Re: [squid-users] Re: Re: Help with Kerberos Configuration

From: Brett Lymn <brett.lymn_at_baesystems.com>
Date: Thu, 10 Jan 2013 12:20:38 +1030

On Wed, Jan 09, 2013 at 08:45:02PM -0500, brendan kearney wrote:
> i have removed the keytab from the load balancer, and added the proxy
> principal to the keytab file on each server. the keytab file for
> server1 has entries for HTTP/proxy.bpk2.com (the VIP) and
> HTTP/server.bpk2.com. server2 has entries for HTTP/proxy.bpk2.com and
> HTTP/vpn.bpk2.com (matching hostnames and DNS names in both cases).
>
> i get one squid instance denying access for some time, then they
> switch and the other is denying access. after several page loads and
> refreshes, etc both instances begin denying all access even though i
> have valid tickets.
>
> i must be missing something... i checked permissions on the keytab
> files. squid is owner and group, with 600 ownership (-rw-------).
> below are some krb logs that seem to indicate the tickets are ok and
> valid:
>
> 2013-01-09T20:34:30.268856-05:00 server krb5kdc[12337]: AS_REQ (4
> etypes {18 17 16 23}) 192.168.1.97: ISSUE: authtime 1357781670, etypes
> {rep=18 tkt=18 ses=18}, brendan_at_BPK2.COM for krbtgt/BPK2.COM_at_BPK2.COM
> 2013-01-09T20:34:38.779822-05:00 server krb5kdc[12337]: TGS_REQ (4
> etypes {18 17 16 23}) 192.168.1.97: ISSUE: authtime 1357781670, etypes
> {rep=18 tkt=18 ses=18}, brendan_at_BPK2.COM for
> HTTP/proxy.bpk2.com_at_BPK2.COM
>
> what would i be missing?
>

I have a load balanced set up using kerberos. I ended up setting up
principals for all my proxies and the load balancer, then added into the
keytab file for each proxy entries for the load balancer and the proxy
server itself.

-- 
Brett Lymn
Received on Thu Jan 10 2013 - 01:50:52 MST
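
A keytab consistency check for the layout discussed in this thread (every proxy's keytab holding the shared load-balancer principal plus the proxy's own principal), added here as an example and not code from either poster or from the Squid project. It assumes MIT `klist -ke <keytab>` output has been collected from each proxy; the sample listings, kvno values and keytab path are constructed, and comparing the shared principal's key version across hosts goes beyond what the thread states.

```python
import re
from collections import defaultdict

# One `klist -ke` entry: "<kvno> <principal> (<enctype>)"
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)(?:\s+\((.+?)\))?\s*$")

def parse_klist(text):
    """Map each principal to its set of (kvno, enctype) keytab entries."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group(2)].add((int(m.group(1)), m.group(3) or "unknown"))
    return dict(entries)

def check_keytabs(listings, vip, own):
    """listings: {host: klist text}; own: {host: its own principal}."""
    problems = []
    parsed = {host: parse_klist(text) for host, text in listings.items()}
    for host in sorted(parsed):
        for needed in (vip, own[host]):
            if needed not in parsed[host]:
                problems.append(f"{host}: missing {needed}")
    # Every proxy must decrypt tickets issued for the shared principal, so its
    # entries should match everywhere. Differing kvno means differing keys.
    vip_keys = {h: e[vip] for h, e in parsed.items() if vip in e}
    if len({frozenset(k) for k in vip_keys.values()}) > 1:
        for host in sorted(vip_keys):
            problems.append(f"{host}: {vip} entries {sorted(vip_keys[host])}")
    return problems

# Constructed sample listings (kvno values and keytab path are made up).
VIP = "HTTP/proxy.bpk2.com@BPK2.COM"
OWN = {"server1": "HTTP/server.bpk2.com@BPK2.COM",
       "server2": "HTTP/vpn.bpk2.com@BPK2.COM"}
HEADER = "Keytab name: FILE:/etc/squid/HTTP.keytab\nKVNO Principal\n---- ----\n"
AES = "(aes256-cts-hmac-sha1-96)"
SAMPLE = {
    "server1": HEADER + f"   2 {VIP} {AES}\n   1 {OWN['server1']} {AES}\n",
    "server2": HEADER + f"   3 {VIP} {AES}\n   1 {OWN['server2']} {AES}\n",
}

if __name__ == "__main__":
    for problem in check_keytabs(SAMPLE, VIP, OWN):
        print(problem)
```

An empty result means each keytab lists both required principals and the shared principal's entries agree across proxies; it does not prove the keys match what the KDC currently holds.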
