[Samba] KVNO of Exported Keytab out of Sync

Nick Cairncross Nick.Cairncross at condenast.co.uk
Tue Mar 30 08:20:43 MDT 2010

Hi All,

This is my first post, and I'm new to Samba...
I'm working on a Squid project running on RHEL5.3 with Samba v 3.4.5-42 x86, and have run into a problem. I use Kerberos authentication on my Squid box. After configuring Squid I joined my RH to my AD domain and then used Samba to generate a keytab and add an HTTP SPN to it:

- export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
- net ads keytab CREATE
- net ads keytab ADD HTTP
- unset KRB5_KTNAME

All this works perfectly; however, at random times in the week my Squid reports that the KVNO is invalid. Users are prompted by an unsatisfiable login prompt. I check in AD and notice the number has incremented. I can create a new keytab, reload Squid and everything works again. I believe Samba is updating the AD account and thus invalidating the exported keytab.

Is there a way to auto-update the exported keytab? Or another way I can ensure that my keytab stays in sync? Or am I approaching this wrongly..?

Many thanks for your help,
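
The KVNO mismatch described in the post above can be checked for before users see failed logins. The following is an added example, not part of the original post and not Samba or Squid code: it reads the KVNO of each principal from an exported keytab (assuming the MIT keytab file format 0x0502) and compares it with the account's current KVNO, which the operator reads from AD (the msDS-KeyVersionNumber attribute) and passes in. All function names, the principal names and the sample keytab are constructed for illustration.

```python
import struct

def read_counted(buf, off):
    """Read a uint16-length-prefixed field; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_kvnos(data):
    """Map each principal in a format-0x0502 keytab to its highest KVNO."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    pos, found = 2, {}
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = read_counted(entry, 2)
        parts = []
        for _ in range(ncomp):
            part, off = read_counted(entry, off)
            parts.append(part.decode())
        off += 8                           # skip name type and timestamp
        kvno = entry[off]                  # 8-bit KVNO
        _, off = read_counted(entry, off + 3)  # skip enctype, then the key
        if len(entry) - off >= 4:          # optional 32-bit KVNO overrides
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        name = "/".join(parts) + "@" + realm.decode()
        found[name] = max(kvno, found.get(name, 0))
    return found

def stale_principals(data, directory_kvno):
    """Principals whose newest keytab key is older than the directory KVNO."""
    return sorted(p for p, k in keytab_kvnos(data).items() if k < directory_kvno)

def make_entry(name, realm, kvno):
    """Build one constructed keytab entry with a dummy 16-byte key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = name.encode().split(b"/")
    body = struct.pack(">H", len(parts)) + cs(realm.encode())
    body += b"".join(cs(p) for p in parts) + struct.pack(">II", 1, 0)
    body += bytes([kvno & 0xFF]) + struct.pack(">H", 23) + cs(b"\0" * 16)
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: a keytab exported while the account was at KVNO 3.
SAMPLE = (b"\x05\x02" + make_entry("HTTP/proxy.example.com", "EXAMPLE.COM", 3)
          + make_entry("host/proxy.example.com", "EXAMPLE.COM", 3))
```

Run from cron against the real keytab file's bytes, a non-empty result from stale_principals means the keytab needs to be re-exported and Squid reloaded.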
