[squid-users] Re: Re: Help with Kerberos Configuration

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 5 Jan 2013 14:04:58 -0000

Hi Brendan,

   I don't think I understand your topology. A load balancer usually does
not require a keytab, as they usually only do TCP load balancing and do not
interact with the underlying protocol. Why do you have a keytab on your
load balancer/router?

Markus

"brendan kearney" <bpk678_at_gmail.com> wrote in message
news:CAARxGtgWHEQ_6mnRDG1FCd7dDdgGpk80L=r7imEmrNdhFrookg_at_mail.gmail.com...
> I have tried to get this working, and still have issues. I think it
> might be related to my topology. I did add the HTTP/proxy.domain.tld
> principal to the keytab on the load balancer, and have the -s
> GSS_C_NO_NAME directive in each squid config. The two servers each
> have a squid.keytab that has the same principal in it as the load
> balancer. In essence, there are 3 copies of the same keytab on 3
> boxes.
>
> In looking at the logs, the load balancer is making requests of
> Kerberos on an IP that is not the VIP. Log entries below:
>
> 2013-01-04T19:11:04.926696-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344664, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com_at_BPK2.COM for krbtgt/BPK2.COM_at_BPK2.COM
> 2013-01-04T19:11:23.710855-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344683, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com_at_BPK2.COM for krbtgt/BPK2.COM_at_BPK2.COM
>
> Now, the 192.168.25.254 address is the load balancer box, but on the
> interface it has on the segment with the Kerberos server. The Kerberos
> server is one and the same as one of the squid servers being load
> balanced. It also happens to be that the load balancer is a router
> for several other segments. The load balancer/router device has an
> interface of 192.168.37.254 which is on the VIP network, and the VIP
> of 192.168.37.1 is also on the load balancer / router. haproxy is
> running with a listener on the 37.1 interface as the proxy VIP.
>
> My theory is that I might be trying to do too much with too little,
> and that I might have to break up some of the duties that all the
> boxes are doing, unless someone can shed some light on what I could be
> doing wrong. Please let me know if further clarification is
> needed.
>
>
> On 8/31/12, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>> You may need a third entry in the keytab for the VIP. IE will look for
>> a HTTP/<vip> ticket.
>>
>> Regards
>> Markus
>>
>>
>> "brendan" <bpk678_at_gmail.com> wrote in message
>> news:1346159765625-4656345.post_at_n4.nabble.com...
>>> I have two squid instances on two separate servers. Each is configured
>>> with kerberos auth, and when I point at one or the other, the kerberos
>>> auth works fine. When I point to a load balanced VIP, the auth does not
>>> work. I found the below and tried the method using the one keytab file
>>> for both instances and the -s GSS_C_NO_NAME option in the conf file.
>>> This did not work as expected.
>>>
>>> The load balancing process I am using is the "balance" package for
>>> Fedora 16. It does a SNAT on all requests it handles. Could this be part
>>> of why I am having issues? I found a couple of packages that I might be
>>> able to use for load balancing in the repos: balance, ipvsadm and
>>> haproxy. Does anyone have experience/success with any of these, or might
>>> one be recommended over the others?
>>>
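The KDC log lines quoted in the thread can be checked mechanically for exactly what Brendan noticed: a service principal obtaining tickets from a host that should not hold its keytab. The Python below is an added example, not code from this thread or from Squid; the expected squid/KDC host address 192.168.25.10 and the third sample log line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the MIT krb5kdc "AS_REQ ... ISSUE" layout of the two lines quoted above
# (assumption: built from those lines; TGS_REQ and failure lines are skipped).
AS_REQ_RE = re.compile(r"^(?P<ts>\S+) (?P<kdc>\S+) krb5kdc\[\d+\]: AS_REQ "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<src>[\d.]+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, (?P<client>\S+) for (?P<server>\S+)$"
)

def parse_as_req(line):
    """Return a dict for one issued AS_REQ line, or None if it is not one."""
    m = AS_REQ_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    for key in ("authtime", "rep", "tkt", "ses"):
        rec[key] = int(rec[key])
    return rec

def sources_by_client(lines):
    """Map each client principal to the set of source IPs it was issued from."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_as_req(line)
        if rec is not None:
            seen[rec["client"]].add(rec["src"])
    return dict(seen)

def unexpected_sources(lines, expected):
    """Per client principal, the source IPs not in expected[client]; a service
    principal should only authenticate from hosts that legitimately hold its keytab."""
    bad = {}
    for client, srcs in sources_by_client(lines).items():
        extra = srcs - set(expected.get(client, ()))
        if extra:
            bad[client] = sorted(extra)
    return bad

# Constructed sample: the two entries quoted above (one per line, "_at_" written as
# "@") plus an assumed third from 192.168.25.10, the squid/KDC host holding the keytab.
SAMPLE_LOG = [
    "2013-01-04T19:11:04.926696-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344664, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@BPK2.COM for krbtgt/BPK2.COM@BPK2.COM",
    "2013-01-04T19:11:23.710855-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.254: ISSUE: authtime 1357344683, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@BPK2.COM for krbtgt/BPK2.COM@BPK2.COM",
    "2013-01-04T19:12:00.000000-05:00 server krb5kdc[12337]: AS_REQ (4 etypes {18 17 16 23}) 192.168.25.10: ISSUE: authtime 1357344720, etypes {rep=18 tkt=18 ses=18}, HTTP/proxy.bpk2.com@BPK2.COM for krbtgt/BPK2.COM@BPK2.COM",
]
EXPECTED = {"HTTP/proxy.bpk2.com@BPK2.COM": {"192.168.25.10"}}
```

Running `unexpected_sources(SAMPLE_LOG, EXPECTED)` reports the load balancer address 192.168.25.254 against the HTTP/proxy principal, which is the stray keytab copy Markus is asking about.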
Received on Sat Jan 05 2013 - 14:05:31 MST

This archive was generated by hypermail 2.2.0 : Thu Jan 10 2013 - 12:00:03 MST