You have to add principals for each hostname on your keytab
(HTTP/squid01.example.com, HTTP/squid03.example.com, HTTP/proxy.example.com),
creating user or computer accounts to hold each Kerberos principal. If you're
load balancing, copy your keytab file to all servers.

Then you have to set the flag "GSS_C_NO_NAME" in the helper line at squid.conf.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

On Fri, Oct 11, 2013 at 2:10 AM, Marko Cupać <marko.cupac@xxxxxxxx> wrote:
> I have squid box named squid01.example.com, but all the clients' browsers
> are configured to access it by its CNAME which is proxy.example.com. This
> way I am able to install new server named squidXX, test it, and once
> everything is fine I can change CNAME to point to the new server.
>
> This worked fine when I was switching from no auth to NTLM, but not now
> when I am switching to Kerberos. I have created keytab for
> HTTP/squid03.example.com@xxxxxxxxxxx and clients are authenticated fine
> if their browsers are configured with squid03.example.com, but not with
> proxy.example.com.
>
> Is it possible to make Kerberos work with CNAME?
> --
> Marko Cupać
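A pre-flight check for the two steps in the reply above, as an added example that is not part of the original message: it reports which HTTP/ principals a keytab listing still lacks and whether the helper line carries `-s GSS_C_NO_NAME`. The realm `EXAMPLE.COM` (redacted in the thread), the keytab path, the helper path and the function names are assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Squid Kerberos proxy reached via a CNAME.
# REALM and the helper path in the samples are assumptions, not from the thread.

REQUIRED_HOSTS="squid01.example.com squid03.example.com proxy.example.com"
REALM="EXAMPLE.COM"

# stdin: `klist -k <keytab>` output. Prints every required HTTP/ principal
# that has no entry in the keytab (one per line, nothing if complete).
missing_spns() {
    _have=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    for _host in $REQUIRED_HOSTS; do
        _spn="HTTP/${_host}@${REALM}"
        printf '%s\n' "$_have" | grep -Fxq -- "$_spn" || printf '%s\n' "$_spn"
    done
}

# stdin: squid.conf text. Succeeds only if the negotiate helper line passes
# "-s GSS_C_NO_NAME", i.e. accepts a ticket for any principal in the keytab
# instead of one fixed service name. Keep that keytab limited to proxy SPNs.
helper_accepts_any_spn() {
    grep -Eq '^[[:space:]]*auth_param[[:space:]]+negotiate[[:space:]]+program[[:space:]].*[[:space:]]-s[[:space:]]+GSS_C_NO_NAME([[:space:]]|$)'
}

# Constructed sample: keytab created for squid03 only, as in the question.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- ------------------------------------------
   3 HTTP/squid03.example.com@EXAMPLE.COM'

# Constructed samples: helper pinned to one name vs. the suggested flag.
CONF_PINNED='auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/squid03.example.com@EXAMPLE.COM'
CONF_ANY='auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME'

echo "Principals missing from the sample keytab:"
printf '%s\n' "$SAMPLE_KLIST" | missing_spns
for _conf in "$CONF_PINNED" "$CONF_ANY"; do
    if printf '%s\n' "$_conf" | helper_accepts_any_spn; then
        echo "OK:     $_conf"
    else
        echo "PINNED: $_conf"
    fi
done
```

On a real server, pipe `klist -k` for the proxy keytab into `missing_spns` and the live squid.conf into `helper_accepts_any_spn`.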