Hi Giorgi,

It would be

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K --upn HTTP/proxy1.domain.com --server addc03.domain.com --verbose --enctypes 28

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K --upn HTTP/proxy2.domain.com --server addc03.domain.com --verbose --enctypes 28

and one for the DNS RR record

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mia.gov.ge -h proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY-K --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

The -h value is not really used. So for the DNS RR you can use either name.

Regards
Markus

"Giorgi Tepnadze" wrote in message news:53D219EA.1010504@xxxxxxxxxx...

Hi Markus

Excuse me for posting in an old list, but I have a small question:

So I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation, how should I create the keytab file?

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY1-K --upn HTTP/proxy1.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h proxy2.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K --upn HTTP/proxy2.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

and one for the DNS RR record

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.domain.com -h proxy1.domain.com -k /root/keytab/PROXY.keytab --computer-name PROXY2-K --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

But there is a problem with the last one: which server name should I put in -s, -h, --upn and --computer-name?

Many Thanks
George

On 07/02/14 01:26, Markus Moeller wrote:
Hi Joseph,

It is all possible :-)

Firstly I suggest not to use samba tools to create the squid keytab, but use msktutil (see http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos). Then create a keytab for the loadbalancer name (that is the one configured in IE or Firefox). Use this keytab on both proxy servers and use negotiate_kerberos_auth with -s GSS_C_NO_NAME.

When you say multiple realms, do you have trust between the AD domains or are they separate? If the domains do not have trust, do you intend to use the same loadbalancer name for the users of both domains?

Markus

"Joseph Spadavecchia" wrote in message news:2B43C569F8254A4E82C948CE4C247ED515891A@xxxxxxxxxxxxx.local...

Hi there,

What is the recommended way to configure Kerberos authentication behind two load balancers?

AFAIK, based on the mailing lists, I should

1) Create a user account KrbUser on the AD server and add an SPN HTTP/loadbalancer.example.com for the load balancer
2) Join the domain with Kerberos and kinit
3) net ads keytab add HTTP/loadbalancer.example.com@REALM -U KrbUser
4) update squid.conf with an auth helper like negotiate_kerberos_auth -s HTTP/loadbalancer.example.com@REALM

Unfortunately, when I try this it fails. The only way I could get it to work at all was by removing the SPN from the KrbUser and associating the SPN with the machine trust account (of the proxy behind the loadbalancer). However, this is not a viable solution since there are two machines behind the load balancer and AD only allows you to associate a SPN with one account.

Furthermore, given that I needed step (4) above, is it possible to have load balanced Kerberos authentication working with multiple realms? If so, then how?

Many thanks.
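The procedure the thread converges on (one keytab carrying the SPNs of both proxies plus the DNS round-robin name, copied to both Squid boxes, and negotiate_kerberos_auth started with -s GSS_C_NO_NAME) scripted end to end, as an added example that is neither Markus's nor the Squid project's code. Host names, the DC, the OU, the keytab path, the enctype mask and the PROXY*-K computer-account names are taken from the thread; the helper function names, the sample klist listing, the helper binary path and the children/idle values in the squid.conf fragment are assumptions of this example. It runs in dry-run mode by default and only prints the msktutil lines; set DRY_RUN=0 on a domain-joined proxy to execute them.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Creates one keytab with three SPNs (proxy1, proxy2, DNS RR name), checks the
# keytab contents with klist, and prints the squid.conf lines that use it.

PROXY1=${PROXY1:-proxy1.domain.com}
PROXY2=${PROXY2:-proxy2.domain.com}
RR_NAME=${RR_NAME:-proxy.mia.gov.ge}        # the DNS RR name the browsers are pointed at
DC=${DC:-addc03.domain.com}
OU=${OU:-CN=COMPUTERS}
KEYTAB=${KEYTAB:-/root/keytab/PROXY.keytab}
ENCTYPES=${ENCTYPES:-28}   # msktutil bitmask 0x1C = RC4-HMAC (4) + AES128 (8) + AES256 (16)
DRY_RUN=${DRY_RUN:-1}      # DRY_RUN=0 on a domain-joined proxy really runs msktutil

# Build one msktutil invocation.  $1 = SPN host part, $2 = computer account name,
# $3 = value for -h (per the thread it is not really used, so the RR entry can
# name either proxy).  Every SPN is written into the same keytab file.
msktutil_cmd() {
    printf 'msktutil -c -b "%s" -s HTTP/%s -h %s -k %s --computer-name %s --upn HTTP/%s --server %s --verbose --enctypes %s' \
        "$OU" "$1" "$3" "$KEYTAB" "$2" "$1" "$DC" "$ENCTYPES"
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$1"; else eval "$1"; fi
}

create_keytab() {
    run "$(msktutil_cmd "$PROXY1" PROXY1-K "$PROXY1")"
    run "$(msktutil_cmd "$PROXY2" PROXY2-K "$PROXY2")"
    # The RR name gets its own computer account (PROXY-K), as in Markus's answer.
    run "$(msktutil_cmd "$RR_NAME" PROXY-K "$PROXY1")"
}

# Read `klist -kt` output on stdin and fail (status 1) unless every SPN given as
# an argument appears as a principal; the missing ones are named on stderr.
keytab_has_spns() {
    listing=$(cat)
    missing=""
    for spn in "$@"; do
        printf '%s\n' "$listing" | grep -qF " ${spn}@" || missing="$missing $spn"
    done
    [ -z "$missing" ] || { printf 'missing SPNs:%s\n' "$missing" >&2; return 1; }
}

# squid.conf fragment: the helper reads the shared keytab via KRB5_KTNAME in
# squid's environment, and GSS_C_NO_NAME lets it accept whichever SPN the
# client used (proxy1, proxy2 or the RR name).  Helper path and child counts
# are assumptions of this example.
squid_negotiate_conf() {
    cat <<EOF
# export KRB5_KTNAME=$KEYTAB in squid's environment (e.g. /etc/default/squid)
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth
EOF
}

# Constructed sample of what `klist -kt $KEYTAB` shows after the three runs above.
SAMPLE_KLIST="Keytab name: FILE:$KEYTAB
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/02/2014 01:26:00 HTTP/$PROXY1@DOMAIN.COM
   2 07/02/2014 01:26:05 HTTP/$PROXY2@DOMAIN.COM
   2 07/02/2014 01:26:10 HTTP/$RR_NAME@DOMAIN.COM"

create_keytab
# Real use: klist -kt "$KEYTAB" | keytab_has_spns "HTTP/$PROXY1" "HTTP/$PROXY2" "HTTP/$RR_NAME"
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_spns "HTTP/$PROXY1" "HTTP/$PROXY2" "HTTP/$RR_NAME" && printf 'keytab OK\n'
squid_negotiate_conf
```

Copy the resulting keytab to both proxies and run the klist check on each of them; if the RR name is missing from one box, that proxy will fail Negotiate for clients that were steered to it by the round robin while the other still works, which is exactly the intermittent failure a shared-keytab setup is meant to avoid.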