Hi Nick, what I don't get in your question is this: if squid is already joined to your domain as squid1, why create another machine account auth1? Maybe I missed out on something.
Your msktutil parameters look fine though.

Regards,
Khaled

2010/4/14 Nick Cairncross <[email protected]>:
> Hi,
>
> I'd like confirmation that something is possible, but first it's best to detail what I want:
>
> I want to use a separate computer account to authenticate my users against. I know that this requires an HTTP.keytab and a computer in AD with an SPN. I would like to use msktutil for this.
> If my proxy server is called SQUID1 and is already happily joined to the domain then I need to create a new machine account which I will call AUTH1.
>
> 1) Do I need to create a DNS entry for AUTH1 (with the same IP as SQUID1)?
> 2) If so, do I need just an A record?
> 3) I have evidently got confused over the msktutil switches and values and so I'm specifying something wrong. What have I done? See below...
>
> I used this command after a kinit myusername:
> msktutil -c -b "CN=COMPUTERS" -s HTTP/squid1.[mydomain] iz -k /etc/squid/HTTP.keytab --computer-name auth1 --upn HTTP/squid1 --server dc1 -verbose
>
> This created the computer account auth1 in the Computers OU, added HTTP/squid1.mydomain to the SPN and HTTP/squid1.mydom...@mydomain to the UPN. It also created the keytab HTTP.keytab. klist reports:
>
> 2 HTTP/squid1.[mydoma...@[mydomain]
> 2 HTTP/squid1.[mydoma...@[mydomain]
> 2 HTTP/squid1.[mydoma...@[mydomain]
>
> However cache.log shows this when I then fire up my IE:
>
> 2010/04/14 14:52:46| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information. No principal in keytab matches desired name'
>
> Thanks as always,
> Nick
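The "No principal in keytab matches desired name" error in the quoted log means gss_acquire_cred() asked for a service principal that is not in the keytab the helper loaded. The check a practitioner would run next is to compare what is actually in the keytab (`klist -k`) against the name GSSAPI will look for, HTTP/<proxy FQDN>@<REALM>, remembering that Kerberos principal names are case-sensitive. The script below is an added example, not code from the thread or from the msktutil or Squid projects; the hostnames, realm and keytab path in it are assumptions, and the klist listing it parses is constructed sample text modelled on `klist -k` output.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the keytab Squid's
# Negotiate helper loads actually contains the service principal GSSAPI
# will ask for, HTTP/<proxy fqdn>@<REALM>.  Hostnames, realm and keytab
# path below are assumptions for illustration.

# keytab_lookup KLIST_OUTPUT WANTED_PRINCIPAL
#   Reads the text produced by `klist -k <keytab>` and prints one of:
#     present        an exact match was found
#     case-mismatch  the same principal exists but with different letter case
#                    (Kerberos compares principal names case-sensitively)
#     absent         no entry for that principal at all
keytab_lookup() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # entry lines start with a numeric KVNO; header lines do not
        $1 ~ /^[0-9]+$/ {
            if ($2 == want)                        { exact = 1 }
            else if (tolower($2) == tolower(want)) { nocase = 1 }
        }
        END {
            if (exact)       print "present"
            else if (nocase) print "case-mismatch"
            else             print "absent"
        }'
}

# expected_principal FQDN REALM
#   Builds the name the GSSAPI acceptor will request for an HTTP service.
#   The FQDN must be the name the browser connects to (the proxy setting),
#   not the name of whatever machine account holds the key.
expected_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Constructed sample listing in the shape of `klist -k` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/squid1.example.com@EXAMPLE.COM
   2 HTTP/squid1.example.com@EXAMPLE.COM
   2 HTTP/squid1.example.com@EXAMPLE.COM'

# On the proxy itself you would feed real klist output instead, e.g.:
#   keytab_lookup "$(klist -k /etc/squid/HTTP.keytab)" \
#                 "$(expected_principal "$(hostname -f)" EXAMPLE.COM)"
keytab_lookup "$SAMPLE_KLIST" "$(expected_principal squid1.example.com EXAMPLE.COM)"
```

If the result is `absent`, the keytab was written for a different principal than the one the helper derives from the proxy's hostname (for instance the account name rather than the proxy FQDN); if it is `case-mismatch`, the SPN was registered with different casing than the name the helper uses, which Kerberos treats as a different principal. Run it as the user Squid's helper runs as, so that an unreadable keytab file surfaces as a separate, visible error rather than an empty listing.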
