On Thu, 2015-03-19 at 19:32 -0600, Samuel Anderson wrote: > Hey, I actually just figured it out. literally about 2 minutes ago. > > > I changed the mode from (http) to (tcp) in the HAPROXY.CFG > > > It looks like its able to authenticate again. Thanks for the > response. > > On Thu, Mar 19, 2015 at 7:27 PM, Brendan Kearney <bpk678@xxxxxxxxx> > wrote: > On Thu, 2015-03-19 at 19:01 -0600, Samuel Anderson wrote: > > Hello All, > > > > > > I have 2 squid servers that authenticate correctly when you > point your > > browser to either of them. I'm using a negotiate_wrapper. I > set it up > > following this > > > (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory) > > > > > > I would like to set both servers behind a haproxy load > balancer, > > however when you try to utilize the haproxy load balancer, > it will not > > authenticate anymore. It just gives an error asking to > authenticate. > > > > > > Any ideas? > > > > > > Thanks in advance. > > > > > > > > > > > > > > ##HAPROXY.CFG## > > > > > > global > > log /dev/log local0 > > log /dev/log local1 notice > > chroot /var/lib/haproxy > > user haproxy > > group haproxy > > daemon > > > > > > defaults > > log global > > mode http > > option httplog > > option dontlognull > > contimeout 5000 > > clitimeout 50000 > > srvtimeout 50000 > > > > > > # reverse proxy-squid > > listen proxy 10.10.0.254:3128 > > mode http > > cookie SERVERID insert indirect nocache > > balance roundrobin > > option httpclose > > option forwardfor header X-Client > > server squid1 10.10.0.253:3128 check inter 2000 > rise 2 fall 5 > > server squid2 10.10.0.252:3128 check inter 2000 > rise 2 fall 5 > > > > > > > > > > > > > > > > > > ##SQUID.CONF## > > > > > > > > > > #Kerberos and NTLM authentication > > auth_param negotiate > program /usr/local/bin/negotiate_wrapper > > --ntlm /usr/bin/ntlm_auth --diagnostics > > --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL > > --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s > GSS_C_NO_NAME > > auth_param negotiate children 30 > > auth_param negotiate keep_alive off > > > > > > # LDAP authentication > > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R > -b > > "DC=****,DC=local" -D "CN=SQUID,OU=Service > Accounts,DC=****,DC=local" > > -w "****" -f sAMAccountName=%s -h > > 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193 > > auth_param basic children 150 > > auth_param basic realm Please enter your Domain credentials > to > > continue > > auth_param basic credentialsttl 1 hour > > > > > > # AD group membership commands > > external_acl_type ldap_group ttl=60 children-startup=10 > > children-max=50 children-idle=2 % > > LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b > > "DC=****,DC=local" -D "CN=SQUID,OU=Service > Accounts,DC=****,DC=local" > > -w "****" -f "(&(objectclass=person) (sAMAccountname=% > v)(memberof=CN=% > > a,OU=PROXY,ou=ALL Groups,DC=****,DC=local))" -h > > dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local > > > > > > acl auth proxy_auth REQUIRED > > > > > > > > acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE > > PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE > PROXY-UNRESTRICTED > > PROXY-DEV PROXY-SALES > > > > > > http_access deny !auth all > > http_access deny !REQGROUPS all > > > > > > > > > > > > > > > > > > > > -- > > Samuel Anderson | Information Technology Administrator | > > International Document Services > > > > > > IDS | 11629 South 700 East, Suite 200 | Draper, UT > 84020-4607 > > > > > > > > > CONFIDENTIALITY NOTICE: > > This e-mail and any attachments are confidential. If you are > not an > > intended recipient, please contact the sender to report the > error and > > delete all copies of this message from your system. Any > unauthorized > > review, use, disclosure or distribution is prohibited. > > how did you create and distribute the keytab for the proxies? > you must > create one keytab and put the same exact one on each of the > proxies. > the KVNO numbers must match on every proxy. run "klist > -Kket /path/to/the.keytab" on the proxies to check. > > kerberos is heavily dependent on DNS. the keytab should > contain > PRIMARY/instance.domain.tld@REALM where PRIMARY is HTTP, > instance.domain.tld is the FQDN of the 10.10.0.254 IP, not > either or > both of the individual proxies, and REALM should be the > Kerberos REALM. > > did you export the environment variable for the keytab? on > fedora, i > put the following in /etc/sysconfig/squid: > > KRB5_KTNAME=/etc/squid/squid.keytab > export KRB5_KTNAME > > do you get a HTTP ticket from the directory? from a command > prompt, > what does "klist tickets" show? you can also install the XP > resource > kit and run kerbtray.exe to get that info. win7 and newer may > have it > built in. > > > > > > -- > Samuel Anderson | Information Technology Administrator | > International Document Services > > > IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607 > > > > CONFIDENTIALITY NOTICE: > This e-mail and any attachments are confidential. If you are not an > intended recipient, please contact the sender to report the error and > delete all copies of this message from your system. Any unauthorized > review, use, disclosure or distribution is prohibited. you will benefit from using the HTTP profile in HAProxy. if HTTP vs TCP is causing you grief, then you may want to review the config. i am using (mind the wrap): global #debug daemon log localhost local1 notice log-send-hostname router #uid 996 #gid 995 pidfile /var/run/haproxy.pid stats socket /var/run/haproxy.sock level admin stats maxconn 2 defaults balance leastconn log global mode http option httplog option http-server-close option forwardfor except 127.0.0.0/8 stats enable stats hide-version stats refresh 5s stats scope . stats show-legends stats uri /admin?stats timeout http-request 10s timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout http-keep-alive 10s timeout check 10s listen proxy 192.168.37.1:8080 # option to HTTP/1.1 should be on one line option httpchk GET /squid-internal-periodic/store_digest HTTP/1.1 server proxy1 192.168.88.1:3128 check inter 10000 server proxy2 192.168.88.2:3128 check inter 10000 listen proxy1 192.168.37.1:8081 # option to HTTP/1.1 should be on one line option httpchk GET /squid-internal-periodic/store_digest HTTP/1.1 server proxy1 192.168.88.1:3128 check inter 10000 listen proxy2 192.168.37.1:8082 # option to HTTP/1.1 should be on one line option httpchk GET /squid-internal-periodic/store_digest HTTP/1.1 server proxy2 192.168.88.2:3128 check inter 10000 by using the HTTP mode, you can get more intelligent service checking, and more reliably determine a devices status. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
