[squid-users] Re: Re: Kerberos authentication with MIT KDC

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 10 Dec 2010 20:17:33 -0000

Hi Rob,

  Before you used xst you must have created the principal with a command
like add_principal or ank with either a -pw or -randkey option. This would
have set the password for the principal. Can you try the same kinit on your
CentOS box (I assume you have the correct krb5.conf)?

  If you get prompted, can you try kinit -kt squid.keytab
HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD ? It should not create
an error, and a klist -e should show the default principal of
HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD.

An example:

opensuse11:~ # kinit -kt /etc/squid/squid.keytab HTTP/opensuse11.suse.home_at_SUSE.HOME
opensuse11:~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/opensuse11.suse.home_at_SUSE.HOME

Valid starting     Expires            Service principal
12/10/10 20:16:42  12/11/10 06:16:42  krbtgt/SUSE.HOME_at_SUSE.HOME
        renew until 12/11/10 20:16:42, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Markus
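As an added example, not code from Markus's or Rob's messages: a small Python check over the text that klist -k -e prints for a keytab. It confirms that the service principal Squid needs is present, lists its key version numbers (a keytab exported more than once ends up with several, and only the newest matches the KDC), flags keys that use RC4 or DES-family enctypes (Rob's export holds Triple DES and ArcFour keys alongside AES), and reports any other principals that ended up in the same file. The sample listing, the file path and the principal name are constructed from the values in the thread; the archive shows "@" as "_at_".

```python
import re
from collections import defaultdict

# Encryption types treated as weak (RC4 and DES/3DES families). Long names are
# the descriptions older MIT `klist -e` prints, as seen in the thread; short
# names are what newer MIT releases print. Everything is compared lower-case.
WEAK_ETYPES = {
    "arcfour with hmac/md5", "arcfour-hmac", "arcfour-hmac-md5",
    "triple des cbc mode with hmac/sha1", "des3-cbc-sha1",
    "des cbc mode with crc-32", "des-cbc-crc",
    "des cbc mode with rsa-md5", "des-cbc-md5",
}

# One table row: kvno, principal, and an optional "(etype)" when -e was given.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*(?:\((.+)\))?\s*$")


def parse_keytab_listing(text):
    """Parse `klist -k [-e] <keytab>` output into (kvno, principal, etype) tuples.
    etype is None when the listing was produced without -e."""
    entries = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):          # separator under "KVNO Principal"
            in_table = True
            continue
        if not in_table:
            continue
        m = ENTRY_RE.match(line)
        if m:
            kvno, principal, etype = m.groups()
            entries.append((int(kvno), principal, etype.lower() if etype else None))
    return entries


def check_keytab(text, expected_principal):
    """Report whether the expected service principal is in the keytab, which
    key version numbers it has, which of its keys use weak enctypes, and which
    other principals share the file (a service keytab should normally hold
    only that service's own keys)."""
    entries = parse_keytab_listing(text)
    kvnos = defaultdict(set)
    etypes = defaultdict(set)
    for kvno, principal, etype in entries:
        kvnos[principal].add(kvno)
        if etype:
            etypes[principal].add(etype)
    principals = set(kvnos)
    return {
        "present": expected_principal in principals,
        # Several kvnos for one principal usually means the keytab was exported
        # more than once (each xst/ktadd bumps the kvno on the KDC); only the
        # highest version matches the keys the KDC now uses for this service.
        "kvnos": sorted(kvnos[expected_principal]),
        "weak_etypes": sorted(etypes[expected_principal] & WEAK_ETYPES),
        "other_principals": sorted(principals - {expected_principal}),
    }


# Constructed sample modelled on the keytab listing in the thread; the etype
# descriptions are the ones Rob's xst printed.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/squid/squid.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD (Triple DES cbc mode with HMAC/sha1)
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD (ArcFour with HMAC/md5)
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   5 HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

SQUID_PRINCIPAL = "HTTP/proxyserver.paragould.psd@XSERVE.PARAGOULD.PSD"

if __name__ == "__main__":
    # In practice: feed it the real output, e.g. from
    # subprocess.run(["klist", "-k", "-e", "/etc/squid/squid.keytab"], ...).stdout
    print(check_keytab(SAMPLE_KLIST, SQUID_PRINCIPAL))
```

The same check answers Rob's question about the list_principals output: a principal for the KDC host itself may well exist on the KDC, but it has no business being in the keytab copied to the Squid box, so "other_principals" should come back empty there. Once kinit -kt succeeds, the Etype column of klist -e shows which of the listed keys was actually used.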

"Rob Asher" <rasher_at_paragould.k12.ar.us> wrote in message
news:4CFFF127020000370004E33C_at_RSC...
Markus,

I do get a password prompt although I don't remember setting a password for
it.

xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for
HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD:
Kerberos Login Failed:
Password incorrect

In Open Directory, I just added a new machine (what I assumed was a host
principal) named proxyserver, but adding a machine via OD's Workgroup Manager
doesn't ask for a password that I can remember. I didn't add an actual user
named proxyserver because that didn't make sense to me for a host.

Thanks,
Rob

----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169

>>> "Markus Moeller" <huaraz_at_moeller.plus.com> 12/08/10 5:44 PM >>>
Hi Rob,

 What happens when you type kinit HTTP/proxyserver.paragould.psd on your KDC
server? Do you get a password prompt?

Markus

>"Rob Asher" <rasher_at_paragould.k12.ar.us> wrote in message
>news:4CFFADF6.0172.0037.0_at_paragould.k12.ar.us...
>Hi Markus,
>
>I created the service principal with kadmin on the Apple server. The
>actual command was kadmin.local -q "add_principal HTTP/proxyserver.paragould.psd".
>I used kadmin also to export the keytab. Here's exactly what I did:
>
>xserve:~ root# kadmin.local
>Authenticating as principal root/admin_at_XSERVE.PARAGOULD.PSD with password.
>kadmin.local: xst -k proxyserver.keytab HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>Entry for principal HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to
>keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab
>WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added
>to keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added
>to keytab WRFILE:proxyserver.keytab.
>kadmin.local: q
>
>xserve:~ root# klist -k proxyserver.keytab
>Keytab name: WRFILE:proxyserver.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
> 5 HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
> 5 HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
> 5 HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
> 5 HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>
>xserve:~ root# kadmin.local -q "list_principals" | grep -i http
>HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
>HTTP/xserve.paragould.psd_at_XSERVE.PARAGOULD.PSD
>http/xserve.paragould.psd_at_XSERVE.PARAGOULD.PSD
>
>That last command to list the HTTP principals confused me and I'm not
>familiar with Kerberos at all really. Is it showing there are HTTP service
>principals for both proxyserver.paragould.psd and xserve.paragould.psd, or
>does the KDC automatically add an HTTP service principal for itself too? In
>this case, xserve.paragould.psd is the KDC server running on OS X Server
>10.6.2 and proxyserver.paragould.psd is the Squid server running on CentOS
>5.5. I copied the exported proxyserver.keytab to /etc/squid/ on the host
>proxyserver.paragould.psd and made sure the squid user had read access to
>it. Running kinit squidserver and giving its password works, I think.
>klist after that shows:
>
>[root_at_proxyserver squid]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: squidserver_at_XSERVE.PARAGOULD.PSD
>
>Valid starting     Expires            Service principal
>12/08/10 15:38:42  12/09/10 01:38:42  krbtgt/XSERVE.PARAGOULD.PSD_at_XSERVE.PARAGOULD.PSD
>        renew until 12/09/10 15:38:42
>
>
>Kerberos 4 ticket cache: /tmp/tkt0
>klist: You have no tickets cached
>
>I'm sure I've missed something or messed something up but I'm at a loss as
>what it is or where to even start looking. Thanks for any help!
>
>Regards,
>Rob
>
>----------------
>Rob Asher
>Network Systems Technician
>Paragould School District
>870-236-7744 x169
>
>>>> "Markus Moeller" <huaraz_at_moeller.plus.com> 12/08/10 2:39 PM >>>
>Hi Rob,
>
> It looks like your kdc does not know about the service principal
>HTTP/proxyserver.paragould.psd_at_XSERVE.PARAGOULD.PSD
> How did you create the entry and keytab ?
>
>Markus
>

----------

This message has been scanned for viruses and
dangerous content by the Paragould School District
MailScanner, and is believed to be clean.

Received on Fri Dec 10 2010 - 20:17:58 MST
