Search squid archive

Re: Squid HTTP Keytab SPN question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Nick,

You do not need a DNS entry for AUTH1. As default squid_kerb_auth uses HTTP/gethostbyadr(gethostbyname(hostname()) which means I it canonicalises the hostname. You can change this by using the -S option.

When you use msktutil you have to make sure that you do not have two entries in AD withe the same SPN. If you still have a samba account in AD with the HTTP/<fqdn> entry delete it the SPN with setspn -d ... .

Regards
Markus



"Nick Cairncross" <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote in message news:C7EB8A2C.1F285%Nick.Cairncross@xxxxxxxxxxxxxxxxxx
Hi,

I'd like confirmation of something is possible, but first best to detail what I want:

I want to use a separate computer account to authenticate my users against. I know that this requires an HTTP.keytab and computer in AD with SPN. I would like to use MKTSUTIL for this. If my proxy server is called SQUID1 and is already happily joined to the domain then I need to create a new machine account which I will call AUTH1.

1) Do I need to create a DNS entry for AUTH1 (with the same IP as SQUID1)?
2) If so, do I need just an A record?
3) I have evidently got confused over the msktutil switches and values and so I'm specifying something wrong. What have I done? See below...

I used this command after a kinit myusername:
msktutil -c -b "CN=COMPUTERS" -s HTTP/squid1.[mydomain] iz -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose

This created the computer account auth1 in the computers ou, added HTTP/squid1.mydomain to SPN and HTTP/squid1.mydomain@mydomain to the UPN.
It also created the keytab HTTP.keytab. Klist reports:

  2 HTTP/squid1.[mydomain]@[MYDOMAIN]
  2 HTTP/squid1.[mydomain]@[MYDOMAIN]
  2 HTTP/squid1.[mydomain]@[MYDOMAIN]

However cache.log shows this when I then fire up me IE

2010/04/14 14:52:46| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name'

Thanks as always,
Nick




** Please consider the environment before printing this e-mail **

The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author.

Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU

Registered in London No. 226900



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux