Hello Mark,

You can just export the keytab generated on Windows and use it on your proxy; then there is no need to mess with the proxy's account in AD. Overall this is much easier, I believe. See https://www.diladele.com/websafety/docs/authentication/active_directory/kerberos/

It also works pretty nicely with several boxes at once; we use it all the time when testing AD integration, see https://www.diladele.com/websafety/docs/redundancy/haproxy_proxy_protocol/

Hope it helps.

Best regards,
Rafael Akchurin

On 23 Jun 2025, at 12:16, Mark Cairney <mark.cair...@ed.ac.uk> wrote:

> Hi,
>
> Thanks, that makes sense, and as a result I've set the reverse DNS on the 2 hosts to the round-robin DNS name.
>
> RE: the KVNO drift issue, one suggestion was to delete the existing machine account(s) from AD and use ktpass and set the kvno to 0. I'd previously used msktutil (as suggested on https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory) with the 'dont-expire-password' flag, i.e.:
>
>     msktutil -c -h test-squid-cluster.dyn.zone -b 'OU=Managed-Linux-Servers' \
>         --computer-name TESTSQUID -s HTTP/test-squid-cluster.dyn.zone \
>         -k /etc/squid/HTTP.keytab --server domain.controller --realm REALM \
>         --use-service-account --dont-expire-password \
>         --upn HTTP/test-squid-cluster.dyn.zone@REALM
>
> Which is more likely to be reliable (unfortunately I have to use MS AD, as the whole purpose of this proxy is to allow Windows clients to use an authenticated proxy)?
>
> Kind regards,
> Mark
>
> On 19/06/2025 15:21, Amos Jeffries wrote:
>> On 18/06/25 20:49, Mark Cairney wrote:
>>> Hi,
>>>
>>> I've been trying to get Kerberos authentication against AD working but have been seeing inconsistent results/behaviour across multiple OSes, and I'm not sure if the issue lies with the DNS configuration, Kerberos itself or with the Squid config.
>>>
>>> The DNS setup is as follows:
>>>
>>>     test.squid.cluster.            3600 IN CNAME test-squid-cluster.dyn-zone.
>>>     test-squid-cluster.dyn-zone.     60 IN A     1.2.3.4
>>>
>>> Where 1.2.3.4 is the IP of one of the servers in the cluster. The intention is to have multiple Squid servers behind a single DNS name for high availability.
>>
>> FYI, you cannot have multiple CNAMEs for test.squid.cluster pointing at different Squid server names. So this should not be a problem.
>>
>> In Kerberos:
>>  * Set up your keytab entry for HTTP/test-squid-cluster.dyn-zone@REALM.
>>  * Export the HTTP/test-squid-cluster.dyn-zone@REALM keytab to each proxy.
>>
>> In DNS:
>>  * Add as many proxies as you want to test-squid-cluster.dyn-zone with A or AAAA records in DNS.
>>  * Point any domains you want those proxies to be acting as a CDN for to test-squid-cluster.dyn-zone using CNAME in DNS.
>>
>> Cheers
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
>
> --
> /****************************
> Mark Cairney
> ITI Enterprise Services
> Information Services
> University of Edinburgh
> Tel: 0131 650 6565
> Email: mark.cair...@ed.ac.uk
> *******************************/
> The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
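The thread turns on two things going wrong silently: the KVNO held in a proxy's keytab no longer matching what the KDC issues (the "KVNO drift" Mark mentions, which shows up client-side as KRB_AP_ERR_MODIFIED), and the copies of the HTTP/ keytab on the cluster members diverging from one another. The script below is an added example, not code from the thread, from Squid, Diladele or msktutil. It takes the text that `klist -kte /etc/squid/HTTP.keytab` prints on each proxy and the text `kvno HTTP/test-squid-cluster.dyn-zone` prints after a `kinit` as any domain user, and checks both conditions. The principal name is the one from Amos's reply; the klist/kvno output embedded here is constructed sample text shaped like the MIT Kerberos tools' output so the script runs offline, and the "proxy B is one key version behind" situation is made up to show the failing case.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): detect KVNO drift between
# the HTTP/ keytab on each proxy and the key version the KDC currently issues,
# and detect proxies whose keytab copies disagree with each other.
#
# Assumptions: SPN as in the thread; KLIST_* and KVNO_FROM_KDC are CONSTRUCTED
# samples shaped like `klist -kte <keytab>` and `kvno <spn>` output from MIT
# Kerberos. On a real proxy feed in the live output of those two commands.

SPN='HTTP/test-squid-cluster.dyn-zone@REALM'

# Constructed: keytab on proxy A, exported after the last password change.
KLIST_PROXY_A='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 06/23/2025 10:02:11 HTTP/test-squid-cluster.dyn-zone@REALM (aes256-cts-hmac-sha1-96)
   4 06/23/2025 10:02:11 HTTP/test-squid-cluster.dyn-zone@REALM (aes128-cts-hmac-sha1-96)'

# Constructed: keytab on proxy B still holds the previous key version.
KLIST_PROXY_B='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/19/2025 15:40:02 HTTP/test-squid-cluster.dyn-zone@REALM (aes256-cts-hmac-sha1-96)
   3 06/19/2025 15:40:02 HTTP/test-squid-cluster.dyn-zone@REALM (aes128-cts-hmac-sha1-96)'

# Constructed: what `kvno` reports after fetching a service ticket from the KDC.
KVNO_FROM_KDC='HTTP/test-squid-cluster.dyn-zone@REALM: kvno = 4'

# keytab_kvnos KLIST_OUTPUT -> distinct KVNOs the keytab holds for $SPN, sorted.
# Column 4 is the principal in `klist -kte` output (KVNO, date, time, principal).
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v spn="$SPN" '$4 == spn { print $1 }' | sort -u
}

# kdc_kvno KVNO_OUTPUT -> the key version the KDC is issuing for $SPN right now.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v spn="$SPN" '$1 == (spn ":") && $2 == "kvno" { print $4 }'
}

# keytab_matches_kdc KLIST_OUTPUT KVNO_OUTPUT -> 0 if the keytab contains the
# KDC's current KVNO, 1 if not (that proxy cannot decrypt fresh service tickets).
keytab_matches_kdc() {
    want=$(kdc_kvno "$2")
    [ -n "$want" ] || return 1
    keytab_kvnos "$1" | grep -qx "$want"
}

# same_kvno_set KLIST_A KLIST_B -> 0 if both proxies hold the same KVNOs for
# $SPN (one keytab exported once and copied, as Amos suggests), 1 otherwise.
same_kvno_set() {
    [ "$(keytab_kvnos "$1")" = "$(keytab_kvnos "$2")" ]
}

main() {
    if same_kvno_set "$KLIST_PROXY_A" "$KLIST_PROXY_B"; then
        echo "OK: both proxies hold the same KVNO for $SPN"
    else
        echo "DRIFT: proxies hold different KVNOs for $SPN" >&2
    fi
    for name in A B; do
        eval "kt=\$KLIST_PROXY_$name"
        if keytab_matches_kdc "$kt" "$KVNO_FROM_KDC"; then
            echo "proxy $name: keytab matches KDC kvno $(kdc_kvno "$KVNO_FROM_KDC")"
        else
            echo "proxy $name: STALE keytab (holds kvno $(keytab_kvnos "$kt" | tr '\n' ' ')), re-export it" >&2
        fi
    done
}

main
```

Run it after any ktpass or msktutil operation and after copying the keytab to a new cluster member; a "STALE" line means clients sent to that member by the round-robin record will fail intermittently even though the others work, which is exactly the "inconsistent behaviour" the original post describes.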