Re: [squid-users] Re: Re: Re: Re: squid_kerb_auth.... Key Version number?

From: Mrvka Andreas <mrv_at_tuv.at>
Date: Mon, 28 Sep 2009 15:46:30 +0200

Hello Markus,

I thought there would be more changes in the wiki than what you have written.

You write about using either msktutil or net ads... but not both.

In fact, after installation of squid I went the msktutil way, but NTLM
authentication didn't work afterwards.
Maybe it was because of the client cache that I misunderstood.

If you say my installation will run into misbehaviours of my keys (msktutil
and net ads at the same time) then I will try to
- delete kerberos key on windows client
- use either msktutil or net ads

Maybe I can share my experience again.

Thanks a lot
Andrew

On Sunday, 27 September 2009 22:30:18, Markus Moeller wrote:
> Andrew,
>
> I added more details to the wiki for cases where Samba is used too. I
> hope this helps.
>
> Regards
> Markus
>
> "Mrvka Andreas" <mrv_at_tuv.at> wrote in message
> news:200909250845.48301.mrv_at_tuv.at...
>
> > Agreed.
> >
> > So if I read your mail correctly you want to say:
> > - net ads join uses the _computer-name_ to identify the authentication scheme
> > - msktutil (kerberos) only looks at the _service_ (http,cifs,...)
> >
> > The HowTo should look like:
> > 1.
> > use net ads join to talk via computer-name with AD
> >
> > 2
> > use msktutil _with a non-existent computer-name_ so that the associated
> > HOST/<non-existenthostname> cannot correlate with net ads join
> > Only the servicePrincipal HTTP/<fqdn> is important for squid/kerberos.
> >
> >
> > Have I understood you in the right way?
> > And will it work to use a non-existent hostname, or will msktutil fail?
> >
> > :-)
> >
> > The best way would be - the client sends an NTLM token and
> > squid_kerb_auth does the rest. :-)
> >
> >
> > Thanks for support.
> > I can imagine lots of other squid-users use net ads join and want to
> > implement
> > kerberos too.
> >
> > Regards
> > Andrew
> >
> > On Friday, 25 September 2009 01:07:44, Markus Moeller wrote:
> >> "Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
> >> news:1253822657.5592.1.camel_at_localhost.localdomain...
> >>
> >> > On Thu 2009-09-24 at 10:09 +0200, Mrvka Andreas wrote:
> >> >> You are right - I have to use NTLM too because there are many IE 6
> >> >> around.
> >> >> But I use the same name for kerberos_auth and ntlm_auth
> >> >> (kerberos - samba/winbind)
> >> >> How should I configure a browser setting then? I want to set only one
> >> >> proxy
> >> >> server.
> >> >
> >> > Hmm.. I then suspect the HTTP ticket will get mismatched again at some
> >> > point when the computer account is renewed by Samba.
> >>
> >> I think so too. Let me try to explain. Each entry in AD has a key
> >> associated with it. For a user account the key is based on the user
> >> password and for a computer it is based on a random password. As you
> >> may have seen, each entry in AD also has a serviceprincipalname
> >> attribute. This attribute is used to associate a Kerberos principal
> >> with a key. You will see a computer account usually has a
> >> HOST/<shorthostname> host/fqdn serviceprincipal name, and HTTP/fqdn if
> >> IIS is installed and cifs/fqdn for fileshares.
> >>
> >> net ads join creates an entry in AD with a random password with
> >> CN=hostname. If you use msktutil with --computer-name hostname the same
> >> AD entry will be used, and since both commands will set a random
> >> password you will get conflicts. For Kerberos the computer name doesn't
> >> matter (only the serviceprincipalname attribute is important), which is
> >> why you should use msktutil with any computer name (e.g.
> >> <shorthostname>-http) to avoid the conflict.
> >>
> >> Additionally msktutil sets the userprincipalname when you use --upn. The
> >> userprincipalname is used to authenticate a principal (user or other
> >> e.g. HTTP/<fqdn>) via kinit. So if you use msktutil as described kinit
> >> -kt <keytab> HTTP/<fqdn> will authenticate HTTP/<fqdn> with the key (=
> >> encrypted random password) stored in the keytab.
> >>
> >> > If that's the case then I also guess you should be able to
> >> > automatically
> >> > renew the HTTP ticket using the Samba keytab however. But Kerberos is
> >> > not my main field of expertise..
> >> >
> >> > Regards
> >> > Henrik
> >>
> >> Regards
> >> Markus
>
Received on Mon Sep 28 2009 - 13:46:37 MDT
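An added shell check, not from this thread, that parses `klist -kt` output and flags the situation Markus describes: the HTTP/<fqdn> key in the squid keytab ending up under more than one key version number after two tools (msktutil and net ads join) have reset the password of the same AD computer account. The keytab listings, hostnames and realm below are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `klist -kt /etc/squid/HTTP.keytab` output (healthy case).
# Real klist output has the same three columns: KVNO, Timestamp, Principal.
SAMPLE_OK='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/25/09 01:07:44 HTTP/proxy.example.com@EXAMPLE.COM
   3 09/25/09 01:07:44 HTTP/proxy.example.com@EXAMPLE.COM
   3 09/25/09 01:07:44 host/proxy-http.example.com@EXAMPLE.COM'

# Constructed sample after a second tool reset the same computer account:
# the service principal now appears under two different KVNOs.
SAMPLE_BAD='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/25/09 01:07:44 HTTP/proxy.example.com@EXAMPLE.COM
   4 09/28/09 15:46:30 HTTP/proxy.example.com@EXAMPLE.COM'

# check_keytab "<klist -kt output>" "<service principal without realm>"
# Prints "ok kvno=N" and returns 0 when the principal is present with exactly
# one key version number; prints the problem and returns 1 otherwise.
check_keytab() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        # Data rows start with a numeric KVNO; strip the @REALM before comparing.
        $1 ~ /^[0-9]+$/ { split($NF, p, "@"); if (p[1] == spn) seen[$1] = 1 }
        END {
            n = 0
            for (k in seen) { n++; last = k }
            if (n == 0) { print "missing " spn; exit 1 }
            if (n > 1)  { print "conflicting KVNOs for " spn; exit 1 }
            print "ok kvno=" last
        }'
}
```

On a live proxy, feed it `"$(klist -kt /etc/squid/HTTP.keytab)"` and the HTTP/<fqdn> principal; a "conflicting KVNOs" result is the sign that two tools are managing the same account.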

This archive was generated by hypermail 2.2.0 : Tue Sep 29 2009 - 12:00:03 MDT