I'm not sure, but if you use a computer account instead of a user
account, you will not have the "password never expires" option. I
think it is just two ways to do the same thing. I remember I read that the
machine account used with msktutil is a better option than the user
account with "password never expires". But I honestly didn't think
much about that.


On Wed, Aug 21, 2013 at 1:22 AM, Kris Glynn
<kris.gl...@virginaustralia.com> wrote:
> Just curious.. what conditions might occur that would need the keytab updated?
>
> I've been running Kerberos auth squid for 6+ months now and have not had to 
> update the keytab ever.
>
> Is this because the Active Directory account name (proxytest) I used to 
> generate the keytab with has "Password never expires"?
>
> I generate with ktpass on the Windows 2008r2 KDC and then copy to squid 
> directory..
>
> ktpass.exe -princ HTTP/proxytest.company.internal@COMPANY.INTERNAL -mapuser 
> COMPANY\proxytest -crypto rc4-hmac-nt -ptype KRB5_NT_PRINCIPAL +rndpass -out 
> HTTP.keytab
>
> This has worked well for me.
>
>
>
> -----Original Message-----
> From: Carlos Defoe [mailto:carlosde...@gmail.com]
> Sent: Tuesday, 20 August 2013 7:12 AM
> To: hel...@hullen.de
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] kerberos keytab
>
> Thanks, Helmut.
>
> I made a script to check for the file change and run "squid -k reconfigure".
>
> I'll wait until the next change to see if it works correctly.
>
> Thank you
>
>
> On Mon, Aug 19, 2013 at 2:11 PM, Helmut Hullen <hul...@t-online.de> wrote:
>> Hello, Carlos,
>>
>> You wrote on 19.08.13:
>>
>>> What is the best strategy to use a keytab file within multiple
>>> servers? For now I'm using an NFS share to export the keytab.
>>> Every day msktutil runs to update the file if necessary. The job is
>>> scheduled on one server only.
>>
>>> Also, after the update of the keytab file, is it necessary to reload
>>> squid?
>>
>> I'd prefer "incron" for watching the keytab.
>>
>> Rule (pseudo code):
>>     if the original keytab is changed:
>>         copy it to the necessary places
>>         run "squid -k reconfigure"
>>
>> Best regards!
>> Helmut

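The rule Helmut sketches in pseudo code above, written out as a shell function that incron or cron could call on each Squid server. This is an added example, not code from the thread; `sync_keytab`, `RELOAD_CMD`, `KEYTAB_OWNER` and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: sync_keytab,
# RELOAD_CMD, KEYTAB_OWNER, and the paths in the usage comment.
RELOAD_CMD="${RELOAD_CMD:-squid -k reconfigure}"

# sync_keytab SRC DST
# Returns 0 if DST was replaced and the reload ran, 1 if SRC and DST
# already match, 2 on error (DST is left untouched unless the reload fails).
sync_keytab() {
    src=$1
    dst=$2

    # A missing or empty source usually means the share is unavailable or
    # the file is being rewritten; keep the working keytab in that case.
    [ -s "$src" ] || { echo "sync_keytab: $src missing or empty" >&2; return 2; }

    # Unchanged: no copy, no reload.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi

    # Stage the copy next to DST (mktemp creates it mode 0600), then rename,
    # so a helper never opens a half-written keytab.
    tmp=$(mktemp "$dst.XXXXXX") || return 2
    if ! cp "$src" "$tmp" || ! cmp -s "$src" "$tmp"; then
        rm -f "$tmp"   # copy failed or the source changed mid-copy
        return 2
    fi
    # The keytab holds the service's long-term keys: readable only by the
    # account the helper runs as (KEYTAB_OWNER, e.g. "squid:squid").
    if [ -n "${KEYTAB_OWNER:-}" ] && ! chown "$KEYTAB_OWNER" "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 2; }

    # Reload Squid, as the rule in the thread prescribes.
    $RELOAD_CMD || return 2
    return 0
}

# Usage on each server (paths are assumptions):
#   KEYTAB_OWNER=squid:squid sync_keytab /mnt/keytabs/HTTP.keytab /etc/squid/HTTP.keytab
```

Comparing contents rather than timestamps means a daily msktutil run that leaves the keytab unchanged triggers neither a copy nor a reload.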