Hi
We moved our W2K3-Domaincontrollers to W2K8-DC's. The active-directory
operational mode is still 2003.
We're using kerberos-authentication against the active-directory.
Nightly runs the "msktutil --auto-update" on the squid-proxy. One day,
this updated the computer-account and added the new
msDS-SupportedEncryption-Type = 28.
On one morning, nobody could be authenticated against the
active-directory. On the cache.log, I saw the following error:
authenticateNegotiateHandleReply: Error validating user via Negotiate.
Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information. Encryption type not
permitted'
So, I added the "aes256-cts-hmac-sha1-96" encryption-type in the
/etc/krb5.conf-file. Now, everything is working fine. On the
computer-object in the active-directory, I see a value of 28 on the
attribut "msDS-SupportedEncryption Types" (updated through msktutil).
When I trace the kerberos-traffic between the proxy and the new
w2k8-domain-controller, I still see the old encryption-type "rc4-hmac"
is being used.
Why is there not the new encryption-type "aes" used? Why is still the
"old" one used? Before I updated the krb5.conf with the "aes"-part,
nobody was able to authenticate. And now, squid "talks" still with the
old one?
Any hints for this behaviour?
Thanks a lot.
Tom
Received on Thu Dec 09 2010 - 06:43:50 MST
This archive was generated by hypermail 2.2.0 : Thu Dec 09 2010 - 12:00:02 MST