Fwd: [squid-users] Re: Re: kerberos auth failing behind a load balancer

From: Sean Boran <sean_at_boran.com>
Date: Tue, 26 Mar 2013 13:35:55 +0100

Hi,

FYI ... I got the two squids working behind the (Kemp) load balancer
with Kerberos auth.

Procedure:
0. myproxy.vptt.ch points to the IP of the load balancer. This is
referenced in wpad.dat or browser settings. Squid runs on port 80, so
the URL of the proxy is http://myproxy.ch:80

1. Create an AD service account;
  let's call it my-kerb.
2. Add an SPN for the LB to that AD account. Did this on Windows:
setspn -S http/myproxy.ch my-kerb

3. Create a keytab on each squid:
rm /etc/krb5.keytab
net ads keytab CREATE HTTP -U my-kerb

ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: addent -password -p HTTP/myproxy.ch -k 5 -e rc4-hmac   (use the my-kerb passwd)
ktutil: wkt /etc/krb5.keytab

chmod 644 /etc/krb5.keytab (or use a group to allow the squid user
to read it).

Regards,

Sean Boran
Received on Tue Mar 26 2013 - 12:36:02 MDT
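
Added example, not part of the original message: a shell check for the keytab produced in step 3, confirming that it is not world-readable (the group-based alternative the message mentions) and that it holds an entry for the load balancer SPN. The realm EXAMPLE.COM, the host principal and the sample klist output are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Squid keytab built with the procedure above.
# EXAMPLE.COM and the sample klist output below are constructed placeholders.

# Return 0 if the file is readable by "other" (for example mode 644).
keytab_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Print the KVNO(s) stored for a principal, reading `klist -k` output on stdin.
# The match is exact on the name before "@"; MIT Kerberos compares keytab
# principal names case-sensitively, so HTTP/... and http/... are different entries.
keytab_kvnos() {
    awk -v spn="$1" '
        $1 ~ /^[0-9]+$/ {
            split($2, p, "@")
            if (p[1] == spn) print $1
        }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# usage: audit_keytab /etc/krb5.keytab HTTP/myproxy.ch
audit_keytab() {
    rc=0
    if keytab_world_readable "$1"; then
        echo "WARN: $1 is world-readable; any local user can copy the service key"
        rc=1
    fi
    kv=$(klist -k "$1" 2>/dev/null | keytab_kvnos "$2")
    if [ -z "$kv" ]; then
        echo "FAIL: no entry for $2 in $1"
        rc=1
    else
        echo "OK: $2 present with kvno $kv"
    fi
    return $rc
}

# Constructed sample of `klist -k` output, so the parser can be tried offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/squid1.example.com@EXAMPLE.COM
   5 HTTP/myproxy.ch@EXAMPLE.COM'
```

Run `audit_keytab /etc/krb5.keytab HTTP/myproxy.ch` on each Squid host; the reported kvno should be the same on both and match the key version of the my-kerb account in AD.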
