
Re: Re: Re: squid_kerb_auth.... Key Version number?

"Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message news:1253822657.5592.1.camel@xxxxxxxxxxxxxxxxxxxxxxxx
On Thu 2009-09-24 at 10:09 +0200, Mrvka Andreas wrote:

You are right - I have to use NTLM too because there are many IE 6 around.
But I use the same name for kerberos_auth and ntlm_auth
(kerberos - samba/winbind)
How should I configure a browser setting then? I want to set only one proxy
server.

Hmm.. I then suspect the HTTP ticket will get mismatched again in some
time when the computer account is renewed by Samba.


I think so too. Let me try to explain. Each entry in AD has a key associated with it. For a user account the key is based on the user password and for a computer it is based on a random password. As you may have seen, each entry in AD also has a servicePrincipalName attribute. This attribute is used to associate a Kerberos principal with a key. You will see that a computer account usually has HOST/<shorthostname> and host/<fqdn> servicePrincipalName values, plus HTTP/<fqdn> if IIS is installed and cifs/<fqdn> for file shares.

net ads join creates an entry in AD with a random password with CN=hostname. If you use msktutil with --computer-name hostname the same AD entry will be used, and since both commands will set a random password you will get conflicts. For Kerberos the computer name doesn't matter (only the servicePrincipalName attribute is important), which is why you should use msktutil with a different computer name (e.g. <shorthostname>-http) to avoid the conflict.

Additionally msktutil sets the userPrincipalName when you use --upn. The userPrincipalName is used to authenticate a principal (user or other, e.g. HTTP/<fqdn>) via kinit. So if you use msktutil as described, kinit -kt <keytab> HTTP/<fqdn> will authenticate HTTP/<fqdn> with the key (= encrypted random password) stored in the keytab.

If that's the case then I also guess you should be able to automatically
renew the HTTP ticket using the Samba keytab however. But Kerberos is
not my main field of expertise..

Regards
Henrik


Regards
Markus
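An added check for the key mismatch discussed in this thread (example code, not from the thread, from Squid or from msktutil): it parses constructed klist -kt output and compares each principal's keytab KVNO with the owning account's msDS-KeyVersionNumber as read from AD, so a keytab left stale by a Samba machine-password change shows up before Squid's Negotiate authentication starts failing. The keytab path, principals and KVNO values are all constructed sample data.

```python
import re

# Constructed sample of `klist -kt` output (not real output from the thread):
# HTTP/ lives in a keytab written by msktutil for a separate account,
# host/ belongs to the Samba machine account joined with `net ads join`.
SAMPLE_KLIST = """Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/24/09 10:09:00 HTTP/proxy.example.com@EXAMPLE.COM
   3 09/24/09 10:09:00 HTTP/proxy.example.com@EXAMPLE.COM
   2 09/01/09 08:00:00 host/proxy.example.com@EXAMPLE.COM
"""

# Constructed msDS-KeyVersionNumber values as read from AD (e.g. via ldapsearch)
# for the account that owns each SPN; Samba has since rotated its own password.
SAMPLE_AD_KVNO = {
    "HTTP/proxy.example.com@EXAMPLE.COM": 3,
    "host/proxy.example.com@EXAMPLE.COM": 5,
}

# One keytab entry: KVNO, timestamp (date and time, two tokens), principal
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def keytab_kvnos(klist_output):
    """Map each principal in `klist -kt` output to the highest KVNO stored for it."""
    kvnos = {}
    for line in klist_output.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue  # keytab name, column header, separator and blank lines
        kvno, princ = int(m.group(1)), m.group(2)
        kvnos[princ] = max(kvno, kvnos.get(princ, 0))
    return kvnos


def stale_principals(klist_output, ad_kvno):
    """Return [(principal, keytab_kvno, ad_kvno)] for SPNs whose keytab key
    no longer matches the current key version of the AD account holding them."""
    stale = []
    for princ, kt_kvno in keytab_kvnos(klist_output).items():
        current = ad_kvno.get(princ)
        if current is not None and current != kt_kvno:
            stale.append((princ, kt_kvno, current))
    return stale


if __name__ == "__main__":
    for princ, kt, ad in stale_principals(SAMPLE_KLIST, SAMPLE_AD_KVNO):
        print(f"{princ}: keytab kvno {kt}, AD kvno {ad} -> keytab is stale")
```

In the sample the HTTP/ principal on its own msktutil account is still current, while the host/ key from the Samba account is two versions behind, which is exactly the situation that makes the shared-account setup break.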

