[squid-users] Re: Re: Re: Help with Kerberos Configuration

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 11 Jan 2013 19:18:03 -0000

Which error do you see in the squid log ? Can you run the squid_kerb_auth
helper with -d ?

Markus

"brendan kearney" <bpk678_at_gmail.com> wrote in message
news:CAARxGtgzUOc5u0rQ=Mhbxw25RP=DKODdOKwiqRe9FCzj7jetUA_at_mail.gmail.com...
> I have removed the keytab from the load balancer, and added the proxy
> principal to the keytab file on each server. The keytab file for
> server1 has entries for HTTP/proxy.bpk2.com (the VIP) and
> HTTP/server.bpk2.com. server2 has entries for HTTP/proxy.bpk2.com and
> HTTP/vpn.bpk2.com (matching hostnames and DNS names in both cases).
>
> I get one squid instance denying access for some time, then they
> switch and the other is denying access. After several page loads and
> refreshes, etc. both instances begin denying all access even though I
> have valid tickets.
>
> I must be missing something... I checked permissions on the keytab
> files. squid is owner and group, with 600 ownership (-rw-------).
> Below are some krb logs that seem to indicate the tickets are ok and
> valid:
>
> 2013-01-09T20:34:30.268856-05:00 server krb5kdc[12337]: AS_REQ (4
> etypes {18 17 16 23}) 192.168.1.97: ISSUE: authtime 1357781670, etypes
> {rep=18 tkt=18 ses=18}, brendan_at_BPK2.COM for krbtgt/BPK2.COM_at_BPK2.COM
> 2013-01-09T20:34:38.779822-05:00 server krb5kdc[12337]: TGS_REQ (4
> etypes {18 17 16 23}) 192.168.1.97: ISSUE: authtime 1357781670, etypes
> {rep=18 tkt=18 ses=18}, brendan_at_BPK2.COM for
> HTTP/proxy.bpk2.com_at_BPK2.COM
>
> What would I be missing?
>
> On 1/9/13, brendan kearney <bpk678_at_gmail.com> wrote:
>> I must have misunderstood you when you said that I need a third entry in
>> the keytab for the VIP. I took that to mean that the device hosting the
>> VIP should have a keytab on it with the HTTP principal in the keytab.
>>
>> From what you are saying now, it looks like I just need the squid
>> instances to have 2 HTTP principals in each of their keytabs, one for
>> the local proxy instance and one for the VIP instance. I'll give that
>> a shot. Thanks.
>>
>
Received on Fri Jan 11 2013 - 19:18:26 MST
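The thread's setup (two squid nodes behind a VIP, each node's keytab holding HTTP/&lt;VIP&gt; plus HTTP/&lt;own hostname&gt;, file mode 600 owned by squid) is easy to get subtly wrong on one node. Below is an added example, not code from the thread or from Squid, of a small POSIX shell check for exactly those conditions. The `klist -kt` listing it parses is constructed to mirror server1 from the message; the hostnames, realm and keytab path are taken from the thread, and the `audit_keytab` wrapper that reads a real file is an assumption about how you would wire it in on a live host.

```shell
#!/bin/sh
# Added example (not from the thread or Squid): sanity-check a node's
# Squid keytab for a load-balanced Kerberos setup.
#
# Constructed `klist -kt` listing for server1 as described in the thread.
# On a real host this comes from: klist -kt /etc/squid/squid.keytab
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/09/13 20:00:00 HTTP/proxy.bpk2.com@BPK2.COM
   3 01/09/13 20:00:00 HTTP/server.bpk2.com@BPK2.COM'

# keytab_has_principal LISTING PRINCIPAL
# Returns 0 if PRINCIPAL appears as the last field of any line in LISTING.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# missing_principals LISTING REALM HOST...
# Prints HTTP/<host>@REALM for every HOST whose principal is absent from LISTING;
# prints nothing when the keytab is complete.
missing_principals() {
    listing=$1
    realm=$2
    shift 2
    for h in "$@"; do
        keytab_has_principal "$listing" "HTTP/$h@$realm" || printf '%s\n' "HTTP/$h@$realm"
    done
}

# check_keytab_perms MODE OWNER GROUP
# Returns 0 only for the 600/squid/squid combination the thread expects,
# since a keytab readable by other users leaks long-term service keys.
check_keytab_perms() {
    [ "$1" = "600" ] && [ "$2" = "squid" ] && [ "$3" = "squid" ]
}

# audit_keytab FILE REALM VIP_HOST OWN_HOST
# Assumed wrapper for a live host: runs klist and stat on FILE and applies
# the two checks above. Requires MIT klist and GNU stat.
audit_keytab() {
    file=$1
    realm=$2
    shift 2
    listing=$(klist -kt "$file") || return 1
    missing=$(missing_principals "$listing" "$realm" "$@")
    if [ -n "$missing" ]; then
        printf 'missing from %s:\n%s\n' "$file" "$missing"
        return 1
    fi
    # shellcheck disable=SC2046
    check_keytab_perms $(stat -c '%a %U %G' "$file") || {
        printf 'bad permissions on %s (want 600 squid:squid)\n' "$file"
        return 1
    }
    printf 'keytab %s ok\n' "$file"
}

# Example run against the constructed listing (no Kerberos tools needed):
# missing_principals "$SAMPLE_KLIST" BPK2.COM proxy.bpk2.com server.bpk2.com
# prints nothing, while substituting vpn.bpk2.com for server.bpk2.com prints
# HTTP/vpn.bpk2.com@BPK2.COM, i.e. server1's keytab would not serve server2's name.
```

Run `audit_keytab /etc/squid/squid.keytab BPK2.COM proxy.bpk2.com "$(hostname -f)"` on each node; a node that passes the principal check but still denies access is the point where Markus's suggestion of running the squid_kerb_auth helper with -d becomes the next step.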
