Thanks Nick, that's what I was afraid of. I'll look into HA for this.

Regards,
Essad

On 23 Mar. 2011, at 16:43, Nick Cairncross <[email protected]> wrote:

>> Hi All,
>>
>> We have two squid proxies running the same config. I want to implement
>> a round robin DNS solution, so that the browser points to one hostname
>> entry and is being directed to one of the two servers.
>>
>> Before that I've fully configured the squid proxy server so that it
>> works with squid_kerb_auth and squid_kerb_ldap. It works fine, but
>> when I enabled round robin DNS, I noticed that users weren't being
>> authenticated by Kerberos; instead it tried to use NTLM, which also
>> failed, and eventually got a login box (basic).
>>
>> I'm guessing that the browser parses the DNS entry which is configured
>> as proxy to squid_kerb_auth, which then tries to use that principal
>> name to authenticate? Because it's 1 DNS entry for two hostnames I
>> can't give them both that hostname, right?
>>
>> Is there another way to configure this?
>>
>> Relevant Squid Configuration:
>> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -d -s
>> host/[email protected]
>> auth_param negotiate children 10
>> auth_param negotiate keep_alive on
>>
>> auth_param ntlm program /usr/bin/ntlm_auth -d 1
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 10
>> auth_param basic program /usr/bin/ntlm_auth -d 1
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>> Proxy 2 has the same config, apart from the -s option for
>> squid_kerb_auth which is [email protected]
>> Also, even if I don't provide a service principal name, it doesn't work
>> (also with HTTP principals).
>>
>> When I start a browser which points to the round robin DNS FQDN
>> (centralproxy.example.com) and go to whichever server it's being diverted
>> to, I can see this in the logs:
>>
>> 2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Got 'YR
>> TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' from squid
>> (length: 59).
>> 2011/03/23 14:24:53| squid_kerb_auth: DEBUG: Decode
>> 'TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==' (decoded
>> length: 40).
>> 2011/03/23 14:24:53| squid_kerb_auth: WARNING: received type 1 NTLM token
>> 2011/03/23 14:24:53| authenticateNegotiateHandleReply: Error
>> validating user via Negotiate. Error returned 'BH received type 1 NTLM
>> token'
>>
>> If I change the browser to point directly to that proxy server, it
>> works like a charm.
>>
>> Is there a way to fix this? Can round robin DNS be used with
>> squid_kerb_auth?
>>
>> Thanks for your time.
>> Regards,
>> Essad
>
> I believe that this isn't possible due to the DNS/hostname/IP resolution
> as you describe. Kerberos is very specific on these requirements when
> doing its forward and reverse look-ups/using the SPNs. One option could
> be to use a PAC/WPAD file and specify your multiple proxies in there... not
> really ideal, just a thought.
> May be possible with some sort of HA/load-balancing, where you can pool
> hostnames.
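Nick's PAC/WPAD suggestion, as an added example that is not part of the thread: the browser is handed the real proxy hostnames rather than the round-robin alias, so the Negotiate ticket it requests is for the name each proxy's squid_kerb_auth actually holds a key for, while a hash still spreads load across both proxies and the second entry gives failover. The hostnames proxy1/proxy2.example.com and port 3128 are assumptions.

```javascript
// Constructed PAC file: explicit proxy hostnames instead of the
// centralproxy.example.com round-robin alias, so Kerberos SPNs match.
var PROXIES = [
  "proxy1.example.com:3128",   // assumed hostname of proxy 1
  "proxy2.example.com:3128"    // assumed hostname of proxy 2
];

// djb2-style string hash: the same destination host always prefers the
// same proxy, which spreads load without DNS round robin and keeps a
// site's cached objects on one proxy.
function hashString(s) {
  var h = 5381;
  for (var i = 0; i < s.length; i++) {
    h = ((h * 33) ^ s.charCodeAt(i)) >>> 0;   // keep as unsigned 32-bit
  }
  return h;
}

// Build the PAC return value: preferred proxy first, the other one as
// failover so an outage of one proxy does not stop browsing.
function proxyListFor(key) {
  var first = hashString(key) % PROXIES.length;
  var parts = [];
  for (var i = 0; i < PROXIES.length; i++) {
    parts.push("PROXY " + PROXIES[(first + i) % PROXIES.length]);
  }
  return parts.join("; ");
}

// Entry point every PAC-capable browser calls.
function FindProxyForURL(url, host) {
  // Keep plain intranet names and loopback direct; adjust to the real site.
  if (host.indexOf(".") === -1) { return "DIRECT"; }
  if (host === "localhost" || host.indexOf("127.") === 0) { return "DIRECT"; }
  return proxyListFor(host);
}
```

Browsers fall through to the next PROXY entry when the first one is unreachable, so both proxies stay in use and each is addressed by its own hostname.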
