Thanks Nick,
That's what I was afraid of, I'll look into HA for this.
Regards,
Essad
On 23 Mar 2011, at 16:43, Nick Cairncross <Nick.Cairncross_at_condenast.co.uk> wrote:
>>
>> Hi All,
>>
>> We have two squid proxies running the same config, I want to implement
>> a round robin dns solution, so that the browser points to one hostname
>> entry, and is being directed to one of the two servers.
>>
>> Before that I've fully configured the squid proxy server so that it
>> works with squid_kerb_auth and squid_kerb_ldap, it works fine, but
>> when I enabled round robin dns, I noticed that users weren't being
>> authenticated by kerberos, instead it tried to use NTLM, which also
>> failed and eventually get a login box (basic).
>>
>> I'm guessing that the browser parses the dns entry which is configured
>> as proxy to squid_kerb_auth, which then tries to use that principal
>> name to authenticate? Because it's 1 dns entry for two hostnames I
>> can't give them both that hostname right?
>>
>> Is there another way to configure this?
>>
>> Relevant Squid Configuration:
>> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s host/proxy1.example.com@EXAMPLE.COM
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>>
>> auth_param ntlm program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 10
>> auth_param basic program /usr/bin/ntlm_auth -d 1 --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>> Proxy 2 has the same config, apart from the -s option for
>> squid_kerb_auth which is proxy2.example.com@EXAMPLE.COM
>> Also even if I don't provide a service principal name, it doesn't work
>> (Also with HTTP principals).
>>
>> When I start a browser which points to the round robin dns fqdn
>> (centralproxy.example.com) and go to which server it's being diverted
>> to, I can see this in the logs:
>>
>> 2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Got 'YR
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid
>> (length: 59).
>> 2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Decode
>> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' (decoded
>> length: 40).
>> 2011/03/23 14:24:53| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/03/23 14:24:53| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>>
>> If I change the browser to point directly to that proxy server, it
>> works like a charm.
>>
>> Is there a way to fix this? Can round robin dns be used with
>> squid_kerb_auth?
>>
>> Thanks for your time.
>> Regards,
>> Essad
>
> I believe that this isn't possible due to the DNS/hostname/IP resolution
> as you describe. Kerberos is very specific on these requirements when
> doing its forward and reverse look-ups/using the SPNs. One option could
> be to use a PAC/WPAD file and specify your multiple proxies in there... not
> really ideal, just a thought.
> May be possible with some sort of HA/load-balancing, where you can pool
> hostnames.
>
Received on Wed Mar 23 2011 - 18:20:00 MDT
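
The helper log quoted in this thread shows the Negotiate helper being handed an NTLM type 1 message rather than a Kerberos ticket. The following is an added diagnostic example, not code from the thread or from the Squid project: it decodes the token in each `Got 'YR ...'` debug line and reports which mechanism the browser actually sent. The log line format is taken from the quoted log; the SPNEGO line is constructed for comparison.

```python
import base64
import re

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
# Matches the helper debug line format quoted in the thread (unwrapped).
GOT_LINE = re.compile(
    r"squid_kerb_auth: DEBUG: Got '(?:YR|KK)\s+([A-Za-z0-9+/=]+)' from squid")

def classify_token(b64_token):
    """Return (mechanism, detail, decoded_length) for a Negotiate token."""
    raw = base64.b64decode(b64_token, validate=True)
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        # Bytes 8..11: little-endian NTLM message type (1 = negotiate).
        return ("ntlm", int.from_bytes(raw[8:12], "little"), len(raw))
    if raw[:1] == b"\x60":  # GSS-API initial context token
        if SPNEGO_OID in raw[:16]:
            return ("spnego", None, len(raw))
        if KRB5_OID in raw[:20]:
            return ("kerberos", None, len(raw))
    return ("unknown", None, len(raw))

def scan_log(lines):
    """Classify every token the helper logged; skip unrelated lines."""
    results = []
    for line in lines:
        m = GOT_LINE.search(line)
        if m:
            results.append(classify_token(m.group(1)))
    return results

# Constructed SPNEGO-shaped token: header and mechanism OID only, no ticket.
SPNEGO_STUB = base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()

SAMPLE_LOG = [
    # From the thread's log, with the mail line-wrap removed.
    "2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Got 'YR "
    "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid (length: 59).",
    "2011/03/23 14:24:53| squid_kerb_auth: WARNING: received type 1 NTLM token",
    # Constructed line for comparison.
    "2011/03/23 14:30:00| squid_kerb_auth: DEBUG: Got 'YR "
    + SPNEGO_STUB + "' from squid (length: 19).",
]

if __name__ == "__main__":
    for mech, detail, size in scan_log(SAMPLE_LOG):
        print(mech, detail, size)
```
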