[squid-users] Re: Kerberos authentication with MIT KDC

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 8 Dec 2010 23:42:32 -0000

Hi Rob,

 What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc
server? Do you get a password prompt?

Markus

>"Rob Asher" <rasher_at_paragould.k12.ar.us> wrote in message
>news:4CFFADF6.0172.0037.0_at_paragould.k12.ar.us...
>Hi Markus,
>
>I created the service principal with kadmin on the apple server. The
>actual command was kadmin.local -q "add_principal
>HTTP/proxyserver.paragould.psd". I used kadmin also to export the keytab.
>Here's exactly what I did:
>
>xserve:~ root# kadmin.local
>Authenticating as principal root/admin_at_XSERVE.PARAGOULD.PSD with password.
>kadmin.local: xst -k proxyserver.keytab
>HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>Entry for principal HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to
>keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab
>WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added
>to keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added
>to keytab WRFILE:proxyserver.keytab.
>kadmin.local: q
>
>xserve:~ root# klist -k proxyserver.keytab
>Keytab name: WRFILE:proxyserver.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
> 5 HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
> 5 HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
> 5 HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
> 5 HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>
>xserve:~ root# kadmin.local -q "list_principals" | grep -i http
>HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>HTTP/xserve.paragould.psd_at_XSERVE.PARAGOULD.PSD
>http/xserve.paragould.psd_at_XSERVE.PARAGOULD.PSD
>
>That last command to list the http principals confused me and I'm not
>familiar with kerberos at all really. Is it showing there are http service
>principals for both proxyserver.paragould.psd and xserve.paragould.psd or
>does the KDC automatically add a http service principal for itself too? In
>this case, xserve.paragould.psd is the KDC server running on OS X Server
>10.6.2 and proxyserver.paragould.psd is the squid server running on CentOS
>5.5. I copied the exported proxyserver.keytab to /etc/squid/ on the host
>proxyserver.paragould.psd and made sure the squid user had read access to
>it. Running kinit squidserver and giving its password works I think.
>klist after that shows:
>
>[root_at_proxyserver squid]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: squidserver_at_XSERVE.PARAGOULD.PSD
>
>Valid starting Expires Service principal
>12/08/10 15:38:42 12/09/10 01:38:42
>krbtgt/XSERVE.PARAGOULD.PSD_at_XSERVE.PARAGOULD.PSD
>renew until 12/09/10 15:38:42
>
>
>Kerberos 4 ticket cache: /tmp/tkt0
>klist: You have no tickets cached
>
>I'm sure I've missed something or messed something up but I'm at a loss as
>what it is or where to even start looking. Thanks for any help!
>
>Regards,
>Rob
>
>----------------
>Rob Asher
>Network Systems Technician
>Paragould School District
>870-236-7744 x169
>
>>>> "Markus Moeller" <huaraz_at_moeller.plus.com> 12/08/10 2:39 PM >>>
>Hi Rob,
>
> It looks like your kdc does not know about the service principal
>HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
> How did you create the entry and keytab ?
>
>Markus
>
Received on Wed Dec 08 2010 - 23:42:59 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 09 2010 - 12:00:02 MST
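The checks Markus is steering Rob toward (does the KDC know the service principal, and does the keytab hold that exact principal under the kvno the KDC has) can be scripted before the keytab is handed to Squid. The script below is an added example and not something posted in this thread; it parses a constructed copy of Rob's `klist -k` output (with the archive's `_at_` written as a real `@`) and reports whether the principal the proxy will present is there with the expected kvno. The expected kvno of 5 is taken from the kadmin output quoted above; in practice it comes from `kadmin -q "getprinc <principal>"` on the KDC. Function names are my own. Because MIT Kerberos principal names are case-sensitive, the check also distinguishes a missing principal from one present only under different letter case, which is the `http/` versus `HTTP/` situation visible in Rob's `list_principals` output.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks on `klist -k <keytab>`
# output before a keytab is given to a service such as Squid. Checks that
# (a) the exact, case-sensitive service principal is present and
# (b) every entry for it carries the one kvno the KDC reports.

# Constructed sample, modelled on the klist output quoted in the thread.
SAMPLE_KLIST='Keytab name: WRFILE:proxyserver.keytab
KVNO Principal
---- ----------------------------------------------------------
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD'

# keytab_entries KLIST_OUTPUT -> prints "kvno principal" per key entry,
# skipping the "Keytab name:", column header and separator lines.
keytab_entries() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF == 2 { print $1, $2 }'
}

# has_principal KLIST_OUTPUT PRINCIPAL -> 0 on an exact (case-sensitive)
# match, 1 otherwise.
has_principal() {
    keytab_entries "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# has_principal_ignoring_case KLIST_OUTPUT PRINCIPAL -> 0 if the principal
# is present up to letter case; used to diagnose http/ vs HTTP/ mix-ups.
has_principal_ignoring_case() {
    keytab_entries "$1" | awk -v p="$2" 'tolower($2) == tolower(p) { found = 1 } END { exit !found }'
}

# kvno_of KLIST_OUTPUT PRINCIPAL -> prints the single kvno for the principal,
# or "MIXED" when the keytab holds that principal under several kvnos.
kvno_of() {
    keytab_entries "$1" | awk -v p="$2" '
        $2 == p { seen[$1] = 1 }
        END {
            n = 0; for (k in seen) { n++; last = k }
            if (n == 1) print last; else if (n > 1) print "MIXED"
        }'
}

# check_keytab KLIST_OUTPUT PRINCIPAL EXPECTED_KVNO -> prints a verdict and
# returns 0 only when the principal is present with the expected kvno.
check_keytab() {
    out=$1; princ=$2; want=$3
    if ! has_principal "$out" "$princ"; then
        if has_principal_ignoring_case "$out" "$princ"; then
            echo "FAIL: $princ missing; a differently-cased variant is present"
        else
            echo "FAIL: $princ not in keytab"
        fi
        return 1
    fi
    have=$(kvno_of "$out" "$princ")
    if [ "$have" != "$want" ]; then
        echo "FAIL: $princ has kvno $have, KDC reports $want"
        return 1
    fi
    echo "OK: $princ present with kvno $have"
    return 0
}

# Stand-alone run: kvno 5 is the value in the kadmin output quoted in the
# thread; on a real system take it from `kadmin -q "getprinc <principal>"`.
check_keytab "$SAMPLE_KLIST" "HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD" 5
```

Run it on a real keytab with `check_keytab "$(klist -k /etc/squid/proxyserver.keytab)" "<principal>" "<kvno from getprinc>"`; a kvno mismatch between keytab and KDC, or a principal that differs only in case, are the two conditions this catches that a successful `kinit` as a user principal does not reveal.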