Re: [squid-users] Re: kerberos authentication with load balancers

From: Giorgi Tepnadze <giorgi_at_mia.gov.ge>
Date: Mon, 28 Jul 2014 17:23:45 +0400

Hello Markus

Thank you very much, everything works now. Only two questions left:
1) Is it necessary to run the commands specified below every 30 days?

msktutil --auto-update --verbose --computer-name proxy1-k
msktutil --auto-update --verbose --computer-name proxy2-k
msktutil --auto-update --verbose --computer-name proxy-k

As I understand it, I should run them on proxy1 and then copy the updated
keytab file to proxy2 every month.

2) Can I use Kerberos somehow to authenticate Skype? All internet
browsers work but Skype doesn't; it only works by specifying user/pass in
its configuration, and I think it uses basic LDAP auth.
When there was NTLM auth, it worked, but now I have removed all NTLM from
squid; only Kerberos negotiate and basic are left.

George
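One thing the monthly routine above leaves implicit is verification: after `msktutil --auto-update` rotates the computer account password on proxy1, the keytab on proxy2 is only valid once the fresh copy has landed there, and a stale copy shows up as a KVNO that lags the one on proxy1. The script below is an added example, not code from this thread or from the msktutil or Squid projects. It parses the text that MIT `klist -ke` prints for a keytab and checks that every SPN discussed in the thread (the two host names and the DNS round-robin name) is present with an AES key and a single KVNO, and that two listings (proxy1 versus the copy on proxy2) agree on KVNOs. The realm `DOMAIN.COM` and both sample listings are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sanity-check a Squid Kerberos keytab
# after `msktutil --auto-update` and before/after copying it to the second proxy.
# Input is the text produced by MIT `klist -ke <keytab>`:
#   KVNO Principal
#   ---- -----------------------------------------------------------------------
#      3 HTTP/proxy1.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
# Assumed/constructed: realm DOMAIN.COM and the three SPNs from the thread.

REALM="DOMAIN.COM"
REQUIRED_SPNS="HTTP/proxy1.domain.com HTTP/proxy2.domain.com HTTP/proxy.mia.gov.ge"

# kvnos_for LISTING SPN: distinct KVNOs present for SPN@REALM, one per line.
kvnos_for() {
    printf '%s\n' "$1" | awk -v p="$2@$REALM" '$2 == p { print $1 }' | sort -un
}

# has_aes_key LISTING SPN: succeeds if SPN@REALM has an AES128 or AES256 key.
# (--enctypes 28 in the thread is the bitmask RC4 | AES128 | AES256.)
has_aes_key() {
    printf '%s\n' "$1" | awk -v p="$2@$REALM" \
        '$2 == p && $3 ~ /^\(aes(128|256)-cts/ { found = 1 } END { exit found ? 0 : 1 }'
}

# check_keytab LISTING: one finding per required SPN; returns 1 on any problem.
check_keytab() {
    local listing="$1" spn kvnos rc=0
    for spn in $REQUIRED_SPNS; do
        kvnos=$(kvnos_for "$listing" "$spn")
        if [ -z "$kvnos" ]; then
            echo "MISSING    $spn"; rc=1; continue
        fi
        if [ "$(printf '%s\n' "$kvnos" | wc -l)" -ne 1 ]; then
            echo "MIXED-KVNO $spn ($(echo $kvnos))"; rc=1; continue
        fi
        if ! has_aes_key "$listing" "$spn"; then
            echo "NO-AES     $spn"; rc=1; continue
        fi
        echo "OK         $spn kvno=$kvnos"
    done
    return $rc
}

# same_kvnos LISTING_A LISTING_B: succeeds if every required SPN has identical
# KVNOs in both listings (keytab on proxy1 versus the copy on proxy2).
same_kvnos() {
    local spn
    for spn in $REQUIRED_SPNS; do
        [ "$(kvnos_for "$1" "$spn")" = "$(kvnos_for "$2" "$spn")" ] || return 1
    done
    return 0
}

# Constructed sample: proxy1 right after a successful --auto-update run.
SAMPLE_PROXY1='Keytab name: FILE:/root/keytab/PROXY.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy1.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy1.domain.com@DOMAIN.COM (arcfour-hmac)
   3 HTTP/proxy2.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy2.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy2.domain.com@DOMAIN.COM (arcfour-hmac)
   3 HTTP/proxy.mia.gov.ge@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy.mia.gov.ge@DOMAIN.COM (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy.mia.gov.ge@DOMAIN.COM (arcfour-hmac)'

# Constructed sample: a stale copy on proxy2, one rotation behind, with the
# load-balancer SPN never copied and only an RC4 key for proxy2.
SAMPLE_PROXY2_STALE='Keytab name: FILE:/root/keytab/PROXY.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/proxy1.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   2 HTTP/proxy1.domain.com@DOMAIN.COM (arcfour-hmac)
   2 HTTP/proxy2.domain.com@DOMAIN.COM (arcfour-hmac)'

# Usage: check_keytab.sh /root/keytab/PROXY.keytab   (reads the real keytab)
#        check_keytab.sh                              (runs on the samples)
if [ "$#" -gt 0 ]; then
    check_keytab "$(klist -ke "$1")"
else
    echo "# proxy1:";         check_keytab "$SAMPLE_PROXY1" || true
    echo "# proxy2 (stale):"; check_keytab "$SAMPLE_PROXY2_STALE" || true
    same_kvnos "$SAMPLE_PROXY1" "$SAMPLE_PROXY2_STALE" \
        || echo "KVNO MISMATCH between proxy1 and the proxy2 copy: re-copy the keytab"
fi
```

Run it on both proxies after each monthly update; a `MISSING`, `NO-AES` or KVNO mismatch on proxy2 is exactly the state in which requests balanced to that node start failing Negotiate while proxy1 keeps working.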

On 26/07/14 15:55, Markus Moeller wrote:
> Hi Giorgi,
>
> It would be
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h
> proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K
> --upn HTTP/proxy1.domain.com --server addc03.domain.com --verbose
> --enctypes 28
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h
> proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
> --upn HTTP/proxy2.domain.com --server addc03.domain.com --verbose
> --enctypes 28
>
> and one for DNS RR record
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mia.gov.ge -h
> proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY-K
> --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose
> --enctypes 28
>
> The -h value is not really used. So for the DNS RR you can use either
> name.
>
> Regards
> Markus
>
>
> "Giorgi Tepnadze" wrote in message news:53D219EA.1010504_at_mia.gov.ge...
>
> Hi Markus
>
> Excuse me for posting in old list, but I have a small question:
>
> So I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and
> one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation, how
> should I create the keytab file?
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h
> proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K
> --upn HTTP/proxy1.mia.gov.ge --server addc03.domain.com --verbose
> --enctypes 28
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h
> proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
> --upn HTTP/proxy2.mia.gov.ge --server addc03.domain.com --verbose
> --enctypes 28
>
> and one for DNS RR record
>
> msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.domain.com -h
> proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K
> --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose
> --enctypes 28
>
> But there is problem with last one, which server name should I put in
> -s, -h, --upn and --computer-name?
>
> Many Thanks
>
> George
>
>
>
> On 07/02/14 01:26, Markus Moeller wrote:
>> Hi Joseph,
>>
>> it is all possible :-)
>>
>> Firstly, I suggest not using the Samba tools to create the squid keytab,
>> but using msktutil (see
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
>> Then create a keytab for the loadbalancer name (that is the one
>> configured in IE or Firefox). Use this keytab on both proxy servers
>> and use negotiate_kerberos_auth with -s GSS_C_NO_NAME.
>>
>> When you say multiple realms, do you have trust between the AD
>> domains or are they separate ? If the domains do not have trust do
>> you intend to use the same loadbalancer name for the users of both
>> domains ?
>>
>> Markus
>>
>>
>>
>> "Joseph Spadavecchia" wrote in message
>> news:2B43C569F8254A4E82C948CE4C247ED515891A_at_BLX-EX01.alba.local...
>>
>> Hi there,
>>
>> What is the recommended way to configure Kerberos authentication
>> behind two load balancers?
>>
>> AFAIK, based on the mailing lists, I should
>>
>> 1) Create a user account KrbUser on the AD server and add an SPN
>> HTTP/loadbalancer.example.com for the load balancer
>> 2) Join the domain with Kerberos and kinit
>> 3) net ads keytab add HTTP/loadbalancer.example.com@REALM -U KrbUser
>> 4) update squid.conf with an auth helper like negotiate_kerberos_auth
>> -s HTTP/loadbalancer.example.com@REALM
>>
>> Unfortunately, when I try this it fails.
>>
>> The only way I could get it to work at all was by removing the SPN
>> from the KrbUser and associating the SPN with the machine trust
>> account (of the proxy behind the load balancer). However, this is not a
>> viable solution since there are two machines behind the load balancer
>> and AD only allows you to associate an SPN with one account.
>>
>> Furthermore, given that I needed step (4) above, is it possible to
>> have load balanced Kerberos authentication working with multiple
>> realms? If so, then how?
>>
>> Many thanks.
>>
>
>
Received on Mon Jul 28 2014 - 13:23:56 MDT

This archive was generated by hypermail 2.2.0 : Mon Jul 28 2014 - 12:00:05 MDT