[squid-users] Re: Re: Re: squid kerberos authenticators spamming AD and locking out users

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 25 Feb 2013 23:13:35 -0000

Maybe it has to do with Samba and NTLM. Do you use the same AD account for
Samba and Kerberos? You should not do that; use different AD accounts, as
Samba might invalidate the keytab.

Markus

"Brett Lymn" <brett.lymn_at_baesystems.com> wrote in message
news:20130224232500.GA7082_at_baea.com.au...
> On Fri, Feb 22, 2013 at 02:48:56PM +0000, Markus Moeller wrote:
>>
>> A pure squid Kerberos authentication setup does not create any connection
>> between squid and AD. I am 100% sure of that.
>>
>
> OK, in that case I am now confused.
>
>> If you use additionally squid_kerb_ldap then yes there are connections. If
>> you use NTLM then there are connections too.
>>
>
> no squid_kerb_ldap. What I do have is:
>
> 1) squid_kerb_auth
> 2) basic auth using ntlm_auth
> 3) group lookups using wbinfo_group
>
> We are running samba on the proxies and samba is bound to AD, for
> kerberos we use a keytab that contains entries for our load balancer and
> the machine SPNs, I manually generate these keytabs on the windows
> server, transfer them over and use ktutil to merge them into a single
> keytab file.
>
> All I can say is about 1 in 1000 password changes triggers something
> that causes one user to continually get locked out until we restart
> squid on the machine causing the password errors according to AD.
>
> --
> Brett Lymn
Received on Mon Feb 25 2013 - 23:13:55 MST
