>Hi,
>
>I am testing with Internet Explorer and obtain this error
>
>2011/05/30 22:06:36| squid_kerb_auth: gss_acquire_cred() failed:
>Unspecified GSS failure. Minor code may provide more information. Key
>table entry not found
>
That looks better, but not quite right. What does klist -ekt <squid-keytab>
(for MIT) or ktutil -k <squid-keytab> list (for Heimdal) give?
Also can you do a kinit <user> and then a kvno HTTP/<squid-fqdn> (I assume
MIT here)?
klist -ekt /etc/squid/squid.keytab
Keytab name: WRFILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  41 05/28/11 14:40:42 HTTP/w2k3r2.win2003r2.home@WIN2003R2.HOME (ArcFour with HMAC/md5)
# kinit mm@WIN2003R2.HOME
Password for mm@WIN2003R2.HOME:
# kvno HTTP/w2k3r2.win2003r2.home@WIN2003R2.HOME
HTTP/w2k3r2.win2003r2.home@WIN2003R2.HOME: kvno = 41
The kvno must be the same (in my case here 41) !
Also can you lock/unlock your desktop to get new credentials and run
wireshark again when you use IE?
You should see a TGS-REQ and TGS-REP, and the TGS-REP looks like:
No.     Time            Source          Destination     Protocol Info
  8     23:51:18.941121 192.168.1.12    192.168.1.27    KRB5     TGS-REP

Frame 8 (1300 bytes on wire, 1300 bytes captured)
Ethernet II, Src: Vmware_d0:e5:e9 (00:0c:29:d0:e5:e9), Dst: Vmware_8e:33:fe (00:0c:29:8e:33:fe)
Internet Protocol, Src: 192.168.1.12 (192.168.1.12), Dst: 192.168.1.27 (192.168.1.27)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 43611 (43611)
Kerberos TGS-REP
    Pvno: 5
    MSG Type: TGS-REP (13)
    Client Realm: WIN2003R2.HOME
    Client Name (Principal): mm
        Name-type: Principal (1)
        Name: mm
    Ticket
        Tkt-vno: 5
        Realm: WIN2003R2.HOME
        Server Name (Principal): HTTP/w2k3r2.win2003r2.home
            Name-type: Principal (1)
            Name: HTTP
            Name: w2k3r2.win2003r2.home
        enc-part rc4-hmac
            Encryption type: rc4-hmac (23)
            Kvno: 41
            enc-part: 7435AE25CA1CA6B2BA3E2C29D62A7F80D38B3A96E1528168...
    enc-part rc4-hmac
        Encryption type: rc4-hmac (23)
        enc-part: BA59EF1595A8CDAEE212C41EBE29C68E9D427D49995919D8...
Can you check that the keytab details (name, encryption type and kvno) match
with what you see in the TGS-REP?
>Regards
>
>On 05/30/2011 05:52 PM, spiderslack wrote:
>> Hi,
>>
>> From the log I can not see any connection against the Active Directory on
>> port 88 (kerberos, right). Attached is the .pcap. I did the
>> configuration of firefox as below
>>
>> firefox set variables as follows:
>>
>> network.negotiate-auth.delegation-uris=vialactea.corp
>> network.negotiate-auth.trusted-uris=vialactea.corp
>>
>> where vialactea.corp is the domain of the Active Directory. I tried in
>> IE but it keeps asking for login and password infinitely
>>
>> Regards
>>
>> On 05/29/2011 09:39 AM, Markus Moeller wrote:
>>> Hi,
>>>
>>> The squid log file says that the client could not use Kerberos and
>>> fell back to NTLM.
>>>
>>> Can you capture the traffic from the client to the proxy and to your
>>> Kerberos servers (e.g. active directory) with wireshark and send me
>>> the cap file (if not too big) ?
>>>
>>> Markus
>>
>
Regards
Markus
Received on Mon May 30 2011 - 23:02:47 MDT
This archive was generated by hypermail 2.2.0 : Tue May 31 2011 - 12:00:03 MDT
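The comparison Markus asks for above (keytab principal name, encryption type and kvno versus what the TGS-REP carries) can be scripted rather than eyeballed. The following is an added example, not code from the thread, from Squid or from MIT Kerberos. It parses the MIT keytab file format (magic 0x0502, the format both MIT and Heimdal write and that klist -ekt reads) and reports which of the three fields is off. The keytab bytes it runs against are constructed in build_keytab() with dummy keys so the script runs offline; the principal, enctype 23 (rc4-hmac, printed by klist as "ArcFour with HMAC/md5") and kvno 41 are the values shown in the thread, while the extra host/ principal, the AES entry and the proxy.example.test name used in the mismatch cases are invented for illustration. On a real proxy, read /etc/squid/squid.keytab and take the ticket values from the Wireshark TGS-REP.

```python
"""Compare a Squid keytab with what the KDC put in the TGS-REP.

Added example, not code from the thread or from Squid. parse_keytab() reads
the MIT keytab format (magic 0x0502); check_ticket() does the comparison
Markus asks for: principal name, encryption type and kvno in the keytab
versus the ticket. build_keytab() fabricates keytab bytes (constructed test
data, dummy keys) so this runs offline; on a real box read
/etc/squid/squid.keytab and take the ticket values from Wireshark instead.
"""
import struct

ENCTYPE_NAMES = {            # names as the KDC/Wireshark show them
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",          # klist prints this one as "ArcFour with HMAC/md5"
}


def _counted(buf, off):
    """uint16 length + that many bytes (keytab counted_octet_string)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, enctype, kvno, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab (expected magic 0x0502)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                  # skip the key bytes; not needed here
        kvno = vno8
        if end - off >= 4:                # optional 32-bit vno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "timestamp": ts})
        off = end
    return entries


def check_ticket(entries, server_principal, enctype, kvno):
    """Does some keytab entry match the ticket's name, kvno and enctype?
    Returns (ok, reason) in the order the checks should be made."""
    same_name = [e for e in entries if e["principal"] == server_principal]
    if not same_name:
        names = ", ".join(sorted({e["principal"] for e in entries})) or "none"
        return False, "no keytab entry for %s (names present: %s)" % (server_principal, names)
    same_vno = [e for e in same_name if e["kvno"] == kvno]
    if not same_vno:
        return False, "kvno mismatch: ticket has %d, keytab has %s" % (
            kvno, sorted({e["kvno"] for e in same_name}))
    if not any(e["enctype"] == enctype for e in same_vno):
        return False, "enctype mismatch: ticket uses %s, keytab has %s" % (
            ENCTYPE_NAMES.get(enctype, enctype),
            [ENCTYPE_NAMES.get(e["enctype"], e["enctype"]) for e in same_vno])
    return True, "keytab matches ticket (kvno %d, %s)" % (kvno, ENCTYPE_NAMES.get(enctype, enctype))


def build_keytab(entries, timestamp=0):
    """Constructed test data: (principal, enctype, kvno, key) tuples to keytab
    bytes. Keys are dummies, not real secrets; timestamp 0 is a placeholder."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # NT-PRINCIPAL, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                           # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def demo():
    """Thread values: HTTP/w2k3r2.win2003r2.home@WIN2003R2.HOME, rc4-hmac (23),
    kvno 41 on both sides; the three failure cases are made up."""
    svc = "HTTP/w2k3r2.win2003r2.home@WIN2003R2.HOME"
    entries = parse_keytab(build_keytab([(svc, 23, 41, b"\x00" * 16)]))
    return {
        "match": check_ticket(entries, svc, 23, 41),
        "stale_kvno": check_ticket(entries, svc, 23, 42),    # keytab older than the AD account key
        "wrong_name": check_ticket(entries, "HTTP/proxy.example.test@WIN2003R2.HOME", 23, 41),
        "wrong_etype": check_ticket(entries, svc, 18, 41),   # AES ticket, RC4-only keytab
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print("%-12s %s: %s" % (case, "OK " if ok else "BAD", why))
```

The checks are ordered the way the failure in the thread is diagnosed: a missing principal name, then a kvno that has moved on (the usual cause when the AD account password was reset or ktpass was rerun after the keytab was copied), then an encryption type the keytab has no key for. The script cannot tell whether the key bytes themselves are right; a keytab whose name, kvno and enctype all match but whose key is wrong fails later, at ticket decryption, not with the "Key table entry not found" error shown above.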