Search squid archive

Re: Re: Help with Kerberos Configuration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Brendan,

I don't think I understand your topology. A load balancer usually does not require a keytab as the usually do only TCP load balancing and not interact with the underlying protocol. Why do you have a keytab on your load balancer/router ?

Markus


"brendan kearney" <bpk678@xxxxxxxxx> wrote in message news:CAARxGtgWHEQ_6mnRDG1FCd7dDdgGpk80L=r7imEmrNdhFrookg@xxxxxxxxxxxxxx...
i have tried to get this working, and still have issues.  i think it
might be related to my topology.  i did add the HTTP/proxy.domain.tld
principal to the keytab on the load balancer, and have the -s
GSS_C_NO_NAME directive in each squid config.  the two servers each
have a squid.keytab that has the same principal in it as the load
balancer.  in essence, there is 3 copies of the same keytab on 3
boxes.

in looking at the logs, that the load balancer is making requests of
Kerberos on an IP that is not the VIP.  log entries below:

2013-01-04T19:11:04.926696-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344664,
etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for
krbtgt/BPK2.COM@xxxxxxxx
2013-01-04T19:11:23.710855-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344683,
etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@xxxxxxxx for
krbtgt/BPK2.COM@xxxxxxxx

now, the 192.168.25.254 address is the load balancer box, but on the
interface it has on segment with the Kerberos server.  The Kerberos
server is one-in-the-same as one of the squid servers being load
balanced.  it also happens to be that the load balancer is a router
for several other segments.  the load balancer/router device has an
interface of 192.168.37.254 which is on the VIP network, and the VIP
of 192.168.37.1 is also on the load balancer / router.  haproxy is
running with a listener on the 37.1 interface as the proxy VIP.

my theory is that i might be trying to do too much with too little,
and that i might have to break up some of the duties that all the
boxes are doing, unless someone can shed some light on what i could be
doing wrong.  Please let me know if you further clarification is
needed.


On 8/31/12, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
You may need a third entry in the keytab for the VIP. IE will look for a
HTTP/<vip> ticket.

Regards
Markus


"brendan" <bpk678@xxxxxxxxx> wrote in message
news:1346159765625-4656345.post@xxxxxxxxxxxxx...
i have two squid instances on two separate servers.  each is configured
with
kerberos auth, and when i point at one or the other, the kerberos auth
works
fine.  when i point to a load balanced VIP, the auth does not work.  i
found
the below and tried the method using the one keytab file for both
instances
and the -s GSS_C_NO_NAME option in the conf file.  this did not work as
expected.

the load balancing process i am using is the "balance" package for fedora 16. it does a SNAT on all requests it handles. could this be part of why

i
am having issues?  i found a couple of packages that i might be able to
use
for load balancing in the repos, balance, ipvsadm and haproxy.  does
anyone
have experience/success with any of these or might one be recommended
over
the others?



--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Help-with-Kerberos-Configuration-tp4076779p4656345.html
Sent from the Squid - Users mailing list archive at Nabble.com.









[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux