Re: [squid-users] kerberos-authentication, msktutil, w2k8-domain-controllers and the old encryption-type "rc4-hmac"?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 10 Dec 2010 01:43:14 +1300

On 09/12/10 19:43, Tom Tux wrote:
> Hi
>
> We moved our W2K3-Domaincontrollers to W2K8-DC's. The active-directory
> operational mode is still 2003.
>
> We're using kerberos-authentication against the active-directory.
> Nightly, "msktutil --auto-update" runs on the squid-proxy. One day,
> this updated the computer-account and added the new
> msDS-SupportedEncryptionTypes = 28.
>
> On one morning, nobody could be authenticated against the
> active-directory. On the cache.log, I saw the following error:
>
> authenticateNegotiateHandleReply: Error validating user via Negotiate.
> Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS
> failure. Minor code may provide more information. Encryption type not
> permitted'
>
>
> So, I added the "aes256-cts-hmac-sha1-96" encryption-type in the
> /etc/krb5.conf-file. Now, everything is working fine. On the
> computer-object in the active-directory, I see a value of 28 on the
> attribute "msDS-SupportedEncryptionTypes" (updated through msktutil).
>
> When I trace the kerberos-traffic between the proxy and the new
> w2k8-domain-controller, I still see the old encryption-type "rc4-hmac"
> is being used.
>
> Why isn't the new encryption-type "aes" used? Why is the "old" one
> still used? Before I updated the krb5.conf with the "aes"-part,
> nobody was able to authenticate. And now, squid still "talks" with the
> old one?

Squid uses whatever support is available in the libraries, which may be
version-specific from when it was built. It is likely that they and/or
squid need to be upgraded to support that algorithm.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
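A worked decoding of the attribute value 28 from the thread, as an added example that is not part of the thread nor of squid or msktutil: it maps the msDS-SupportedEncryptionTypes bitmask to enctype names and checks them against two constructed krb5.conf fragments, one with only rc4-hmac permitted and one with the aes256 entry added. The krb5.conf contents, realm name and weak-enctype set are assumptions for illustration.

```python
"""Decode msDS-SupportedEncryptionTypes and compare with krb5.conf enctypes."""

# Bit values of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
# Assumption: treat DES and RC4 as weak when reporting what would be negotiated.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}

# Constructed krb5.conf fragments (not from the thread): before and after
# adding aes256-cts-hmac-sha1-96 to the permitted list.
KRB5_BEFORE = """[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = rc4-hmac
"""
KRB5_AFTER = """[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
"""

def decode_supported_enctypes(value: int) -> list[str]:
    """Return the enctype names whose bits are set in the attribute value."""
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]

def parse_krb5_enctypes(conf_text: str) -> dict[str, list[str]]:
    """Collect the [libdefaults] *_enctypes lists from krb5.conf-style text."""
    result, in_libdefaults = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            in_libdefaults = line.lower() == "[libdefaults]"
            continue
        key, sep, val = line.partition("=")
        if in_libdefaults and sep and key.strip().endswith("_enctypes"):
            result[key.strip()] = val.split()
    return result

def negotiable_enctypes(ad_value: int, conf_text: str) -> list[str]:
    """Enctypes the DC advertises that this krb5.conf also permits."""
    supported = decode_supported_enctypes(ad_value)
    permitted = parse_krb5_enctypes(conf_text).get("permitted_enctypes")
    return supported if permitted is None else [e for e in supported if e in permitted]

def only_weak_negotiable(ad_value: int, conf_text: str) -> bool:
    """True when every enctype both sides could agree on is a weak one."""
    common = negotiable_enctypes(ad_value, conf_text)
    return bool(common) and all(e in WEAK_ENCTYPES for e in common)
```

With value 28 the DC side offers rc4-hmac, aes128 and aes256; the rc4-only configuration leaves rc4-hmac as the sole common enctype, which is the kind of mismatch behind the "Encryption type not permitted" failure when the ticket arrives with an enctype the client does not permit.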