Re: [squid-users] Re: Kerberos with LDAP authentication failover and iTunes auth problems

From: James Robertson <>
Date: Wed, 28 Dec 2011 17:23:55 +1100

> The best is to configure Negotiate with the wrapper to cover Negotiate/NTLM
> and Negotiate/Kerberos and NTLM as "pure" NTLM for applications/clients
> which do not support Negotiate but NTLM ( like some chat tools).

Thank you both for the feedback and help with my understanding of
authentication. I installed negotiate_wrapper (running squid 3.1) and
after some initial problems trying to implement the use of ntlm_auth
post-Kerberos configuration I have it working now.

I have a concern that can hopefully be cleared up...

Because I implemented Kerberos first I already had a machine account
in Active Directory that was created by the msktutil utility.
When I researched implementing ntlm_auth the documentation mentions
joining the computer to AD using "net ads join". This was an issue
because I already had the computer account and didn't want to hose
anything that the Negotiate/Kerberos might use, and I researched how to
use a pre-existing computer account in AD but could not find anything,
so in the end I just ran it (which worked). However, after I did this
Negotiate/Kerberos was broken. I fixed it by resetting the computer
account and running "msktutil --auto-update" to update the computer
account's password. NTLM still worked after this.

I have a cron job set up to run "msktutil --auto-update" each day to
update the computer account's password when required. Will these two
mechanisms interfere with each other in future? i.e. is there
anything that the msktutil --auto-update might break for the winbind
ntlm_auth and vice versa - if this is a dumb question I apologise but
my knowledge on this is limited.

Also iTunes still prompts for a password but after input of the
username and password it works - I presume this is the expected
behaviour and that it shouldn't be seamless - is this the difference
between Negotiate/NTLM and pure NTLM?


Received on Wed Dec 28 2011 - 06:24:04 MST
