Markus Moeller wrote:
> Hi Pedro,
>
> I looked at your captures and I observed something similar to
> Victor's issue. I see KRB5KRB_AP_ERR_MODIFIED and then the
> use of the name of the AD object (e.g. proxy$) instead of
> HTTP/<proxy fqdn>.

Dear Pedro,

If it is so as Markus wrote, then adding another principal to squid's
keytab (namely 'proxy$@YOUR.REALM' with the same key identical to that
of 'HTTP/<proxy fqdn>@YOUR.REALM') could help you as a workaround. Just
add it manually with ktutil.

However, I am eager to know what could be causing such weird tickets to
be issued, but I think only a Windows expert can tell. After all, the
key in the tickets is correct, only the principal name is changed. I
only suspect that the name is changed when the client sets the
Canonicalize option in the request, and not all clients do that.

<rant>I have not been able to find such an expert, most Windows admins I
know are GUI mouse boys without thorough understanding of Windows
internals.</rant>

> I also see that you have more than one AD
> server and I assume there is a sync problem between your AD
> servers (You said it started working after removing an unused AD
> server which would support my assumption).

If it were a DC sync problem, then probably the key/password would be
incorrect too. I blame the Canonicalize flag, but I don't understand the
logic behind it.

--
Victor Sudakov
Tomsk, Russia
Russian Barefoot FAQ at http://www.barefooters.ru/barefoot.txt
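The keytab workaround described in the message above, as an added example that is not part of the original post or of Squid: it parses an MIT-format keytab (file version 0x0502) and stores every key of the HTTP service principal a second time under the machine account name, keeping kvno, enctype and key bytes identical. The realm EXAMPLE.TEST, the host proxy.example.test, the dummy key and all function names are constructed for illustration; the name type field is copied unchanged, which is an assumption about what the acceptor tolerates.

```python
import struct

def _cstr(buf, off):
    """Read a counted string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def _name(realm, comps):
    """Encode a principal: component count, realm, then each component."""
    parts = [realm] + comps
    return struct.pack(">H", len(comps)) + b"".join(
        struct.pack(">H", len(p)) + p for p in parts)

def parse_entries(keytab):
    """Yield (realm, components, tail) per live entry of a 0x0502 keytab.
    tail is the raw name type, timestamp, kvno and key block."""
    if keytab[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off + 4 <= len(keytab):
        (size,) = struct.unpack_from(">i", keytab, off)
        off += 4
        if size == 0:            # zero length marks end of data
            break
        if size < 0:             # negative length marks a deleted slot
            off -= size
            continue
        entry, off = keytab[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _cstr(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(entry, p)
            comps.append(c)
        yield realm, comps, entry[p:]

def add_alias(keytab, service, alias):
    """Rebuild the keytab, storing every key of `service` under `alias` too."""
    out = b"\x05\x02"
    for realm, comps, tail in parse_entries(keytab):
        names = [comps] + ([[alias]] if b"/".join(comps) == service else [])
        for n in names:
            entry = _name(realm, n) + tail
            out += struct.pack(">i", len(entry)) + entry
    return out

def sample_keytab():
    """Constructed input: one AES256 (enctype 18) entry, kvno 3, dummy key."""
    tail = struct.pack(">IIBHH", 1, 0, 3, 18, 32) + bytes(range(32)) + struct.pack(">I", 3)
    entry = _name(b"EXAMPLE.TEST", [b"HTTP", b"proxy.example.test"]) + tail
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry
```

Run it on a copy of the keytab and keep the result readable only by the Squid user, since the file now holds the same long-term key under two names.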