<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03.07.2017 at 09:43, Todd Pearson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:111642404.3970659.1499067815362@mail.yahoo.com">
<div style="color:#000; background-color:#fff;
font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px">
<div dir="ltr" id="yui_3_16_0_ym19_1_1499067573933_3064"><br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1499067573933_3064">I have
spent the past few days working to get the latest version
working in an all-Windows environment. I am unable to get
Kerberos authentication to work. I am struggling with getting
the keytab file correct. </div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1499067573933_3064">Wondering
if there is anyone who has seen it actually work in an all-Windows
environment. I have had an earlier version (v2.X stable)
with NTLM authentication, but unfortunately I do not have the
binaries to implement in v3.5.x.x.</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1499067573933_3064"><br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1499067573933_3064">I
continue to struggle to find the secret formula for SPN and
keytab. </div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1499067573933_3064"><br>
</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1499067573933_3064">Thanks,</div>
<div dir="ltr" id="yui_3_16_0_ym19_1_1499067573933_3064">Todd</div>
</div>
<br>
<pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<p><br>
</p>
<p><font size="-1">Hi,</font></p>
<p><font size="-1">I have 4 squid servers, 3 of them are 3.5.9
@centos 7.x. Everything is working fine, both pure NTLM and
NEGOTIATE helpers are working flawlessly. I've created a local
group on the squid servers, like keytab-readers, then:<br>
chown root:keytab-readers /etc/krb5.keytab<br>
chmod 740 /etc/krb5.keytab<br>
and added squid to keytab-readers.<br>
</font></p>
<p><font size="-1">Squid clients are windows workstations, mostly
8.1 and 10.<br>
</font></p>
<font size="-1">Why do you need to have Squid on Windows server so
badly? Less documentation, less support. And nowadays, my guess
is almost every MS security update can break things. <br>
<br>
My guess is when you're using squid on Windows server, you have
to, alternatively:<br>
1. Run squid on the NT AUTHORITY/SYSTEM or NT AUTHORITY/NETWORK
SERVICE account and put the SPN squid_accessible_name on the AD machine
account. So, if your squid DNS name is squidproxy.corpo.local and
your server name is srvSquid01.corpo.local, the machine account
srvSquid01$ has to have the HOST/squidproxy SPN also. <br>
2. Run squid on a dedicated domain account (user account). Create
a user like "squid01", give it all necessary permissions on the squid
server and then give this user the SPN. And there's the problem: what
kind of SPN in this configuration... I would say
HTTP/squidproxy, and then in DNS you'll presumably have to have a
CNAME (not A) pointing squidproxy to srvSquid01.corpo.local. And
the domain user squid01 will have to have read access to the keytab, as well as
the keytab will have to have appropriate content (it should be a user,
not machine keytab). <br>
<br>
<a class="moz-txt-link-freetext" href="https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on">https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on</a>
<br>
</font>
<pre class="moz-signature" cols="72">--
Greets, Dijx</pre>
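<p>An added example, not part of the original message: a check of the keytab ownership and mode arrangement described in the reply above (root owner, a dedicated reader group, no access for anyone else). The path <code>/etc/krb5.keytab</code> and the group <code>keytab-readers</code> come from the message; the function name <code>audit_keytab</code> and a service user named <code>squid</code> are assumptions.</p>

```python
import os
import stat


def audit_keytab(path, owner_uid, group_gid):
    """Return a list of findings for a keytab file; an empty list means OK."""
    findings = []
    # lstat: inspect the path itself, not whatever a symlink points at
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if st.st_gid != group_gid:
        findings.append(f"group gid is {st.st_gid}, expected {group_gid}")
    # The keytab holds long-term service keys: nobody outside the group may touch it
    if mode & stat.S_IRWXO:
        findings.append(f"mode {mode:04o} grants access to others")
    # Readers only need to read; write access would let them replace the keys
    if mode & stat.S_IWGRP:
        findings.append(f"mode {mode:04o} lets the group modify the keys")
    if not mode & stat.S_IRGRP:
        findings.append(f"mode {mode:04o} does not let the group read the keytab")
    return findings


if __name__ == "__main__":
    import grp
    import pwd
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.keytab"
    group = grp.getgrnam("keytab-readers")  # group name taken from the message
    problems = audit_keytab(path, pwd.getpwnam("root").pw_uid, group.gr_gid)
    # Assumption: the proxy runs as user "squid". gr_mem lists supplementary
    # members only, so a user whose primary group this is will not appear.
    if "squid" not in group.gr_mem:
        problems.append("user squid is not listed in keytab-readers")
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

<p>Run it as root on the proxy host; the exit status is non-zero when any finding is reported.</p>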
</body>
</html>