[squid-users] Re: kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type "rc4-hmac"? from Markus Moeller on 2010-12-09 (squid-users)

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 9 Dec 2010 20:10:35 -0000

Hi Tom,

What does klist -ekt squid.keytab show ? Does it have an entry for AES ?
Did you use --enctypes 28 with msktutil as described here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Create_keytab ?

Markus

"Tom Tux" <tomtux80_at_gmail.com> wrote in message
news:AANLkTimUyH9MSqcTe5sHmMOQdJpvdYhfqPOtf+Ajto9U_at_mail.gmail.com...
I recognized, that the values in the AD-computer-object (attribut
msDS-SupportedEncryption-Type) has to match the client-kerberos-ticket
(session-key) and the settings made in /etc/krb5.conf. On all three
parts, the aes-256....value must be set.
If not, there's not authentication possible.

Is it true, that always the strongest key (in this case probably aes-256)
wins?
Tom

2010/12/9 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 09/12/10 19:43, Tom Tux wrote:
>>
>> Hi
>>
>> We moved our W2K3-Domaincontrollers to W2K8-DC's. The active-directory
>> operational mode is still 2003.
>>
>> We're using kerberos-authentication against the active-directory.
>> Nightly runs the "msktutil --auto-update" on the squid-proxy. One day,
>> this updated the computer-account and added the new
>> msDS-SupportedEncryption-Type = 28.
>>
>> On one morning, nobody could be authenticated against the
>> active-directory. On the cache.log, I saw the following error:
>>
>> authenticateNegotiateHandleReply: Error validating user via Negotiate.
>> Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS
>> failure. Minor code may provide more information. Encryption type not
>> permitted'
>>
>>
>> So, I added the "aes256-cts-hmac-sha1-96" encryption-type in the
>> /etc/krb5.conf-file. Now, everything is working fine. On the
>> computer-object in the active-directory, I see a value of 28 on the
>> attribut "msDS-SupportedEncryption Types" (updated through msktutil).
>>
>> When I trace the kerberos-traffic between the proxy and the new
>> w2k8-domain-controller, I still see the old encryption-type "rc4-hmac"
>> is being used.
>>
>> Why is there not the new encryption-type "aes" used? Why is still the
>> "old" one used? Before I updated the krb5.conf with the "aes"-part,
>> nobody was able to authenticate. And now, squid "talks" still with the
>> old one?
>
> Squid uses whatever support is available in the libraries, which may be
> version-specific from when it was built. It is likely that they and/or
> squid
> need to be upgraded to support that algorithm.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.9
> Beta testers wanted for 3.2.0.3
>
Received on Thu Dec 09 2010 - 20:13:00 MST

This archive was generated by hypermail 2.2.0 : Fri Dec 10 2010 - 12:00:01 MST