<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.10570.1001"></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Hi </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Maybe some general comments about LB, CNAMEs and Squid Kerberos will
help. The kerberos client will try to request a ticket based on the used
hostname. e.g. if you configure in your browser the proxy name as
ha-proxy.slb.example.com then the client will look for a serviceprincipal of
HTTP/ha-proxy.slb.example.com. If this is a Cname then you may have browser
dependencies e.g. </DIV>
<DIV> </DIV>
<DIV> ha-proxy.slb.example.com CNAME HA-server1.real.example.com </DIV>
<DIV> </DIV>
<DIV>Some browsers will use HTTP/ha-proxy.slb.example.com and some will
use HTTP/HA-server1.real.example.com </DIV>
<DIV> </DIV>
<DIV>Now if your squid server name is squid1.real.example.com you will have
probably only HTTP/squid1.real.example.com in your keytab. </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>There are now 2 Options:</DIV>
<DIV> </DIV>
<DIV>1 ) Create one entry in AD for all squid servers i.e. the AD entry
will have at least number of servers + 2 service principals associated to
it, extract the key to a keytab and use the option –s GSS_C_NO_NAME with the
negotiate_kerberos_auth helper </DIV>
<DIV> .e.g HTTP/squid1.real.example.com ,
HTTP/squid2.real.example.com , HTTP/HA-server1.real.example.com ,
HTTP/ha-proxy.slb.example.com </DIV>
<DIV>2) Create separate entries in AD for each squid server, the LB and the
CNAMEs and then merge the keys into one keytab to be used on all squid
servers.</DIV>
<DIV> </DIV>
<DIV>Kind Regards</DIV>
<DIV>Markus</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV>"L.P.H. van Belle" <belle@bazuin.nl> wrote in message
news:vmime.5f1aa165.2c44.7eb4bc368baef35@ms249-lin-003.rotterdam.bazuin.nl...</DIV></DIV></DIV>
<DIV
style="BORDER-TOP-COLOR: #000000; BORDER-BOTTOM-COLOR: #000000; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 4px solid; BORDER-RIGHT-COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV dir=ltr align=left><SPAN class=745565108-24072020><FONT color=#0000ff
size=2 face=Arial>forgot 1 thing. (sorry) <BR># </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=745565108-24072020><FONT color=#0000ff
size=2 face=Arial>adduser proxyuser winbind_priv <BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=745565108-24072020><FONT color=#0000ff
size=2 face=Arial>or things might not work. </FONT></SPAN></DIV>
<DIV><SPAN class=745565108-24072020><FONT color=#0000ff size=2
face=Arial><BR> </DIV></FONT></SPAN><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV lang=nl class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>Van:</B> squid-users
[mailto:squid-users-bounces@lists.squid-cache.org] <B>Namens </B>L.P.H. van
Belle<BR><B>Verzonden:</B> vrijdag 24 juli 2020 10:46<BR><B>Aan:</B>
squid-users@lists.squid-cache.org<BR><B>Onderwerp:</B> Re: [squid-users]
Problem with HAProxy + Squid 4.11 + Kerberos
authentication<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=171043008-24072020><FONT color=#0000ff
size=2 face=Arial>i would recommend to ..</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=171043008-24072020><FONT color=#0000ff
size=2 face=Arial>1) use debian buster,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=171043008-24072020><FONT color=#0000ff
size=2 face=Arial>2) use squid 4.12</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=171043008-24072020><FONT color=#0000ff
size=2 face=Arial>3) use samba (winbind). </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=171043008-24072020><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=171043008-24072020><FONT color=#0000ff
size=2 face=Arial>needed in smb.conf ( only shown whats really needed ),
there is more offcourse. </FONT></SPAN></DIV><SPAN class=171043008-24072020>
<DIV dir=ltr align=left><FONT color=#0000ff size=2 face=Arial></FONT><BR><FONT
color=#0000ff size=2 face=Arial> dedicated keytab file =
/etc/krb5.keytab<BR> kerberos method = secrets and
keytab</FONT></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2
face=Arial> # renew the kerberos
ticket<BR> winbind refresh tickets = yes<BR></FONT></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2
face=Arial> # Added for freeradius
support<BR> <SPAN class=171043008-24072020>#</SPAN>ntlm auth
= mschapv2-and-ntlmv2-only<BR><BR></FONT><SPAN lang=N>
<P><FONT color=#0000ff size=2 face=Arial>apt install winbind krb5-user
</FONT><SPAN class=171043008-24072020><FONT color=#0000ff size=2
face=Arial>should be sufficient. <BR></FONT><SPAN lang=N><BR><FONT
color=#0000ff size=2 face=Arial>samba joins the domain.
<BR></FONT></SPAN></SPAN><SPAN class=171043008-24072020><SPAN lang=N><FONT
color=#0000ff size=2 face=Arial>/etc/krb5.keytab contains the default part and
refreshed the server kerberos passworks/tickes. </FONT></SPAN></SPAN></P>
<P><SPAN class=171043008-24072020><SPAN lang=N><FONT color=#0000ff size=2
face=Arial>And for squid its keytab. <BR><BR>kinit Administrator<BR>export
KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab<BR><SPAN
class=171043008-24072020><SPAN lang=N><FONT color=#0000ff size=2
face=Arial>net ads keytab add_update_ads <SPAN
class=171043008-24072020>HTTP</SPAN>/$(hostname -f) -U
Administrator<BR></FONT></SPAN></SPAN><BR># alias name to keytab<BR>net ads
keytab ADD HTTP/CNAME.FQDN <BR><BR># check keytab file.<BR>klist -ke
/etc/squid/HTTP-$(hostname -s).keytab<BR>unset KRB5_KTNAME<BR><BR># set
rights.<BR>chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab<BR>chmod g+r
/etc/squid/HTTP-$(hostname -s).keytab</FONT></SPAN></SPAN></P>
<P><SPAN class=171043008-24072020><SPAN lang=N><FONT color=#0000ff size=2
face=Arial>And i use in squid <BR>auth_param negotiate program
/usr/lib/squid/negotiate_wrapper_auth \<BR> --kerberos
/usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/HTTP-hostname.keytab
\<BR> -s <A>HTTP/hostname.fqdn@REALM</A> -s
<A>HTTP/CNAME.FQDN@REALM</A> <BR> --ntlm /usr/bin/ntlm_auth
--helper-protocol=gss-spnego --domain=NTDOM <BR><BR>Point to think about.
</FONT></SPAN></SPAN></P><SPAN class=171043008-24072020><SPAN lang=N><FONT
color=#0000ff size=2 face=Arial></FONT></SPAN></SPAN></SPAN></DIV>
<DIV dir=ltr align=left><SPAN lang=N><SPAN class=171043008-24072020><SPAN
lang=N>
<P><SPAN class=171043008-24072020></SPAN><FONT face=Arial><FONT
color=#0000ff><FONT size=2><SPAN class=171043008-24072020>server
</SPAN>I</FONT></FONT></FONT><FONT face=Arial><FONT color=#0000ff><FONT
size=2><SPAN class=171043008-24072020>P's needs A + PTR <BR></SPAN><SPAN
class=171043008-24072020>use CNAMEs in the DNS. <BR>and make sure the
resolving is setup correctly. </SPAN></FONT></FONT></FONT></P>
<P><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=171043008-24072020>Add a caching DNS to the proxy. ( and let squid use
it also ) </SPAN></FONT></FONT></FONT></P>
<P><SPAN class=171043008-24072020></SPAN><SPAN
class=171043008-24072020></SPAN><FONT color=#0000ff size=2 face=Arial>I<SPAN
class=171043008-24072020> had this working (without HAproxy) but with
keepalived. </SPAN></FONT></P>
<P><SPAN class=171043008-24072020></SPAN><SPAN
class=171043008-24072020></SPAN><SPAN class=171043008-24072020><FONT
color=#0000ff size=2 face=Arial>A</FONT></SPAN><SPAN
class=171043008-24072020><FONT color=#0000ff size=2 face=Arial>s far i can
tel, your problem is in how the hostnames and ip are used.
<BR></FONT></SPAN><SPAN class=171043008-24072020></SPAN><FONT color=#0000ff
size=2 face=Arial>b<SPAN class=171043008-24072020>ut above might give you
ideas. <BR></SPAN></FONT></P>
<P><SPAN class=171043008-24072020></SPAN><SPAN
class=171043008-24072020></SPAN><FONT color=#0000ff size=2 face=Arial>G<SPAN
class=171043008-24072020>reetz, </SPAN></FONT></P><FONT color=#0000ff size=2
face=Arial><SPAN
class=171043008-24072020></SPAN></FONT></SPAN></SPAN></SPAN></DIV>
<DIV dir=ltr align=left><SPAN lang=N><SPAN class=171043008-24072020><SPAN
lang=N><SPAN class=171043008-24072020></SPAN>
<P><SPAN class=171043008-24072020></SPAN><FONT color=#0000ff size=2
face=Arial>L<SPAN
class=171043008-24072020>ouis</SPAN><BR></FONT></P></SPAN></SPAN></SPAN></DIV>
<DIV dir=ltr align=left><FONT color=#0000ff size=2
face=Arial> </DIV></FONT></SPAN><FONT color=#0000ff size=2
face=Arial></FONT><FONT color=#0000ff size=2 face=Arial></FONT><FONT
color=#0000ff size=2 face=Arial></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"
dir=ltr>
<DIV lang=nl class=OutlookMessageHeader dir=ltr align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>Van:</B> squid-users
[mailto:squid-users-bounces@lists.squid-cache.org] <B>Namens </B>Service
MV<BR><B>Verzonden:</B> donderdag 23 juli 2020 17:36<BR><B>Aan:</B>
squid-users@lists.squid-cache.org<BR><B>Onderwerp:</B> [squid-users] Problem
with HAProxy + Squid 4.11 + Kerberos authentication<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr>Hi, everybody.<BR>I have a SQUID 4.11 compiled on Debian 9.8
with kerberos integration authenticating and browsing without
problems:<BR>cache.log<BR>squid_kerb_auth: User some.user
authenticated<BR>access.log<BR>10.10.10.203 TCP_TUNNEL/200 5264 CONNECT <A
href="http://update.googleapis.com:443">update.googleapis.com:443</A>
some.user HIER_DIRECT/<A href="http://172.217.162.3"><FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> <FONT color=red><B>MailScanner warning: numerical
links are often malicious:</B></FONT> <FONT color=red><B>MailScanner
warning: numerical links are often malicious:</B></FONT> <FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> 172.217.162.3</A> -<BR><BR>The problem starts when I
try to configure a HAProxy 1.8 load balancer to which by redundancy I
configured a virtual IP with the keepalived service. When I point my browser
to the DNS A record (balancer.mydomain.local) which in turn points to the
keepalived virtual IP, the authentication stops working:<BR>cache.log
<DIV>no records<BR>access.log<BR>10.10.8.207 TCP_DENIED/407 4142 CONNECT <A
href="http://update.googleapis.com:443">update.googleapis.com:443</A> -
HIER_NONE/- text/</DIV>
<DIV> </DIV>
<DIV>In the client browser a prompt appears requesting
authentication.<BR><BR>I find it strange that the IP registered by SQUID is
10.10.8.207, which is the physical IP of my VM, instead of the virtual IP
configured in HAProxy, which is the IP 10.10.8.213.<BR><BR>I send you all
the configurations that I have made to see if you can help me to find where
my configuration error is.<BR><BR>keepalived.conf
<DIV> global_defs {<BR> notification_email
{<BR>
some.user@mydomain.local<BR>
}<BR> notification_email_from
balancer1@mydomain.local<BR> smtp_server smtp.
mydomain.local <BR> smtp_connect_timeout
60<BR> }<BR><BR> vrrp_instance VI_1
{<BR> state
MASTER<BR> interface
eth0<BR> virtual_router_id
101<BR> priority
101<BR> advert_int
1<BR> authentication
{<BR> auth_type
PASS<BR> auth_pass
somepass123<BR>
}<BR> virtual_ipaddress
{<BR>
10.10.8.213<BR> }<BR> }<BR><BR></DIV>
<DIV> </DIV>
<DIV>haproxy.conf</DIV>
<DIV>global<BR>log /dev/log local0<BR>log /dev/log local1 notice<BR>chroot
/var/lib/haproxy<BR>stats socket /run/haproxy/admin.sock mode 660 level
admin<BR>stats timeout 30s<BR>user haproxy<BR>group
haproxy<BR>daemon<BR>maxconn 4000<BR>ca-base /etc/ssl/certs<BR>crt-base
/etc/ssl/private<BR>server=haproxy<BR>ssl-default-bind-ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS<BR>ssl-default-bind-options
no-sslv3<BR><BR>defaults<BR>balance source<BR>log global<BR>mode
http<BR>option httplog<BR>option dontlognull<BR>option
http-server-close<BR>option forwardfor except <A
href="http://127.0.0.0/8"><FONT color=red><B>MailScanner warning: numerical
links are often malicious:</B></FONT> <FONT color=red><B>MailScanner
warning: numerical links are often malicious:</B></FONT> <FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> <FONT color=red><B>MailScanner warning: numerical
links are often malicious:</B></FONT> 127.0.0.0/8</A><BR>timeout connect
5000<BR>timeout client 50000<BR>timeout server 50000<BR><BR>errorfile 400
/etc/haproxy/errors/400.http<BR>errorfile 403
/etc/haproxy/errors/403.http<BR>errorfile 408
/etc/haproxy/errors/408.http<BR>errorfile 500
/etc/haproxy/errors/500.http<BR>errorfile 502
/etc/haproxy/errors/502.http<BR>errorfile 503
/etc/haproxy/errors/503.http<BR>errorfile 504
/etc/haproxy/errors/504.http<BR><BR>### statistics<BR>listen stats<BR>bind
<A href="http://10.10.8.213:1936"><FONT color=red><B>MailScanner warning:
numerical links are often malicious:</B></FONT> <FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> <FONT color=red><B>MailScanner warning: numerical
links are often malicious:</B></FONT> <FONT color=red><B>MailScanner
warning: numerical links are often malicious:</B></FONT>
10.10.8.213:1936</A><BR>mode http<BR>stats enable<BR>stats
hide-version<BR>stats realm Haproxy\ Statistics<BR>stats uri
/haproxy?stats<BR>stats auth haproxy:somepass123<BR><BR>###
balancer<BR>listen squid<BR>bind <A href="http://10.10.8.213:3128"><FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> <FONT color=red><B>MailScanner warning: numerical
links are often malicious:</B></FONT> <FONT color=red><B>MailScanner
warning: numerical links are often malicious:</B></FONT> <FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> 10.10.8.213:3128</A><BR> mode http<BR>
option httplog<BR> balance source<BR> hash-type
consistent<BR> option httpclose<BR> cookie SERVERID insert
indirect nocache<BR> option forwardfor header X-Client<BR>
server proxy1 <A href="http://10.10.8.205:3128"><FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> <FONT color=red><B>MailScanner warning: numerical
links are often malicious:</B></FONT> <FONT color=red><B>MailScanner
warning: numerical links are often malicious:</B></FONT> <FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> 10.10.8.205:3128</A> check inter 2000 rise 2 fall
5<BR></DIV>
<DIV>
<DIV> server proxy2 <A href="http://10.10.8.206:3128"><FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> <FONT color=red><B>MailScanner warning: numerical
links are often malicious:</B></FONT> <FONT color=red><B>MailScanner
warning: numerical links are often malicious:</B></FONT> <FONT
color=red><B>MailScanner warning: numerical links are often
malicious:</B></FONT> 10.10.8.206:3128</A> check inter 2000 rise 2 fall
5<BR></DIV>
<DIV></DIV></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>squid.conf</DIV>
<DIV># minimal configuration for testing</DIV>
<DIV>visible_hostname proxy1.mydomain.local<BR>http_port
3128<BR>debug_options ALL, 1 33, 2 28, 9<BR>maximum_object_size 8192
KB<BR>error_directory /opt/squid411/share/errors/es-ar<BR>shutdown_lifetime
0 seconds<BR>forwarded_for on<BR>auth_param negotiate program
/usr/local/bin/squid_kerb_auth -i -r -s GSS_C_NO_NAME<BR>auth_param
negotiate children 300 startup=150 idle=10<BR>auth_param negotiate
keep_alive on<BR>acl auth proxy_auth REQUIRED<BR>http_access allow
auth<BR>acl SSL_ports port 443<BR>acl Safe_ports port 80<BR>acl CONNECT
method CONNECT<BR>http_access deny !Safe_ports<BR>http_access deny CONNECT
!SSL_ports<BR>http_access deny all<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>squid -v</DIV>
<DIV>Squid Cache: Version 4.11<BR>Service Name: squid<BR><BR>This binary
uses OpenSSL 1.0.2u 20 Dec 2019. For legal restrictions on
distribution see <A
href="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</A><BR><BR>configure
options: '--prefix=/opt/squid411' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info'
'--localstatedir=/opt/squid411/var' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' '--enable-inline'
'--enable-async-io' '--enable-storeio=ufs,aufs,diskd'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth'
'--enable-digest-auth-helpers' '--enable-negotiate-auth-helpers'
'--enable-auth-ntlm' '--enable-arp-acl' '--enable-esi--disable-translation'
'--with-logdir=/var/log/squid411' '--with-pidfile=/var/run/squid411.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--enable-linux-netfilter'
'--enable-ltdl-convenience' '--with-openssl' '--enable-ssl'
'--enable-ssl-crtd'<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>env</DIV>
<DIV>KRB5_KTNAME=/opt/squid411/etc/PROXY.keytab<BR>KRB5RCACHETYPE=none<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>/etc/krb5.conf</DIV>
<DIV>[libdefaults]<BR> default_realm =
MYDOMAIN.LOCAL<BR> dns_lookup_kdc =
yes<BR> dns_lookup_realm = yes <BR>
ticket_lifetime = 24h<BR><BR>
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5<BR>
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5<BR> permitted_enctypes
= aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5<BR><BR>[realms]<BR> MYDOMAIN.LOCAL =
{<BR> kdc =
s-dc00.mydomain.local<BR> kdc =
s-dc01.mydomain.local<BR> kdc =
s-dc02.mydomain.local<BR>
admin_server = s-dc00.mydomain.local<BR>
}<BR><BR>[domain_realm]<BR> .mydomain.local =
MYDOMAIN.LOCAL<BR> mydomain.local =
MYDOMAIN.LOCAL<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>msktutil -c -b "OU=SERVIDORES" -s HTTP/debian-proxy.mydomain.local -k
/opt/squid411/etc/PROXY.keytab --computer-name DEBIAN-PROXY --upn
HTTP/debian-proxy.mydomain.local --server s-dc00.mydomain.local --verbose
--enctypes 28<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV># permissions for kaytab file</DIV>
<DIV>chgrp proxy /opt/squid411/etc/PROXY.keytab<BR>chmod g+r
/opt/squid411/etc/PROXY.keytab<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>klist<BR>Ticket cache: FILE:/tmp/krb5cc_0<BR>Default principal:
some.user@MYDOMAIN.LOCAL<BR><BR>Valid
starting
Expires
Service principal<BR>07/23/2020 11:59:45 07/23/2020 21:59:45
krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL<BR>
renew until 07/24/2020 11:59:40<BR></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>One thing I didn't quite understand is the procedure to authenticate
from HAProxy. According to the documentation I read, I did the
following:</DIV>
<DIV><BR>I created a DNS A record and its PTR in my DNS server pointing to
the virtual IP of the keepalived (10.10.8.213) in the HAProxy. <BR>Then I
created a "HTTP_inet" user account in Active Directory.<BR>Then on my domain
controller, in a CMD with administrator permissions, I ran:<BR>setspn -S
HTTP/inet.mydomain.local HTTP_inet<BR>setspn -S HTTP/inet HTTP_inet <BR>In
both cases the message was: object updated.<BR>Then in my SQUID servers, I
executed:<BR>kinit HTTP_inet@MYDOMAIN.LOCAL<BR>It asks for the user's
password.<BR>Start the ktutil tool<BR>That's where I write:<BR>addent
-password -p HTTP/inet.mydomain.local -k 2 -e rc4-hmac</DIV>
<DIV>Ask the user password<BR>addent -password -p HTTP/inet -k 2 -e
rc4-hmac</DIV>
<DIV>Ask the user password<BR>wkt
/opt/squid411/etc/PROXY.keytab<BR>quit<BR><BR>list the keys in
keytab:<BR>ktutil<BR>read_kt /opt/squid411/etc/PROXY.keytab<BR>
1 1 DEBIAN-PROXY$@MYDOMAIN.LOCAL<BR> 2 1
DEBIAN-PROXY$@MYDOMAIN.LOCAL<BR> 3 1
DEBIAN-PROXY$@MYDOMAIN.LOCAL<BR> 4 1
HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL<BR> 5 1
HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL<BR> 6 1
HTTP/debian-proxy.mydomain.local@MYDOMAIN.LOCAL<BR> 7 1
host/DEBIAN-PROXY@MYDOMAIN.LOCAL<BR> 8 1
host/DEBIAN-PROXY@MYDOMAIN.LOCAL<BR> 9 1
host/DEBIAN-PROXY@MYDOMAIN.LOCAL<BR> 10 1
host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL<BR> 11 1
host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL<BR> 12 1
host/debian-proxy.mydomain.local@MYDOMAIN.LOCAL<BR> 13 2
HTTP/inet.mydomain.local@MYDOMAIN.LOCAL<BR> 14 2
HTTP/inet@MYDOMAIN.LOCAL<BR><BR>It's this last part I understand the least,
maybe the mistake is there. Or somewhere else.<BR>I appreciate any help you
can offer me. <BR><BR>Best regards,<BR><BR>Gabriel<BR></DIV>
<DIV> </DIV></DIV></DIV></BLOCKQUOTE></BLOCKQUOTE>
<P>
<HR>
_______________________________________________<BR>squid-users mailing
list<BR>squid-users@lists.squid-cache.org<BR>http://lists.squid-cache.org/listinfo/squid-users<BR></DIV></DIV></DIV></DIV></BODY></HTML>