[squid-users] kerberos keytab

2013-08-19 Thread Carlos Defoe
Hello,

What is the best strategy to use a keytab file within multiple servers?
By now I'm using an NFS share to export the keytab.
Every day msktutil runs to update the file if necessary. The job is
scheduled on one server only.

Also, after the update of the keytab file, is it necessary to reload squid?

Thanks!


Re: [squid-users] kerberos keytab

2013-08-19 Thread Helmut Hullen
Hello, Carlos,

You wrote on 19.08.13:

> What is the best strategy to use a keytab file within multiple
> servers? By now I'm using an NFS share to export the keytab.
> Every day msktutil runs to update the file if necessary. The job is
> scheduled on one server only.

> Also, after the update of the keytab file, is it necessary to reload
> squid?

I'd prefer "incron" for watching the keytab.

Rule (pseudo code):

    if the original keytab is changed:
        copy it to the necessary places
        run "squid -k reconfigure"

Best regards!
Helmut
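
Helmut's rule (copy the changed keytab, then run "squid -k reconfigure") written out as a shell script; this is an added example, not code posted in the thread. The paths, the KEYTAB_GROUP and RELOAD_CMD variables and the script name sync-keytab.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): install a changed keytab, then reload Squid.
# All paths below are assumed placeholders; override them via the environment.
SRC="${SRC:-/srv/keytab-master/HTTP.keytab}"   # assumed: copy msktutil updates
DST="${DST:-/etc/squid/HTTP.keytab}"           # assumed: copy the local Squid reads
KEYTAB_GROUP="${KEYTAB_GROUP:-}"               # optional: group Squid runs as
RELOAD_CMD="${RELOAD_CMD:-squid -k reconfigure}"

# A keytab file starts with byte 0x05 followed by format version 0x01 or 0x02.
# Checking it keeps an empty or half-written source from replacing a good copy.
is_keytab() {
    magic=$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "0502" ] || [ "$magic" = "0501" ]
}

# Returns 0 = new keytab installed and Squid reloaded, 1 = unchanged, 2 = error.
sync_keytab() {
    src=$1; dst=$2
    is_keytab "$src" || return 2
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1                                # same content: no reload needed
    fi
    # mktemp creates the file with mode 0600 in the destination directory, so
    # the key material is never world-readable and the rename below is atomic.
    tmp=$(mktemp "$dst.XXXXXX") || return 2
    if cp "$src" "$tmp" && is_keytab "$tmp"; then
        if [ -n "$KEYTAB_GROUP" ]; then
            chgrp "$KEYTAB_GROUP" "$tmp" && chmod 0640 "$tmp" || { rm -f "$tmp"; return 2; }
        fi
        if mv -f "$tmp" "$dst"; then
            $RELOAD_CMD || return 2
            return 0
        fi
    fi
    rm -f "$tmp"
    return 2
}

# Run from cron or an incron rule as: sync-keytab.sh run   (script name assumed)
if [ "${1:-}" = "run" ]; then
    rc=0; sync_keytab "$SRC" "$DST" || rc=$?
    [ "$rc" -eq 1 ] && rc=0                     # "unchanged" is not a failure
    exit "$rc"
fi
```

Because the reload only happens when the content differs, running this on every server against the shared master copy is safe to repeat as often as the scheduler fires.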


Re: [squid-users] kerberos keytab

2013-08-19 Thread Carlos Defoe
Thanks, Helmut.

I made one script to check the file change and run "squid -k reconfigure".

I'll wait till the next change to see if it works correctly.

Thank you




RE: [squid-users] kerberos keytab

2013-08-20 Thread Kris Glynn
Just curious.. what conditions might occur that would need the keytab updated?

I've been running Kerberos auth squid for 6+ months now and have not had to 
update the keytab ever.

Is this because the Active Directory account name (proxytest) I used to
generate the keytab with has "Password never expires"?

I generate with ktpass on the Windows 2008r2 KDC and then copy to squid 
directory..

    ktpass.exe -princ HTTP/proxytest.company.internal@COMPANY.INTERNAL -mapuser COMPANY\proxytest -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL +rndpass -out HTTP.keytab

This has worked well for me.





Re: [squid-users] kerberos keytab

2013-08-21 Thread Carlos Defoe
I'm not sure, but if you use a computer account instead of a user
account, you will not have the "password never expires" option. I
think it's just two ways to do the same. I remember I read that the
machine account used with msktutil is a better option than the user
account with "password never expires". But I honestly didn't think
much about that.

