
Re: Re: Re: Re: squid_kerb_auth.... Key Version number?

"Mrvka Andreas" <mrv@xxxxxx> wrote in message news:200909250845.48301.mrv@xxxxxxxxx
Agreed.

So if I read your mail correctly you want to say:
- net ads join uses _computer-name_ to identify the authentication scheme
- msktutil (kerberos) only watches at the _service_ (http,cifs,...)

No, msktutil does create a computer account in AD if no one with the selected name exists, sets the serviceprincipalname attribute and creates a keytab with the computer account key. If a computer account exists with the same name msktutil resets the account with a new random password and creates a keytab with the computer account key.


The HowTo should look like:
1.
use net ads join to talk via computer-name with AD

2
use msktutil _with a non-existent computer-name_ so that the associated
HOST/<non-existenthostname> can not correlate with net ads join
Only the servicePrincipal HTTP/<fqdn> is important for squid/kerberos.


Have I understood you in the right way?
And will it work to use a non-existent hostname, or will msktutil fail? :-)

The best way would be - the client sends an NTLM token and squid_kerb_auth
does the rest. :-)


Thanks for support.
I can imagine lots of other squid-users use net ads join and want to implement
kerberos too.

Regards
Andrew


Am Freitag, 25. September 2009 01:07:44 schrieb Markus Moeller:
"Henrik Nordstrom" <henrik@xxxxxxxxxxxxxxxxxxx> wrote in message
news:1253822657.5592.1.camel@xxxxxxxxxxxxxxxxxxxxxxxx

> tor 2009-09-24 klockan 10:09 +0200 skrev Mrvka Andreas:
>> You are right - I have to use NTLM too because there are many IE 6
>> around.
>> But I use the same name for kerberos_auth and ntlm_auth
>> (kerberos - samba/winbind)
>> How should I configure a browser setting then? I want to set only one
>> proxy
>> server.
>
> Hmm.. I then suspect the HTTP ticket will get mismatch again in some
> time when the computer account is renewed by Samba.

I think so too.  Let me try to explain. Each entry in AD has a key
associated with it. For a user account the key is based on the user
password and for a computer it is based on a random password. As you may
have seen each entry in AD has also a serviceprincipalname attribute. This
attribute is used to associate a Kerberos principal with a key. You will
see a computer account has usually a HOST/<shorthostname> host/fqdn
serviceprincipal name and HTTP/fqdn if IIS is installed and cifs/fqdn for
fileshares.

net ads join creates an entry in AD with a random password with
CN=hostname. If you use msktutil with --computer-name hostname the same AD
entry will be used and since both commands will set a random password you
will get conflicts. For Kerberos the computer name doesn't matter (only
the serviceprincipalname attribute is important), which is why you should
use msktutil with any computer name (e.g. <shorthostname>-http) to avoid
the conflict.

Additionally msktutil sets the userprincipalname when you use --upn. The
userprincipalname is used to authenticate a principal (user or other e.g.
HTTP/<fqdn>) via kinit.  So if you use msktutil as described kinit -kt
<keytab> HTTP/<fqdn> will authenticate HTTP/<fqdn> with the key (=
encrypted random password) stored in the keytab.

> If that's the case then I also guess you should be able to automatically
> renew the HTTP ticket using the Samba keytab however. But Kerberos is
> not my main field of expertise..
>
> Regards
> Henrik

Regards
Markus
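Added example (not part of this thread, and not code from squid, Samba or msktutil): a small POSIX shell helper that checks the two things discussed above, namely that the msktutil computer name is derived from the short hostname with a suffix so it cannot collide with the account created by net ads join, and that the key version number (KVNO) stored in the squid keytab still matches what AD reports for HTTP/<fqdn>, which is exactly what breaks when both tools reset the same computer account password. The klist -kt and kvno output lines are constructed samples in the MIT Kerberos format (assumed); the hostname, realm and keytab path are placeholders.

```shell
#!/bin/sh
# Added example: detect the keytab/AD key-version mismatch described in the thread.
# Assumes MIT Kerberos output formats:
#   klist -kt   -> "KVNO Timestamp Principal" rows
#   kvno PRINC  -> "PRINC: kvno = N"
# All names below are constructed placeholders, not real systems.

# Constructed sample of `klist -kt /etc/squid/HTTP.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/25/09 08:45:48 HTTP/proxy.example.com@EXAMPLE.COM
   3 09/25/09 08:45:48 host/proxy-http.example.com@EXAMPLE.COM'

# Highest KVNO present in keytab listing text for one principal (0 if absent).
# $1: klist -kt text, $2: principal (with realm)
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF == p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# Computer name to hand to `msktutil --computer-name`: short hostname plus a
# suffix, so it never reuses the CN=<hostname> account that net ads join owns.
# $1: fqdn of the proxy
msktutil_account_name() {
    short=${1%%.*}
    printf '%s-http\n' "$short"
}

# Extract the key version AD reports from a `kvno` output line.
# $1: one line such as "HTTP/proxy.example.com@EXAMPLE.COM: kvno = 3"
ad_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Returns 0 when the keytab's key version equals the version AD reports.
# A mismatch means the computer account password was reset (e.g. by Samba
# renewing the net ads join account) after the keytab was written.
# $1: keytab kvno, $2: kvno output line
kvno_matches() {
    [ "$1" = "$(ad_kvno "$2")" ]
}

# Stand-alone usage with the constructed data (no network access needed).
main() {
    princ='HTTP/proxy.example.com@EXAMPLE.COM'
    kt=$(keytab_kvno "$SAMPLE_KLIST" "$princ")
    echo "msktutil --computer-name $(msktutil_account_name proxy.example.com)"
    echo "keytab kvno for $princ: $kt"
    # On a live host the second argument would be: "$(kvno "$princ" 2>/dev/null)"
    if kvno_matches "$kt" "$princ: kvno = 4"; then
        echo "kvno in sync"
    else
        echo "kvno mismatch: re-run msktutil to refresh the keytab"
    fi
}

# Only run main when executed directly, not when sourced for testing.
case "$0" in *sh) ;; *) main ;; esac
```

On a real proxy the two constructed strings would be replaced by `klist -kt /etc/squid/HTTP.keytab` and `kvno HTTP/<fqdn>` run as the squid user; a mismatch after Samba has renewed the machine account is the symptom the thread is describing, and it goes away once msktutil owns its own, differently named computer account.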
