[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

L.P.H. van Belle belle at bazuin.nl
Fri Jul 24 10:31:31 UTC 2020

Hi Rafael,

First, thank you for maintaining Diladele; each time I read them,
I learn something :-) As usual, your manuals look great.

I have a few suggestions, if I may point these out, just a small update for the site.

This part, the krb5.conf, should be updated with:

; for Windows 2008+ with AES support (you might want to remove rc4 and des; they are there for compatibility)
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Some tutorials describing integration of Squid with Active Directory rely on creating a special computer account in AD for the same goal. Unfortunately, it ties the proxy machine to Active Directory and prevents us from making and restoring VM snapshots, because the restored snapshot loses the AD join state and needs to be rejoined manually.

Well, all I can say here is, this works fine for me, but I understand where it's coming from.
As you're pointing out, yes, I did use a "user" account also in the past.
But if samba/winbind is set up correctly with its hostname, and you use CNAMEs for the proxy's service name,
then after a backup/restore of a VM, when samba/winbind starts, winbind handles the "computername" keytab and its password.
Squid has its own keytab file and CNAME and is untouched.

Resulting in: you can restore a VM. I do this on XenServers; I suggest you give it a try.
But note, I don't have HAProxy running (yet), so I can't say anything about that part.
The logical parts should be the same (hostname A and PTR records, and CNAMEs for services).

The COMPUTER needs A and PTR records (this is the real hostname).
Now you can set up any CNAME SPN for the proxy's "ServiceName".
You can use either the computer account or a separate account for the Squid CNAME-ed SPNs,
as long as these are findable somewhere in AD.

You might want to test this; this setup removed the need for ktpass on Windows,
which was always giving problems on my side.

And last, if winbind is used and you want to add an automounted homedir with NFS or CIFS,
then half of the work is already done.
It basically only needs: nfs-common nfs4-acl-tools
And:
net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator
net ads keytab add_update_ads cifs/$(hostname -f) -U Administrator

The HAProxy setup, well, that's next on my list;
I saw something I liked and don't have it running yet.
Learning a lot here. :-)

The main difference between your setup and mine: I don't have any Windows servers.
I'm running fully on Samba AD-DCs and member servers, and my client PCs are Windows 10.

I hope I could give you some ideas here and people can use them.
If you have questions, just ask. 



> -----Original Message-----
> From: squid-users 
> [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of 
> Rafael Akchurin
> Sent: Friday, 24 July 2020 11:39
> To: Brett Lymn; Klaus Brandl
> CC: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Problem with HAProxy + Squid 
> 4.11 + Kerberos authentication
> Hello Klaus, Brett, all list members,
> This is the scheme with haproxy and Squid we use all the time 
> in our test lab for Web Safety - we need to constantly 
> add/remove test nodes to the cluster without 
> breaking/changing anything in Kerberos settings for the 
> constantly running client pool - 
> https://docs.diladele.com/administrator_guide_stable/active_di
> rectory_extra/redundancy/haproxy_proxy_protocol.html
> And yes we do *not* use computer account, we use *user* 
> account instead.
> See the reasoning  in the tutorial.
> Best regards,
> Rafael Akchurin
> Diladele B.V.
> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> 
> On Behalf Of Brett Lymn
> Sent: Friday, July 24, 2020 2:23 AM
> To: Klaus Brandl <klaus_brandl at genua.de>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Problem with HAProxy + Squid 4.11 
> + Kerberos authentication
> On Thu, Jul 23, 2020 at 06:07:39PM +0200, Klaus Brandl wrote:
> > 
> > But if anyone knows a solution, i will spread my ears :)
> > 
> What we do is:
> 1) create a user account in AD that will be used for the HA 
> front end, set a password and export the keytab for this user
> 2) Use ktadmin to import the keytab entries for the user 
> created in step
> 1 into the keytab for squid on the squid servers.
> 3) Set a SPN (setspn) in AD that maps HTTP://ha.fqdn.address 
> to the user created in 1
> The SPN (service principal name) tells kerberos to use the 
> user details set up in step 1 to authenticate http requests.  
> This works for us, has been for years.
> One thing, if you want to know the IP addresses of your 
> clients in the squid logs you will need to do some extra 
> stuff because all accesses will appear to come from the HA 
> loadbalancer.  We have configured our load balancers to 
> insert the X-Forwarded-For header into the http traffic and 
> then modified the logging to log both the load balancer and client IP.
> --
> Brett Lymn
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
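An added example, not part of the post above and not code from Squid, Samba or Diladele, that turns two of the points in the message into a script a practitioner can run: is the CNAME service principal actually present in Squid's own keytab, and do the keytab and the krb5.conf enctype lists still carry the rc4/des types that the quoted comment says are only there for compatibility. The names (proxy.example.com as the CNAME, squid01.example.com as the member server's real hostname, EXAMPLE.COM, /etc/squid/squid.keytab), the sample `klist -kte` listing and the krb5.conf fragment are constructed assumptions; the listing uses MIT krb5's layout, in which rc4 keys show up as arcfour-hmac.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from Squid/Samba/Diladele.
# Offline sanity checks for the layout described in the post: the Squid
# service runs under a CNAME SPN in its own keytab, and krb5.conf still lists
# rc4/des enctypes "for compatibility". All inputs below are constructed so
# the script runs without a domain; on a real member server you would feed
# it `klist -kte /etc/squid/squid.keytab` and /etc/krb5.conf.

# Hypothetical names (assumption): proxy.example.com is the CNAME clients use,
# squid01.example.com is the member server's real hostname (A + PTR record).
PROXY_SPN="HTTP/proxy.example.com@EXAMPLE.COM"

# Constructed `klist -kte` output in MIT krb5 format (enctype in parentheses,
# rc4 shown as arcfour-hmac); Heimdal prints a different layout.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 07/24/20 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 07/24/20 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 07/24/20 10:00:00 HTTP/proxy.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed krb5.conf fragment using the enctype lines quoted in the post.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5'

# spn_in_keytab LISTING SPN: succeeds if the service principal has at least one key.
spn_in_keytab() {
    printf '%s\n' "$1" | grep -q -F " $2 "
}

# keytab_weak_enctypes LISTING: prints each rc4/des enctype found, one per line.
keytab_weak_enctypes() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p' \
        | grep -E -i 'arcfour|rc4|des-cbc' | sort -u
}

# krb5conf_weak_enctypes CONF: prints "<setting> <enctype>" for every rc4/des
# entry in the *_enctypes lines.
krb5conf_weak_enctypes() {
    printf '%s\n' "$1" | awk '
        /_enctypes *=/ {
            split($0, kv, "=")
            sub(/^[ \t]+/, "", kv[1]); sub(/[ \t]+$/, "", kv[1])
            n = split(kv[2], types, " ")
            for (i = 1; i <= n; i++)
                if (types[i] ~ /^(rc4|arcfour|des-cbc)/) print kv[1], types[i]
        }'
}

# harden_krb5conf CONF: same config with rc4/des removed from the enctype lists
# (the "remove rc4 and des" step the post suggests); all other lines untouched.
harden_krb5conf() {
    printf '%s\n' "$1" | awk '
        /_enctypes *=/ {
            split($0, kv, "=")
            sub(/[ \t]+$/, "", kv[1])
            n = split(kv[2], types, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (types[i] !~ /^(rc4|arcfour|des-cbc)/) out = out " " types[i]
            print kv[1] " =" out
            next
        }
        { print }'
}

# check_proxy_keytab LISTING SPN: 0 = SPN present with AES-only keys,
# 1 = SPN missing (Squid cannot accept tickets for it), 2 = present but weak keys.
check_proxy_keytab() {
    if ! spn_in_keytab "$1" "$2"; then
        echo "FAIL: $2 not in keytab; add it with net ads keytab add_update_ads"
        return 1
    fi
    weak=$(keytab_weak_enctypes "$1")
    if [ -n "$weak" ]; then
        echo "WARN: $2 has weak enctypes: $(printf '%s' "$weak" | tr '\n' ' ')"
        return 2
    fi
    echo "OK: $2 present, AES keys only"
    return 0
}

# Report on the constructed samples; the functions above carry the status codes.
status=0
check_proxy_keytab "$SAMPLE_KEYTAB_LISTING" "$PROXY_SPN" || status=$?
echo "keytab check exit status: $status"
krb5conf_weak_enctypes "$SAMPLE_KRB5_CONF" | sed 's/^/krb5.conf weak: /'
echo "--- hardened [libdefaults] enctype lines ---"
harden_krb5conf "$SAMPLE_KRB5_CONF" | grep _enctypes
```

Run it as-is to see the report on the samples; on a member server replace the two SAMPLE_ variables with `$(klist -kte /etc/squid/squid.keytab)` and `$(cat /etc/krb5.conf)`. The two checks are deliberately separate: the krb5.conf lists govern what this host requests and accepts, while the keys stored for the SPN are what Squid can actually decrypt tickets with, so after removing rc4/des from krb5.conf it is worth confirming the keytab agrees rather than assuming it does.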
