"Brett Lymn" <brett.lymn@xxxxxxxxxxxxxx> wrote in message
news:20111228062759.GB21829@xxxxxxxxxxx...
On Wed, Dec 28, 2011 at 05:23:55PM +1100, James Robertson wrote:
Because I implemented Kerberos first I already had a machine account
in Active Directory that was created by the msktutil utility.
When I researched implementing ntlm_auth the documentation mentions
joining the computer to AD using "net ads join". This was an issue
because I already had the computer account and didn't want to hose
anything that the Negotiate/Kerberos might use and researched how to
use a pre-existing computer account in AD but could not find anything,
so in the end I just ran it (which worked). However after I did this
Negotiate/Kerberos was broken. I fixed it by resetting the computer
account and running "msktutil --auto-update" to update the computer
accounts password. NTLM still worked after this.
Don't use the machine account for the kerberos SPN if you also want to
use NTLM. Create a new user account and use that for generating the
kerberos keytab, this allows you to use NTLM as well without the creds
getting stomped.
You should use two different computer accounts. For Kerberos the machine
name does not matter only the user- and service-principalname is of
importance. So use net ads join <computername> and for msktutil use
something like <computername>-HTTP as computername.
The issue with using the same name is that samba runs a daemon which
regularly changes the computer account password and thereby also changes the
Kerberos key making the keytab with the extracted Kerberos key invalid.
Many people use user accounts instead of computer accounts because they use
thw MS ktpass tool which only works with user accounts, whereas msktutil can
work with computer accounts. I dislike user accounts as you may have to
create exceptions to your domain password policy for users (e.g. don't
expire password).
--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited. If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility. It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."
Regards
Markus
