i have tried to get this working, and still have issues. i think it might be related to my topology. i did add the HTTP/proxy.domain.tld principal to the keytab on the load balancer, and have the -s GSS_C_NO_NAME directive in each squid config. the two servers each have a squid.keytab that has the same principal in it as the load balancer. in essence, there are 3 copies of the same keytab on 3 boxes.

in looking at the logs, i see that the load balancer is making requests of Kerberos on an IP that is not the VIP. log entries below:

2013-01-04T19:11:04.926696-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344664, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for krbtgt/BPK2.COM@xxxxxxxx
2013-01-04T19:11:23.710855-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344683, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for krbtgt/BPK2.COM@xxxxxxxx

now, the 192.168.25.254 address is the load balancer box, but on the interface it has on the segment with the Kerberos server. The Kerberos server is one and the same as one of the squid servers being load balanced. it also happens to be that the load balancer is a router for several other segments. the load balancer/router device has an interface of 192.168.37.254 which is on the VIP network, and the VIP of 192.168.37.1 is also on the load balancer / router. haproxy is running with a listener on the 37.1 interface as the proxy VIP.

my theory is that i might be trying to do too much with too little, and that i might have to break up some of the duties that all the boxes are doing, unless someone can shed some light on what i could be doing wrong.

Please let me know if further clarification is needed.

On 8/31/12, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> You may need a third entry in the keytab for the VIP. IE will look for a
> HTTP/<vip> ticket.
>
> Regards
> Markus
>
>
> "brendan" <bpk678@xxxxxxxxx> wrote in message
> news:1346159765625-4656345.post@xxxxxxxxxxxxx...
>> i have two squid instances on two separate servers. each is configured
>> with kerberos auth, and when i point at one or the other, the kerberos
>> auth works fine. when i point to a load balanced VIP, the auth does not
>> work. i found the below and tried the method using the one keytab file
>> for both instances and the -s GSS_C_NO_NAME option in the conf file.
>> this did not work as expected.
>>
>> the load balancing process i am using is the "balance" package for
>> fedora 16. it does a SNAT on all requests it handles. could this be part
>> of why i am having issues? i found a couple of packages that i might be
>> able to use for load balancing in the repos, balance, ipvsadm and
>> haproxy. does anyone have experience/success with any of these or might
>> one be recommended over the others?
>>
>>
>>
>> --
>> View this message in context:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Help-with-Kerberos-Configuration-tp4076779p4656345.html
>> Sent from the Squid - Users mailing list archive at Nabble.com.
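
The two krb5kdc entries quoted in the message above, split into fields so that requester, target and source address can be read off directly (in MIT krb5kdc logs the last field reads `<client> for <server>`). This is an added example, not part of the original thread; the third sample line, with its address, user and realm, is constructed for contrast, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines 1-2 are copied from the message. Line 3 is CONSTRUCTED for contrast:
# 192.0.2.10, alice and EXAMPLE.TEST do not come from the thread.
SAMPLE = """\
2013-01-04T19:11:04.926696-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344664, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for krbtgt/BPK2.COM@xxxxxxxx
2013-01-04T19:11:23.710855-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344683, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for krbtgt/BPK2.COM@xxxxxxxx
2013-01-04T19:12:00.000000-05:00 server krb5kdc[12337]: TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1357344700, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for HTTP/proxy.example.test@EXAMPLE.TEST
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) krb5kdc\[\d+\]: "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[\d ]+\}\) "
    r"(?P<src>[\d.]+): (?P<status>[A-Z_]+): "
    r".*?, (?P<client>\S+) for (?P<server>\S+)$"
)

def parse(line):
    """Return the fields of one krb5kdc request line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Map (request type, client, server) -> sorted source addresses of issued tickets."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["status"] == "ISSUE":
            seen[(rec["req"], rec["client"], rec["server"])].add(rec["src"])
    return {key: sorted(srcs) for key, srcs in seen.items()}

def service_tgt_requests(text):
    """AS_REQ entries whose client is a service principal (name contains '/').

    Such an entry is the service principal itself asking for a TGT, typically
    from a keytab; a browser asking for a proxy ticket shows up instead as a
    TGS_REQ with the user as client and HTTP/<name> as server.
    """
    recs = (parse(line) for line in text.splitlines())
    return [r for r in recs
            if r and r["req"] == "AS_REQ" and "/" in r["client"].split("@")[0]]

if __name__ == "__main__":
    for key, srcs in summarize(SAMPLE).items():
        print(key, srcs)
```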