[squid-users] Re: Help with Kerberos Configuration

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 18 Nov 2011 22:52:15 -0000

Hi Bhavesh,

"Bhavesh Patel" <patelb88_at_yahoo.com> wrote in message
news:1321458350063-4076779.post_at_n4.nabble.com...
> Hi All,
>
> Was looking through the archives and kind of found some answers but I
> wanted to make sure. I had a few questions actually.
>
> 1) Looks like Squid supports Single Forest Multiple domain setup and I
> found the following thread.
>
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Single-Forest-Multiple-Domains-kebreos-setup-squid-kerb-ldap-td2021022.html
>
> But in the krb5.conf I don't see any mention of domain c. Is the config
> incomplete?

Firstly, the msktutil command should be done for domain B and C instead of A
and B. The krb5.conf is incomplete if you do not want to use DNS-based KDC
discovery and if you use squid_kerb_ldap. For Kerberos authentication with
squid_kerb_auth this is not required.

>
> 2) Does Squid support Kerberos with multiple domains on multiple forests?
> I read something somewhere but didn't find a concrete answer and a sample
> configuration either. I found something that said you have to merge the
> keytab files but how do you merge them? Here is the link I found
>
> http://www.mail-archive.com/search?q=kerberos&l=squid-users@squid-cache.org&o=relevance&start=30

Yes, you can do that in the same way as described on the link under 1). Use
msktutil and, when you run it the second time, the -k option points to the
existing keytab and appends the new information. Another tool, called ktutil,
is part of the MIT Kerberos package. Heimdal has a similar tool to manage
keytabs.

>
> 3) Does Squid support redundancy for kerberos?

In which sense? When you look at how Kerberos works the client will do
all the Kerberos communication. squid is just locally verifying the ticket.
squid_kerb_ldap will use the standard Kerberos redundancy either via DNS or
multiple entries in krb5.conf. squid_kerb_ldap works like a Unix Kerberos
client. For more details you may need to read the MIT Kerberos pages.

>
> 4) What if you have squid in a cluster with load balancing? Are there any
> issues and again any sample configuration files?

It depends what type of load balancing you do.

For DNS-based load balancing you need to have two keytab entries on each
server: one for the real hostname and one for the load-balanced name. For
example, if the load-balanced name is squid.server.com and points to either
s1.server.com or s2.server.com, then on server s1 you need a keytab with an
entry for s1.server.com and squid.server.com, and on server s2 you need
s2.server.com and squid.server.com, where squid.server.com must use the same
key as on s1. So you must create the key for squid.server.com only once.

For a Server Load Balancing solution with F5 or similar you just need one
keytab, e.g. for squid.server.com, distributed to all servers.

In both cases squid_kerb_auth needs the option -s GSS_C_NO_NAME.

>
> Thanks.
>
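An added check for the DNS load-balanced keytab layout described above (my example, not Markus's or the Squid project's code): given the text of `klist -kt` from each node, it confirms that the node's own principal and the load-balanced principal are both present, and that the load-balanced principal's KVNO agrees between nodes, which is what you would expect when the key was created once and copied rather than generated twice. It assumes HTTP/<host>@SERVER.COM service principals, a keytab at /etc/squid/squid.keytab, and constructed listings in MIT `klist -kt` layout.

```shell
#!/bin/sh
# Constructed sample listings standing in for `klist -kt /etc/squid/squid.keytab`
# on s1 and s2 (hypothetical path and realm SERVER.COM).
S1_LISTING='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 11/18/2011 22:00:00 HTTP/s1.server.com@SERVER.COM
   3 11/18/2011 22:05:00 HTTP/squid.server.com@SERVER.COM'

S2_LISTING='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 11/18/2011 22:10:00 HTTP/s2.server.com@SERVER.COM
   3 11/18/2011 22:05:00 HTTP/squid.server.com@SERVER.COM'

# Print the KVNO of HTTP/<name>@<realm> in a listing; prints nothing if absent.
# The principal is the last whitespace-separated field of each entry line.
keytab_kvno() {  # $1 = listing text, $2 = host name, $3 = realm
    printf '%s\n' "$1" | awk -v p="HTTP/$2@$3" '$NF == p { print $1; exit }'
}

# Succeed (0) when the listing holds both the node's own principal and the
# load-balanced principal, as each node behind the DNS round-robin needs.
node_keytab_ok() {  # $1 = listing, $2 = node host, $3 = LB name, $4 = realm
    [ -n "$(keytab_kvno "$1" "$2" "$4")" ] && [ -n "$(keytab_kvno "$1" "$3" "$4")" ]
}

# Succeed (0) when the load-balanced principal carries the same KVNO on both
# nodes. Equal KVNOs do not prove equal keys, but a mismatch proves the key
# was (re)created on one node instead of copied from s1.
lb_kvno_consistent() {  # $1 = listing A, $2 = listing B, $3 = LB name, $4 = realm
    a=$(keytab_kvno "$1" "$3" "$4")
    b=$(keytab_kvno "$2" "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```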
Received on Fri Nov 18 2011 - 22:52:33 MST
