Re: [squid-users] kerberos and cname

From: Carlos Defoe <carlosdefoe_at_gmail.com>
Date: Fri, 11 Oct 2013 03:10:31 -0300

You have to add principals for each hostname on your keytab
(HTTP/squid01.example.com, HTTP/squid03.example.com,
HTTP/proxy.example.com), creating user or computer accounts to hold
each Kerberos principal. If you're load balancing, copy your keytab
file to all servers.

Then you have to set the flag "GSS_C_NO_NAME" in the helper line at squid.conf.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

On Fri, Oct 11, 2013 at 2:10 AM, Marko Cupać <marko.cupac_at_mimar.rs> wrote:
> I have squid box named squid01.example.com, but all the clients' browsers
> are configured to access it by its CNAME which is proxy.example.com. This
> way I am able to install new server named squidXX, test it, and once
> everything is fine I can change CNAME to point to the new server.
>
> This worked fine when I was switching from no auth to NTLM, but not now
> when I am switching to Kerberos. I have created keytab for
> HTTP/squid03.example.com@EXAMPLE.COM and clients are authenticated fine
> if their browsers are configured with squid03.example.com, but not with
> proxy.example.com.
>
> Is it possible to make Kerberos work with CNAME?
> --
> Marko Cupać
Received on Fri Oct 11 2013 - 06:10:44 MDT
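
A check for the first step of the reply above, added here as an example and not part of the original thread: it reads plain `klist -k` output and lists the HTTP/ principals still missing for the names clients use. The keytab path, the sample listing and the helper path in the closing comment are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `klist -k` output on stdin and
# prints every HTTP/<host>@<REALM> principal that is absent from the keytab.
# Usage: klist -k /path/to/keytab | missing_principals REALM host1 host2 ...
missing_principals() {
    realm=$1; shift
    # Keep only the principal column of the entry lines ("<kvno> <principal>").
    present=$(awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u)
    for host in "$@"; do
        want="HTTP/${host}@${realm}"
        # -x whole line, -F fixed string: dots in hostnames are not wildcards.
        printf '%s\n' "$present" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: a keytab holding only the server's own name,
# the situation described in the original question.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/squid03.example.com@EXAMPLE.COM
   3 HTTP/squid03.example.com@EXAMPLE.COM
EOF
}

# Names a client may have in its proxy setting, taken from the thread.
sample_klist | missing_principals EXAMPLE.COM \
    squid01.example.com squid03.example.com proxy.example.com

# Helper line the reply refers to, using the -s option of Squid's
# negotiate_kerberos_auth helper (helper path is an assumption and
# varies by distribution):
#   auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
```

Run it on every load-balanced server after copying the keytab; empty output means each listed name has an entry.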
