Hi
Firstly kvno means Kerberos key version number and marks each key so that
you can keep old and new keys. Each time you change the password of the AD
account associated to the HTTP service principal the version number
increases by 1.
"spiderslack" <spiderslack_at_yahoo.com.br> wrote in message
news:4DE5091F.4090109_at_yahoo.com.br...
> On 05/31/2011 11:07 AM, spiderslack wrote:
>> On 05/30/2011 07:02 PM, Markus Moeller wrote:
>>> That looks better, but not quite right. What does klist -ekt
>>> <squid-keytab> (for MIT) or ktutil -k <squid-keytab> list (for
>>> Heimdal) give ?
>>> Also can you do a kinit <user> and then a kvno HTTP/<squid-fqdn> ( I
>>> assume MIT here) ?
> On 05/30/2011 07:02 PM, Markus Moeller wrote:
>> That looks better, but not quite right. What does klist -ekt
>> <squid-keytab> (for MIT) or ktutil -k <squid-keytab> list (for
>> Heimdal) give ?
>> Also can you do a kinit <user> and then a kvno HTTP/<squid-fqdn> ( I
>> assume MIT here) ?
> follows the output of the commands:
>
> root_at_teste:/etc/squid3#
> root_at_teste:/etc/squid3# klist -ekt /etc/squid3/proxy.keytab
> Keytab name: WRFILE:/etc/squid3/proxy.keytab
> KVNO Timestamp Principal
> ---- -----------------
> --------------------------------------------------------
> 9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP (DES
> cbc mode with CRC-32)
> 9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP (DES
> cbc mode with RSA-MD5)
> 9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP
> (ArcFour with HMAC/md5)
> 9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP
> (AES-256 CTS mode with 96-bit SHA-1 HMAC)
> 9 12/31/69 20:00:00 HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP
> (AES-128 CTS mode with 96-bit SHA-1 HMAC)
> root_at_teste:/etc/squid3#
> root_at_teste:/etc/squid3#
> root_at_teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
> HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP: kvno = 9
> root_at_teste:/etc/squid3#
>
This is what I see also in the pcap. kvno = 9 and RC4-hmac which is the
same as ArcFour with HMAC/md5
[truncated] Proxy-Authorization: Negotiate
YIIGHwYGKwYBBQUCoIIGEzCCBg+gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBdkEggXVYIIF0QYJKoZIhvcSAQICAQBuggXAMIIFvKADAgEFoQMCAQ6iBwMFACAAAACjggSlYYIEoTCCBJ2gAwIBBaEQGw5WSUFM
GSS-API Generic Security Service Application Program Interface
OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
SPNEGO
negTokenInit
mechTypes: 4 items
mechToken:
608205D106092A864886F71201020201006E8205C0308205...
krb5_blob:
608205D106092A864886F71201020201006E8205C0308205...
KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
krb5_tok_id: KRB5_AP_REQ (0x0001)
Kerberos AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 20000000 (Mutual required)
Ticket
Tkt-vno: 5
Realm: VIALACTEA.CORP
Server Name (Service and Instance):
HTTP/proxy.vialactea.corp
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 9
enc-part:
7080B29BE044CEFD9C56911F2F481F93E00D89E23963ED57...
Authenticator rc4-hmac
This should have worked as it matches a key in the keytab.
> root_at_teste:/etc/squid3# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: squid_at_VIALACTEA.CORP
>
> Valid starting Expires Service principal
> 05/30/11 23:22:23 05/31/11 09:25:30 krbtgt/VIALACTEA.CORP_at_VIALACTEA.CORP
> renew until 05/31/11 23:22:23
> root_at_teste:/etc/squid3# kvno HTTP/proxy.vialactea.corp
> HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP: kvno = 8
What is done differently here ? kvno is now 8 ? This can only happen if you
have more then one AD server (or kdc) and they have not synchronised the
keys. So one AD server has an old key which does not match a key in the
keytab.
> root_at_teste:/etc/squid3# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: squid_at_VIALACTEA.CORP
>
> Valid starting Expires Service principal
> 05/30/11 23:22:23 05/31/11 09:25:30 krbtgt/VIALACTEA.CORP_at_VIALACTEA.CORP
> renew until 05/31/11 23:22:23
> 05/30/11 23:25:38 05/31/11 09:25:30
> HTTP/proxy.vialactea.corp_at_VIALACTEA.CORP
> renew until 05/31/11 23:22:23
> root_at_teste:/etc/squid3#
>
>
> I did not understand what is KVNO, what would it be?
>
> also ran the command klist windows on the client which I am trying to
> connect via internet explorer see below
>
> C:\kerberos>klist
>
> Current LogonId is 0:0x2fe13
>
> Cached Tickets: (2)
>
> #0> Client: Administrator @ VIALACTEA.CORP
> Server: krbtgt/VIALACTEA.CORP @ VIALACTEA.CORP
> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> Ticket Flags 0x40e00000 -> forwardable renewable initial
> pre_authent
> Start Time: 5/31/2011 14:39:29 (local)
> End Time: 6/1/2011 0:39:29 (local)
> Renew Time: 6/7/2011 14:39:29 (local)
> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>
>
> #1> Client: Administrator @ VIALACTEA.CORP
> Server: HTTP/proxy.vialactea.corp @ VIALACTEA.CORP
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
> Start Time: 5/31/2011 14:44:25 (local)
> End Time: 6/1/2011 0:39:29 (local)
> Renew Time: 6/7/2011 14:39:29 (local)
> Session Key Type: RSADSI RC4-HMAC(NT)
>
>
> C:\kerberos>
>
> is attached another. pcap what intrigued me was the following line of
> capture.
>
> APOptions: 20000000 (Mutual required)
> .0.. .... .... .... .... .... .... ....
> = Use Session Key: Do NOT use the session key to encrypt the ticket
> ..1. .... .... .... .... .... .... ....
> = Mutual required: MUTUAL authentication is REQUIRED
>
> Do not use the session key?
> Thanks for the help.
>
> Att.
>
>
Can you check that you do an export KRB5_KTNAME=/etc/squid3/proxy.keytab in
the squid startup script.
Markus
Received on Tue May 31 2011 - 19:58:05 MDT
This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 12:00:04 MDT