[squid-users] Round robin DNS with two squid servers and squid_kerb_auth...

From: Essad Korkic <essad.korkic_at_gmail.com>
Date: Wed, 23 Mar 2011 14:49:19 +0100

Hi All,

We have two squid proxies running the same config. I want to implement
a round robin DNS solution, so that the browser points to one hostname
entry and is directed to one of the two servers.

Before that I had fully configured the squid proxy server so that it
works with squid_kerb_auth and squid_kerb_ldap, and it works fine, but
when I enabled round robin DNS I noticed that users weren't being
authenticated by Kerberos; instead it tried to use NTLM, which also
failed, and eventually they get a login box (basic).

I'm guessing that the browser passes the DNS entry which is configured
as proxy to squid_kerb_auth, which then tries to use that principal
name to authenticate? Because it's one DNS entry for two hostnames, I
can't give them both that hostname, right?

Is there another way to configure this?

Relevant Squid Configuration:
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s host/proxy1.example.com@EXAMPLE.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on

auth_param ntlm program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Proxy 2 has the same config, apart from the -s option for
squid_kerb_auth, which is host/proxy2.example.com@EXAMPLE.COM.
Also, even if I don't provide a service principal name, it doesn't work
(also with HTTP principals).

When I start a browser which points to the round robin DNS FQDN
(centralproxy.example.com) and go to whichever server it is being
diverted to, I can see this in the logs:

2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Got 'YR TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid (length: 59).
2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Decode 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' (decoded length: 40).
2011/03/23 14:24:53| squid_kerb_auth: WARNING: received type 1 NTLM token
2011/03/23 14:24:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'

If I change the browser to point directly to that proxy server, it
works like a charm.

Is there a way to fix this? Can round robin dns be used with squid_kerb_auth?

Thanks for your time.
Regards,
Essad
Received on Wed Mar 23 2011 - 13:49:25 MDT
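As an added example that is not part of the original post: the 'Got YR ...' token that squid_kerb_auth logs in the message above can be decoded to see exactly what the browser sent. The Python script below (an editor's example, not the poster's code and not part of Squid) parses the helper's debug line, base64-decodes the token and classifies it either as an NTLMSSP message (reporting its message type, negotiate flags and, when the NEGOTIATE_VERSION flag is set, the client's version field) or as a GSS-API InitialContextToken identified by its leading mechanism OID. Run on the posted log line it reports an NTLM type 1 (NEGOTIATE) message, which is what the helper's 'BH received type 1 NTLM token' reply means: the browser never produced a Kerberos/SPNEGO token for that proxy name and had already fallen back to NTLM. The SPNEGO token in the script is constructed (a minimal NegTokenInit offering only Kerberos V5) so that the same classifier can be shown recognising the token shape a working Negotiate exchange starts with; the flag and OID tables are taken from MS-NLMP and the GSS-API mechanism registrations, not from the post.

```python
"""Classify the 'YR <token>' / 'KK <token>' lines squid_kerb_auth logs at debug level.

Added example, not code from the original post or from Squid. YR marks the first
token of a Negotiate handshake, KK any later one.
"""
import base64
import re
import struct

# DER-encoded OID contents (06 tag and length stripped) of common GSS-API mechanisms.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",            # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "KRB5",        # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS-KRB5",     # 1.2.840.48018.1.2.2
}

# Subset of NTLMSSP NEGOTIATE flags (MS-NLMP 2.2.2.5) that matter for a type 1 message.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_VERSION = 0x02000000

LOG_RE = re.compile(r"Got '(YR|KK) ([A-Za-z0-9+/=]+)'")


def extract_token(log_line):
    """Return (helper_prefix, raw_token_bytes) from a squid_kerb_auth debug line, or None."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    return m.group(1), base64.b64decode(m.group(2))


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after the length)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify(token):
    """Say what kind of authentication token the browser put in the Negotiate header."""
    if token.startswith(b"NTLMSSP\x00"):
        msg_type = struct.unpack_from("<I", token, 8)[0]
        info = {"kind": "NTLM", "ntlm_type": msg_type}
        if msg_type == 1 and len(token) >= 16:
            flags = struct.unpack_from("<I", token, 12)[0]
            info["flags"] = flags
            info["flag_names"] = [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]
            # Version field (major, minor, build) is present only when NEGOTIATE_VERSION is set.
            if flags & NEGOTIATE_VERSION and len(token) >= 40:
                info["version"] = struct.unpack_from("<BBH", token, 32)
        return info
    if token[:1] == b"\x60":  # ASN.1 [APPLICATION 0] wrapper of a GSS-API InitialContextToken
        _, pos = der_length(token, 1)
        if token[pos:pos + 1] == b"\x06":
            oid_len, pos = der_length(token, pos + 1)
            oid = token[pos:pos + oid_len]
            return {"kind": MECH_OIDS.get(oid, "GSSAPI-unknown-mech"), "oid": oid.hex()}
    return {"kind": "unknown"}


def classify_log_line(log_line):
    """Combine extraction and classification for one helper debug line."""
    parsed = extract_token(log_line)
    if parsed is None:
        return None
    prefix, token = parsed
    info = classify(token)
    info["helper_prefix"] = prefix
    return info


# The debug line from the post, with the token rejoined onto one line.
POSTED_LOG_LINE = (
    "2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Got 'YR "
    "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid (length: 59)."
)

# Constructed, not captured: a minimal SPNEGO NegTokenInit whose mechTypes list only Kerberos V5.
CONSTRUCTED_SPNEGO_TOKEN = bytes.fromhex(
    "601b" "06062b0601050502"                        # [APPLICATION 0] + SPNEGO OID
    "a011300fa00d300b" "06092a864886f712010202"      # NegTokenInit { mechTypes: [ krb5 ] }
)

if __name__ == "__main__":
    print(classify_log_line(POSTED_LOG_LINE))
    print(classify(CONSTRUCTED_SPNEGO_TOKEN))
```

The classifier only looks at the outermost mechanism OID, which is enough to separate "the client offered SPNEGO/Kerberos" from "the client sent NTLMSSP"; it does not validate the token, so it is a log-triage aid, not a replacement for the helper's own checks.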

This archive was generated by hypermail 2.2.0 : Wed Mar 23 2011 - 12:00:02 MDT