[squid-users] Re: squid kerberos auth for multiple proxy servers

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 26 Apr 2012 00:14:59 +0100

Hi Markus,

  The answers are:
  1) Yes
  2) The keytab contains the hostname of the squid server. So you would
need multiple keytabs
  3) The principal name will be based on a fixed part HTTP and the name you
use in the Browser configuration. If you use in IE squid1.domain.com then
you must have a principal HTTP/squid1.domain.com
  4) You must use the same if apache runs on the same server as squid as
both require HTTP/<hostname>

Regards
Markus

"Rietzler, Markus (RZF, SG 324 / <RIETZLER_SOFTWARE>)"
<markus.rietzler_at_fv.nrw.de> wrote in message
news:1FCF9DA5B29068478ECF15896F19F0844B8BE65A_at_Z390101.bk.fin.local...
I am planning to set up Kerberos auth in squid. At the moment we are using
NTLM auth but also want to provide Kerberos/Negotiate auth.

A few questions:

1) Do we need a keytab file?
2) We have multiple squid servers. Do I need an individual keytab file for
each server, or would it be enough to have one keytab file and then copy this
to the servers? In each of our subsidiaries there is one single squid working,
so the users would see and use only this squid proxy.
3) I have to set up the principal as HTTP/squid.local (squid is here only a
name, not a hostname or such), right? Or do I need the host
HTTP/squid.host.local?
4) Can I use the same keytab for apache and squid-auth?

Thanks

Kind regards

Markus Rietzler
<rietzler_software/>
Rechenzentrum der Finanzverwaltung

Tel: 0211/4572-2130

Received on Wed Apr 25 2012 - 23:15:26 MDT
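
The naming rule from the reply above (each proxy's keytab must hold HTTP/<the name configured in the browser>), as an added check that is not part of the original thread. It parses `klist -k` output; the sample listing, keytab path and realm below are constructed assumptions.

```shell
#!/bin/sh
# Added example: check that a keytab listing contains the HTTP/<proxy-name>
# principal for the name clients have configured as their proxy.
# Real use: klist -k /path/to/keytab | keytab_matches_proxy squid1.domain.com

# Constructed sample of `klist -k` output for squid1's keytab (not real data;
# the path and the realm DOMAIN.COM are assumptions for illustration).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/squid1.domain.com@DOMAIN.COM
   3 HTTP/squid1.domain.com@DOMAIN.COM
   3 host/squid1.domain.com@DOMAIN.COM'

# Read `klist -k` text on stdin and print the unique HTTP/ principals,
# realm stripped. Only lines starting with a numeric KVNO are entries.
list_http_principals() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^HTTP\// { sub(/@.*/, "", $2); print $2 }' |
        sort -u
}

# keytab_matches_proxy NAME: succeed only if the listing on stdin contains
# HTTP/NAME. The match is exact and case-sensitive, so a short name or a
# different host's FQDN does not pass.
keytab_matches_proxy() {
    want="HTTP/$1"
    list_http_principals | grep -Fxq -- "$want"
}

# Demonstration: squid1's keytab copied unchanged to a second proxy
# (squid2, a hypothetical name) has no principal for that proxy.
for proxy in squid1.domain.com squid2.domain.com; do
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_matches_proxy "$proxy"; then
        echo "$proxy: keytab has HTTP/$proxy"
    else
        echo "$proxy: keytab is missing HTTP/$proxy"
    fi
done
```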
