[squid-users] I want to know the concerns of load testing

m k tamurin0525 at gmail.com
Thu Oct 15 23:53:15 UTC 2020


hi all,

Good news.
I was able to solve the problem yesterday.
I created a keytab for haproxy and added the following option to
negotiate_kerberos_auth in squid.conf.

-s GSS_C_NO_NAME

(squid.conf)
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/krb5.keytab -s HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP -s GSS_C_NO_NAME

Kerberos authentication is also possible on the load balancer backend
server.

Thank you,
kitamura

On Mon, 12 Oct 2020 at 20:31, m k <tamurin0525 at gmail.com> wrote:

> hello,
>>
>> Switching from NTLM certification to Kerberos certification.
>> Sure enough, I'm in trouble.
>>
>> Kerberos authentication doesn't work.
>> Please let me know if there is a mistake in the settings.
>>
>>
>> SPN creation
>> WINTEST(Active Directory)
>> ktpass.exe /princ HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP /mapuser S139821admin@WINTEST.EXAMPLE.CO.JP /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 20201002 /out C:\squid.keytab
>>
>>
>> PTR record setting
>> # nslookup 10.217.192.22
>> 22.192.217.10.in-addr.arpa      name = c0528004l.wintest.example.co.jp.
>>
>>
>> # klist
>> Ticket cache: KCM:1001
>> Default principal: lx17070028admin@WIN.EXAMPLE.CO.JP
>>
>> Valid starting       Expires              Service principal
>> 10/12/2020 16:05:10  10/13/2020 02:04:04  ldap/a9413001l.win.example.co.jp@WIN.EXAMPLE.CO.JP
>>         renew until 10/13/2020 02:04:04
>> 10/12/2020 16:04:04  10/13/2020 02:04:04  krbtgt/WIN.EXAMPLE.CO.JP@WIN.EXAMPLE.CO.JP
>>         renew until 10/13/2020 02:04:04
>> 10/12/2020 16:07:21  10/13/2020 02:04:04  ldap/a9401002l.win.example.co.jp@WIN.EXAMPLE.CO.JP
>>         renew until 10/13/2020 02:04:04
>>
>>
>> config setting
>> /etc/squid/squid.conf
>> # Kerberos Auth
>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP
>> auth_param negotiate children 20
>> auth_param negotiate keep_alive on
>> acl kerb-auth proxy_auth REQUIRED
>> http_access allow kerb-auth
>>
>> ---> I get a Windows security pop-up in IE.
>>
>>
>> error message
>> /var/log/squid/cache.log
>> 2020/10/12 20:06:31 kid1| ERROR: Negotiate Authentication validating
>> user. Result: {result=BH, notes={message: gss_accept_sec_context() failed:
>> Unspecified GSS failure.  Minor code may provide more information. Service
>> key not available; }}
>>
>>
>> Create SPN from server
>> c0528004l(CentOS8.1)
>> # net ads keytab create -U S139821admin@WINTEST.EXAMPLE.CO.JP
>> Warning: "kerberos method" must be set to a keytab method to use keytab
>> functions.
>> Enter S139821admin@WINTEST.EXAMPLE.CO.JP's password:
>> ads_keytab_open: Invalid kerberos method set (0)
>>
>> ---> An error occurs and keytab cannot be created.
>>
>>
>> Please let me know if you have any other information you need.
>>
>> Hi Eliezer,
>>
>> docker is already installed.
>> We are considering a configuration of at least 6 servers.
>> Whether it will be 8 or 10 has not been verified.
>>
>>
>> thank you,
>> kitamura
>>
>>
>>
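The fix described in the message above comes down to one question: does the backend's keytab hold a key for the SPN the browser actually requests, and will the helper use it? Behind a load balancer the client resolves the balancer's name and asks the KDC for HTTP/<balancer-host>, not HTTP/<backend-host>, so a keytab holding only the backend SPN produces the "Service key not available" error quoted in the thread. The script below is an added example, not code from the thread or from the Squid project. It parses an auth_param negotiate line and MIT `klist -kt` output (both constructed here from the thread's values) and reports whether a given SPN could be validated. It assumes that `-s GSS_C_NO_NAME` makes negotiate_kerberos_auth accept any principal present in the keytab, that otherwise only the principal named with `-s` is used, and it uses `proxy.wintest.example.co.jp` as a placeholder for the load balancer's hostname, which the thread does not give.

```python
"""Check whether a Squid negotiate_kerberos_auth configuration can validate a
Kerberos service ticket for a given SPN (added example; assumptions in the
comments and the lead-in)."""
import re
import shlex

# Constructed from the thread: the first (failing) auth_param line and the
# working one with GSS_C_NO_NAME.
AUTH_LINE_BEFORE = (
    "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth "
    "-k /etc/squid/squid.keytab "
    "-s HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP"
)
AUTH_LINE_AFTER = (
    "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth "
    "-k /etc/krb5.keytab "
    "-s HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP "
    "-s GSS_C_NO_NAME"
)

# Constructed `klist -kt` output. The load balancer hostname
# proxy.wintest.example.co.jp is a placeholder, not from the thread.
KLIST_KT_BEFORE = """Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/12/2020 16:00:00 HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP
"""
KLIST_KT_AFTER = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/12/2020 16:00:00 HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP
   2 10/15/2020 09:00:00 HTTP/proxy.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP
"""

BALANCER_SPN = "HTTP/proxy.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP"
BACKEND_SPN = "HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP"


def parse_auth_param(line):
    """Return (keytab path, list of -s values) from an auth_param negotiate line."""
    tokens = shlex.split(line)
    if tokens[:3] != ["auth_param", "negotiate", "program"]:
        raise ValueError("not an 'auth_param negotiate program' line")
    keytab, services = None, []
    args = tokens[4:]  # skip the helper binary path
    i = 0
    while i < len(args):
        if args[i] == "-k" and i + 1 < len(args):
            keytab = args[i + 1]
            i += 2
        elif args[i] == "-s" and i + 1 < len(args):
            services.append(args[i + 1])
            i += 2
        else:
            i += 1
    return keytab, services


def parse_klist_kt(text):
    """Return the set of principals in MIT `klist -kt` output (KVNO date time principal)."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def can_accept(auth_line, klist_text, requested_spn):
    """Decide whether the helper could validate a ticket for requested_spn.

    Returns (ok, reason). Assumption: GSS_C_NO_NAME means "any principal in the
    keytab"; otherwise only the -s principal is used.
    """
    keytab, services = parse_auth_param(auth_line)
    principals = parse_klist_kt(klist_text)
    if requested_spn not in principals:
        return False, f"no key for {requested_spn} in {keytab} (Service key not available)"
    if "GSS_C_NO_NAME" in services:
        return True, "helper accepts any principal present in the keytab"
    if requested_spn in services:
        return True, f"{requested_spn} is named with -s and has a key in {keytab}"
    return False, f"{requested_spn} is in {keytab} but the helper only uses {services}"


if __name__ == "__main__":
    for label, auth, kt in (("before", AUTH_LINE_BEFORE, KLIST_KT_BEFORE),
                            ("after", AUTH_LINE_AFTER, KLIST_KT_AFTER)):
        for spn in (BACKEND_SPN, BALANCER_SPN):
            ok, why = can_accept(auth, kt, spn)
            print(f"[{label}] {spn}: {'OK' if ok else 'FAIL'}: {why}")
```

Run it and the "before" configuration fails only for the balancer SPN, which matches the symptom in the thread: direct access to the backend works, access through the balancer does not. Keeping the balancer SPN in every backend's keytab with the same KVNO is what makes the pool interchangeable; the script only checks presence, so re-run it after each keytab rotation.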