[squid-users] Re: kerberos authentication with load balancers

2014-08-02 Thread Markus Moeller

Hi Giorgi,

  You do not need to renew the keytab every 30 days. It is more a best
practice to change them after some period, but I think 30 days is a bit too
frequent. In the end you need to determine how high the risk is that
someone got hold of the keytab to impersonate someone else.


Regards
Markus


Re: [squid-users] Re: kerberos authentication with load balancers

2014-07-28 Thread Giorgi Tepnadze
Hello Markus

Thank you very much, everything works now. Only two questions left:
1) Is it necessary to run the commands specified below every 30 days?

msktutil --auto-update --verbose --computer-name proxy1-k
msktutil --auto-update --verbose --computer-name proxy2-k
msktutil --auto-update --verbose --computer-name proxy-k

As I understand it, I should run them on proxy1 and then copy the updated
keytab file to proxy2 every month.

2) Can I use Kerberos somehow to authenticate Skype? All internet
browsers work but Skype doesn't; it only works by specifying user/pass in
its configuration, and I think it uses basic LDAP auth.
When there was NTLM auth it worked, but now I have removed all NTLM from
squid; only Kerberos negotiate and basic are left.

George




[squid-users] Re: kerberos authentication with load balancers

2014-07-26 Thread Markus Moeller

Hi Giorgi,

  It would be

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h proxy1.domain.com \
  -k /root/keytab/PROXY.keytab --computer-name PROXY1-K \
  --upn HTTP/proxy1.domain.com --server addc03.domain.com --verbose --enctypes 28

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h proxy2.domain.com \
  -k /root/keytab/PROXY.keytab --computer-name PROXY2-K \
  --upn HTTP/proxy2.domain.com --server addc03.domain.com --verbose --enctypes 28

and one for the DNS RR record:

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.mia.gov.ge -h proxy1.domain.com \
  -k /root/keytab/PROXY.keytab --computer-name PROXY-K \
  --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

The -h value is not really used, so for the DNS RR you can use either name.

Regards
Markus


Re: [squid-users] Re: kerberos authentication with load balancers

2014-07-25 Thread Giorgi Tepnadze
Hi Markus

Excuse me for posting in an old thread, but I have a small question:

So I have 2 squid servers (proxy1.domain.com and proxy2.domain.com) and
one DNS RR record (proxy.mia.gov.ge). Regarding your recommendation, how
should I create the keytab file?

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy1.domain.com -h proxy1.domain.com \
  -k /root/keytab/PROXY.keytab --computer-name PROXY1-K \
  --upn HTTP/proxy1.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28
msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy2.domain.com -h proxy2.domain.com \
  -k /root/keytab/PROXY.keytab --computer-name PROXY2-K \
  --upn HTTP/proxy2.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

and one for the DNS RR record:

msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy.domain.com -h proxy1.domain.com \
  -k /root/keytab/PROXY.keytab --computer-name PROXY2-K \
  --upn HTTP/proxy.mia.gov.ge --server addc03.domain.com --verbose --enctypes 28

But there is a problem with the last one: which server name should I put in
-s, -h, --upn and --computer-name?

Many Thanks

George
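The msktutil commands discussed in this exchange leave three SPNs (both proxy names and the DNS RR name) in one PROXY.keytab, each with the enctypes that --enctypes 28 implies (RC4-HMAC, AES128, AES256), and that same file has to be copied to proxy2 after every --auto-update. The following Python, added here as an example rather than taken from the thread or from msktutil, parses the version-2 keytab format so that both properties can be verified on each proxy: which etypes every SPN actually has, and whether the two proxies' keytabs still agree on KVNO. The realm DOMAIN.COM, the timestamps and the zeroed key bytes in the sample are constructed; the parser skips key material and returns only names, KVNOs and enctypes.

```python
import struct
from collections import namedtuple

# msktutil --enctypes is AD's msDS-SupportedEncryptionTypes bitmask:
# 0x4 RC4-HMAC (etype 23), 0x8 AES128 (17), 0x10 AES256 (18); 28 = all three.
AD_ENC_BITS = {0x4: 23, 0x8: 17, 0x10: 18}
Entry = namedtuple("Entry", "principal kvno enctype timestamp")

def parse_keytab(data):  # version-2 (0x0502) keytab; key bytes are skipped, never returned
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names, p = [], pos + 2  # counted_octet_strings: realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        _nt, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen  # name_type, timestamp, vno8, keyblock header, then the key itself
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0  # optional; 0 = absent
        entries.append(Entry("/".join(names[1:]) + "@" + names[0], vno32 or vno8, etype, ts))
        pos = end
    return entries
def build_keytab(entries):  # writer with zeroed key bytes: constructed test input only
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm, *comps])
        body += struct.pack(">IIBHH", 1, e.timestamp, e.kvno & 0xFF, e.enctype, 16) + bytes(16)
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", e.kvno)
    return bytes(out)
def missing_enctypes(data, spns, mask=28):  # per SPN, etypes the mask promises but the file lacks
    want = {etype for bit, etype in AD_ENC_BITS.items() if mask & bit}
    have = {}
    for e in parse_keytab(data):
        have.setdefault(e.principal.split("@")[0], set()).add(e.enctype)
    return {spn: sorted(want - have.get(spn, set())) for spn in spns}
def kvno_drift(primary, replica):  # principals whose newest KVNO differs between two keytab files
    # sorted (principal, kvno) pairs fed to dict(): the last, i.e. highest, kvno per principal wins
    a, b = (dict(sorted((e.principal, e.kvno) for e in parse_keytab(d))) for d in (primary, replica))
    return {p: (a.get(p), b.get(p)) for p in a.keys() | b.keys() if a.get(p) != b.get(p)}
SPNS = ["HTTP/proxy1.domain.com", "HTTP/proxy2.domain.com", "HTTP/proxy.mia.gov.ge"]
def sample_keytab(rr_kvno):  # constructed: the thread's three SPNs x mask-28 etypes, RR name at rr_kvno
    return build_keytab([Entry(s + "@DOMAIN.COM", rr_kvno if s == SPNS[2] else 3, et, 1406375700)
                         for s in SPNS for et in (23, 17, 18)])
```

Run missing_enctypes(open("/root/keytab/PROXY.keytab", "rb").read(), SPNS) on each proxy after an --auto-update, and kvno_drift on the two files to catch a copy that was never made; a non-empty result from either is the thing to fix before clients start failing.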




[squid-users] Re: kerberos authentication with load balancers

2014-02-06 Thread Markus Moeller

Hi Joseph,

  It is all possible :-)

  Firstly, I suggest not using the samba tools to create the squid keytab, but
msktutil (see http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos).
Then create a keytab for the loadbalancer name (that is the one configured in IE
or Firefox), use this keytab on both proxy servers, and use
negotiate_kerberos_auth with -s GSS_C_NO_NAME.


 When you say multiple realms, do you have trust between the AD domains or
are they separate? If the domains do not have trust, do you intend to use
the same loadbalancer name for the users of both domains?


Markus



"Joseph Spadavecchia"  wrote in message 
news:2b43c569f8254a4e82c948ce4c247ed5158...@blx-ex01.alba.local...


Hi there,

What is the recommended way to configure Kerberos authentication behind two
load balancers?

AFAIK, based on the mailing lists, I should

1) Create a user account KrbUser on the AD server and add an SPN
HTTP/loadbalancer.example.com for the load balancer
2) Join the domain with Kerberos and kinit
3) net ads keytab add HTTP/loadbalancer.example.com@REALM -U KrbUser
4) update squid.conf with an auth helper like negotiate_kerberos_auth -s
HTTP/loadbalancer.example.com@REALM

Unfortunately, when I try this it fails.

The only way I could get it to work at all was by removing the SPN from the
KrbUser and associating the SPN with the machine trust account (of the proxy
behind the loadbalancer). However, this is not a viable solution since there
are two machines behind the load balancer and AD only allows you to
associate an SPN with one account.

Furthermore, given that I needed step (4) above, is it possible to have load
balanced Kerberos authentication working with multiple realms? If so, then
how?

Many thanks.