Hi Nick,
You do not need a DNS entry for AUTH1. As default squid_kerb_auth uses
HTTP/gethostbyadr(gethostbyname(hostname()) which means I it canonicalises
the hostname. You can change this by using the -S option.
When you use msktutil you have to make sure that you do not have two
entries in AD withe the same SPN. If you still have a samba account in AD
with the HTTP/<fqdn> entry delete it the SPN with setspn -d ... .
Regards
Markus
"Nick Cairncross" <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote in message
news:C7EB8A2C.1F285%Nick.Cairncross@xxxxxxxxxxxxxxxxxx
Hi,
I'd like confirmation of something is possible, but first best to detail
what I want:
I want to use a separate computer account to authenticate my users against.
I know that this requires an HTTP.keytab and computer in AD with SPN. I
would like to use MKTSUTIL for this.
If my proxy server is called SQUID1 and is already happily joined to the
domain then I need to create a new machine account which I will call AUTH1.
1) Do I need to create a DNS entry for AUTH1 (with the same IP as SQUID1)?
2) If so, do I need just an A record?
3) I have evidently got confused over the msktutil switches and values and
so I'm specifying something wrong. What have I done? See below...
I used this command after a kinit myusername:
msktutil -c -b "CN=COMPUTERS" -s HTTP/squid1.[mydomain] iz -k
/etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server
dc1 -verbose
This created the computer account auth1 in the computers ou, added
HTTP/squid1.mydomain to SPN and HTTP/squid1.mydomain@mydomain to the UPN.
It also created the keytab HTTP.keytab. Klist reports:
2 HTTP/squid1.[mydomain]@[MYDOMAIN]
2 HTTP/squid1.[mydomain]@[MYDOMAIN]
2 HTTP/squid1.[mydomain]@[MYDOMAIN]
However cache.log shows this when I then fire up me IE
2010/04/14 14:52:46| authenticateNegotiateHandleReply: Error validating user
via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS
failure. Minor code may provide more information. No principal in keytab
matches desired name'
Thanks as always,
Nick
** Please consider the environment before printing this e-mail **
The information contained in this e-mail is of a confidential nature and is
intended only for the addressee. If you are not the intended addressee, any
disclosure, copying or distribution by you is prohibited and may be
unlawful. Disclosure to any party other than the addressee, whether
inadvertent or otherwise, is not intended to waive privilege or
confidentiality. Internet communications are not secure and therefore Conde
Nast does not accept legal responsibility for the contents of this message.
Any views or opinions expressed are those of the author.
Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU
Registered in London No. 226900