Just to add: Thanks for this. I've successfully got RR working with Kerberos as you said. It's something I've been interested in as well. My test setup is:
SQUID1.domain.com 10.0.0.1
SQUID2.domain.com 10.0.0.2
RR DNS record SQUIDS.domain.com for each SQUIDx IP
Computer account in UnixPrincipals OU called SQUIDS
msktutil -u -b "OU=UnixPrincipals" -s HTTP/squids.domain.com -k /etc/squid/HTTP.keytab --computer-name squids --upn HTTP/squids --server dc1 --verbose -h squids.domain.com
Point browser to squids.domain.com.
Has anyone had success using Service Location records in DNS for different sites? I would be interested to hear about it..
On 20/05/2010 21:51, "Markus Moeller" <huaraz_at_moeller.plus.com> wrote:
It will work with the right setup (e.g. you have to copy the Kerberos keytab
to all machines and use the -s HTTP/<RR-DNS-name> or -s GSS_C_NO_NAME option
with squid_kerb_auth).
Regards
Markus
"Amos Jeffries" <squid3_at_treenet.co.nz> wrote in message
news:4BF52C87.9080904_at_treenet.co.nz...
> Emmanuel Lesouef wrote:
>> Hello,
>>
>> I'm currently satisfied with my round-robin DNS enabled "cluster" of
>> two Squid with ntlm authentication.
>>
>> But, with th appearance of Windows 7 and Windows 2008, I see by
>> searching for documentation on the web that I need to use Kerberos
>> Authentication if I would like Internet Explorer 8 from 2008 or 7 to
>> work.
>>
>> Do you have any advices for achieving this setup ? What clustering
>> mechanism do you use. Does the kerberos part of the install need to be
>> customized to support being put in cluster mode (which needs to be
>> defined) ?
>>
>> Thanks for your helps and docs.
>>
>> PS : Testing it will be easy so I thinks I'll enable Debian Backports
>> repository in order to have 2.7STABLE9.
>>
>
> Without havign used either, I expect if your clustering setup works with
> NTLM it will work equally well or better for Kerberos.
>
> The two protocols are very much similar, with Kerberos doing away with one
> of the handshake HTTP reject messages.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.3
>
** Please consider the environment before printing this e-mail **
The information contained in this e-mail is of a confidential nature and is intended only for the addressee. If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful. Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality. Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message. Any views or opinions expressed are those of the author.
Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU
Registered in London No. 226900
Received on Fri May 21 2010 - 10:34:08 MDT
This archive was generated by hypermail 2.2.0 : Sat May 22 2010 - 12:00:06 MDT