[squid-users] Squid, Kerberos and FireFox (Was: Re: leaking memory in squid 3.4.8 and 3.4.7.)
Victor Sudakov
sudakov at sibptus.tomsk.ru
Mon Oct 20 16:29:31 UTC 2014
Eugene M. Zheganin wrote:
> >
> > Hopefully I can interest our Windows admin to enable Kerberos event
> > logging per KB262177.
> >
> > But for the present I have found an ugly workaround. In squid's keytab, I
> > created another principal called 'squiduser' with the same hex key and
> > kvno as that of the principal 'HTTP/proxy.sibptus.transneft.ru.'
> >
> (This may sound like a dumb question, but anyway) Did you initially map
> any AD user to the SPN with a hostname that clients know your proxy under?
That's what we did.
1. Created an AD user called squiduser.
2. Extracted its keytab with something like
ktpass -princ HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU -mapuser squiduser +rndPass -out squid.keytab -ptype KRB5_NT_PRINCIPAL /target dc01-sibptus -kvno 1 -crypto All
3. Checked the mapping with "setspn -Q HTTP/*" (positive) and checked
for duplicate SPNs with "setspn -X" (negative).
4. Transferred squid.keytab to the proxy host.
Does it agree with your understanding of the right way?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
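
A way to check the result of step 4 on the proxy host, as an added example that is not part of the original message: a parser for keytab file format 0x0502 that lists each entry's principal, kvno and enctype without reading out key material, and reports whether the expected SPN is present with the expected kvno. The function names and the constructed sample keytab (all-zero keys) are assumptions for illustration; the SPN and kvno 1 come from the ktpass command above.

```python
import struct

def counted(buf, p):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos -= size                    # step over the hole
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts, p = [], 2
        for _ in range(ncomp + 1):         # realm first, then the name components
            text, p = counted(rec, p)
            parts.append(text)
        # skip name type (4 bytes) and timestamp (4), then 8-bit kvno and key header
        kvno, enctype, keylen = struct.unpack_from(">BHH", rec, p + 8)
        p += 13 + keylen                   # step over the key bytes unread
        if len(rec) - p >= 4:              # optional 32-bit kvno trailer
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return entries

def check_spn(entries, spn, kvno):
    """List problems for spn: principal missing, or an entry with another kvno."""
    hits = [e for e in entries if e[0] == spn]
    if not hits:
        return ["%s not in keytab" % spn]
    return ["enctype %d has kvno %d, expected %d" % (e, k, kvno)
            for _, k, e in hits if k != kvno]

def sample_entry(spn, kvno, enctype, key):  # builds one constructed record (test data)
    name, realm = spn.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for part in [realm] + name.split("/"):
        body += struct.pack(">H", len(part)) + part.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SPN = "HTTP/proxy.sibptus.transneft.ru@SIBPTUS.TRANSNEFT.RU"   # SPN from the message
SAMPLE = b"\x05\x02" + sample_entry(SPN, 1, 23, bytes(16)) + sample_entry(SPN, 1, 18, bytes(32))
```

To run it against a real file, pass the bytes of squid.keytab to `parse_keytab` and the result to `check_spn`; an empty list means the SPN is present with the expected kvno for every enctype.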