Hi again,
now I created the HTTP.keytab file on Win2k8 server and actually
the apps klist -ke and kvno say the key versions are VALID,
but squid is of the opinion that they differ.
# klist -ke
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
--
5 HTTP/f...@domain (DES cbc mode with CRC-32)
5 HTTP/f...@domain (DES cbc mode with RSA-MD5)
5 HTTP/f...@domain (ArcFour with HMAC/md5)
5 HTTP/f...@domain (AES-256 CTS mode with 96-bit SHA-1 HMAC)
5 HTTP/f...@domain (AES-128 CTS mode with 96-bit SHA-1 HMAC)
# kvno -k /etc/squid/HTTP.keytab HTTP/f...@domain
HTTP/f...@domain: kvno = 5, keytab entry valid
From where does squid get its wrong impression?
My squid.conf
auth_param negotiate program squid_kerb_auth -d -s HTTP/f...@domain
Maybe I can support someone with my errors, described in detail. :-)
Regards
Andrew
On Tuesday, 22 September 2009 08:48:28, Mrvka Andreas wrote:
Hello,
on the next day, I also get my key version number problem on the same
domain.
What is the best way to keep the versions in sync?
I already erased the computer account and did msktutil again.
I believe that for a short time the versions were correct (said klist and
kvno) but during tests with squid they differed!?
I only use one KDC Win2k8 (configured in krb5.conf).
Does anybody have a clue?
Thanks
Andrew
On Tuesday, 22 September 2009 00:33:13, Mrvka Andreas wrote:
Hi list,
does anybody know what to do against different key version numbers using
squid_kerb_auth?
I created HTTP.keytab with msktutil and it works great.
In fact, in this domain where squid lives, the Internet Explorers have no
problem using squid_kerb_auth.
On other domains I get
Unspecified GSS failure. Minor code may provide more information. Key
version number for principal in key table is incorrect
Via klist -ke and kvno HTTP/fqdn I am able to compare these keys
and they differ.
kinit -R doesn't work...: KDC can't fulfill requested option while
renewing credentials
Can anybody shine me a light?
Thank you very much.
Andrew