Hi Brendan,
I don't think I understand your topology. A load balancer usually does
not require a keytab as the usually do only TCP load balancing and not
interact with the underlying protocol. Why do you have a keytab on your
load balancer/router ?
Markus
"brendan kearney" <bpk678@xxxxxxxxx> wrote in message
news:CAARxGtgWHEQ_6mnRDG1FCd7dDdgGpk80L=r7imEmrNdhFrookg@xxxxxxxxxxxxxx...
i have tried to get this working, and still have issues. i think it
might be related to my topology. i did add the HTTP/proxy.domain.tld
principal to the keytab on the load balancer, and have the -s
GSS_C_NO_NAME directive in each squid config. the two servers each
have a squid.keytab that has the same principal in it as the load
balancer. in essence, there is 3 copies of the same keytab on 3
boxes.
in looking at the logs, that the load balancer is making requests of
Kerberos on an IP that is not the VIP. log entries below:
2013-01-04T19:11:04.926696-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344664,
etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for
krbtgt/BPK2.COM@xxxxxxxx
2013-01-04T19:11:23.710855-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344683,
etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for
krbtgt/BPK2.COM@xxxxxxxx
now, the 192.168.25.254 address is the load balancer box, but on the
interface it has on segment with the Kerberos server. The Kerberos
server is one-in-the-same as one of the squid servers being load
balanced. it also happens to be that the load balancer is a router
for several other segments. the load balancer/router device has an
interface of 192.168.37.254 which is on the VIP network, and the VIP
of 192.168.37.1 is also on the load balancer / router. haproxy is
running with a listener on the 37.1 interface as the proxy VIP.
my theory is that i might be trying to do too much with too little,
and that i might have to break up some of the duties that all the
boxes are doing, unless someone can shed some light on what i could be
doing wrong. Please let me know if you further clarification is
needed.
On 8/31/12, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
You may need a third entry in the keytab for the VIP. IE will look for
a
HTTP/<vip> ticket.
Regards
Markus
"brendan" <bpk678@xxxxxxxxx> wrote in message
news:1346159765625-4656345.post@xxxxxxxxxxxxx...
i have two squid instances on two separate servers. each is configured
with
kerberos auth, and when i point at one or the other, the kerberos auth
works
fine. when i point to a load balanced VIP, the auth does not work. i
found
the below and tried the method using the one keytab file for both
instances
and the -s GSS_C_NO_NAME option in the conf file. this did not work as
expected.
the load balancing process i am using is the "balance" package for
fedora
16. it does a SNAT on all requests it handles. could this be part of
why
i
am having issues? i found a couple of packages that i might be able to
use
for load balancing in the repos, balance, ipvsadm and haproxy. does
anyone
have experience/success with any of these or might one be recommended
over
the others?
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Help-with-Kerberos-Configuration-tp4076779p4656345.html
Sent from the Squid - Users mailing list archive at Nabble.com.
