Re: [squid-users] Re: Re: Kerberos with AD

From: Simon Dwyer <mail_at_simmyd.net>
Date: Tue, 17 Apr 2012 07:47:10 +1000

Hi Everyone,

Thanks for all the help. It ended up being some confusion with how DNS
needed to be setup.

I managed to use ktpass with a machine account by putting a $ at the end
of the computer account name.

The current release of krb5-lib that is in centos 6.2 does not work with
msktutil so unless I create my own rpms I will have to wait for it to be
updated to use msktutil. Looking forward to this however :)

Thanks all,

Simon

On Mon, 2012-04-16 at 11:06 +0100, Markus Moeller wrote:
> Hi Brett,
>
> The best tool is msktutil, which creates a computer account and assigns
> the HTTP/<squid-fqdn> service principal to it. Also you can run it remotely
> directly on your squid server. You just need to make sure the computer name
> is not the same as used by samba (e.g. Use hostname-squid - Keep in mind max
> length is 15 characters)
>
> Regards
> Markus
>
>
> "Brett Lymn" <brett.lymn_at_baesystems.com> wrote in message
> news:20120416061457.GJ598_at_baea.com.au...
> > On Mon, Apr 16, 2012 at 07:05:23AM +0100, Markus Moeller wrote:
> >>
> >> BTW I would not recommend using ktpass and a user account. ktpass uses
> >> DES as a default which is no longer supported by newer MS systems and
> >> secondly user accounts in AD have usually (depending on your AD setting)
> >> a password expiry which would make your keytab invalid.
> >>
> >
> > You can choose the encryption that ktpass uses:
> >
> > ktpass -princ HTTP/proxy.domain.com_at_DOMAIN.COM -mapuser
> > proxyuser_at_DOMAIN.COM -crypto rc4-hmac-nt -pass secret -ptype
> > KRB5_NT_SRV_HST -out file.keytab
> >
> > This works fine on Win 2008 R2 servers - no problems with Win 7 machines
> > authenticating. What you say about using a user account is valid but
> > sometimes you are wedged if you want to use samba on the same machine.
> > For us regenerating the keytab is not onerous.
> >
> > --
> > Brett Lymn
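Two points in the thread above are worth checking on a real proxy after the keytab has been generated: that the keytab actually contains the HTTP/&lt;squid-fqdn&gt; service principal, and that none of its entries use the DES enctypes that ktpass emits by default. The script below is an added example for this, not code posted by anyone in the thread or shipped with squid or msktutil. It parses the output of MIT Kerberos `klist -kte` (the "(enctype)" suffix format); the keytab path /etc/squid/HTTP.keytab and the embedded listing are constructed sample values, not taken from a real host.

```shell
#!/bin/sh
# Added example: sanity-check a keytab listing for the squid service principal
# and for weak DES enctypes. Not part of the original thread.
# Assumes MIT krb5 `klist -kte` output, where each entry ends in "(enctype)"
# (newer releases print "(DEPRECATED:des-cbc-crc)" for DES; both forms match).

# Constructed sample listing, shaped like real `klist -kte` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/16/2012 11:06:00 HTTP/proxy.domain.com@DOMAIN.COM (des-cbc-crc)
   3 04/16/2012 11:06:00 HTTP/proxy.domain.com@DOMAIN.COM (arcfour-hmac)
   3 04/16/2012 11:06:00 HTTP/proxy.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)'

# check_keytab_listing <principal> <listing>
# Returns 0 when the principal is present with non-DES enctypes only,
# 1 when the principal is missing, 2 when it has DES entries.
check_keytab_listing() {
    principal="$1"
    listing="$2"

    # Entries for this exact principal; "|| true" keeps a no-match grep from
    # aborting callers that run with set -e.
    entries=$(printf '%s\n' "$listing" | grep -F "$principal (" || true)
    if [ -z "$entries" ]; then
        echo "MISSING: no entry for $principal"
        return 1
    fi

    # "des-cbc" matches des-cbc-crc and des-cbc-md5 but not des3-cbc-sha1
    # or any AES enctype.
    des=$(printf '%s\n' "$entries" | grep -i 'des-cbc' || true)
    if [ -n "$des" ]; then
        echo "WEAK: $principal has DES entries:"
        printf '%s\n' "$des"
        return 2
    fi

    echo "OK: $principal present with non-DES enctypes only"
    return 0
}

# Demonstration on the constructed sample. On a real proxy, feed in the live
# listing instead:  check_keytab_listing "$PRINC" "$(klist -kte /etc/squid/HTTP.keytab)"
check_keytab_listing 'HTTP/proxy.domain.com@DOMAIN.COM' "$SAMPLE_KLIST" \
    || echo "keytab check failed with status $?"
```

Run as `sh check_keytab.sh`; on the sample it reports the DES entry and exits with status 2. A keytab produced with `-crypto rc4-hmac-nt` as in Brett's command, or by msktutil, should come back "OK". A non-zero result is also a reasonable thing to wire into a post-deployment check, since an expired or DES-only keytab will otherwise only show up as failed Negotiate authentication at the browser.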
Received on Mon Apr 16 2012 - 21:47:21 MDT
