[squid-users] Re: Re: Re: squid_kerb_auth.... Key Version number?

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 25 Sep 2009 00:07:44 +0100

"Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
news:1253822657.5592.1.camel_at_localhost.localdomain...
> Thu 2009-09-24 at 10:09 +0200, Mrvka Andreas wrote:
>
>> You are right - I have to use NTLM too because there are many IE 6
>> around.
>> But I use the same name for kerberos_auth and ntlm_auth
>> (kerberos - samba/winbind)
>> How should I configure a browser setting then? I want to set only one
>> proxy
>> server.
>
> Hmm.. I then suspect the HTTP ticket will get mismatch again in some
> time when the computer account is renewed by Samba.
>

I think so too. Let me try to explain. Each entry in AD has a key
associated with it. For a user account the key is based on the user password
and for a computer it is based on a random password. As you may have seen,
each entry in AD also has a serviceprincipalname attribute. This attribute
is used to associate a Kerberos principal with a key. You will see a
computer account usually has HOST/<shorthostname> and host/fqdn
serviceprincipalname entries, and HTTP/fqdn if IIS is installed and cifs/fqdn for
file shares.

net ads join creates an entry in AD with a random password with CN=hostname.
If you use msktutil with --computer-name hostname the same AD entry will be
used and since both commands will set a random password you will get
conflicts. For Kerberos the computer name doesn't matter (only the
serviceprincipalname attribute is important), which is why you should use msktutil with
a different computer name (e.g. <shorthostname>-http) to avoid the conflict.

Additionally msktutil sets the userprincipalname when you use --upn. The
userprincipalname is used to authenticate a principal (user or other e.g.
HTTP/<fqdn>) via kinit. So if you use msktutil as described, kinit -kt
<keytab> HTTP/<fqdn> will authenticate HTTP/<fqdn> with the key (= encrypted
random password) stored in the keytab.

> If that's the case then I also guess you should be able to automatically
> renew the HTTP ticket using the Samba keytab however. But Kerberos is
> not my main field of expertise..
>
> Regards
> Henrik
>
>
Regards
Markus
Received on Thu Sep 24 2009 - 23:08:38 MDT
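The mismatch Markus describes shows up as the keytab holding a different key version number (KVNO) than the KDC issues for HTTP/<fqdn>. As an added example (not part of the thread or of any Squid/msktutil code), this POSIX sh script parses the output of `klist -kt` and `kvno` and reports when the two disagree; the keytab path, host name and realm are assumed placeholders, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: detect a KVNO mismatch between the Squid HTTP keytab and the
# KDC, the symptom seen when the computer account password is reset (e.g. by
# Samba) without the keytab being regenerated. Assumed names:
# /etc/squid/HTTP.keytab, proxy.example.com, EXAMPLE.COM.

# Highest KVNO for principal $2 in "klist -kt" output $1 (empty if absent).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { print $1 }' | sort -n | tail -n 1
}

# KVNO from "kvno PRINCIPAL" output $1, which reads "PRINCIPAL: kvno = N".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Returns 0 when keytab and KDC agree, 1 on mismatch, 2 if either is missing.
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    [ -n "$kt" ] && [ -n "$kdc" ] || return 2
    [ "$kt" = "$kdc" ]
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/24/2009 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   3 09/24/2009 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM'
SAMPLE_KVNO_OK='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 3'
SAMPLE_KVNO_STALE='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4'
PRINC=HTTP/proxy.example.com@EXAMPLE.COM

# Demonstration on the constructed data: the KDC moved to KVNO 4, keytab has 3.
if check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" "$PRINC"; then
    echo "sample: keytab matches KDC"
else
    echo "sample: KVNO mismatch for $PRINC, regenerate the keytab with msktutil" >&2
fi

# Live check when a keytab path is given: ./kvno_check.sh /etc/squid/HTTP.keytab
if [ $# -ge 1 ]; then
    check_kvno "$(klist -kt "$1")" "$(kvno "$PRINC" 2>&1)" "$PRINC" || exit $?
fi
```

The live check needs a valid credential cache for `kvno` to query the KDC, so run it after `kinit -kt <keytab> HTTP/<fqdn>` or with any other ticket.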

This archive was generated by hypermail 2.2.0 : Fri Sep 25 2009 - 12:00:03 MDT