[squid-users] Re: kerberos authentication with load balancers

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 26 Jul 2014 12:55:20 +0100

Hi Giorgi,

   It would be

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h
proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K
--upn HTTP/proxy1.domain.com --server addc03.domain.com --verbose
--enctypes 28

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h
proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
--upn HTTP/proxy2.domain.com --server addc03.domain.com --verbose
--enctypes 28

and one for DNS RR record

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mia.gov.ge -h
proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY-K
--upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose
--enctypes 28

The -h value is not really used. So for the DNS RR you can use either name.

Regards
Markus
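
Once msktutil has written the keytab, the check worth running before pointing both proxies at it is that the load-balancer SPN really landed in it with the enctypes that were asked for. The script below is an added example, not code from this thread: it parses a constructed MIT-style `klist -kte` listing (realm DOMAIN.COM and the timestamps are assumptions) and on a real proxy you would feed it the output of `klist -kte /root/keytab/PROXY.keytab` instead.

```shell
#!/bin/sh
# Constructed sample of MIT `klist -kte` output for a keytab built with the
# msktutil runs above (realm DOMAIN.COM and the timestamps are assumptions).
# On a real proxy, replace it with: klist -kte /root/keytab/PROXY.keytab
SAMPLE_KLIST='Keytab name: FILE:/root/keytab/PROXY.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/26/2014 12:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 07/26/2014 12:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 07/26/2014 12:00:00 HTTP/proxy1.domain.com@DOMAIN.COM (arcfour-hmac)
   2 07/26/2014 12:00:00 HTTP/proxy.mia.gov.ge@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 07/26/2014 12:00:00 HTTP/proxy.mia.gov.ge@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   2 07/26/2014 12:00:00 HTTP/proxy.mia.gov.ge@DOMAIN.COM (arcfour-hmac)'

# keytab_spn_enctypes KLIST_OUTPUT SPN
# Prints one enctype name per line for every entry whose principal is SPN@<realm>.
# Principal and enctype are taken as the last two fields, so the timestamp
# layout does not matter; header lines never match because their
# second-to-last field is not a principal.
keytab_spn_enctypes() {
    printf '%s\n' "$1" | awk -v spn="$2" '
        $(NF-1) ~ ("^" spn "@") { gsub(/[()]/, "", $NF); print $NF }'
}

# check_lb_spn KLIST_OUTPUT SPN
# Succeeds only if SPN is present with both AES enctypes, i.e. what
# --enctypes 28 (RC4 + AES128 + AES256) should have produced. A keytab that
# lacks the SPN, or came out RC4-only, fails here and is caught before both
# proxies are pointed at it.
check_lb_spn() {
    found=$(keytab_spn_enctypes "$1" "$2")
    case "$found" in *aes256-cts-hmac-sha1-96*) ;; *) return 1 ;; esac
    case "$found" in *aes128-cts-hmac-sha1-96*) ;; *) return 1 ;; esac
    return 0
}

# Check every name the proxies answer to: the load-balancer name (the one
# browsers request a ticket for, accepted via -s GSS_C_NO_NAME) plus the
# per-host SPNs. In the constructed sample proxy2's SPN is missing on purpose.
for spn in HTTP/proxy.mia.gov.ge HTTP/proxy1.domain.com HTTP/proxy2.domain.com; do
    if check_lb_spn "$SAMPLE_KLIST" "$spn"; then
        echo "ok:      $spn"
    else
        echo "MISSING: $spn (no AES keys for this SPN in the keytab)"
    fi
done
```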

"Giorgi Tepnadze" wrote in message news:53D219EA.1010504_at_mia.gov.ge...

Hi Markus

Excuse me for posting in an old thread, but I have a small question:

So I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and
one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation, how
should I create the keytab file?

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h
proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K
--upn HTTP/proxy1.mia.gov.ge --server addc03.domain.com --verbose
--enctypes 28
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h
proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
--upn HTTP/proxy2.mia.gov.ge --server addc03.domain.com --verbose
--enctypes 28

and one for DNS RR record

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.domain.com -h
proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
--upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose
--enctypes 28

But there is a problem with the last one: which server name should I put in
-s, -h, --upn and --computer-name?

Many Thanks

George

On 07/02/14 01:26, Markus Moeller wrote:
> Hi Joseph,
>
> it is all possible :-)
>
> Firstly, I suggest not using the Samba tools to create the squid keytab,
> but msktutil (see
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
> Then create a keytab for the loadbalancer name (that is the one
> configured in IE or Firefox). Use this keytab on both proxy servers
> and use negotiate_kerberos_auth with -s GSS_C_NO_NAME.
>
> When you say multiple realms, do you have trust between the AD
> domains or are they separate? If the domains do not have trust, do
> you intend to use the same loadbalancer name for the users of both
> domains?
>
> Markus
>
>
>
> "Joseph Spadavecchia" wrote in message
> news:2B43C569F8254A4E82C948CE4C247ED515891A_at_BLX-EX01.alba.local...
>
> Hi there,
>
> What is the recommended way to configure Kerberos authentication
> behind two load balancers?
>
> AFAIK, based on the mailing lists, I should
>
> 1) Create a user account KrbUser on the AD server and add an SPN
> HTTP/loadbalancer.example.com for the load balancer
> 2) Join the domain with Kerberos and kinit
> 3) net ads keytab add HTTP/loadbalancer.example.com@REALM -U KrbUser
> 4) update squid.conf with an auth helper like negotiate_kerberos_auth
> -s HTTP/loadbalancer.example.com@REALM
>
> Unfortunately, when I try this it fails.
>
> The only way I could get it to work at all was by removing the SPN
> from the KrbUser and associating the SPN with the machine trust
> account (of the proxy behind the loadbalancer). However, this is not a
> viable solution since there are two machines behind the load balancer
> and AD only allows you to associate an SPN with one account.
>
> Furthermore, given that I needed step (4) above, is it possible to
> have load balanced Kerberos authentication working with multiple
> realms? If so, then how?
>
> Many thanks.
>
Received on Sat Jul 26 2014 - 11:55:40 MDT