Hi Everyone,

Thanks for all the help. It ended up being some confusion with how DNS
needed to be set up. I managed to use ktpass with a machine account by
putting a $ at the end of the computer account name.

The current release of krb5-lib that is in CentOS 6.2 does not work with
msktutil, so unless I create my own RPMs I will have to wait for it to be
updated to use msktutil. Looking forward to this however :)

Thanks all,
Simon

On Mon, 2012-04-16 at 11:06 +0100, Markus Moeller wrote:
> Hi Brett,
>
> The best tool is msktutil, which creates a computer account and assigns
> the HTTP/<squid-fqdn> service principal to it. Also you can run it remotely
> directly on your squid server. You just need to make sure the computer name
> is not the same as used by samba (e.g. use hostname-squid - keep in mind max
> length is 15 characters)
>
> Regards
> Markus
>
>
> "Brett Lymn" <brett.lymn@xxxxxxxxxxxxxx> wrote in message
> news:20120416061457.GJ598@xxxxxxxxxxx...
> > On Mon, Apr 16, 2012 at 07:05:23AM +0100, Markus Moeller wrote:
> >>
> >> BTW I would not recommend using ktpass and a user account. ktpass uses
> >> DES as a default which is not anymore supported by newer MS systems and
> >> secondly user accounts in AD have usually (depending on your AD setting)
> >> a password expiry which would make your keytab invalid.
> >>
> >
> > You can choose the encryption that ktpass uses:
> >
> > ktpass -princ HTTP/proxy.domain.com@xxxxxxxxxx -mapuser proxyuser@xxxxxxxxxx -crypto rc4-hmac-nt -pass secret -ptype KRB5_NT_SRV_HST -out file.keytab
> >
> > This works fine on Win 2008 R2 servers - no problems with Win 7 machines
> > authenticating. What you say about using a user account is valid but
> > sometimes you are wedged if you want to use samba on the same machine.
> > For us regenerating the keytab is not onerous.
> >
> > --
> > Brett Lymn
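
Added example, not part of the original thread: the DES-default concern raised above can be checked on the proxy host by listing the encryption type of every key in the generated keytab. The sketch below parses the MIT keytab file format (version 0x0502) and flags single-DES entries; `parse_keytab`, `build_entry` and `SAMPLE` are hypothetical names, and the realm, host and all-zero keys in the sample are constructed placeholders.

```python
import struct

# Kerberos enctype numbers; 1-3 are the single-DES types the thread warns about.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
DES = {1, 2, 3}

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name, is_des), ...] for a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative length marks a deleted entry (hole)
            pos -= size
            continue
        end, p = pos + size, pos + 2
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names = []                  # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode("utf-8", "replace"))
            p += 2 + n
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen              # fixed 13-byte header, then the key bytes
        if end - p >= 4:            # optional 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        princ = "/".join(names[1:]) + "@" + names[0]
        out.append((princ, kvno, ENCTYPES.get(etype, f"etype-{etype}"), etype in DES))
        pos = end
    return out

def build_entry(realm, comps, kvno, etype, key):
    """Serialize one entry; used only to construct the sample below."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: placeholder realm and host, dummy all-zero keys.
SAMPLE = (b"\x05\x02"
          + build_entry("EXAMPLE.COM", ["HTTP", "proxy.example.com"], 3, 3, bytes(8))
          + build_entry("EXAMPLE.COM", ["HTTP", "proxy.example.com"], 3, 23, bytes(16)))

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE):
        print(*entry)
```

Any entry whose last field is `True` carries a single-DES key and is a candidate for regenerating the keytab with a stronger `-crypto` value.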