Hi Ludovit,
Yes, the client determines the encryption strength and squid needs to have
all of them in the keytab (you can disallow DES or other weak encryption by
not adding these encryptions to the keytab).
Regards
Markus
"Ludovit Koren" wrote in message news:86lhk0j2xe@gmail.com...
> Markus Moeller writes:
> It could be the new AD server is set up to be backward compatible
> meaning it uses RC4 despite being able to use AES. I suggest you create
> an additional keytab entry for RC4. How did you create the keytab ?
Now it seems to work:
# /usr/local/libex
> Markus Moeller writes:
> It could be the new AD server is set up to be backward compatible
> meaning it uses RC4 despite being able to use AES. I suggest you create
> an additional keytab entry for RC4. How did you create the keytab ?
It was created with ktpass on AD. The exac
It could be the new AD server is set up to be backward compatible meaning
it uses RC4 despite being able to use AES. I suggest you create an additional
keytab entry for RC4. How did you create the keytab ?
Markus
"Ludovit Koren" wrote in message news:86mw4hbl56@gmail.com...
Markus Moe
> Markus Moeller writes:
> Hi Ludovit,
> Firstly, these lines are contradictory
> permitted_enctypes = aes128-cts-hmac-sha1-96
> allow_weak_crypto = true
> weak crypto is des and permitted is aes. Do you use a mixed AD
> environment ( 2003/2008 ) ? 2003 does not
Hi Ludovit,
Firstly, these lines are contradictory
permitted_enctypes = aes128-cts-hmac-sha1-96
allow_weak_crypto = true
weak crypto is des and permitted is aes. Do you use a mixed AD environment
( 2003/2008 ) ? 2003 does not support aes.
Markus
"Ludovit Koren" wrote in message news:8
> Markus Moeller writes:
> Hi Ludovit,
> How did you create the keytab ? Usually there is an option allowing
> you to select the encryption type. The other place to check would be
> /etc/krb5.conf. It can contain a list of supported encryption
> types. See
>
http:/
Hi Ludovit,
How did you create the keytab ? Usually there is an option allowing you
to select the encryption type. The other place to check would be
/etc/krb5.conf. It can contain a list of supported encryption types. See
http://www.freebsd.org/cgi/man.cgi?query=krb5.conf&apropos=0&sektion=
> Markus Moeller writes:
> Hi Ludovit,
> Which Kerberos library version do you use ? Is it possible that
> the encryption types don't match ? I saw in your first email the
> following:
It is standard Heimdal library on FreeBSD:
# kinit --version
kinit (Heimdal 1.5.2)
Cop
Hi Ludovit,
Which Kerberos library version do you use ? Is it possible that the
encryption types don't match ? I saw in your first email the following:
Your klist shows a HTTP ticket for arcfour
Server: HTTP/squid1.mdpt.local@MDPT.LOCAL
Client: HTTP/squid1.mdpt.local@MDPT.LOCAL
Ticket et
> Markus Moeller writes:
> Hi Ludovit,
> I haven't seen that error before either, but when you test you should
> have your own user credentials in the cache. You should use kinit
> @MDPT.LOCAL and then try again the test. is the hostname
> correctly set to squid1.mdpt.loc
Hi Ludovit,
I haven't seen that error before either, but when you test you should have
your own user credentials in the cache. You should use kinit
@MDPT.LOCAL and then try again the test. is the hostname correctly set
to squid1.mdpt.local ? If not try
/usr/local/libexec/squid/negotiate_k
Hi,
I have set up Kerberos according to:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: HTTP/squid1.mdpt.local@MDPT.LOCAL
Issued Expires Principal
Feb 9 14:55:18 20