[squid-users] Re: Re: Re: Re: Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 7 Jan 2012 00:52:47 -0000

"James Robertson" <j_at_mesrobertson.com> wrote in message
news:CAMALoy-QRRGSzN6sSU6J6UTmFkAmh7aGETRo=qcn0gjS2R=69A_at_mail.gmail.com...
>> Now the update (which does not happen as msktutil determines it is not
>> old enough to change):
>
> Thanks for the testing Markus.
>
> But what happens after you reset your squid-test-http account on your
> Windows Server and run the update again? My guess is it will fail
> when it gets to the try_machine_password step. This would typically
> work if the msktutil generated computer name matches the proxy's
> hostname.

A reset of the account in AD means the password, and therefore the
Kerberos key, changes, which will then be out of sync with the key in the
keytab.

If you use Samba for NTLM authentication in squid, then use the AD entry
which matches the squid host name only for Samba, and use the -http name
with the HTTP/<fqdn> service principal for Kerberos with msktutil. Use 2
separate AD computer accounts.

Markus
Received on Sat Jan 07 2012 - 00:53:09 MST
