I've looked through some of the mailing list archives and can't find anything 
specific on Kerberos authentication to an MIT KDC for Windows clients.  
Everything I've found mentions AD.  What I'd like, if possible, is to have 
single sign-on capabilities between OS X Server's Open Directory, squid 
2.7stable9 on CentOS 5.5, and Windows XP clients.  With pGina and Kerberos for 
Windows installed on the XP clients, I successfully get a ticket from the OD 
server.  What I'm having problems with is getting Firefox or IE to use the 
ticket for negotiation with the squid server.  I'm guessing that I've missed 
setting up a principal correctly, copied keytab, or possibly a DNS issue, but 
I'm not familiar enough with Kerberos to know what's wrong.  Packet captures 
for Kerberos return KRB-ERROR like this after the TGS_REQ when opening a 
browser session with FF:

Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 2010-12-03 21:05:34 (UTC)
    stime: 2010-12-03 21:05:26 (UTC)
    susec: 714271
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Client Realm: XSERVE.PARAGOULD.PSD
    Client Name (Principal): HTTP/proxyserver.paragould.psd
        Name-type: Principal (1)
        Name: HTTP
        Name: proxyserver.paragould.psd
    Realm: XSERVE.PARAGOULD.PSD
    Server Name (Unknown): krbtgt/xserve.paragould.psd
        Name-type: Unknown (0)
        Name: krbtgt
        Name: xserve.paragould.psd
    e-text: UNKNOWN_SERVER

If anyone has any ideas or what to look for, I'd appreciate any help.  If this 
isn't enough information from the capture to make an educated guess as to where 
I need to look further, I have the entire sequence I could post as well.  

Thanks,
Rob



----------------
Rob Asher
Network Systems Technician
Paragould School District
870-236-7744 x169


