Re: I want to know the concerns of load testing

hi all,

Good news.
I was able to solve the problem yesterday.
I created a key tab for haproxy and added the following options to negotiate_kerberos_auth in squid.conf.

-s GSS_C_NO_NAME

(squid.conf)
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/krb5.keytab -s HTTP/c0528004l.wintest.example.co.jp@xxxxxxxxxxxxxxxxxxxxx -s GSS_C_NO_NAME

Kerberos authentication is also possible on the load balancer backend server.

Thank you,
kitamura

On Mon, 12 Oct 2020 at 20:31, m k <tamurin0525@xxxxxxxxx> wrote:
hello,

Switching from NTLM certification to Kerberos certification.
Sure enough, I'm in trouble.

Kerberos authentication doesn't work.
Please let me know if there is a mistake in the settings.


SPN creation
WINTEST(Active Directory)
ktpass.exe /princ HTTP/c0528004l.wintest.example.co.jp@xxxxxxxxxxxxxxxxxxxxx /mapuser S139821admin@xxxxxxxxxxxxxxxxxxxxx /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 20201002 /out C:\squid.keytab


PTR record setting
# nslookup 10.217.192.22
22.192.217.10.in-addr.arpa      name = c0528004l.wintest.example.co.jp.


# klist
Ticket cache: KCM:1001
Default principal: lx17070028admin@xxxxxxxxxxxxxxxxx

Valid starting       Expires              Service principal
10/12/2020 16:05:10  10/13/2020 02:04:04  ldap/a9413001l.win.example.co.jp@xxxxxxxxxxxxxxxxx
        renew until 10/13/2020 02:04:04
10/12/2020 16:04:04  10/13/2020 02:04:04  krbtgt/WIN.EXAMPLE.CO.JP@xxxxxxxxxxxxxxxxx
        renew until 10/13/2020 02:04:04
10/12/2020 16:07:21  10/13/2020 02:04:04  ldap/a9401002l.win.example.co.jp@xxxxxxxxxxxxxxxxx
        renew until 10/13/2020 02:04:04


config setting
/etc/squid/squid.conf
# Kerberos Auth
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/c0528004l.wintest.example.co.jp@xxxxxxxxxxxxxxxxxxxxx
auth_param negotiate children 20
auth_param negotiate keep_alive on
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth

--->I get a windows security pop-up in IE.


error message
/var/log/squid/cache.log
2020/10/12 20:06:31 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information. Service key not available; }}


Create SPN from server
c0528004l(CentOS8.1)
# net ads keytab create -U S139821admin@xxxxxxxxxxxxxxxxxxxxx
Warning: "kerberos method" must be set to a keytab method to use keytab functions.
Enter S139821admin@xxxxxxxxxxxxxxxxxxxxx's password:
ads_keytab_open: Invalid kerberos method set (0)

---> An error occurs and keytab cannot be created.


Please let me know if you have any other information you need.

Hi Eliezer,

docker is already installed.
We are considering a configuration of at least 6 servers.
Whether it will be 8 or 10 has not been verified.


thank you,
kitamura
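For readers of the archive, an added example that is not from the thread or from the Squid project: a small check that turns the diagnosis above into code. The "Service key not available" error appears when the client presents a ticket for a service principal (HTTP/<the name the browser connects to>) that has no key in the keytab given to negotiate_kerberos_auth with -k, which is what happens behind a load balancer when the browser asks for the balancer's name rather than the backend's. The script parses MIT `klist -kt` style output (a constructed sample is embedded; the realm EXAMPLE.REALM and the balancer name proxy-lb.wintest.example.co.jp are placeholders, not the poster's values), lists the HTTP/ SPNs that are missing for the hostnames clients may use, and builds the auth_param line either pinned to one SPN or with `-s GSS_C_NO_NAME`, which tells the helper to accept any service principal that has a key in the keytab.

```python
"""Keytab coverage check for Squid negotiate_kerberos_auth (added example,
not code from the squid-users thread or from Squid itself)."""
import re

# Constructed sample of `klist -kt /etc/squid/squid.keytab` output.
# The hostname is the one from the thread; EXAMPLE.REALM is a placeholder realm.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/12/2020 16:00:00 HTTP/c0528004l.wintest.example.co.jp@EXAMPLE.REALM
   3 10/12/2020 16:00:00 host/c0528004l.wintest.example.co.jp@EXAMPLE.REALM
"""

HELPER = "/usr/lib64/squid/negotiate_kerberos_auth"

# One keytab entry: KVNO, timestamp (date and time), principal.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def parse_klist_keytab(text):
    """Return the set of principals that have a key in the keytab listing."""
    principals = set()
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            principals.add(m.group(3))
    return principals


def missing_http_spns(principals, client_facing_hosts, realm):
    """HTTP/<host>@REALM principals a browser may request that the keytab lacks.

    Each missing entry is a candidate for the 'Service key not available'
    failure and must be added to the keytab (ktpass on the AD side, or a
    keytab tool on the proxy) before the helper can validate those tickets."""
    wanted = {f"HTTP/{host}@{realm}" for host in client_facing_hosts}
    return sorted(wanted - principals)


def helper_command(keytab_path, accept_any_keytab_principal, spn=None):
    """Build the squid.conf auth_param line for the negotiate helper.

    accept_any_keytab_principal=True emits `-s GSS_C_NO_NAME`: the helper then
    accepts any service principal present in the keytab, which is needed when
    clients reach the proxy under more than one name (backend and balancer).
    Otherwise the helper is pinned to a single SPN with `-s`."""
    parts = [f"auth_param negotiate program {HELPER}", f"-k {keytab_path}"]
    if accept_any_keytab_principal:
        parts.append("-s GSS_C_NO_NAME")
    elif spn:
        parts.append(f"-s {spn}")
    return " ".join(parts)


def diagnose(klist_text, client_facing_hosts, realm,
             keytab_path="/etc/squid/squid.keytab"):
    """Report missing SPNs and a recommended auth_param line for this setup."""
    principals = parse_klist_keytab(klist_text)
    missing = missing_http_spns(principals, client_facing_hosts, realm)
    multi_name = len(client_facing_hosts) > 1
    only_spn = None if multi_name else f"HTTP/{client_facing_hosts[0]}@{realm}"
    return {
        "keytab_principals": sorted(principals),
        "missing_spns": missing,
        "recommended_auth_param": helper_command(keytab_path, multi_name, only_spn),
    }


if __name__ == "__main__":
    # Constructed scenario: browsers reach the proxy either directly by the
    # backend name or through a load balancer name (placeholder hostname).
    report = diagnose(
        SAMPLE_KLIST_OUTPUT,
        ["c0528004l.wintest.example.co.jp", "proxy-lb.wintest.example.co.jp"],
        "EXAMPLE.REALM",
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against real `klist -kt <keytab>` output and the list of names that appear in browsers' proxy settings; an empty `missing_spns` list together with the `-s GSS_C_NO_NAME` line is the state the thread ended up in, while a non-empty list points at the SPN whose key still has to be exported into the keytab.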


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
