[squid-users] Re: Re: Re: Re: squid_kerb_auth.... Key Version number?

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 27 Sep 2009 21:30:18 +0100

Andrew,

   I added more details to the wiki for cases where Samba is used too. I
hope this helps.

Regards
Markus

"Mrvka Andreas" <mrv_at_tuv.at> wrote in message
news:200909250845.48301.mrv_at_tuv.at...
> Agreed.
>
> So if I read your mail correctly you want to say:
> - net ads join uses _computer-name_ to identify the authentication scheme
> - msktutil (kerberos) only watches at the _service_ (http,cifs,...)
>
> The HowTo should look like:
> 1.
> use net ads join to talk via computer-name with AD
>
> 2
> use msktutil _with a non-existend computer-name_ so that the associated
> HOST/<non-existendhostname> can not correlate with net ads join
> Only the sericePrincipal HTTP/<fqdn> is important for squid/kerberos.
>
>
> Have I understood you in the right way?
> And will it work to use a non-existend hostname, or will msktutil fail?
> :-)
>
> The best way would be - the client sends an NTLM token and squid_kerb_auth
> does the rest. :-)
>
>
> Thanks for support.
> I can imagine lots of other squid-users use net ads join and want to
> implement
> kerberos too.
>
> Regards
> Andrew
>
>
> Am Freitag, 25. September 2009 01:07:44 schrieb Markus Moeller:
>> "Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
>> news:1253822657.5592.1.camel_at_localhost.localdomain...
>>
>> > tor 2009-09-24 klockan 10:09 +0200 skrev Mrvka Andreas:
>> >> You are right - I have to use NTLM too because there are many IE 6
>> >> around.
>> >> But I use the same name for kerberos_auth and ntlm_auth
>> >> (kerberos - samba/winbind)
>> >> How should I configure a browser setting then? I want to set only one
>> >> proxy
>> >> server.
>> >
>> > Hmm.. I then suspect the HTTP ticket will get mismatch again in some
>> > time when the computer account is renewed by Samba.
>>
>> I think so too. Let me try to explain. Each entry in AD has a key
>> associated with it. For a user account the key is based on the user
>> password and for a computer it is based on a random password. As you may
>> have seen each entry in AD has also a serviceprincipalname attribute.
>> This
>> attribute is used to associate a Kerberos principal with a key. You will
>> see a computer account has usually a HOST/<shorthostname> host/fqdn
>> serviceprincipal name and HTTP/fqdn if IIS is installed and cifs/fqdn for
>> fileshares.
>>
>> net ads join creates an entry in AD with a random password with
>> CN=hostname. If you use msktutil with --computer-name hostname the same
>> AD
>> entry will be used and since both commands will set a random password
>> you
>> will get conflicts. For Kerberos the computer name doesn't matter (only
>> the serviceprinciplname attribute is important) why you should use
>> msktutil with any computer name (e.g. <shorthostname>-http) to avoid the
>> conflict.
>>
>> Additionally msktutil sets the userprincipalname when you use --upn. The
>> userprincipalname is used to authenticate a principal (user or other e.g.
>> HTTP/<fqdn>) via kinit. So if you use msktutil as described kinit -kt
>> <keytab> HTTP/<fqdn> will authenticate HTTP/<fqdn> with the key (=
>> encrypted random password) stored in the keytab.
>>
>> > If that's the case then I also guess you should be able to
>> > automatically
>> > renew the HTTP ticket using the Samba keytab however. But Kerberos is
>> > not my main field of expertise..
>> >
>> > Regards
>> > Henrik
>>
>> Regards
>> Markus
>>
>
Received on Sun Sep 27 2009 - 20:31:03 MDT

This archive was generated by hypermail 2.2.0 : Mon Sep 28 2009 - 12:00:03 MDT