Is the AD account which you used for the HTTP principal used for Samba too, or used in any other way? (e.g. do you use net ads join and msktutil --computer-name <hostname>?) Is the kvno in AD still the same?
Markus

"Dan Searle" <[email protected]> wrote in message news:[email protected]...
> Hi,
>
> I'm new to Kerberos and don't fully appreciate its complexities, so
> please excuse my ignorance.
>
> I'm using msktutil to create a service principal for authenticating
> users of a squid proxy server with Active Directory (server version 2008
> R2) using the Negotiate (Kerberos) method.
>
> This all works fine; however, I'm at a loss as to whether I should or
> need to periodically refresh (update) the HTTP service principal keytab.
>
> I have had some instances where the keytab generated by msktutil
> seemingly works indefinitely (for days at a time) without the need to
> refresh the keytab. However, in other instances (different AD servers),
> after a while (a few hours or days) the authentication stops working and
> I have to refresh (update) the keytab using msktutil again. In the
> failed instances, I use the squid negotiate auth test program, then run
> the token through the squid helper process and I get an error similar
> to: Token header is malformed or corrupt.
>
> Why is this? Should the service principal keys in a keytab file last
> forever? What settings in AD would affect this?
>
> Regards, Dan...
>
> --
> Dan Searle
> CensorNet Ltd - professional & affordable Web & E-mail filtering
> email: [email protected] web: www.censornet.com
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
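Markus's question about the kvno can be turned into a routine check. The script below is an added example, not code from the thread: it parses `klist -k` output and an `ldapsearch` for the account's msDS-KeyVersionNumber (which AD increments every time the account password changes) and reports whether the HTTP/ key in the keytab is still current. The keytab path, AD host, account DN, principal name and the sample outputs are constructed assumptions.

```shell
# Added example: compare the kvno of the HTTP/ key in the squid keytab with the
# account's msDS-KeyVersionNumber in AD. A mismatch means the AD password (and so
# the key) changed after msktutil wrote the keytab. Names below are assumptions.

# Highest kvno in `klist -k` output ($1) for a principal prefix ($2).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { max = 0 }
        $NF ~ "^" p { if ($1 + 0 > max) max = $1 + 0 }
        END { print max }'
}

# msDS-KeyVersionNumber from the LDIF that ldapsearch prints ($1).
ad_kvno() {
    printf '%s\n' "$1" | awk '$1 == "msDS-KeyVersionNumber:" { print $2 }'
}

# Compare keytab output ($1) against AD output ($2) for principal ($3).
# Exit status: 0 match, 1 mismatch, 2 AD value unreadable.
check_kvno() {
    kt_v=$(keytab_kvno "$1" "$3")
    ad_v=$(ad_kvno "$2")
    if [ -z "$ad_v" ]; then
        echo "cannot read msDS-KeyVersionNumber from AD reply"; return 2
    fi
    if [ "$kt_v" -eq "$ad_v" ]; then
        echo "OK: keytab kvno $kt_v matches AD kvno $ad_v for $3"; return 0
    fi
    echo "MISMATCH: keytab kvno $kt_v, AD kvno $ad_v for $3; re-run msktutil --update"
    return 1
}

# Live check on the proxy host: needs MIT klist and OpenLDAP ldapsearch with a
# valid Kerberos ticket. Only the parsing functions above run offline.
live_check() {
    check_kvno "$(klist -k "${KEYTAB:-/etc/squid/HTTP.keytab}")" \
        "$(ldapsearch -LLL -Y GSSAPI -H "ldap://${AD_HOST:-dc1.example.com}" \
            -b "${ACCOUNT_DN:-CN=proxy,CN=Computers,DC=example,DC=com}" \
            -s base msDS-KeyVersionNumber)" \
        "${PRINCIPAL:-HTTP/proxy.example.com}"
}

# Constructed sample outputs: the keytab holds kvno 3, AD has moved on to 4.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxy.example.com@EXAMPLE.COM
   3 HTTP/proxy.example.com@EXAMPLE.COM
   3 host/proxy.example.com@EXAMPLE.COM'
SAMPLE_LDAP='dn: CN=proxy,CN=Computers,DC=example,DC=com
msDS-KeyVersionNumber: 4'
```

Run `live_check` from cron on the proxy host and alert on a non-zero exit; a mismatch is the signal to refresh the keytab before the helper starts rejecting tokens.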
