[squid-users] Kerberos (Negotiate) problem with win2008 AD users
Victor Sudakov
sudakov at sibptus.tomsk.ru
Sun Mar 6 13:18:18 UTC 2016
Markus Moeller wrote:
> > mismatch. What do you get when using the 2003 clients ?
>
> Markus, you are great! That was indeed the cause of the problem. Thank
> you ever so much.
>
> I have created an identical key with kvno=3 in the squid keytab, and
> now it's working. To hell with the Windows admin and his bogus kvno.
On a more practical note, the Windows command to extract the squid
keytab from the AD was
ktpass -princ HTTP/proxy2.sibptus.ru@STN.TN.CORP -mapuser squiduser +rndPass -out squid.keytab -ptype KRB5_NT_PRINCIPAL /target x.x.x.x -kvno 1 -crypto All
Probably the "-kvno 1" is to blame. If anyone is experienced with the
Microsoft Kerberos implementation, is this a correct command? Is it
necessary to explicitly specify the kvno?
The Squid Wiki recommends msktutil instead of ktpass.exe though.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
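The kvno mismatch discussed in this thread can be checked by reading the keytab directly. The following is an added example, not part of the original post or of Squid: it assumes the MIT keytab file format version 0x0502, the function names are hypothetical, and the sample keytab (all-zero keys, enctypes 18 and 23) is constructed for illustration.

```python
import struct

def parse_entry(rec):                 # one record -> (principal, kvno, enctype)
    off = 0
    def take(fmt):                    # read one big-endian field and advance
        nonlocal off
        off += struct.calcsize(fmt)
        return struct.unpack_from(fmt, rec, off - struct.calcsize(fmt))[0]
    def counted():                    # uint16 length, then that many bytes
        nonlocal off
        n = take(">H")
        off += n
        return rec[off - n:off]
    ncomp, realm = take(">H"), counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    # name type, timestamp, 8-bit kvno, enctype
    _, _, kvno, enctype = (take(f) for f in (">I", ">I", ">B", ">H"))
    counted()                         # key bytes, not needed for this check
    if len(rec) - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
        kvno = take(">I") or kvno
    return f"{name}@{realm}", kvno, enctype

def parse_keytab(data):
    """List (principal, kvno, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:                  # a negative size marks a deleted slot
            entries.append(parse_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)
    return entries

def stale_entries(data, principal, kdc_kvno):
    """Entries for principal whose kvno differs from the KDC's current one."""
    return [e for e in parse_keytab(data) if e[0] == principal and e[1] != kdc_kvno]

def sample_entry(princ, kvno, etype, key):   # builds constructed sample data only
    name, realm = princ.split("@")
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(map(cs, parts))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

PRINCIPAL = "HTTP/proxy2.sibptus.ru@STN.TN.CORP"   # principal named in the post
# Constructed keytab: two all-zero dummy keys (enctypes 18 and 23), both kvno 1
SAMPLE = b"\x05\x02" + b"".join(
    sample_entry(PRINCIPAL, 1, e, bytes(n)) for e, n in ((18, 32), (23, 16)))
```

Pass the kvno the KDC currently holds for the account as `kdc_kvno`; in this thread that value was 3, so `stale_entries(SAMPLE, PRINCIPAL, 3)` reports both entries written with kvno 1.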