Search squid archive

Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




"Brett Lymn" <brett.lymn@xxxxxxxxxxxxxx> wrote in message news:20111228062759.GB21829@xxxxxxxxxxx...
On Wed, Dec 28, 2011 at 05:23:55PM +1100, James Robertson wrote:

Because I implemented Kerberos first I already had a machine account
in Active Directory that was created by the msktutil utility.
When I researched implementing ntlm_auth the documentation mentions
joining the computer to AD using "net ads join".  This was an issue
because I already had the computer account and didn't want to hose
anything that the Negotiate/Kerberos might use and researched how to
use a pre-existing computer account in AD but could not find anything,
so in the end I just ran it (which worked).  However after I did this
Negotiate/Kerberos was broken.  I fixed it by resetting the computer
account and running "msktutil --auto-update" to update the computer
accounts password.  NTLM still worked after this.


Don't use the machine account for the kerberos SPN if you also want to
use NTLM.  Create a new user account and use that for generating the
kerberos keytab, this allows you to use NTLM as well without the creds
getting stomped.


You should use two different computer accounts. For Kerberos the machine name does not matter only the user- and service-principalname is of importance. So use net ads join <computername> and for msktutil use something like <computername>-HTTP as computername.

The issue with using the same name is that samba runs a daemon which regularly changes the computer account password and thereby also changes the Kerberos key making the keytab with the extracted Kerberos key invalid. Many people use user accounts instead of computer accounts because they use thw MS ktpass tool which only works with user accounts, whereas msktutil can work with computer accounts. I dislike user accounts as you may have to create exceptions to your domain password policy for users (e.g. don't expire password).

--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."





Regards
Markus




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux