[squid-users] Re: Re: Kerberos setup with RR DNS

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 9 Sep 2011 19:49:43 +0100

Hi,

   Good to hear. BTW you need to do a bit more if you use other browsers
than IE. It works with IE because IE does not do a canonicalization of the
proxyname, i.e. gethostbyaddr(gethostbyname(proxyname)), to create the
Kerberos token. So independent of the resolved IP it is HTTP/proxyname.

 If canonicalization is done it would be HTTP/realname-1 and HTTP/realname-2
and you have to create three AD entries:

1) for proxyname
2) for realname-1
3) for realname-2

The three keytabs can be merged with tools like ktutil and the merged keytab
needs to be installed on the 2 proxies plus you need to use -s GSS_C_NO_NAME.

Regards
Markus

"Emmanuel Lacour" <elacour_at_easter-eggs.com> wrote in message
news:20110909150149.GF2669_at_easter-eggs.com...
> On Fri, Sep 09, 2011 at 03:42:21PM +0100, Markus Moeller wrote:
>> You need to create one AD entry for proxy.domain.tld and copy the
>> same keytab to both squid servers and use the -s GSS_C_NO_NAME
>> option for squid_kerb_auth or negotiate_kerberos_auth.
>>
>
> at a first glance, it seems to work like a charm, many thanks :)
>
>
Received on Fri Sep 09 2011 - 18:50:17 MDT
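
An added example, not part of the message above or of Squid: a Python check that lists every HTTP/ principal a client may request for a round-robin proxy name, with and without canonicalization, and reports which ones a merged keytab still lacks. The host names, addresses, realm and keytab listing are constructed sample values, and the function names are hypothetical.

```python
import socket

# Constructed sample DNS data: one round-robin name, two proxies behind it.
SAMPLE_A = {"proxy.example.com": ["192.0.2.11", "192.0.2.12"]}
SAMPLE_PTR = {"192.0.2.11": "realname-1.example.com",
              "192.0.2.12": "realname-2.example.com."}


def expected_spns(proxyname, forward=None, reverse=None, service="HTTP"):
    """List every service principal a client may request for proxyname.

    forward(name) returns all A-record addresses, reverse(ip) returns the
    PTR name. Both default to the system resolver; pass stubs to run offline.
    """
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])

    # A client that does not canonicalize always asks for the configured name.
    spns = [f"{service}/{proxyname}"]
    # A canonicalizing client does gethostbyaddr(gethostbyname(proxyname)) and
    # asks for the real name behind whichever address the round robin returned.
    for ip in forward(proxyname):
        try:
            # Lower-cased and stripped of the trailing dot for comparison
            # (an assumption of this example).
            real = reverse(ip).rstrip(".").lower()
        except (OSError, KeyError):
            continue  # no PTR record for this address, nothing to add
        spn = f"{service}/{real}"
        if spn not in spns:
            spns.append(spn)
    return spns


def missing_from_keytab(spns, keytab_principals, realm):
    """Return the SPNs that have no matching principal in the merged keytab."""
    have = set(keytab_principals)
    return [spn for spn in spns if f"{spn}@{realm}" not in have]


if __name__ == "__main__":
    spns = expected_spns("proxy.example.com",
                         SAMPLE_A.__getitem__, SAMPLE_PTR.__getitem__)
    # Constructed keytab listing: only the shared proxy name has been merged.
    keytab = ["HTTP/proxy.example.com@EXAMPLE.COM"]
    for spn in missing_from_keytab(spns, keytab, "EXAMPLE.COM"):
        print("keytab lacks", spn)
```

Run against the real resolver by omitting the two stub arguments, and feed it the principal names shown by `klist -k` on each proxy.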
