Hi,

On Wednesday, 23 September 2009 23:45:17, Markus Moeller wrote:
> "Mrvka Andreas" <mrv@xxxxxx> wrote in message
> news:200909230856.14501.mrv@xxxxxxxxx
>
>> Well,
>> What do you mean with clearing cache on Windows client? Do you mean the
>> AD Server Win2k8 or a normal Windows browser cache?
>
> Windows XP Kerberos cache. When you authenticate on XP (or other Windows
> systems) against AD you cache a ticket for about 8 hours. This ticket is
> used to get a so-called TGS for the service HTTP/fqdn from AD. Once
> requested from AD the TGS is also cached for 8 hours. This means if you
> change during the 8 hours the entry in AD the Windows XP client won't know
> and will still use the previously cached TGS with the key from the "old"
> AD entry.
>

So I thought in the wrong direction concerning key mismatch. I thought of AD and squid as the client.... Maybe it should be stated in your wiki?

> If the keytab has been created with msktutil in the way I described in the
> wiki then the kinit must work otherwise the key in the keytab does not
> match the entry in AD.
>

Now that everything works as expected I won't try kinit HTTP/fqdn again :-)

>> I tested with klist, ktab, kvno and looked to have the versions coherent
>> and
>> after using kinit I had to do a net ads join again because wbinfo -t
>> check
>
> You must make sure that the AD entries don't have the same name (e.g. the
> computername in msktutil can not be the same as the one net ads join uses
> !!)
> BTW net ads join is not needed for Kerberos, but I guess you want to handle
> NTLM too
>

You are right - I have to use NTLM too because there are many IE 6 around.
But I use the same name for kerberos_auth and ntlm_auth (kerberos - samba/winbind)
How should I configure a browser setting then? I want to set only one proxy server.

Well, in fact .... it works after a long way.

> I can only guess that you did use the same name as this would explain a
> change in the kvno.
>

Yes, so I do.
Bye and thanks for the support. Andrew
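The "versions coherent" check Andrew describes, as an added example that is not from this thread or from the squid/msktutil projects: it compares the kvno stored in the proxy's keytab (klist -kte output) with the kvno the KDC currently issues (kvno output). The keytab path, principal, realm and both command outputs are constructed for the example.

```sh
#!/bin/sh
# Compare the key version number (kvno) stored in the proxy's keytab with the
# kvno the KDC currently uses for the same principal.  A mismatch is what makes
# "kinit HTTP/fqdn" fail after the AD entry was re-created under the same name.
# Note: even with matching kvnos, a Windows client that already holds a TGS for
# the old key keeps using it until that ticket expires (about 8 hours).

# Constructed sample of `klist -kte /etc/squid/HTTP.keytab` output (path,
# principal and realm are assumptions for this example, not thread values).
KEYTAB_LISTING='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   3 09/23/09 10:12:01 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)
   3 09/23/09 10:12:01 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 09/20/09 08:00:00 host/proxy.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed sample of `kvno HTTP/proxy.example.com@EXAMPLE.COM` output: the
# KDC has moved on to kvno 4, e.g. after a second join under the same name.
KVNO_OUTPUT='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4'

# keytab_kvnos LISTING PRINCIPAL: print the distinct kvno values the keytab
# holds for PRINCIPAL (one per line); nothing if the principal is absent.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 2; i <= NF; i++) if ($i == p) { print $1; break } }' | sort -u
}

# kdc_kvno KVNO_OUTPUT: print the kvno reported for the service ticket.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno LISTING KVNO_OUTPUT PRINCIPAL: succeed (0) when the keytab holds
# the kvno the KDC issues tickets with, fail (1) when they have drifted apart.
check_kvno() {
    want=$(kdc_kvno "$2")
    for have in $(keytab_kvnos "$1" "$3"); do
        [ "$have" = "$want" ] && return 0
    done
    echo "kvno mismatch for $3: keytab has [$(keytab_kvnos "$1" "$3" | tr '\n' ' ')] KDC issues $want" >&2
    return 1
}

# Stand-alone run: with the sample data above this reports the mismatch.
if check_kvno "$KEYTAB_LISTING" "$KVNO_OUTPUT" HTTP/proxy.example.com@EXAMPLE.COM; then
    echo "keytab and KDC agree"
else
    echo "re-create the keytab (msktutil) or fix the duplicate AD entry"
fi
```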