Eugene M. Zheganin wrote:
> >
> > Hopefully I can interest our Windows admin to enable Kerberos event
> > logging per KB262177.
> >
> > But for the present I have found an ugly workaround. In squid's keytab, I
> > created another principal called 'squiduser' with the same hex key and
> > kvno as that of the principal 'HTTP/proxy.sibptus.transneft.ru.'
> >
> (This may sound like a dumb question, but anyway) Did you initially map
> any AD user to the SPN with a hostname that clients know your proxy under?

That's what we did.

1. Created an AD user called squiduser.

2. Extracted its keytab with something like

   ktpass -princ HTTP/proxy.sibptus.transneft...@sibptus.transneft.ru -mapuser squiduser +rndPass -out squid.keytab -ptype KRB5_NT_PRINCIPAL /target dc01-sibptus -kvno 1 -crypto All

3. Checked the mapping with "setspn -Q HTTP/*" (positive) and checked
for duplicate SPNs with "setspn -X" (negative).

4. Transferred squid.keytab to the proxy host.

Does it agree with your understanding of the right way?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
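
After step 4, the keytab on the proxy host can be checked for the expected SPN and kvno, and for one key stored under two principal names, which is what the quoted workaround produces. This is an added example, not part of the original message or of Squid; `parse_keytab` and `check` are hypothetical helper names, and the realm, host name and all-zero key in `SAMPLE` are constructed.

```python
import struct
from collections import defaultdict

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative length marks a deleted slot
            pos += -size
            continue
        rec = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec)   # name components, realm excluded
        off = 2

        def counted():                      # 16-bit length, then that many bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off]

        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        off += 11
        key = counted()
        if len(rec) - off >= 4:             # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, etype, key))
    return entries

def check(entries, spn, kvno):
    """Report a missing SPN/kvno pair and any key stored under several names."""
    found = any(p == spn and v == kvno for p, v, _, _ in entries)
    findings = [] if found else [f"missing {spn} kvno {kvno}"]
    by_key = defaultdict(set)
    for p, _, _, key in entries:
        by_key[key].add(p)
    findings += ["same key under: " + ", ".join(sorted(n))
                 for n in by_key.values() if len(n) > 1]
    return findings

def _entry(realm, comps, kvno, etype, key):  # builds one constructed record
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: an HTTP SPN and 'squiduser' sharing one rc4-hmac (23) key.
SAMPLE = (b"\x05\x02" + _entry(b"EXAMPLE.TEST", [b"HTTP", b"proxy.example.test"], 1, 23, bytes(16))
          + _entry(b"EXAMPLE.TEST", [b"squiduser"], 1, 23, bytes(16)))
```

On a real file, pass the bytes of `squid.keytab` to `parse_keytab` and the SPN that clients request to `check`.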