On 05/31/2011 11:07 AM, spiderslack wrote:
> On 05/30/2011 07:02 PM, Markus Moeller wrote:
>> That looks better, but not quite right. What does klist -ekt
>> <squid-keytab> (for MIT) or ktutil -k <squid-keytab> list (for
>> Heimdal) give ?
>> Also can you do a kinit <user> and then a kvno HTTP/<squid-fqdn> ( I
>> assume MIT here) ?
The output of the commands follows:
root_at_teste:/etc/squid3#
root_at_teste:/etc/squid3# klist -ekt /etc/squid3/proxy.keytab
Keytab name: WRFILE:/etc/squid3/proxy.keytab
KVNO Timestamp Principal
---- -----------------
--------------------------------------------------------
9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP (DES
cbc mode with CRC-32)
9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP (DES
cbc mode with RSA-MD5)
9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP
(ArcFour with HMAC/md5)
9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP
(AES-256 CTS mode with 96-bit SHA-1 HMAC)
9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP
(AES-128 CTS mode with 96-bit SHA-1 HMAC)
root_at_teste:/etc/squid3#
root_at_teste:/etc/squid3#
root_at_teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP: kvno = 9
root_at_teste:/etc/squid3#
root_at_teste:/etc/squid3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squid_at_VIALACTEA.CORP
Valid starting Expires Service principal
05/30/11 23:22:23 05/31/11 09:25:30 krbtgt/VIALACTEA.CORP_at_VIALACTEA.CORP
renew until 05/31/11 23:22:23
root_at_teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP: kvno = 8
root_at_teste:/etc/squid3# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: squid_at_VIALACTEA.CORP
Valid starting Expires Service principal
05/30/11 23:22:23 05/31/11 09:25:30 krbtgt/VIALACTEA.CORP_at_VIALACTEA.CORP
renew until 05/31/11 23:22:23
05/30/11 23:25:38 05/31/11 09:25:30
HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP
renew until 05/31/11 23:22:23
root_at_teste:/etc/squid3#
I did not understand what KVNO is; what would it be?
I also ran the klist command on the Windows client from which I am trying to
connect via Internet Explorer; see below:
C:\kerberos>klist
Current LogonId is 0:0x2fe13
Cached Tickets: (2)
#0> Client: Administrator @ VIALACTEA.CORP
Server: krbtgt/VIALACTEA.CORP @ VIALACTEA.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial
pre_authent
Start Time: 5/31/2011 14:39:29 (local)
End Time: 6/1/2011 0:39:29 (local)
Renew Time: 6/7/2011 14:39:29 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: Administrator @ VIALACTEA.CORP
Server: HTTP/proxy.vialactea.corp @ VIALACTEA.CORP
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 5/31/2011 14:44:25 (local)
End Time: 6/1/2011 0:39:29 (local)
Renew Time: 6/7/2011 14:39:29 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
C:\kerberos>
Another .pcap is attached; what intrigued me was the following lines of the
capture:
APOptions: 20000000 (Mutual required)
.0.. .... .... .... .... .... .... ....
= Use Session Key: Do NOT use the session key to encrypt the ticket
..1. .... .... .... .... .... .... ....
= Mutual required: MUTUAL authentication is REQUIRED
Do not use the session key?
Thanks for the help.
Att.
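An added check, not part of the thread, that automates the comparison Markus asked for: it parses the `klist -ekt` and `kvno` outputs and flags a service principal whose key version in the keytab differs from the one the KDC is issuing, which is the case above (keytab kvno 9, KDC kvno 8) and would stop Squid from decrypting the browser's ticket. The sample outputs are constructed from the ones pasted above, with the archive's `_at_` restored to `@` and wrapped lines re-joined.

```python
import re

# Constructed sample: trimmed from the `klist -ekt` output in the mail above.
KLIST_EKT = """\
Keytab name: WRFILE:/etc/squid3/proxy.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@VIALACTEA.CORP (DES cbc mode with CRC-32)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@VIALACTEA.CORP (ArcFour with HMAC/md5)
   9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp@VIALACTEA.CORP (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""
# Constructed sample: the `kvno` output from the mail, after a fresh kinit.
KVNO_OUT = "HTTP/proxy.vialactea.corp@VIALACTEA.CORP: kvno = 8\n"

# One keytab entry: kvno, date, time, principal, then the enctype in parentheses.
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+)\)\s*$")
# One `kvno` result line: "principal: kvno = N".
KVNO_RE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)\s*$")

def parse_keytab(text):
    """Return {principal: {kvno: set(enctypes)}} from MIT `klist -ekt` output."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            kvno, princ, enctype = int(m.group(1)), m.group(2), m.group(3)
            entries.setdefault(princ, {}).setdefault(kvno, set()).add(enctype)
    return entries

def parse_kvno(text):
    """Return {principal: kvno} from the output of `kvno <principal>`."""
    result = {}
    for line in text.splitlines():
        m = KVNO_RE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result

def check_keytab(keytab_text, kvno_text):
    """List principals whose KDC-issued kvno is absent from the keytab;
    such a service cannot decrypt the tickets clients present to it."""
    keytab, issued = parse_keytab(keytab_text), parse_kvno(kvno_text)
    problems = []
    for princ, kvno in issued.items():
        held = keytab.get(princ, {})
        if not held:
            problems.append(f"{princ}: not in keytab")
        elif kvno not in held:
            problems.append(f"{princ}: KDC issues kvno {kvno}, keytab holds {sorted(held)}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_keytab(KLIST_EKT, KVNO_OUT)) or "keytab matches KDC")
```

On a live host, feed it the real outputs with `klist -ekt /etc/squid3/proxy.keytab` and `kvno HTTP/<squid-fqdn>`; an empty result means the keytab holds the key version the KDC is currently issuing.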
This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 12:00:04 MDT