Re: [squid-users] Re: Advices for a squid cluster with kerberos auth

From: Nick Cairncross <>
Date: Fri, 21 May 2010 11:31:39 +0100

Just to add: Thanks for this. I've successfully got RR working with Kerberos as you said. It's something I've been interested in as well. My test setup is:

RR DNS record for each SQUIDx IP

Computer account in UnixPrincipals OU called SQUIDS

msktutil -u -b "OU=UnixPrincipals" -s HTTP/ -k /etc/squid/HTTP.keytab --computer-name squids --upn HTTP/squids --server dc1 --verbose -h

Point browser to

Has anyone had success using Service Location records in DNS for different sites? I would be interested to hear about it..

On 20/05/2010 21:51, "Markus Moeller" <> wrote:

It will work with the right setup (e.g. you have to copy the Kerberos keytab
to all machines and use the -s HTTP/<RR-DNS-name> or -s GSS_C_NO_NAME option
with squid_kerb_auth).


"Amos Jeffries" <> wrote in message
> Emmanuel Lesouef wrote:
>> Hello,
>> I'm currently satisfied with my round-robin DNS enabled "cluster" of
>> two Squid with ntlm authentication.
>> But, with th appearance of Windows 7 and Windows 2008, I see by
>> searching for documentation on the web that I need to use Kerberos
>> Authentication if I would like Internet Explorer 8 from 2008 or 7 to
>> work.
>> Do you have any advices for achieving this setup ? What clustering
>> mechanism do you use. Does the kerberos part of the install need to be
>> customized to support being put in cluster mode (which needs to be
>> defined) ?
>> Thanks for your helps and docs.
>> PS : Testing it will be easy so I thinks I'll enable Debian Backports
>> repository in order to have 2.7STABLE9.
> Without havign used either, I expect if your clustering setup works with
> NTLM it will work equally well or better for Kerberos.
> The two protocols are very much similar, with Kerberos doing away with one
> of the handshake HTTP reject messages.
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.3

** Please consider the environment before printing this e-mail **

The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author.

Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU

Registered in London No. 226900
Received on Fri May 21 2010 - 10:34:08 MDT

This archive was generated by hypermail 2.2.0 : Sat May 22 2010 - 12:00:06 MDT