[squid-users] Kerberos authentication with multiple squids
Markus Moeller
huaraz at moeller.plus.com
Sat Oct 16 19:39:31 UTC 2021
Hi Amos,
If you let me know where exactly I can add a few lines.
One way to make this setup work would be to add proxy1 also to AD like
proxy2 and then merge the keytab for proxy1 into the keytab of proxy2 using
ktutil. The negotiate_kerberos_auth handle would require the -s
GSS_C_NO_NAME option to select either key.
A second option is to add a second service principal name to the proxy2 AD
account and use -s GSS_C_NO_NAME.
Regards
Markus
"Amos Jeffries" wrote in message
news:95c70ccd-5c15-3395-2103-3025ef043ebd at treenet.co.nz...
On 14/10/21 8:48 am, Markus Moeller wrote:
> The problem lies more in the way how Kerberos proxy authentication works.
> The client uses the proxy name to create a ticket and in this case it
> would be the name of the first proxy e.g. proxy1.internal. The first
> proxy will pass it through to the authenticating proxy for authentication
> proxy2.internal. Now the client receiving a 407 thinks that proxy1 asked
> for authentication (not knowing it is only a passthrough) and will ask for
> a ticket for proxy1, which it can't get as proxy1 is not in AD. Even if
> proxy1 would be in AD, the client would send a proxy1 ticket to proxy2
> which will be rejected.
>
> Markus
> \
Aha. That make ssense.
Can we get the Kerberos auth wiki page updated with that info? this is
something that has come up a few times.
Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list