Hi Giorgi,
You do not need to renew the keytab every 30 days. It is more a best
practice to change them after some period but I think 30 days is a bit too
frequent. At the end you need to determine how high the risk is that
someone got hold of the keytab to impersonate someone else.
R
Hello Markus
Thank you very much, everything works now. Only two question left
1) Is it necessary to run commands specified below every 30 day?
msktutil --auto-update --verbose --computer-name proxy1-k
msktutil --auto-update --verbose --computer-name proxy2-k
msktutil --auto-update --verbose --co
Hi Giorgi,
It would be
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h
proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K
--upn HTTP/proxy1.domain.com--server addc03.domain.com --verbose
--enctypes 28
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h
p
Hi Markus
Excuse me for posting in old list, but I have a small question:
So I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and
one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation how
should I create keytab file.
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.doma
Hi Joseph,
it is all possible :-)
Firstly I suggest not to use samba tools to create the squid keytab, but
use msktutil (see
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos). Then
create a keytab for the loadbalancer name ( that is the one configured in IE
or Firefox).