hi all,

Good news. I was able to solve the problem yesterday.
I created a keytab for haproxy and added the following option to negotiate_kerberos_auth in squid.conf.

-s GSS_C_NO_NAME

(squid.conf)
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/krb5.keytab -s HTTP/c0528004l.wintest.example.co...@wintest.example.co.jp -s GSS_C_NO_NAME

Kerberos authentication is also possible on the load balancer backend server.

Thank you,
kitamura

On Mon, Oct 12, 2020 at 20:31 m k <tamurin0...@gmail.com> wrote:
> hello,
>>
>> Switching from NTLM certification to Kerberos certification.
>> Sure enough, I'm in trouble.
>>
>> Kerberos authentication doesn't work.
>> Please let me know if there is a mistake in the settings.
>>
>>
>> SPN creation
>> WINTEST(Active Directory)
>> ktpass.exe /princ HTTP/c0528004l.wintest.example.co...@wintest.example.co.jp /mapuser s139821ad...@wintest.example.co.jp /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 20201002 /out C:\squid.keytab
>>
>>
>> PTR record setting
>> # nslookup 10.217.192.22
>> 22.192.217.10.in-addr.arpa name = c0528004l.wintest.example.co.jp.
>>
>>
>> # klist
>> Ticket cache: KCM:1001
>> Default principal: lx17070028ad...@win.example.co.jp
>>
>> Valid starting       Expires              Service principal
>> 10/12/2020 16:05:10  10/13/2020 02:04:04  ldap/a9413001l.win.example.co...@win.example.co.jp
>>         renew until 10/13/2020 02:04:04
>> 10/12/2020 16:04:04  10/13/2020 02:04:04  krbtgt/win.example.co...@win.example.co.jp
>>         renew until 10/13/2020 02:04:04
>> 10/12/2020 16:07:21  10/13/2020 02:04:04  ldap/a9401002l.win.example.co...@win.example.co.jp
>>         renew until 10/13/2020 02:04:04
>>
>>
>> config setting
>> /etc/squid/squid.conf
>> # Kerberos Auth
>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/c0528004l.wintest.example.co...@wintest.example.co.jp
>> auth_param negotiate children 20
>> auth_param negotiate keep_alive on
>> acl kerb-auth proxy_auth REQUIRED
>> http_access allow kerb-auth
>>
>> ---> I get a Windows security pop-up in IE.
>>
>>
>> error message
>> /var/log/squid/cache.log
>> 2020/10/12 20:06:31 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Service key not available; }}
>>
>>
>> Create SPN from server
>> c0528004l(CentOS8.1)
>> # net ads keytab create -U s139821ad...@wintest.example.co.jp
>> Warning: "kerberos method" must be set to a keytab method to use keytab functions.
>> Enter s139821ad...@wintest.example.co.jp's password:
>> ads_keytab_open: Invalid kerberos method set (0)
>>
>> ---> An error occurs and keytab cannot be created.
>>
>>
>> Please let me know if you have any other information you need.
>>
>> Hi Eliezer,
>>
>> docker is already installed.
>> We are considering a configuration of at least 6 servers.
>> Whether it will be 8 or 10 has not been verified.
>>
>>
>> thank you,
>> kitamura
>>
>>
>>
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
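The thread's failure ("Service key not available") and its fix (a keytab entry for the load balancer name plus -s GSS_C_NO_NAME) come down to one question: for every hostname a browser might put in the proxy setting, does the keytab hold HTTP/<host>@<REALM>, and is the helper allowed to use it? The script below is an added example, not part of the mailing-list post or of Squid itself. It parses a constructed `klist -kt` listing and a constructed `auth_param negotiate program` line (hostnames squid1/proxy-vip/squid2.example.test and realm EXAMPLE.TEST are placeholders, not the poster's systems), and it models the helper the way the thread implies: a missing keytab entry gives the "no keytab key" error seen in cache.log, a single -s pins the helper to that one name, and -s GSS_C_NO_NAME lets it use any key in the keytab. That model of -s is my reading of the thread and of the helper's option, not text from the post.

```python
import shlex
from typing import Dict, List, Set

# Constructed sample of `klist -kt /etc/krb5.keytab` output (placeholder hosts and realm).
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/12/2020 18:02:11 HTTP/squid1.example.test@EXAMPLE.TEST
   3 10/12/2020 18:02:11 HTTP/proxy-vip.example.test@EXAMPLE.TEST
"""

# Constructed squid.conf lines: the pinned form from the first post, then the working form.
CONF_BEFORE = ("auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth"
               " -k /etc/krb5.keytab -s HTTP/squid1.example.test@EXAMPLE.TEST")
CONF_AFTER = CONF_BEFORE + " -s GSS_C_NO_NAME"

# Names a browser could be pointed at: the node itself, the haproxy VIP, a second node.
CLIENT_HOSTNAMES = ["squid1.example.test", "proxy-vip.example.test", "squid2.example.test"]
REALM = "EXAMPLE.TEST"


def parse_keytab_listing(text: str) -> Set[str]:
    """Return every principal in `klist -kt` output; entry lines begin with a numeric KVNO."""
    principals = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():
            principals.add(parts[-1])
    return principals


def parse_helper_options(conf_line: str) -> Dict[str, object]:
    """Extract the -k keytab path and all -s service names from the helper command line."""
    tokens = shlex.split(conf_line)
    if tokens[:3] != ["auth_param", "negotiate", "program"]:
        raise ValueError("not an 'auth_param negotiate program' line")
    keytab = None
    service_names: List[str] = []
    args = tokens[4:]  # skip the helper binary path itself
    i = 0
    while i < len(args):
        if args[i] == "-k" and i + 1 < len(args):
            keytab = args[i + 1]
            i += 2
        elif args[i] == "-s" and i + 1 < len(args):
            service_names.append(args[i + 1])
            i += 2
        else:
            i += 1
    return {"keytab": keytab, "service_names": service_names}


def check_spn_coverage(conf_line: str, klist_text: str,
                       hostnames: List[str], realm: str) -> Dict[str, str]:
    """Classify each client-facing hostname:
    'ok'            key present and the helper may use it
    'no keytab key' nothing in the keytab for HTTP/<host>@<REALM>  (-> 'Service key not available')
    'not accepted'  key present, but -s pins the helper to a different principal
    """
    in_keytab = parse_keytab_listing(klist_text)
    opts = parse_helper_options(conf_line)
    accept_any = "GSS_C_NO_NAME" in opts["service_names"]
    report = {}
    for host in hostnames:
        spn = f"HTTP/{host}@{realm}"
        if spn not in in_keytab:
            report[host] = "no keytab key"
        elif accept_any or spn in opts["service_names"]:
            report[host] = "ok"
        else:
            report[host] = "not accepted"
    return report


if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, check_spn_coverage(conf, SAMPLE_KLIST_KT, CLIENT_HOSTNAMES, REALM))
```

Run against a real host, replace SAMPLE_KLIST_KT with the output of `klist -kt <keytab>` and CONF_BEFORE with the live squid.conf line; any hostname reported as "no keytab key" is one that clients behind the load balancer will still fail on, regardless of the -s setting.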