Search squid archive

Re: Re: Help with Kerberos Configuration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



i have tried to get this working, and still have issues.  i think it
might be related to my topology.  i did add the HTTP/proxy.domain.tld
principal to the keytab on the load balancer, and have the -s
GSS_C_NO_NAME directive in each squid config.  the two servers each
have a squid.keytab that has the same principal in it as the load
balancer.  in essence, there is 3 copies of the same keytab on 3
boxes.

in looking at the logs, that the load balancer is making requests of
Kerberos on an IP that is not the VIP.  log entries below:

2013-01-04T19:11:04.926696-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344664,
etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for
krbtgt/BPK2.COM@xxxxxxxx
2013-01-04T19:11:23.710855-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344683,
etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for
krbtgt/BPK2.COM@xxxxxxxx

now, the 192.168.25.254 address is the load balancer box, but on the
interface it has on segment with the Kerberos server.  The Kerberos
server is one-in-the-same as one of the squid servers being load
balanced.  it also happens to be that the load balancer is a router
for several other segments.  the load balancer/router device has an
interface of 192.168.37.254 which is on the VIP network, and the VIP
of 192.168.37.1 is also on the load balancer / router.  haproxy is
running with a listener on the 37.1 interface as the proxy VIP.

my theory is that i might be trying to do too much with too little,
and that i might have to break up some of the duties that all the
boxes are doing, unless someone can shed some light on what i could be
doing wrong.  Please let me know if you further clarification is
needed.


On 8/31/12, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> You may need a third entry in the keytab for the VIP.  IE  will look for a
> HTTP/<vip> ticket.
>
> Regards
> Markus
>
>
> "brendan" <bpk678@xxxxxxxxx> wrote in message
> news:1346159765625-4656345.post@xxxxxxxxxxxxx...
>>i have two squid instances on two separate servers.  each is configured
>>with
>> kerberos auth, and when i point at one or the other, the kerberos auth
>> works
>> fine.  when i point to a load balanced VIP, the auth does not work.  i
>> found
>> the below and tried the method using the one keytab file for both
>> instances
>> and the -s GSS_C_NO_NAME option in the conf file.  this did not work as
>> expected.
>>
>> the load balancing process i am using is the "balance" package for fedora
>> 16.  it does a SNAT on all requests it handles.  could this be part of why
>>
>> i
>> am having issues?  i found a couple of packages that i might be able to
>> use
>> for load balancing in the repos, balance, ipvsadm and haproxy.  does
>> anyone
>> have experience/success with any of these or might one be recommended
>> over
>> the others?
>>
>>
>>
>> --
>> View this message in context:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Help-with-Kerberos-Configuration-tp4076779p4656345.html
>> Sent from the Squid - Users mailing list archive at Nabble.com.
>>
>
>
>


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux