Agreed.

So if I read your mail correctly you want to say:
- net ads join uses _computer-name_ to identify the authentication scheme
- msktutil (kerberos) only looks at the _service_ (http, cifs, ...)

The HowTo should look like:
1. use net ads join to talk via computer-name with AD
2. use msktutil _with a non-existent computer-name_ so that the associated HOST/<non-existenthostname> cannot correlate with net ads join

Only the servicePrincipal HTTP/<fqdn> is important for squid/kerberos.

Have I understood you in the right way?
And will it work to use a non-existent hostname, or will msktutil fail? :-)

The best way would be - the client sends an NTLM token and squid_kerb_auth does the rest. :-)

Thanks for the support.
I can imagine lots of other squid-users use net ads join and want to implement kerberos too.

Regards
Andrew

On Friday, 25 September 2009 01:07:44, Markus Moeller wrote:
> "Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message
> news:1253822657.5592.1.camel@xxxxxxxxxxxxxxxxxxxxxxxx
>
> > Thu 2009-09-24 at 10:09 +0200, Mrvka Andreas wrote:
> >> You are right - I have to use NTLM too because there are many IE 6 around.
> >> But I use the same name for kerberos_auth and ntlm_auth (kerberos - samba/winbind).
> >> How should I configure a browser setting then? I want to set only one proxy server.
> >
> > Hmm.. I then suspect the HTTP ticket will get a mismatch again in some time when the computer account is renewed by Samba.
>
> I think so too. Let me try to explain. Each entry in AD has a key associated with it. For a user account the key is based on the user password and for a computer it is based on a random password. As you may have seen, each entry in AD also has a serviceprincipalname attribute. This attribute is used to associate a Kerberos principal with a key. You will see a computer account usually has a HOST/<shorthostname> and host/fqdn serviceprincipalname, and HTTP/fqdn if IIS is installed and cifs/fqdn for file shares.
>
> net ads join creates an entry in AD with a random password with CN=hostname. If you use msktutil with --computer-name hostname the same AD entry will be used, and since both commands will set a random password you will get conflicts. For Kerberos the computer name doesn't matter (only the serviceprincipalname attribute is important), which is why you should use msktutil with any computer name (e.g. <shorthostname>-http) to avoid the conflict.
>
> Additionally msktutil sets the userprincipalname when you use --upn. The userprincipalname is used to authenticate a principal (user or other, e.g. HTTP/<fqdn>) via kinit. So if you use msktutil as described, kinit -kt <keytab> HTTP/<fqdn> will authenticate HTTP/<fqdn> with the key (= encrypted random password) stored in the keytab.
>
> > If that's the case then I also guess you should be able to automatically renew the HTTP ticket using the Samba keytab however. But Kerberos is not my main field of expertise..
> >
> > Regards
> > Henrik
>
> Regards
> Markus
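An added example, not from this thread or from msktutil itself: a small Python reader for the MIT keytab that msktutil writes, listing each principal with its kvno and enctype so you can confirm offline that HTTP/<fqdn> is in the keytab and that the HOST/host entry belongs to the separate computer account rather than the net ads join one. Every kvno in a keytab must match the current password version of its AD account; when Samba renews the joined account's password the kvno moves on, which is how the mismatch Henrik describes shows up. The realm EXAMPLE.COM, the names proxy.example.com and proxy-http.example.com, and the key bytes are constructed sample values.

```python
import struct

def _counted(buf, pos):                    # 16-bit length-prefixed octet string
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """List principal, kvno and enctype for every live entry of an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 MIT keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                       # a negative size marks a deleted slot
            entries.append(_parse_entry(data, pos, end))
        pos = end
    return entries

def _parse_entry(data, pos, end):
    (ncomp,) = struct.unpack_from(">H", data, pos)
    realm, pos = _counted(data, pos + 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = _counted(data, pos)
        comps.append(comp.decode())
    _name_type, _stamp, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
    _key, pos = _counted(data, pos + 11)   # key bytes are not needed for the check
    vno = vno8
    if end - pos >= 4:                     # optional 32-bit kvno wins when non-zero
        vno = struct.unpack_from(">I", data, pos)[0] or vno8
    return {"principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": vno, "enctype": enctype}

def http_keys(entries, fqdn):
    """Entries for HTTP/<fqdn>, the only principal squid_kerb_auth needs."""
    return [e for e in entries if e["principal"].split("@")[0] == "HTTP/" + fqdn]

def _entry(realm, comps, vno, enctype, key):  # constructed entry in on-disk layout
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBH", 1, 0, vno & 0xFF, enctype)  # NT_PRINCIPAL, stamp 0
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: msktutil --computer-name proxy-http leaves HTTP/<fqdn> plus the host key
# of the separate (proxy-http) computer account, not the net ads join account.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(b"EXAMPLE.COM", [b"HTTP", b"proxy.example.com"], 3, 18, b"\x11" * 32)
                 + _entry(b"EXAMPLE.COM", [b"host", b"proxy-http.example.com"], 3, 18, b"\x33" * 32))
```

Run it against a real file with `parse_keytab(open("/etc/squid/HTTP.keytab", "rb").read())` (path assumed) and compare the kvno shown for HTTP/<fqdn> with what a fresh `kinit -kt` accepts.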