[squid-users] Re: Re: Kerberos with LDAP authentication failover and iTunes auth problems

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Wed, 28 Dec 2011 17:54:08 -0000

"Brett Lymn" <brett.lymn_at_baesystems.com> wrote in message
news:20111228062759.GB21829_at_baea.com.au...
> On Wed, Dec 28, 2011 at 05:23:55PM +1100, James Robertson wrote:
>>
>> Because I implemented Kerberos first I already had a machine account
>> in Active Directory that was created by the msktutil utility.
>> When I researched implementing ntlm_auth the documentation mentions
>> joining the computer to AD using "net ads join". This was an issue
>> because I already had the computer account and didn't want to hose
>> anything that the Negotiate/Kerberos might use and researched how to
>> use a pre-existing computer account in AD but could not find anything,
>> so in the end I just ran it (which worked). However after I did this
>> Negotiate/Kerberos was broken. I fixed it by resetting the computer
>> account and running "msktutil --auto-update" to update the computer
>> accounts password. NTLM still worked after this.
>>
>
> Don't use the machine account for the kerberos SPN if you also want to
> use NTLM. Create a new user account and use that for generating the
> kerberos keytab, this allows you to use NTLM as well without the creds
> getting stomped.
>

You should use two different computer accounts. For Kerberos the machine
name does not matter only the user- and service-principalname is of
importance. So use net ads join <computername> and for msktutil use
something like <computername>-HTTP as computername.

The issue with using the same name is that samba runs a daemon which
regularly changes the computer account password and thereby also changes the
Kerberos key making the keytab with the extracted Kerberos key invalid.
Many people use user accounts instead of computer accounts because they use
thw MS ktpass tool which only works with user accounts, whereas msktutil can
work with computer accounts. I dislike user accounts as you may have to
create exceptions to your domain password policy for users (e.g. don't
expire password).

> --
> Brett Lymn
> "Warning:
> The information contained in this email and any attached files is
> confidential to BAE Systems Australia. If you are not the intended
> recipient, any use, disclosure or copying of this email or any
> attachments is expressly prohibited. If you have received this email
> in error, please notify us immediately. VIRUS: Every care has been
> taken to ensure this email and its attachments are virus free,
> however, any loss or damage incurred in using this email is not the
> sender's responsibility. It is your responsibility to ensure virus
> checks are completed before installing any data sent in this email to
> your computer."
>
>
>

Regards
Markus
Received on Wed Dec 28 2011 - 17:54:28 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 28 2011 - 12:00:03 MST