Hi Markus,

I added the principal with a query instead of at the kadmin console. Here's the command I used:

kadmin.local -q "add_principal HTTP/proxyserver.paragould.psd"

I'm just guessing here that since I didn't specify a password that it defaulted to a random key. I tried the same kinit on the centos box and it prompted for a password. Running kinit -kt /etc/squid/proxyserver.keytab HTTP/[email protected] gave me a "password incorrect" when I ran it. Here's the actual output:

[r...@proxyserver ~]# kinit HTTP/proxyserver.paragould.psd
Password for HTTP/[email protected]:
kinit(v5): Password read interrupted while getting initial credentials
[r...@proxyserver ~]# kinit -kt /etc/squid/proxyserver.keytab HTTP/[email protected]
kinit(v5): Password incorrect while getting initial credentials
[r...@proxyserver ~]# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Assuming that I needed to fix the principal on the KDC, I went to the KDC and did this:

xserve:~ root# kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: cpw HTTP/proxyserver.paragould.psd
Enter password for principal "HTTP/proxyserver.paragould.psd":
Re-enter password for principal "HTTP/proxyserver.paragould.psd":
Password for "HTTP/[email protected]" changed.
kadmin.local: ktremove HTTP/[email protected]
Entry for principal HTTP/[email protected] with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/[email protected] with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/[email protected] with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/[email protected] with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
kadmin.local: ktadd HTTP/[email protected]
Entry for principal HTTP/[email protected] with kvno 7, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/[email protected] with kvno 7, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/[email protected] with kvno 7, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal HTTP/[email protected] with kvno 7, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local: xst -k proxyserver.keytab HTTP/[email protected]
Entry for principal HTTP/[email protected] with kvno 8, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/[email protected] with kvno 8, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/[email protected] with kvno 8, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
Entry for principal HTTP/[email protected] with kvno 8, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
kadmin.local: q

Hopefully that was a correct assumption on my part? Back on the centos box, I tried the kinit -kt .... again and here's the output now without an error:

[r...@proxyserver squid]# kinit -kt /etc/squid/proxy.keytab HTTP/[email protected]
[r...@proxyserver squid]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]

Valid starting     Expires            Service principal
12/10/10 16:20:59  12/11/10 02:20:59  krbtgt/[email protected]
        renew until 12/11/10 16:21:05, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, Triple DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I haven't had a chance to run a capture again between the client, centos or kdc yet to check things. I should be back in the office on Monday morning though and will check then. If you have any other things you can think of or that you'd like me to check remotely (SSH), just let me know. Thanks for the help.
Regards,
Rob

----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169

>>> "Markus Moeller" <[email protected]> 12/10/10 2:19 PM >>>
Hi Rob,

Before you used xst you must have created the principal with a command like add_principal or ank with either a -pw or -randkey option. This would have set the password for the principal. Can you try the same kinit on your Centos box (I assume you have the correct krb5.conf)? If you get prompted, can you try kinit -kt squid.keytab HTTP/[email protected]? It should not create an error and a klist -e should show the default principal of HTTP/[email protected].

An example:

opensuse11:~ # kinit -kt /etc/squid/squid.keytab HTTP/[email protected]
opensuse11:~ # klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]

Valid starting     Expires            Service principal
12/10/10 20:16:42  12/11/10 06:16:42  krbtgt/[email protected]
        renew until 12/11/10 20:16:42, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Markus

"Rob Asher" <[email protected]> wrote in message news:4cfff127020000370004e...@rsc...

Markus,

I do get a password prompt although I don't remember setting a password for it.

xserve:~ root# kinit HTTP/proxyserver.paragould.psd
Please enter the password for HTTP/[email protected]:
Kerberos Login Failed: Password incorrect

In Open Directory, I just added a new machine (what I assumed was a host principal) named proxyserver, but adding a machine via OD's workgroup manager doesn't ask for a password that I can remember. I didn't add an actual user named proxyserver because that didn't make sense to me for a host.

Thanks,
Rob

----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169

>>> "Markus Moeller" <[email protected]> 12/08/10 5:44 PM >>>
Hi Rob,

What happens when you type kinit HTTP/proxyserver.paragould.psd on your kdc server? Do you get a password prompt?
Markus

>"Rob Asher" <[email protected]> wrote in message
>news:[email protected]...
>Hi Markus,
>
>I created the service principal with kadmin on the apple server. The actual command was kadmin.local -q "add_principal HTTP/proxyserver.paragould.psd". I used kadmin also to export the keytab. Here's exactly what I did:
>
>xserve:~ root# kadmin.local
>Authenticating as principal root/[email protected] with password.
>kadmin.local: xst -k proxyserver.keytab HTTP/[email protected]
>Entry for principal HTTP/[email protected] with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/[email protected] with kvno 5, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/[email protected] with kvno 5, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
>Entry for principal HTTP/[email protected] with kvno 5, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:proxyserver.keytab.
>kadmin.local: q
>
>xserve:~ root# klist -k proxyserver.keytab
>Keytab name: WRFILE:proxyserver.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   5 HTTP/[email protected]
>   5 HTTP/[email protected]
>   5 HTTP/[email protected]
>   5 HTTP/[email protected]
>
>xserve:~ root# kadmin.local -q "list_principals" | grep -i http
>HTTP/[email protected]
>HTTP/[email protected]
>http/[email protected]
>
>That last command to list the http principals confused me and I'm not familiar with kerberos at all really. Is it showing there are http service principals for both proxyserver.paragould.psd and xserve.paragould.psd or does the KDC automatically add a http service principal for itself too? In this case, xserve.paragould.psd is the KDC server running on OS X Server 10.6.2 and proxyserver.paragould.psd is the squid server running on CentOS 5.5.
>I copied the exported proxyserver.keytab to /etc/squid/ on the host proxyserver.paragould.psd and made sure the squid user had read access to it. Running kinit squidserver and giving its password works I think. klist after that shows:
>
>[r...@proxyserver squid]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: [email protected]
>
>Valid starting     Expires            Service principal
>12/08/10 15:38:42  12/09/10 01:38:42  krbtgt/[email protected]
>        renew until 12/09/10 15:38:42
>
>
>Kerberos 4 ticket cache: /tmp/tkt0
>klist: You have no tickets cached
>
>I'm sure I've missed something or messed something up but I'm at a loss as to what it is or where to even start looking. Thanks for any help!
>
>Regards,
>Rob
>
>----------------
>Rob Asher
>Network Systems Technician
>Paragould School District
>870-236-7744 x169
>
>>>> "Markus Moeller" <[email protected]> 12/08/10 2:39 PM >>>
>Hi Rob,
>
> It looks like your kdc does not know about the service principal HTTP/[email protected]
> How did you create the entry and keytab?
>
>Markus

----------
This message has been scanned for viruses and dangerous content by the Paragould School District MailScanner, and is believed to be clean.
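An added example that is not part of the thread above: a small parser for the MIT keytab file format that lists each entry's principal, kvno and enctype (the fields klist -k and klist -e print in the thread) and flags entries whose kvno no longer matches what the KDC holds. A keytab exported before cpw or ktadd regenerated the key is one common reason kinit -kt fails with "Password incorrect"; the thread's own sequence moved the principal from kvno 5 to kvno 8. The realm EXAMPLE.REALM, the all-zero key material and the sample keytab are constructed for this example.

```python
import struct
# Kerberos enctype numbers for the four key types klist -e printed in the thread.
ENCTYPES = {16: "des3-cbc-sha1", 23: "arcfour-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
def _counted(buf, off):  # read a 16-bit length-prefixed octet string, return (bytes, new offset)
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] from a version 0x0502 MIT keytab (what klist -k shows)."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size < 0:  # a negative size marks a deleted slot (what ktremove leaves behind); skip it
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        vno8, enctype, klen = struct.unpack_from(">BHH", data, off + 8)  # 8 = name type + timestamp
        off += 13 + klen  # skip past the key material itself
        # a trailing 32-bit kvno, if present and non-zero, overrides the 8-bit field
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPES.get(enctype, str(enctype))))
        off = end
    return entries

def build_keytab(entries):
    """Build a keytab from (principal, kvno, enctype) tuples with dummy all-zero keys (sample input only)."""
    out = b"\x05\x02"
    for princ, kvno, enctype in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        # name type 1 (KRB5_NT_PRINCIPAL), timestamp 0, 8-bit kvno, enctype, 16-byte key, 32-bit kvno
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, 16) + bytes(16) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out
def stale_entries(keytab, kdc_kvno):
    """Entries whose kvno differs from the KDC's current one; kinit -kt with them fails 'Password incorrect'."""
    return [(p, k) for p, k, _ in parse_keytab(keytab) if k != kdc_kvno]

# Constructed sample: the kvno 5 keytab exported first in the thread, checked against kvno 8 after cpw/ktadd/xst.
SAMPLE = build_keytab([("HTTP/proxyserver.paragould.psd@EXAMPLE.REALM", 5, e) for e in (16, 23, 17, 18)])
```

Running stale_entries(SAMPLE, 8) returns all four entries, which is what a keytab that predates the key change looks like; against a real file, pass open(path, "rb").read() in place of SAMPLE.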
