So when I do kinit I should use a different account to the samba one. I'm lost, sorry. When I attach with winbind, I kinit with my personal admin account and also do a net ads join -U <admin account>. The password on the <admin account> doesn't / hasn't changed. Are you talking about the computer account password? If so, then I set up a different computer account for the squid kerberos application!

On 9 December 2015 at 07:20, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> The issue appears if you use the same AD account for samba and the
> kerberos keytab creation, as samba will reset the password of the AD
> account and thereby invalidate the extracted keytab.
>
> Markus
>
>
> "Alex Samad" wrote in message
> news:CAJ+Q1PW9Ue4zdT9GCt-4MjW=UjDWyBOPc4AFrcjG=qFNEwMMGA@xxxxxxxxxxxxxx...
>
>
> Hi
>
> So what you're saying is I should install msktutil and let it manage
> the squid krb keytab file.
>
>
> Could you possibly help with the changes to the squid.conf file? Do I
> leave it as is and just add kerberos first?
>
>
> On 8 December 2015 at 20:03, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>
>> On 8/12/2015 7:44 p.m., Alex Samad wrote:
>>>
>>> Hi
>>>
>>> Currently using 3.1 (from centos 6)
>>> I have setup squid to auth against MS AD
>>>
>>> I have
>>> # #######
>>> # Negotiate
>>> # #######
>>>
>>> # http://wiki.squid-cache.org/Features/Authentication
>>> # http://wiki.squid-cache.org/Features/NegotiateAuthentication
>>> auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --configfile /etc/samba/smb.conf-squid
>>> auth_param negotiate children 10 startup=0 idle=3
>>> auth_param negotiate keep_alive on
>>>
>>> # #######
>>> # NTLM AUTH
>>> # #######
>>>
>>> # ntlm auth
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --configfile /etc/samba/smb.conf-squid
>>> auth_param ntlm children 10
>>> #auth_param ntlm children 10 startup=0 idle=3
>>> #auth_param ntlm keep_alive
>>>
>>>
>>> # #######
>>> # NTLM over basic
>>> # #######
>>>
>>> # warning: basic authentication sends passwords plaintext
>>> # a network sniffer can and will discover passwords
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --configfile /etc/samba/smb.conf-squid
>>> auth_param basic children 5
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>>
>>>
>>> I want to move towards using kerberos, came to this page
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>>>
>>> worked through that, but i saw this
>>>
>>> Do not use this method if you run winbindd or other samba services as
>>> samba will reset the machine password every x days and thereby makes
>>> the keytab invalid !!
>>
>>
>>
>> As I understand it that disclaimer applies only to the "OR with Samba"
>> instructions for keytab creation directly above it. The other two
>> methods should work.
>>
>> Also, it is just a disclaimer about a known problem.
>> There is always the option to set up a script that re-builds the keytab
>> and reloads Squid every X days when it changes.
>>
>>>
>>> I have winbindd running for my users list in linux
>>>
>>> is there a way around this and if not how
>>>
>>
>> The initial msktutil method of keytab creation is both a way around it
>> and the preferred method of keytab creation.
>>
>> As you found elsewhere ...
>>
>>> then found this one
>>>
>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>
>>> but I am not using msktutil, i do have samba and the krb-workstation
>>> installed
>>>
>>
>> msktutil is just a tool to generate keytabs and link the machine to the
>> domain. I *think* it should still be usable even if you have Samba, the
>> problem is just that if you let Samba know about the keytab and account
>> it will do the periodic updates.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
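The thread stops short of the "script that re-builds the keytab and reloads Squid" Amos mentions. What follows is an added example, not code from the thread, from the Squid wiki pages it links, or from the Squid project: a POSIX shell check that reads the key version number (KVNO) Squid's keytab holds for the HTTP/ service principal and compares it with the KVNO the KDC currently reports for that principal. When samba (or msktutil) resets the account password, the KDC moves to a new KVNO and the old key in the keytab stops decrypting tickets; that mismatch, rather than a calendar interval, is the trigger to rebuild and reconfigure. Everything site-specific is an assumption: the principal HTTP/proxy.example.com@EXAMPLE.COM, the keytab /etc/squid/HTTP.keytab, and an msktutil-managed computer account SQUIDPROXY that holds the SPN and is deliberately not the account winbind joined with (the separation Markus recommends). The klist and kvno outputs embedded in the block are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# detect a Squid keytab invalidated by an AD password rotation, then rebuild it.
set -u

# --- assumptions: hypothetical site values, adjust before use ------------------
PRINC="HTTP/proxy.example.com@EXAMPLE.COM"   # Squid's service principal
KEYTAB="/etc/squid/HTTP.keytab"              # keytab negotiate_kerberos_auth reads
ACCOUNT="SQUIDPROXY"                         # msktutil-managed account holding the SPN,
                                             # NOT the account winbind joined the box with

# keytab_kvnos PRINC  -- reads "klist -kt KEYTAB" output on stdin and prints each
# distinct KVNO stored for PRINC, one per line, ascending. Field 1 is the KVNO and
# the last field is the principal; header and ruler lines have no numeric field 1.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' | sort -un
}

# kdc_kvno  -- reads "kvno PRINC" output on stdin ("PRINC: kvno = N") and prints N.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# keytab_is_current KDC_KVNO  -- stdin is the keytab's KVNO list; succeeds when the
# KDC's current KVNO is among them, i.e. the keytab still holds the key the KDC
# is encrypting service tickets with.
keytab_is_current() {
    grep -qx "$1"
}

# Constructed sample outputs (not from a real system): the keytab holds kvno 3 and 4,
# the KDC has already moved on to kvno 5 after a password reset.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 12/01/2015 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   4 12/01/2015 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   3 11/01/2015 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM
   7 12/01/2015 10:00:00 host/proxy.example.com@EXAMPLE.COM'
SAMPLE_KVNO='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 5'

# demo  -- runs the decision logic over the constructed samples and prints the verdict.
demo() {
    want=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
    have=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$PRINC" | tr '\n' ' ')
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$PRINC" | keytab_is_current "$want"; then
        echo "current: keytab kvno(s) ${have}include KDC kvno $want"
    else
        echo "stale: keytab kvno(s) ${have}do not include KDC kvno $want; rebuild needed"
    fi
}

# main  -- the live check, meant for cron. Uses a private in-memory ccache so the
# ticket kvno needs never lands in root's default cache.
main() {
    export KRB5CCNAME="MEMORY:squid-keytab-check"
    # kvno needs a TGT; the host keytab (kept current by samba after net ads join) provides one.
    kinit -k "host/$(hostname -f)" || return 2
    current=$(kvno "$PRINC" 2>/dev/null | kdc_kvno)
    [ -n "$current" ] || { echo "no service ticket for $PRINC obtainable" >&2; return 2; }
    if klist -kt "$KEYTAB" | keytab_kvnos "$PRINC" | keytab_is_current "$current"; then
        echo "keytab $KEYTAB is current (kvno $current)"
        return 0
    fi
    echo "keytab $KEYTAB lacks kvno $current: account password was rotated, rebuilding" >&2
    # --update resets SQUIDPROXY's password and rewrites the keytab with the new key;
    # since the KDC has already moved on, a conditional --auto-update is not enough.
    msktutil --update --keytab "$KEYTAB" --computer-name "$ACCOUNT" || return 1
    squid -k reconfigure   # restart the auth helpers so they read the new keytab
}

case "${1:-demo}" in
    run)  main ;;
    *)    demo ;;
esac
```

Run it with no arguments for the dry run over the samples; run it with `run` from cron (after Squid's keytab has been created once with msktutil as the WindowsActiveDirectory wiki page describes) to perform the live check. Keeping the SPN on its own account is what makes the rebuild safe: winbind keeps rotating the password of the account it joined with, and that never touches SQUIDPROXY's key.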