[squid-users] Re: Re: Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 7 Jan 2012 12:27:19 -0000

Hi James,

 The issue you have might be related to:

  The <computer-name> has Windows Netbios limitations of 15 characters (see
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos )

3MSYDPROXY01-HTTP is 17 characters long and 3MSYDPROXY01 is 12 characters
long. Can you choose a shorter one and try again ?As said the computer name
is just a name in AD to identify the object.


"James Robertson" <j_at_mesrobertson.com> wrote in message
>> BTW Why do you want to reset the account in AD ? I don't see any reason.
> I work with some Engineers that won't have a clue about how the proxy
> integrates in AD and although unlikely, if they do reset the
> <fqdn>-http account for any reason msktutil --auto-update will not
> automatically resolve the issue and I will have to manually kinit
> administrator and then run msktutil --auto-update to resolve it. If I
> am not available this will be a problem. I can document what to do
> (which is not hard) but frankly I do not have enough confidence they
> would follow the instructions... sad I know.
> from --auto-update in the msktutil man page:
> ...Will also update if the keytab failed to authenticate but the
> default password did work. (e.g. after resetting the account in AD)...
> This works with the <fqdn> but fails when using <fqdn>-http. So
> although minor, it looks like a possible bug in msktutil, but I am not
> sure.
> I understand the point of having 2 different accounts in AD (thanks
> for that) and will just use <fqdn>-http for kerberos and advise the
> guys to never reset the account and hope they remember.
> Thank you for your time with this Markus, I appreciate it.
> James
Received on Sat Jan 07 2012 - 12:27:48 MST

This archive was generated by hypermail 2.2.0 : Sun Jan 08 2012 - 12:00:02 MST