Re: [squid-users] Re: Re: Re: squid kerberos authenticators spamming AD and locking out users

From: Brett Lymn <brett.lymn_at_baesystems.com>
Date: Tue, 26 Feb 2013 09:55:44 +1030

On Mon, Feb 25, 2013 at 11:13:35PM +0000, Markus Moeller wrote:
> Maybe it has to do with Samba and NTLM. Do you use the same AD account for
> Samba and Kerberos? You should not do that, use different AD accounts as
> Samba might invalidate the keytab.
>

We use separate accounts for Samba & the keytab. Samba generates a
machine account when we run the "net ads join"; the keytab is generated
using what we call a service account - a special user account in AD. As
I stated before, I use the Windows ktpass command, not the msktutil
command, to generate the keytab.

The thing is, neither of these accounts gets locked; it is one specific
user out of thousands that gets hit and, to date, never the same user
each time.

-- 
Brett Lymn
Received on Mon Feb 25 2013 - 23:26:10 MST
