
Re: Kerberos: HTTP/<host> and not HTTP/<host.fqdn>@FQDN




Hi Nick,

This is an unusual setup. I wonder how you could get it to work, as a keytab extraction usually changes the AD entry and therefore the key for your 2nd/3rd squid server. I suggest creating three separate AD entries and removing any SPN for HTTP/<short-hostname>.

Regards
Markus


"Nick Cairncross" <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote in message news:C8665961.B8AC%nick.cairncross@xxxxxxxxxxxxxxxxxx
Hi list,

I think I have a problem with one of my SPNs/keytab - wondered if someone could confirm this:

3 x squid boxes on different sites, squid1, squid2 and squid3 are their hostnames. I have one AD account with the SPNs of all on it. Using fqdn for the proxy address to 2 of them results in Kerberos tickets: HTTP/<squid1>.fqdn@FQDN and HTTP/<squid2>.fqdn@FQDN and everything is fine.

However, on the third one I get a ticket: HTTP/squid3@ i.e. no fqdn or @FQDN

I have both 'squidx' and 'squidx.fqdn' in my AD SPN for all boxes. I'm thinking the working two are using the squid.fqdn and the non-working one is using just 'squid3', hence the issue. Does this sound feasible? I think the answer is drop the 'squidx' from my SPNs and stick with the 'squidx.fqdn', regenerate my keytab and that's it.

I have cloned one of the working squid boxes and replaced the non-working one, so this leads me to believe it is the SPN/keytab and not the server.

Thoughts welcome!

Nickcx
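
An added example, not part of the original thread: a small audit of `klist -k` output collected from each proxy, flagging short-hostname HTTP SPNs and keytabs that carry an older key version than the others. It assumes all keytabs were exported from the one shared AD account described in the question; the hostnames, realm, keytab path and KVNO values in the sample are constructed placeholders.

```python
import re

# Constructed `klist -k` output per proxy; example.com / EXAMPLE.COM are placeholders.
HEADER = "Keytab name: FILE:/etc/squid/HTTP.keytab\nKVNO Principal\n---- ---------\n"
SAMPLE = {
    "squid1": HEADER + "   4 HTTP/squid1.example.com@EXAMPLE.COM\n",
    "squid2": HEADER + "   4 HTTP/squid2.example.com@EXAMPLE.COM\n",
    "squid3": HEADER + "   3 HTTP/squid3.example.com@EXAMPLE.COM\n"
                       "   3 HTTP/squid3@EXAMPLE.COM\n",
}

# One principal line: "<kvno> <service>/<host>@<REALM>"
ENTRY = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")

def parse_klist(text):
    """Return (kvno, service, host, realm) for each principal line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries

def audit(keytabs):
    """Flag short-hostname HTTP SPNs and keytabs older than the newest key version."""
    findings = []
    parsed = {srv: parse_klist(txt) for srv, txt in keytabs.items()}
    # Assumption: one shared account, so every keytab should hold the same KVNO.
    newest = max((k for ents in parsed.values() for k, *_ in ents), default=0)
    for srv, ents in sorted(parsed.items()):
        for kvno, svc, host, realm in ents:
            if svc == "HTTP" and "." not in host:
                findings.append((srv, "short-hostname SPN", f"{svc}/{host}@{realm}"))
        top = max((k for k, *_ in ents), default=None)
        if top is not None and top < newest:
            findings.append((srv, "stale key version", f"kvno {top} < {newest}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

With three separate AD entries, as suggested in the reply, the KVNO comparison across servers no longer applies and only the short-hostname check is meaningful.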




