Re: [squid-users] Re: Re: Help with Kerberos Configuration

From: brendan kearney <bpk678_at_gmail.com>
Date: Wed, 9 Jan 2013 20:45:02 -0500

i have removed the keytab from the load balancer, and added the proxy
principal to the keytab file on each server. the keytab file for
server1 has entries for HTTP/proxy.bpk2.com (the VIP) and
HTTP/server.bpk2.com. server2 has entries for HTTP/proxy.bpk2.com and
HTTP/vpn.bpk2.com (matching hostnames and DNS names in both cases).

i get one squid instance denying access for some time, then they
switch and the other is denying access. after several page loads and
refreshes, etc both instances begin denying all access even though i
have valid tickets.

i must be missing something... i checked permissions on the keytab
files. squid is owner and group, with 600 ownership (-rw-------).
below are some krb logs that seem to indicate the tickets are ok and
valid:

2013-01-09T20:34:30.268856-05:00 server krb5kdc[12337]: AS_REQ (4
etypes {18 17 16 23}) 192.168.1.97: ISSUE: authtime 1357781670, etypes
{rep=18 tkt=18 ses=18}, brendan_at_BPK2.COM for krbtgt/BPK2.COM_at_BPK2.COM
2013-01-09T20:34:38.779822-05:00 server krb5kdc[12337]: TGS_REQ (4
etypes {18 17 16 23}) 192.168.1.97: ISSUE: authtime 1357781670, etypes
{rep=18 tkt=18 ses=18}, brendan_at_BPK2.COM for
HTTP/proxy.bpk2.com_at_BPK2.COM

what would i be missing?

On 1/9/13, brendan kearney <bpk678_at_gmail.com> wrote:
> i must have misunderstood you when you said that i need a third entry in
> the keytab for the VIP. I took that to mean that the device hosting the
> VIP should have a keytab on it with the HTTP principal in the keytab.
>
> from what you are saying now, it looks like i just need the squid instances
> to have 2 HTTP principals in each of their keytabs, one for the local proxy
> instance and one for the VIP instance. I'll give that a shot. Thanks.
>
Received on Thu Jan 10 2013 - 01:45:10 MST
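A check worth running when two hosts share one service principal, as an added example that is not from this thread: compare the kvno of every principal present in both keytabs. MIT `kadmin ktadd` generates a fresh random key and increments the kvno each time it runs, so adding HTTP/proxy.bpk2.com to each server's keytab in separate ktadd runs leaves one host with a stale key that cannot decrypt tickets the KDC encrypts with the current one. The two `klist -kt` listings below are constructed for the example, not the poster's real keytabs.

```shell
#!/bin/sh
# Constructed `klist -kt` output for the two squid hosts (sample data, not
# real keytabs). Both carry the VIP principal; only its kvno differs.
SERVER1_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/09/2013 20:10:00 HTTP/proxy.bpk2.com@BPK2.COM
   2 01/09/2013 20:10:00 HTTP/server.bpk2.com@BPK2.COM'

SERVER2_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/09/2013 20:12:00 HTTP/proxy.bpk2.com@BPK2.COM
   2 01/09/2013 20:12:00 HTTP/vpn.bpk2.com@BPK2.COM'

# kvno_table: reduce `klist -kt` output to sorted "principal kvno" lines,
# keeping the highest kvno per principal (a keytab may hold several key
# versions of the same principal). Header and separator lines are skipped
# because their first field is not numeric.
kvno_table() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $4 != "" {
            if (!($4 in k) || $1 + 0 > k[$4] + 0) k[$4] = $1
        }
        END { for (p in k) print p, k[p] }' | sort
}

# shared_kvno_mismatches: print "principal kvno_a kvno_b" for each principal
# that exists in both keytabs with a different kvno. Principals present in
# only one keytab (the per-host HTTP/server and HTTP/vpn entries) are ignored.
shared_kvno_mismatches() {
    { kvno_table "$1"; echo '--'; kvno_table "$2"; } | awk '
        $1 == "--" { second = 1; next }
        !second    { a[$1] = $2; next }
        ($1 in a) && a[$1] != $2 { print $1, a[$1], $2 }'
}

# Report: an empty result means every shared principal has a matching kvno.
mismatches=$(shared_kvno_mismatches "$SERVER1_KLIST" "$SERVER2_KLIST")
if [ -n "$mismatches" ]; then
    echo "kvno mismatch (principal server1 server2):"
    echo "$mismatches"
else
    echo "all shared principals have matching kvno"
fi
```

On a live system feed the function the real listings (`klist -kt /etc/squid/squid.keytab` from each host) and, holding a valid TGT, run `kvno HTTP/proxy.bpk2.com` to see which version the KDC is currently issuing; the keytab whose kvno matches that value is the one that can decrypt the ticket.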
