[squid-users] Re: Re: Kerberos with AD

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 16 Apr 2012 11:06:38 +0100

Hi Brett,

   The best tool is msktutil, which creates a computer account and assigns
the HTTP/<squid-fqdn> service principal to it. Also you can run it remotely
directly on your squid server. You just need to make sure the computer name
is not the same as used by samba (e.g. use hostname-squid - keep in mind the max
length is 15 characters).

Regards
Markus

"Brett Lymn" <brett.lymn_at_baesystems.com> wrote in message
news:20120416061457.GJ598_at_baea.com.au...
> On Mon, Apr 16, 2012 at 07:05:23AM +0100, Markus Moeller wrote:
>>
>> BTW I would not recommend using ktpass and a user account. ktpass uses
>> DES as a default, which is no longer supported by newer MS systems, and
>> secondly user accounts in AD usually have (depending on your AD setting)
>> a password expiry which would make your keytab invalid.
>>
>
> You can choose the encryption that ktpass uses:
>
> ktpass -princ HTTP/proxy.domain.com_at_DOMAIN.COM -mapuser
> proxyuser_at_DOMAIN.COM -crypto rc4-hmac-nt -pass secret -ptype
> KRB5_NT_SRV_HST -out file.keytab
>
> This works fine on Win 2008 R2 servers - no problems with Win 7 machines
> authenticating. What you say about using a user account is valid but
> sometimes you are wedged if you want to use samba on the same machine.
> For us regenerating the keytab is not onerous.
>
> --
> Brett Lymn
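An added example, not from either poster, that checks the two things this thread warns about once the keytab exists: that the HTTP/<fqdn> principal is actually in it with no DES keys (ktpass defaults to DES), and that the chosen computer name fits the 15-character limit. The keytab listing is assumed to be the output of `klist -ket <keytab>` from MIT Kerberos; a constructed sample is embedded so it runs offline, and proxy.example.com / EXAMPLE.COM are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Sanity-check a Squid HTTP keytab.
# Assumption: listing is MIT `klist -ket` output, one key per line:
#   KVNO Date Time Principal (enctype)

# check_computer_name NAME -> 0 if NAME fits the 15-character NetBIOS limit
check_computer_name() {
    name=$1
    if [ "${#name}" -gt 15 ]; then
        echo "computer name '$name' is ${#name} chars, limit is 15"
        return 1
    fi
    return 0
}

# check_keytab_listing LISTING FQDN REALM
#   0 if HTTP/FQDN@REALM is present and none of its keys are DES, else 1.
check_keytab_listing() {
    listing=$1; fqdn=$2; realm=$3
    principal="HTTP/${fqdn}@${realm}"
    found=0; des=0
    # here-doc (not a pipe) so found/des survive the loop in POSIX sh
    while read -r kvno date time princ enc; do
        case "$princ" in "$principal") ;; *) continue ;; esac
        found=1
        # single-DES enctypes (des-cbc-crc, des-cbc-md5); des3 is not matched
        case "$enc" in *des-cbc*) des=1; echo "DES key: kvno $kvno $enc" ;; esac
    done <<EOF
$listing
EOF
    [ "$found" -eq 1 ] || { echo "missing principal $principal"; return 1; }
    [ "$des" -eq 0 ] || return 1
    return 0
}

# Constructed sample listings (not real keytabs).
SAMPLE_LISTING='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   3 04/16/2012 11:06:38 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/16/2012 11:06:38 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/10/2012 09:00:00 HTTP/proxy.example.com@EXAMPLE.COM (des-cbc-md5)'
CLEAN_LISTING='KVNO Timestamp           Principal
   3 04/16/2012 11:06:38 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   3 04/16/2012 11:06:38 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'
```

On a live box, replace the sample with `"$(klist -ket /etc/squid/HTTP.keytab)"` and the real proxy FQDN and realm.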
Received on Mon Apr 16 2012 - 10:06:59 MDT
