[squid-users] Kerberos (Negotiate) problem with win2008 AD users

LYMN brett.lymn at baesystems.com
Sun Mar 6 23:49:34 UTC 2016


On Sun, Mar 06, 2016 at 07:18:18PM +0600, Victor Sudakov wrote:
> 
> On a more practical note, the Windows command to extract the squid
> keytab from the AD was
> 
> ktpass -princ HTTP/proxy2.sibptus.ru@STN.TN.CORP -mapuser squiduser +rndPass -out squid.keytab -ptype KRB5_NT_PRINCIPAL /target x.x.x.x -kvno 1 -crypto All
> 
> probably the "-kvno 1" is to blame. If anyone is experienced with the
> Microsoft Kerberos implementation, is this a correct command? Is it
> necessary to explicitly specify the kvno?
> 

You should not be specifying the kvno normally.  If you specify the kvno,
that is the number that gets written to the keytab, but the one in AD is
not set to that number.  I think it is only useful if you are exporting
the keytab for multiple principals; in that case you specify the kvno
that will be in effect once you have done all the principals, if that
makes sense.

> The Squid Wiki recommends msktutil instead of ktpass.exe though.
> 

Which is fine if you are able to install those tools in your
environment.  The ktpass command is a bit clunky but can get the job
done in most instances.

-- 
Brett Lymn
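As an added illustration of the kvno mismatch described above (example code written for this page, not from the thread or from Squid): parse the `klist -kte` listing of the squid keytab and compare the key version it carries with the account's msDS-KeyVersionNumber in AD. The klist text and the AD value are constructed samples; the AD value is assumed to have been read out of band (e.g. with ldapsearch).

```python
import re
from typing import Dict, List

# Constructed sample of MIT `klist -kte` output for a keytab exported with
# "ktpass ... -kvno 1" as in the quoted command (not real output).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/06/2016 10:00:00 HTTP/proxy2.sibptus.ru@STN.TN.CORP (aes256-cts-hmac-sha1-96)
   1 03/06/2016 10:00:00 HTTP/proxy2.sibptus.ru@STN.TN.CORP (arcfour-hmac)
"""

# Constructed value of squiduser's msDS-KeyVersionNumber attribute in AD, the
# version the KDC actually uses when it issues service tickets. Setting a new
# password (which +rndPass does) increments this counter on the account.
SAMPLE_AD_KVNO = 2

PRINCIPAL = "HTTP/proxy2.sibptus.ru@STN.TN.CORP"

# One klist entry: kvno, date, time, principal, "(enctype)".
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s+\((\S+)\)\s*$")

def parse_klist(text: str) -> Dict[str, List[int]]:
    """Map each principal in `klist -kte` output to the KVNOs present for it."""
    kvnos: Dict[str, List[int]] = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvnos.setdefault(m.group(2), []).append(int(m.group(1)))
    return kvnos

def keytab_matches_ad(klist_text: str, principal: str, ad_kvno: int) -> bool:
    """True if the keytab holds a key for `principal` at AD's current KVNO.
    If it does not, the service cannot decrypt the tickets clients present
    (MIT reports 'Key version number for principal in key table is incorrect')."""
    return ad_kvno in parse_klist(klist_text).get(principal, [])

def report(klist_text: str, principal: str, ad_kvno: int) -> str:
    """Human-readable verdict for an admin checking a freshly exported keytab."""
    have = sorted(set(parse_klist(klist_text).get(principal, [])))
    if ad_kvno in have:
        return f"OK: keytab kvno {ad_kvno} matches AD for {principal}"
    return (f"MISMATCH: keytab has kvno {have} but AD msDS-KeyVersionNumber "
            f"is {ad_kvno} for {principal}; re-export without -kvno")

if __name__ == "__main__":
    print(report(SAMPLE_KLIST, PRINCIPAL, SAMPLE_AD_KVNO))
```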


