Re: [squid-users] Re: Advices for a squid cluster with kerberos auth
On Fri, 21 May 2010 10:03:57 +0200, Emmanuel Lesouef <e.leso...@crbn.fr> wrote:

> On Thu, 20 May 2010 21:51:08 +0100, Markus Moeller <hua...@moeller.plus.com> wrote:
>
>> It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth).
>>
>> Regards
>> Markus
>
> Understood. Thanks Markus. I didn't know it was possible to have a RR DNS name in the service name.

I'm raising this topic again because it seems that there is a problem creating the keytab:

r...@server1:~# msktutil -c -b CN=COMPUTERS -s HTTP/proxy.xx.yy -h proxy.xx.yy -k /etc/squid/HTTP.keytab --computer-name proxy --upn HTTP/proxy.xx.yy --server dc1.xx.yy --verbose --enctypes 28
[...]
 -- ldap_get_base_dn: Determining default LDAP base: dc=xx,dc=yy
Error: No reverse DNS entry found for %2prox
Error: complete_hostname failed
Error: finalize_exec failed
 -- krb5_cleanup: Destroying Kerberos Context
 -- ldap_cleanup: Disconnecting from LDAP server
 -- init_password: Wiping the computer password structure

Any advice?

-- 
Emmanuel Lesouef
Re: [squid-users] Re: Advices for a squid cluster with kerberos auth
On Thu, 20 May 2010 21:51:08 +0100, Markus Moeller <hua...@moeller.plus.com> wrote:

> It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth).
>
> Regards
> Markus

Understood. Thanks Markus. I didn't know it was possible to have a RR DNS name in the service name.

-- 
Emmanuel Lesouef
Re: [squid-users] Re: Advices for a squid cluster with kerberos auth
Just to add:

Thanks for this. I've successfully got RR working with Kerberos as you said. It's something I've been interested in as well.

My test setup is:

SQUID1.domain.com 10.0.0.1
SQUID2.domain.com 10.0.0.2
RR DNS record SQUIDS.domain.com for each SQUIDx IP
Computer account in UnixPrincipals OU called SQUIDS

msktutil -u -b OU=UnixPrincipals -s HTTP/squids.domain.com -k /etc/squid/HTTP.keytab --computer-name squids --upn HTTP/squids --server dc1 --verbose -h squids.domain.com

Point browser to squids.domain.com.

Has anyone had success using Service Location records in DNS for different sites? I would be interested to hear about it.

On 20/05/2010 21:51, Markus Moeller <hua...@moeller.plus.com> wrote:

> It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth).
>
> Regards
> Markus
>
> Amos Jeffries <squ...@treenet.co.nz> wrote in message news:4bf52c87.9080...@treenet.co.nz...
>
>> Emmanuel Lesouef wrote:
>>
>>> Hello,
>>>
>>> I'm currently satisfied with my round-robin DNS enabled cluster of two Squid with NTLM authentication. But, with the appearance of Windows 7 and Windows 2008, I see by searching for documentation on the web that I need to use Kerberos authentication if I would like Internet Explorer 8 from 2008 or 7 to work.
>>>
>>> Do you have any advice for achieving this setup? What clustering mechanism do you use? Does the Kerberos part of the install need to be customized to support being put in cluster mode (which needs to be defined)?
>>>
>>> Thanks for your help and docs.
>>>
>>> PS: Testing it will be easy so I think I'll enable the Debian Backports repository in order to have 2.7STABLE9.
>>
>> Without having used either, I expect if your clustering setup works with NTLM it will work equally well or better for Kerberos. The two protocols are very much similar, with Kerberos doing away with one of the handshake HTTP reject messages.
>>
>> Amos
>> -- 
>> Please be using
>>   Current Stable Squid 2.7.STABLE9 or 3.1.3
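The two messages above describe the same node-side prerequisites for a round-robin Squid/Kerberos cluster: every node carries a copy of the keytab holding the shared HTTP/RR-DNS-name principal, and msktutil refuses to finish when the host it is given has no reverse DNS entry. The following pre-flight script is an added example, not code from the thread, from Squid or from msktutil. It assumes Nick's names (squids.domain.com, /etc/squid/HTTP.keytab), a GNU/Linux `stat -c` and `getent hosts`, and it treats "each forward address has a PTR record" as the condition behind the "No reverse DNS entry found" error, which is an assumption about msktutil's check rather than something the thread states. The keytab permission check is an extra precaution of my own: the keytab is the service's long-term key and should be readable only by the user Squid's helper runs as.

```shell
#!/bin/sh
# Added example (not part of the squid-users thread): pre-flight checks a
# practitioner can run on each node of a round-robin Squid/Kerberos cluster.
# Assumed names: RR record squids.domain.com, keytab /etc/squid/HTTP.keytab.

RR_NAME="squids.domain.com"
KEYTAB="/etc/squid/HTTP.keytab"
PRINCIPAL="HTTP/${RR_NAME}"

# Constructed sample of `klist -kt` output, used when no keytab is present.
KLIST_SAMPLE='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/21/2010 11:00:00 HTTP/squids.domain.com@DOMAIN.COM
   2 05/21/2010 11:00:00 HTTP/squids.domain.com@DOMAIN.COM
   2 05/21/2010 11:00:00 HTTP/squids.domain.com@DOMAIN.COM'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Succeeds when the listing contains PRINCIPAL@<realm>. The principal is
# matched as a fixed string preceded by a space, as klist prints it.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -qF " $2@"
}

# keytab_mode_ok PATH
# Succeeds when the keytab is not group- or world-readable (0600 or 0400).
# Uses GNU stat; adjust for BSD stat (-f '%Lp') if needed.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Resolver helpers, kept separate so they can be replaced with canned
# answers when testing offline.
lookup_forward() { getent hosts "$1" | awk '{print $1}'; }   # name -> IPs
lookup_reverse() { getent hosts "$1" | awk '{print $2}'; }   # IP -> name

# dns_ptr_ok NAME
# Succeeds when NAME resolves to at least one address and every address
# has a PTR record (assumed to be what msktutil's complete_hostname needs).
# For an RR name the PTRs point at the individual nodes, which is fine.
dns_ptr_ok() {
    addrs=$(lookup_forward "$1") || return 1
    [ -n "$addrs" ] || return 1
    for ip in $addrs; do
        name=$(lookup_reverse "$ip") || return 1
        [ -n "$name" ] || return 1
    done
    return 0
}

# Run all checks against the live host only when invoked with --run, so the
# definitions above can be sourced or tested without touching the system.
if [ "${1:-}" = "--run" ]; then
    if [ -r "$KEYTAB" ] && command -v klist >/dev/null 2>&1; then
        listing=$(klist -kt "$KEYTAB")
    else
        echo "note: using constructed klist sample, no readable keytab found"
        listing="$KLIST_SAMPLE"
    fi
    keytab_has_principal "$listing" "$PRINCIPAL" \
        && echo "PASS keytab holds $PRINCIPAL" \
        || echo "FAIL keytab lacks $PRINCIPAL (copy the same keytab to every node)"
    keytab_mode_ok "$KEYTAB" \
        && echo "PASS keytab mode is 0600/0400" \
        || echo "FAIL keytab is group/world readable or missing"
    dns_ptr_ok "$RR_NAME" \
        && echo "PASS $RR_NAME resolves and every address has a PTR" \
        || echo "FAIL $RR_NAME has an address without a reverse entry"
fi
```

Run it as `sh check-node.sh --run` on each node after copying the keytab; a node where the first check fails is one that will answer the RR name with a principal the browser's ticket was not issued for, unless squid_kerb_auth is started with -s GSS_C_NO_NAME as Markus suggests.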
Re: [squid-users] Re: Advices for a squid cluster with kerberos auth
On Fri, 21 May 2010 11:31:39 +0100, Nick Cairncross <nick.cairncr...@condenast.co.uk> wrote:

> Has anyone had success using Service Location records in DNS for different sites? I would be interested to hear about it.

Service location? DNS discovery with _tcp zones? What are you trying to configure?

-- 
Emmanuel Lesouef
Re: [squid-users] Re: Advices for a squid cluster with kerberos auth
On Fri 2010-05-21 at 11:31 +0100, Nick Cairncross wrote:

> Has anyone had success using Service Location records in DNS for different sites? I would be interested to hear about it.

Do you mean SRV records? HTTP is not yet using an SRV profile, and I don't see it likely that SRV support will generally appear any time soon for HTTP (where soon is a decade), even if most other protocols have by now switched over to using SRV to locate their servers.

Regards
Henrik
[squid-users] Re: Advices for a squid cluster with kerberos auth
It will work with the right setup (e.g. you have to copy the Kerberos keytab to all machines and use the -s HTTP/RR-DNS-name or -s GSS_C_NO_NAME option with squid_kerb_auth).

Regards
Markus

Amos Jeffries <squ...@treenet.co.nz> wrote in message news:4bf52c87.9080...@treenet.co.nz...

> Emmanuel Lesouef wrote:
>
>> Hello,
>>
>> I'm currently satisfied with my round-robin DNS enabled cluster of two Squid with NTLM authentication. But, with the appearance of Windows 7 and Windows 2008, I see by searching for documentation on the web that I need to use Kerberos authentication if I would like Internet Explorer 8 from 2008 or 7 to work.
>>
>> Do you have any advice for achieving this setup? What clustering mechanism do you use? Does the Kerberos part of the install need to be customized to support being put in cluster mode (which needs to be defined)?
>>
>> Thanks for your help and docs.
>>
>> PS: Testing it will be easy so I think I'll enable the Debian Backports repository in order to have 2.7STABLE9.
>
> Without having used either, I expect if your clustering setup works with NTLM it will work equally well or better for Kerberos. The two protocols are very much similar, with Kerberos doing away with one of the handshake HTTP reject messages.
>
> Amos
> -- 
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.3