[squid-users] Re: Re: Advices for a squid cluster with kerberos auth

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 8 Jun 2010 00:21:11 +0100

Hi Emmanuel,

   Can you resolve proxy.xx.yy and then resolve the IP address you get to a
name?

Markus

"Emmanuel Lesouef" <e.lesouef_at_crbn.fr> wrote in message
news:20100607153001.53b908cc_at_nienor.local...
On Fri, 21 May 2010 10:03:57 +0200,
Emmanuel Lesouef <e.lesouef_at_crbn.fr> wrote:

> On Thu, 20 May 2010 21:51:08 +0100,
> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote:
>
> > It will work with the right setup (e.g. you have to copy the
> > Kerberos keytab to all machines and use the -s HTTP/<RR-DNS-name>
> > or -s GSS_C_NO_NAME option with squid_kerb_auth).
> >
> > Regards
> > Markus
> >
>
> Understood. Thanks Markus. I didn't know it was possible to have a RR
> DNS Name in the service name.
>

I'm raising this topic again because it seems that there is a problem
creating the keytab:

root_at_server1:~# msktutil -c -b "CN=COMPUTERS" -s
HTTP/proxy.xx.yy -h proxy.xx.yy -k /etc/squid/HTTP.keytab
--computer-name proxy --upn HTTP/proxy.xx.yy --server
dc1.xx.yy --verbose --enctypes 28

[...]

 -- ldap_get_base_dn: Determining default LDAP base: dc=xx,dc=yy
Error: No reverse DNS entry found for
%2prox
Error: complete_hostname failed
Error: finalize_exec failed
 -- krb5_cleanup: Destroying Kerberos Context
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure

Any advice?

-- 
Emmanuel Lesouef
Received on Mon Jun 07 2010 - 23:21:39 MDT
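
The forward-then-reverse lookup requested at the top of this message, applied to every address behind a round-robin name. This is an added example, not part of the original thread or of msktutil. The sample zone, the addresses and the name server1.xx.yy are constructed, and the extra check that a PTR name resolves back to the same address goes beyond what the thread asks for.

```python
import socket

def forward_lookup(name):
    """All IPv4 addresses for name; a round-robin name returns several."""
    try:
        return sorted(socket.gethostbyname_ex(name)[2])
    except OSError:
        return []

def reverse_lookup(ip):
    """PTR name for ip, or None when no reverse entry exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_name(name, forward=forward_lookup, reverse=reverse_lookup):
    """Resolve name, then reverse-resolve each address it maps to.

    Returns one (ip, ptr_name, status) tuple per address, where status is
    "missing-ptr", "ptr-not-confirmed" (the PTR name does not resolve back
    to this address) or "ok".
    """
    report = []
    for ip in forward(name):
        ptr = reverse(ip)
        if ptr is None:
            status = "missing-ptr"
        elif ip not in forward(ptr):
            status = "ptr-not-confirmed"
        else:
            status = "ok"
        report.append((ip, ptr, status))
    return report

# Constructed sample zone (documentation addresses, hypothetical host names):
# the round-robin name has two A records but only one address has a PTR.
SAMPLE_A = {"proxy.xx.yy": ["192.0.2.10", "192.0.2.11"],
            "server1.xx.yy": ["192.0.2.10"]}
SAMPLE_PTR = {"192.0.2.10": "server1.xx.yy"}

def check_sample(name):
    """Run check_name against the constructed zone instead of live DNS."""
    return check_name(name, lambda n: SAMPLE_A.get(n, []), SAMPLE_PTR.get)

if __name__ == "__main__":
    for ip, ptr, status in check_sample("proxy.xx.yy"):
        print(f"{ip:<15} {ptr or '-':<20} {status}")
```

Calling check_name("proxy.xx.yy") with the default resolvers runs the same check against live DNS from the machine where the keytab is being created.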
