
Fri Feb 13 19:55:50 UTC 2015


>>>>> Markus Moeller <huaraz at moeller.plus.com> writes:

    > Hi Ludovit,
    >   How did you create the keytab? Usually there is an option allowing
    > you to select the encryption type.  The other place to check would be
    > /etc/krb5.conf. It can contain a list of supported encryption
    > types. See
    > http://www.freebsd.org/cgi/man.cgi?query=krb5.conf&apropos=0&sektion=5&manpath=FreeBSD+Ports+10.1-RELEASE&arch=default&format=html

    > default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes


Hello,

I am sorry, I was not able to contact the Windows ADS administrator...

I am not able to get the same ciphers in session key and ticket etype.

Here is my /etc/krb5.conf:

[logging]
default = SYSLOG:INFO:USER
kdc = SYSLOG:INFO
kdc = FILE:/var/log/krb.log
admin_server = FILE:/var/log/krb.log
default_keytab_name = FILE:/usr/local/etc/squid/HTTP.keytab

[libdefaults]
default_realm = MDPT.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_etypes = aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts-hmac-sha1-96
permitted_enctypes = aes128-cts-hmac-sha1-96
allow_weak_crypto = true

[realms]
 MDPT.LOCAL = {
  kdc = 10.1.8.21:88
  admin_server = 10.1.8.21:464
 }

[domain_realm]
.mdpt.local = MDPT.LOCAL
.local = MDPT.LOCAL

[appdefaults]
pam = {
 ticket_lifetime = 1d
 renew_lifetime = 1d
 forwardable = true
 proxiable = false
}


I do not know where to set up the ticket etype on the Squid server side.

regards,

lk
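
A small check over the krb5.conf quoted above, as an added example that is not part of the original message: it lists the enctype relations set in [libdefaults] and flags [libdefaults] relations that sit in another section, where the Kerberos library does not look for them. The function names and the embedded sample (a constructed subset of the quoted file) are assumptions of this example.

```python
# Constructed sample: a subset of the krb5.conf quoted in the message above.
SAMPLE = """\
[logging]
default_keytab_name = FILE:/usr/local/etc/squid/HTTP.keytab
[libdefaults]
default_tgs_enctypes = aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts-hmac-sha1-96
permitted_enctypes = aes128-cts-hmac-sha1-96
allow_weak_crypto = true
[realms]
 MDPT.LOCAL = {
  kdc = 10.1.8.21:88
 }
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
LIBDEFAULTS_ONLY = ENCTYPE_KEYS + ("default_keytab_name", "allow_weak_crypto")


def parse_sections(text):
    """Return {section: {key: value}}, skipping relations nested in { } blocks."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]") and depth == 0:
            current = sections.setdefault(line[1:-1], {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif "=" in line and depth == 0 and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def audit(text):
    """Return ([libdefaults] enctype lists, findings) for a krb5.conf text."""
    sections = parse_sections(text)
    lib = sections.get("libdefaults", {})
    findings = [f"{k} is in [{s}], not [libdefaults]" for s, rels in sections.items()
                for k in rels if s != "libdefaults" and k in LIBDEFAULTS_ONLY]
    enctypes = {k: lib[k].replace(",", " ").split() for k in ENCTYPE_KEYS if k in lib}
    if len({tuple(v) for v in enctypes.values()}) > 1:
        findings.append("enctype lists differ between relations")
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto is enabled")
    return enctypes, findings
```

These settings only govern what the local Kerberos library requests and accepts; the enctype of the issued service ticket is chosen by the KDC from the keys held for the service account.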

