Re: [squid-users] Re: Re: squid_kerb_auth.... Key Version number?

From: Mrvka Andreas <mrv_at_tuv.at>
Date: Thu, 24 Sep 2009 10:09:18 +0200

Hi,

On Wednesday, 23 September 2009 23:45:17, Markus Moeller wrote:
> "Mrvka Andreas" <mrv_at_tuv.at> wrote in message
> news:200909230856.14501.mrv_at_tuv.at...
>
> > Well,
> > What do you mean with clearing cache on Windows client? Do you mean the
> > AD Server Win2k8 or a normal Windows browser cache?
>
> Windows XP Kerberos cache. When you authenticate on XP (or other Windows
> systems) against AD you cache a ticket for about 8 hours. This ticket is
> used to get a so-called TGS for the service HTTP/fqdn from AD. Once
> requested from AD, the TGS is also cached for 8 hours. This means that if you
> change the entry in AD during those 8 hours, the Windows XP client won't know
> and will still use the previously cached TGS with the key from the "old"
> AD entry.
>

So I was thinking in the wrong direction concerning the key mismatch.
I thought of AD and squid as the client.... maybe it should be stated in your
wiki?

>
> If the keytab has been created with msktutil in the way I described in the
> wiki then the kinit must work, otherwise the key in the keytab does not
> match the entry in AD.
>
Now that everything works as expected I won't try kinit HTTP/fqdn again :-)

> > I tested with klist, ktab, kvno and looked to have the versions coherent
> > and after using kinit I had to do a net ads join again because wbinfo -t
> > check
>
> You must make sure that the AD entries don't have the same name (e.g. the
> computername in msktutil cannot be the same as the one net ads join uses!!)
> BTW net ads join is not needed for Kerberos, but I guess you want to handle
> NTLM too
>
You are right - I have to use NTLM too because there is a lot of IE 6 around.
But I use the same name for kerberos_auth and ntlm_auth
(kerberos - samba/winbind).
How should I configure the browser setting then? I want to set only one proxy
server.

Well, in fact .... it works after a long way.

> I can only guess that you did use the same name as this would explain a
> change in the kvno.
>
Yes, so I do.

Bye and thanks for the support.
Andrew
Received on Thu Sep 24 2009 - 08:09:30 MDT
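The key-version (kvno) mismatch Markus describes above, as an added shell example that is not part of the thread, of msktutil or of squid's own tooling: when the same computer name is joined twice (msktutil and then `net ads join`), AD bumps the kvno of the account, the keytab keeps the old key, and a fresh `kinit`/`kvno` against AD reports a version the keytab does not hold. The script below parses constructed stand-ins for `klist -k -t` and `kvno` output (the principal `HTTP/proxy.example.com@EXAMPLE.COM`, the realm and the keytab path are assumptions) and reports whether the keytab contains the version AD currently uses; on a real proxy you would substitute the two command outputs.

```shell
#!/bin/sh
# Added example: detect a keytab/AD kvno mismatch for the squid HTTP/ principal.
# Principal, realm and keytab path are assumed; sample outputs are constructed.

PRINC='HTTP/proxy.example.com@EXAMPLE.COM'

# Constructed stand-in for `klist -k -t /etc/squid/HTTP.keytab` (MIT format).
# On a real host: KEYTAB_LISTING=$(klist -k -t /etc/squid/HTTP.keytab)
KEYTAB_LISTING='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/23/2009 08:56:14 HTTP/proxy.example.com@EXAMPLE.COM
   3 09/23/2009 08:56:14 HTTP/proxy.example.com@EXAMPLE.COM'

# Constructed stand-ins for `kvno HTTP/proxy.example.com` run after `kinit`:
# the KDC (AD) reports the key version it used to encrypt the fresh TGS.
KVNO_AFTER_REJOIN='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4'   # second join bumped it
KVNO_MATCHING='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 3'       # healthy case

# keytab_kvnos LISTING PRINCIPAL: print the distinct key versions stored for
# PRINCIPAL (one per line, numerically sorted). Header/separator lines are skipped
# because their first field is not a number.
keytab_kvnos() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' |
        sort -un
}

# ad_kvno KVNO_LINE: extract the version number the KDC reported.
ad_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF == 2 { print $2 }'
}

# check_kvno LISTING KVNO_LINE PRINCIPAL
# Returns 0 when the keytab holds the version AD currently uses, 1 when they
# disagree (the squid_kerb_auth "key version number" failure), 2 on parse error.
check_kvno() {
    listing=$1; kvno_line=$2; princ=$3
    want=$(ad_kvno "$kvno_line")
    [ -n "$want" ] || { echo "could not parse kvno output" >&2; return 2; }
    for have in $(keytab_kvnos "$listing" "$princ"); do
        if [ "$have" = "$want" ]; then
            echo "ok: keytab has kvno $want for $princ"
            return 0
        fi
    done
    echo "MISMATCH: AD uses kvno $want for $princ; keytab has:" \
         "$(keytab_kvnos "$listing" "$princ" | tr '\n' ' ')" >&2
    echo "  fix: regenerate the keytab (msktutil --update) or rejoin once," >&2
    echo "  then purge cached tickets on the client (Windows: klist purge)" >&2
    return 1
}

# Stand-alone run: first call shows the mismatch, second the healthy case.
check_kvno "$KEYTAB_LISTING" "$KVNO_AFTER_REJOIN" "$PRINC" || :
check_kvno "$KEYTAB_LISTING" "$KVNO_MATCHING" "$PRINC"
```

Note that the check only proves the proxy side is consistent: a Windows client that already fetched a TGS before the AD entry changed keeps presenting the old one until its ticket cache is flushed or the ticket expires, which is why both sides have to be checked when chasing this error.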

This archive was generated by hypermail 2.2.0 : Fri Sep 25 2009 - 12:00:03 MDT