[squid-users] Re: Re: Squid Kerb Auth Issue

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 25 Mar 2010 19:41:45 -0000

Hi Nick,

    That looks alright, but I am wondering whether, because you share the HTTP
AD entry with your samba host entry, a change by samba to the AD entry makes
your HTTP keytab invalid.

Regards
Markus

BTW There is more documentation here
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

"Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
news:C7D130F3.1D842%Nick.Cairncross_at_condenast.co.uk...
Markus,

kinit ncairncross
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

Then made sure the keytab is readable by the squid process owner (e.g. chgrp
squid /etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab)

Is there another way to do this (or have I done it wrong)?

Nick

On 24/03/2010 23:45, "Markus Moeller" <huaraz_at_moeller.plus.com> wrote:

> How did you create the keytab ?
>
> Markus
>
> "Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
> news:C7CE8144.1D5E1%Nick.Cairncross_at_condenast.co.uk...
> Hi,
>
> I'm concerned by a problem with my HTTP.keytab 'expiring'. My test base have
> reported a problem to me that they are prompted repeatedly for an
> unsatisfiable username and password. When I checked cache.log I noticed that
> there was a KVNO mismatch being reported. I regenerated my keytab and all
> was well again. However, I was worried by this so I looked back over my
> emails and I noticed the same problem occurred 7 days ago (almost to the
> hour). Does anyone have a suggestion as to what might have caused
> this/things to check? There haven't been any AD changes.
>
> Thanks,
>
>
> Nick
>
>
>

Received on Thu Mar 25 2010 - 19:42:06 MDT
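
Added example, not part of the original thread: a shell check that compares the KVNO held in the keytab with the KVNO the KDC currently issues for the HTTP principal, which is the mismatch cache.log reported above. The principal name, realm and sample tool outputs are constructed; the parsers assume the output formats of MIT Kerberos `klist -k` and `kvno`.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/squid/HTTP.keytab` output (placeholder names).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy.example.com@EXAMPLE.COM
   3 HTTP/proxy.example.com@EXAMPLE.COM
   3 host/proxy.example.com@EXAMPLE.COM'
# Constructed sample of `kvno HTTP/proxy.example.com` output.
SAMPLE_KVNO='HTTP/proxy.example.com@EXAMPLE.COM: kvno = 4'

# Highest KVNO in the keytab for principal $1; reads `klist -k` text on stdin.
# Exits non-zero when the principal is not in the keytab at all.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p {
            if (!found || $1 + 0 > max) max = $1 + 0
            found = 1
        }
        END { if (!found) exit 1; print max }'
}

# KVNO the KDC issued; reads `kvno <principal>` output on stdin.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# $1 = keytab KVNO, $2 = KDC KVNO. Prints a verdict; returns 0 ok, 1 mismatch, 2 unknown.
check_kvno() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo "UNKNOWN"; return 2; fi
    if [ "$1" -eq "$2" ]; then echo "OK"; return 0; fi
    echo "MISMATCH keytab=$1 kdc=$2"
    return 1
}

# Demo on the constructed samples. On a live proxy, after a fresh kinit, feed:
#   klist -k /etc/squid/HTTP.keytab | keytab_kvno "$P"
#   kvno "$P" | kdc_kvno
P='HTTP/proxy.example.com@EXAMPLE.COM'
kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno "$P")
kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno)
check_kvno "$kt" "$kdc" || true
```

Run from cron, a non-zero return from check_kvno flags a stale keytab before users start seeing repeated password prompts.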
