i have tried to get this working, and still have issues. i think it
might be related to my topology. i did add the HTTP/proxy.domain.tld
principal to the keytab on the load balancer, and have the -s
GSS_C_NO_NAME directive in each squid config. the two servers each
have a squid.keytab that has the same principal in it as the load
balancer. in essence, there is 3 copies of the same keytab on 3
boxes.
in looking at the logs, that the load balancer is making requests of
Kerberos on an IP that is not the VIP. log entries below:
2013-01-04T19:11:04.926696-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344664,
etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com_at_BPK2.COM for
krbtgt/BPK2.COM_at_BPK2.COM
2013-01-04T19:11:23.710855-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344683,
etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com_at_BPK2.COM for
krbtgt/BPK2.COM_at_BPK2.COM
now, the 192.168.25.254 address is the load balancer box, but on the
interface it has on segment with the Kerberos server. The Kerberos
server is one-in-the-same as one of the squid servers being load
balanced. it also happens to be that the load balancer is a router
for several other segments. the load balancer/router device has an
interface of 192.168.37.254 which is on the VIP network, and the VIP
of 192.168.37.1 is also on the load balancer / router. haproxy is
running with a listener on the 37.1 interface as the proxy VIP.
my theory is that i might be trying to do too much with too little,
and that i might have to break up some of the duties that all the
boxes are doing, unless someone can shed some light on what i could be
doing wrong. Please let me know if you further clarification is
needed.
On 8/31/12, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> You may need a third entry in the keytab for the VIP. IE will look for a
> HTTP/<vip> ticket.
>
> Regards
> Markus
>
>
> "brendan" <bpk678_at_gmail.com> wrote in message
> news:1346159765625-4656345.post_at_n4.nabble.com...
>>i have two squid instances on two separate servers. each is configured
>>with
>> kerberos auth, and when i point at one or the other, the kerberos auth
>> works
>> fine. when i point to a load balanced VIP, the auth does not work. i
>> found
>> the below and tried the method using the one keytab file for both
>> instances
>> and the -s GSS_C_NO_NAME option in the conf file. this did not work as
>> expected.
>>
>> the load balancing process i am using is the "balance" package for fedora
>> 16. it does a SNAT on all requests it handles. could this be part of why
>>
>> i
>> am having issues? i found a couple of packages that i might be able to
>> use
>> for load balancing in the repos, balance, ipvsadm and haproxy. does
>> anyone
>> have experience/success with any of these or might one be recommended
>> over
>> the others?
>>
>>
>>
>> --
>> View this message in context:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Help-with-Kerberos-Configuration-tp4076779p4656345.html
>> Sent from the Squid - Users mailing list archive at Nabble.com.
>>
>
>
>
Received on Sat Jan 05 2013 - 00:40:37 MST
This archive was generated by hypermail 2.2.0 : Sat Jan 05 2013 - 12:00:04 MST