"James Robertson" <j@xxxxxxxxxxxxxxxx> wrote in message
news:CAMALoy-QRRGSzN6sSU6J6UTmFkAmh7aGETRo=qcn0gjS2R=69A@xxxxxxxxxxxxxx...
Now the update (which does not happen as msktutil determines it is not
old
enough to change):
Thanks for the testing Markus.
But what happens after you reset your squid-test-http account on your
Windows Server and run the update again. My guess is it will fail
when it gets to the try_machine_password step. This would typically
work if the msktutil generated computer name matches the proxy's
hostname.
A reset of the account in AD will mean the password and therefore the
Kerberos key changes who will be then out of sync with the key in the
keytab.
If you use samba for NTLM authentication in squid then use the AD entry
which matches the squid host name only for Samba and use use the -http name
with the HTTP/<fqdn> service principal for Kerberos with msktutil. Use 2
separate AD computer accounts.
Markus