Kerberos Heimdal Server Authentication


Kerberos Heimdal Server Authentication

Panagiotis Bariamis
Hello, my setup is as follows:
FreeBSD 11 Heimdal Kerberos server and DNS, properly configured (test-lab environment for the example.com domain)
FreeBSD 11 Squid proxy server
Windows client


I have created a keytab on the Kerberos server for http/squid.example.com.
The proxy server machine has no problem kinit-ing with the keytab file and gets a ticket:

# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: http/[hidden email]

  Issued                Expires               Principal
May  9 15:38:36 2018  May 10 01:38:37 2018  krbtgt/[hidden email]

The authentication part of my squid.conf is as follows:
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth
auth_param negotiate children 10 startup=1
auth_param negotiate keep_alive on

Trying to use:
 # /usr/local/libexec/squid/negotiate_kerberos_auth_test squid.example.com \
   | awk '{sub(/Token:/,"YR"); print $0}END{print "QQ"}' \
   | /usr/local/libexec/squid/negotiate_kerberos_auth -r -s http/squid.example.com

fails with:
negotiate_kerberos_auth_test: gss_init_sec_context() failed:  An unsupported mechanism was requested. unknown mech-code 0 for mech unknown
BH gss_accept_sec_context() failed:  A token was invalid. unknown mech-code 0 for mech unknown
BH quit command


Any ideas?

Thank you,
Bariamis Panagiotis



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
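The pipeline in the post hands negotiate_kerberos_auth a "YR <base64>" line that the awk stage builds from the test helper's "Token: <base64>" output. When the helper does emit a token, one check worth making before blaming either side is which GSS-API mechanism the token actually names. The following is an added example written for this page, not code from Squid, Heimdal or the thread: it decodes the outer RFC 2743 InitialContextToken of such a line just far enough to print the mechanism OID. The sample lines it runs on by default are constructed here with placeholder inner tokens, not real tickets.

```python
"""Report the mechanism OID carried by a GSS-API initial context token.

Added example for this thread, not Squid or Heimdal code. Reads "YR <base64>"
(or the helper's raw "Token: <base64>") lines and prints the mechanism OID
named in the RFC 2743 InitialContextToken wrapper.
"""
import base64

APPLICATION_0 = 0x60   # RFC 2743 InitialContextToken outer tag
OID_TAG = 0x06

# Mechanism OIDs that show up in HTTP Negotiate traffic.
KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# DER encodings of the two OIDs used for the constructed samples below.
OID_SPNEGO = bytes.fromhex("2b0601050502")
OID_KRB5 = bytes.fromhex("2a864886f712010202")


def read_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid(contents):
    """Turn DER OID contents into dotted form (handles multi-byte arcs)."""
    if not contents:
        raise ValueError("empty OID")
    first = contents[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:                  # final arc still had its continuation bit set
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def token_mechanism(helper_line):
    """Return (dotted_oid, name) for a 'YR <b64>' or 'Token: <b64>' line."""
    _, b64 = helper_line.split(None, 1)
    tok = base64.b64decode(b64)
    if not tok or tok[0] != APPLICATION_0:
        raise ValueError("not an RFC 2743 InitialContextToken (outer tag is not 0x60)")
    _, pos = read_length(tok, 1)
    if pos >= len(tok) or tok[pos] != OID_TAG:
        raise ValueError("thisMech OID missing")
    oid_len, pos = read_length(tok, pos + 1)
    oid = decode_oid(tok[pos:pos + oid_len])
    return oid, KNOWN_MECHS.get(oid, "unknown mechanism")


def build_token(oid_der, inner):
    """Wrap a mech OID and an inner token as an InitialContextToken (< 128 bytes)."""
    body = bytes([OID_TAG, len(oid_der)]) + oid_der + inner
    return bytes([APPLICATION_0, len(body)]) + body


def sample_helper_line(kind):
    """Constructed 'YR ...' lines; the inner tokens are placeholders, not real tickets."""
    if kind == "spnego":
        tok = build_token(OID_SPNEGO, b"\xa0\x00")   # empty NegTokenInit placeholder
    else:
        tok = build_token(OID_KRB5, b"\x01\x00")     # RFC 4121 AP-REQ token id only
    return "YR " + base64.b64encode(tok).decode("ascii")


if __name__ == "__main__":
    import sys
    # Pipe the awk stage's output in, or run without input to see the samples.
    lines = [sample_helper_line("spnego"), sample_helper_line("krb5")]
    if not sys.stdin.isatty():
        lines = sys.stdin.read().splitlines()
    for line in lines:
        if line.startswith(("YR ", "Token: ")):
            print(line[:24] + "...", "->", token_mechanism(line))
```

Squid's helper protocol uses "YR" for the first token of an exchange and "KK" for continuations; only the first one carries the InitialContextToken wrapper, which is why the script ignores "KK" lines.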

Re: Kerberos Heimdal Server Authentication

Markus Moeller
Can you capture the traffic on port 88? Heimdal's messages are not helpful, so seeing the real traffic may help identify the issue.

kinit should create an AS req/rep;
the test program creates a TGS req/rep.
 
Example attached if it gets through.
 
Markus
 

Attachment: krb5.pcap (3K)
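Markus's advice above, turned into a worked example: once you have a capture of port 88 from the proxy (on FreeBSD, something like `tcpdump -i <iface> -w krb5.pcap port 88` while running kinit and then the test pipeline), the question is which Kerberos messages are in it and, if the KDC refused something, what error it returned. The script below is an added example written for this page, not code from Squid or Heimdal and not derived from the attached krb5.pcap: it walks a classic libpcap file, labels each message by its ASN.1 APPLICATION tag (AS-REQ/AS-REP for kinit, TGS-REQ/TGS-REP for the test helper) and decodes the error-code of any KRB-ERROR. Without a filename argument it runs on a capture constructed inline with documentation addresses and minimal message bodies.

```python
"""Classify the Kerberos messages in a port-88 capture (added example for this
thread, not Squid or Heimdal code, not derived from the attached krb5.pcap).
Walks a classic libpcap file (Ethernet/IPv4, UDP or TCP), labels each message
by its ASN.1 APPLICATION tag and extracts the error-code of any KRB-ERROR, so
the AS exchange (kinit), TGS exchange (test helper) and any KDC rejection show.
"""
import struct

# RFC 4120 section 5.10: every message is [APPLICATION n] SEQUENCE.
MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}
# RFC 4120 section 7.5.9, the codes most often behind a failed ticket request.
ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
               13: "KDC_ERR_BADOPTION", 14: "KDC_ERR_ETYPE_NOSUPP",
               24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED"}

def der_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """Walk KRB-ERROR ::= [APPLICATION 30] SEQUENCE {...} to its [6] error-code."""
    _, seq, _ = der_tlv(msg, 0)
    _, fields, _ = der_tlv(seq, 0)
    pos = 0
    while pos < len(fields):
        tag, val, pos = der_tlv(fields, pos)
        if tag == 0xA6:
            return int.from_bytes(der_tlv(val, 0)[1], "big", signed=True)
    return None

def classify_message(payload, transport):
    """Label one message; over TCP it carries a 4-byte length prefix (RFC 4120 7.2.2)."""
    if transport == "tcp":
        payload = payload[4:]
    if not payload or payload[0] & 0xE0 != 0x60:       # constructed APPLICATION tag?
        return "not-kerberos"
    n = payload[0] & 0x1F
    label = MSG_TYPES.get(n, "APPLICATION %d" % n)
    if n == 30:
        code = krb_error_code(payload)
        label += " (%s)" % ERROR_CODES.get(code, "error-code %s" % code)
    return label

def kerberos_messages(pcap):
    """Return (src, dst, transport, label) for every port-88 packet in a libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    out, pos = [], 24                                  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if frame[12:14] != b"\x08\x00":                # IPv4 only; no VLAN tags
            continue
        ip = frame[14:]
        l4 = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if 88 not in (sport, dport):
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        if ip[9] == 17:                                # UDP: fixed 8-byte header
            out.append((src, dst, "udp", classify_message(l4[8:], "udp")))
        elif ip[9] == 6:                               # TCP: data offset from header
            out.append((src, dst, "tcp", classify_message(l4[(l4[12] >> 4) * 4:], "tcp")))
    return out

# Constructed sample capture: documentation addresses, minimal message bodies.
def _frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def _tcp(sport, dport, data):                          # adds the RFC 4120 7.2.2 length prefix
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return hdr + struct.pack("!I", len(data)) + data

def _krb(app, body):                                   # [APPLICATION app] SEQUENCE { body }
    seq = bytes([0x30, len(body)]) + body
    return bytes([0x60 | app, len(seq)]) + seq

def sample_pcap():
    """kinit's AS exchange over UDP, then a TGS-REQ over TCP that the KDC rejects."""
    kdc, proxy = "192.0.2.10", "192.0.2.20"
    pvno = b"\xa0\x03\x02\x01\x05"                     # [0] pvno INTEGER 5
    err = pvno + b"\xa1\x03\x02\x01\x1e\xa6\x03\x02\x01\x07"  # [1] msg-type 30, [6] error-code 7
    frames = [_frame(proxy, kdc, 17, _udp(40000, 88, _krb(10, pvno))),
              _frame(kdc, proxy, 17, _udp(88, 40000, _krb(11, pvno))),
              _frame(proxy, kdc, 6, _tcp(40001, 88, _krb(12, pvno))),
              _frame(kdc, proxy, 6, _tcp(88, 40001, _krb(30, err)))]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return pcap + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":                             # python3 krb_pcap.py [capture.pcap]
    import sys
    for m in kerberos_messages(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()):
        print("%-12s -> %-12s %-4s %s" % m)
```

The TCP branch matters in practice: Heimdal and most KDCs fall back from UDP to TCP for large messages, and over TCP every Kerberos message is preceded by a 4-byte length that is not part of the ASN.1, so a classifier that only looks at byte 0 of the segment would mislabel it. A capture that shows AS-REQ/AS-REP but no TGS exchange at all points at the client side never reaching the KDC, while a TGS-REQ answered by KRB-ERROR names the exact reason in the error-code.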