-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eugene M. Zheganin wrote: > > > > Hopefully I can interest our Windows admin to enable Kerberos event > > logging per KB262177. > > > > But for the present I have found an ugly workaround. In squid's keytab, I > > created another principal called 'squiduser' with the same hex key and > > kvno as that of the principal 'HTTP/proxy.sibptus.transneft.ru.' > > > (This may sound like a dumb question, but anyway) Did you initially map > any AD user to the SPN with a hostname that clients know your proxy under ?
That's what we did. 1. Created an AD user called squiduser. 2. Extracted its keytab with something like ktpass -princ HTTP/proxy.sibptus.transneft...@sibptus.transneft.ru -mapuser squiduser +rndPass -out squid.keytab -ptype KRB5_NT_PRINCIPAL /target dc01-sibptus -kvno 1 -crypto All 3. Checked the mapping with "setspn -Q HTTP/*" (positive) and checked for duplicate SPNs with "setspn -X" (negative). 4. Transferred squid.keytab to the proxy host. Does it agree with your understanding of the right way? - -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJURThrAAoJEA2k8lmbXsY04twH/icn4ERHooRh+SihptuYTvPk WO99RZh816EkSBGeTkNkOinEVnYqYwFn8UbL9wqlog6vVqS67EVGGFNEbLZ6kNOC nP6kCFdND+LPGoZd+UQpd0nQDoTpN7pWfYzjDwPJaZ6o8pRY6HPqylJNVo28D2SD so1phB3QVzeF/du/gxXxZQk8OAwGhOVZz06+90RQ0eaFLhp6Q86Vx1ndMI9EVv5F 7/9UoelcvXxZbO7YVmpMXWZR8yGnP0uYJ0NmVulz9YvJPcunbTxRWvZS/BUn/CAL gSVlH8SHQIEWsmBp3pF2lWDl5+NRH8yXxLqAxtPePF6a4BuDD8ZOBlh05A1sObo= =RSIh -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
