> hello,
>
> Switching from NTLM certification to Kerberos certification.
> Sure enough, I'm in trouble.
>
> Kerberos authentication doesn't work.
> Please let me know if there is a mistake in the settings.
>
>
> SPN creation
> WINTEST (Active Directory)
> ktpass.exe /princ HTTP/c0528004l.wintest.example.co...@wintest.example.co.jp /mapuser s139821ad...@wintest.example.co.jp /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 20201002 /out C:\squid.keytab
>
>
> PTR record setting
> # nslookup 10.217.192.22
> 22.192.217.10.in-addr.arpa name = c0528004l.wintest.example.co.jp.
>
>
> # klist
> Ticket cache: KCM:1001
> Default principal: lx17070028ad...@win.example.co.jp
>
> Valid starting       Expires              Service principal
> 10/12/2020 16:05:10  10/13/2020 02:04:04  ldap/a9413001l.win.example.co...@win.example.co.jp
>         renew until 10/13/2020 02:04:04
> 10/12/2020 16:04:04  10/13/2020 02:04:04  krbtgt/win.example.co...@win.example.co.jp
>         renew until 10/13/2020 02:04:04
> 10/12/2020 16:07:21  10/13/2020 02:04:04  ldap/a9401002l.win.example.co...@win.example.co.jp
>         renew until 10/13/2020 02:04:04
>
>
> config setting
> /etc/squid/squid.conf
> # Kerberos Auth
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/c0528004l.wintest.example.co...@wintest.example.co.jp
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
> acl kerb-auth proxy_auth REQUIRED
> http_access allow kerb-auth
>
> ---> I get a Windows security pop-up in IE.
>
>
> error message
> /var/log/squid/cache.log
> 2020/10/12 20:06:31 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Service key not available; }}
>
>
> Create SPN from server
> c0528004l (CentOS 8.1)
> # net ads keytab create -U s139821ad...@wintest.example.co.jp
> Warning: "kerberos method" must be set to a keytab method to use keytab functions.
> Enter s139821ad...@wintest.example.co.jp's password:
> ads_keytab_open: Invalid kerberos method set (0)
>
> ---> An error occurs and the keytab cannot be created.
>
>
> Please let me know if you have any other information you need.
>
> Hi Eliezer,
>
> docker is already installed.
> We are considering a configuration of at least 6 servers.
> Whether it will be 8 or 10 has not been verified.
>
>
> thank you,
> kitamura
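The cache.log error quoted above, "Service key not available", is what gss_accept_sec_context() reports when the keytab given to negotiate_kerberos_auth with -k holds no key matching the service principal in the client's ticket (same name, realm and enctype, and a usable kvno). The Python below is an added example, not code from the poster or from Squid: it parses an MIT-format keytab and does the exact-match lookup the GSS library performs, against a constructed keytab whose host name and realm (proxy.example.test, EXAMPLE.TEST) are placeholders rather than the poster's names.

```python
import struct

# Constructed sample entries (principal, kvno, enctype, key); placeholder host and realm.
AES256 = 18  # aes256-cts-hmac-sha1-96, the enctype ktpass /crypto AES256-SHA1 writes
SAMPLE_ENTRIES = [("HTTP/proxy.example.test@EXAMPLE.TEST", 3, AES256, bytes(32))]

def build_keytab(entries) -> bytes:
    """Serialise entries in MIT keytab format version 2 (magic 0x0502)."""
    out = b"\x05\x02"
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        strs = [realm.encode()] + [c.encode() for c in comps]   # realm, then components
        body = struct.pack(">H", len(comps)) + b"".join(struct.pack(">H", len(s)) + s for s in strs)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes):
    """Return [{principal, kvno, enctype}] for every live entry of a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab format version 2 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # <0: deleted slot to skip over; 0: nothing more
            pos = pos - size if size else len(data)
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strs = []
        for _ in range(ncomp + 1):     # realm comes first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strs.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        realm, comps = strs[0], strs[1:]
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def find_service_key(data: bytes, spn: str):
    """Exact-match lookup: names are case-sensitive, so http/host is not HTTP/host."""
    return [e for e in parse_keytab(data) if e["principal"] == spn]
```

The principal list this prints is the same one `klist -kt /etc/squid/squid.keytab` shows; the SPN looked up must equal, in case and realm, the HTTP/host name the browser derives from the proxy's hostname.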
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users