<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
Hello Mark,
<div><br>
</div>
<div>You can just export the keytab generated on windows and use it on your proxy - then there is no need to mess with proxy’s account in AD - overall this is much easier I believe - see <a href="https://www.diladele.com/websafety/docs/authentication/active_directory/kerberos/">https://www.diladele.com/websafety/docs/authentication/active_directory/kerberos/</a></div>
<div><br>
</div>
<div>And it also works pretty nicely with several boxes at once - we use it all the time when testing AD integration, see <a href="https://www.diladele.com/websafety/docs/redundancy/haproxy_proxy_protocol/">https://www.diladele.com/websafety/docs/redundancy/haproxy_proxy_protocol/</a></div>
<div><br>
</div>
<div>Hope it helps.</div>
<div><br id="lineBreakAtBeginningOfSignature">
<div dir="ltr">Best regards,
<div>Rafael Akchurin</div>
</div>
<div dir="ltr"><br>
<blockquote type="cite">On 23 Jun 2025, at 12:16, Mark Cairney <Mark.Cairney@ed.ac.uk> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr"><span>Hi,</span><br>
<span></span><br>
<span>Thanks - that makes sense, and as a result I've set the reverse DNS on the 2 hosts to the round-robin DNS name.</span><br>
<span></span><br>
<span>RE: the KVNO drift issue, one suggestion was to delete the existing machine account(s) from AD and use ktpass and set the kvno to 0.</span><br>
<span></span><br>
<span>I'd previously used msktutil (as suggested on https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory) with the 'dont-expire-password' flag i.e:</span><br>
<span></span><br>
<span>msktutil -c -h test-squid-cluster.dyn.zone -b 'OU=Managed-Linux-Servers' --computer-name TESTSQUID -s HTTP/test-squid-cluster.dyn.zone -k /etc/squid/HTTP.keytab --server domain.controller --realm REALM --use-service-account --dont-expire-password --upn HTTP/test-squid-cluster.dyn.zone@REALM</span><br>
<span></span><br>
<span>Which is more likely to be reliable (unfortunately I have to use MS AD as the whole purpose of this proxy is to allow Windows clients to use an authenticated proxy).</span><br>
<span></span><br>
<span>Kind regards,</span><br>
<span></span><br>
<span>Mark</span><br>
<span></span><br>
<span>On 19/06/2025 15:21, Amos Jeffries wrote:</span><br>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>On 18/06/25 20:49, Mark Cairney wrote:</span><br>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Hi,</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>I’ve been trying to get Kerberos Authentication against AD working but</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>have been seeing inconsistent results/behaviour across multiple OSes and</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>I’m not sure if the issue lies with the DNS configuration, Kerberos</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>itself or with the Squid config:</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>The DNS setup is as follows:</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>test.squid.cluster. 3600 IN           CNAME test-squid-</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>cluster.dyn-zone.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>test-squid-cluster.dyn-zone. 60 IN A 1.2.3.4</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>Where 1.2.3.4 is the IP of one of the servers in the cluster. The</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>intention is to have multiple Squid servers behind a single DNS name for</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span>high-availability.</span><br>
</blockquote>
</blockquote>
<blockquote type="cite">
<blockquote type="cite"><span></span><br>
</blockquote>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>FYI, you cannot have multiple CNAMEs for test.squid.cluster pointing at</span><br>
</blockquote>
<blockquote type="cite"><span>different Squid server names. So this should not be a problem.</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>In Kerberos:</span><br>
</blockquote>
<blockquote type="cite"><span>* Setup your keytab entry for HTTP/test-squid-cluster.dyn-zone@REALM.</span><br>
</blockquote>
<blockquote type="cite"><span>* export the HTTP/test-squid-cluster.dyn-zone@REALM keytab to each proxy</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>In DNS:</span><br>
</blockquote>
<blockquote type="cite"><span>* Add as many proxies as you want to test-squid-cluster.dyn-zone with A or</span><br>
</blockquote>
<blockquote type="cite"><span>AAAA records in DNS.</span><br>
</blockquote>
<blockquote type="cite"><span>* point any domains you want those proxies to act as a CDN for to</span><br>
</blockquote>
<blockquote type="cite"><span>test-squid-cluster.dyn-zone using CNAME in DNS.</span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span></span><br>
</blockquote>
<blockquote type="cite"><span>Cheers</span><br>
</blockquote>
<blockquote type="cite"><span>Amos</span><br>
</blockquote>
<blockquote type="cite"><span>_______________________________________________</span><br>
</blockquote>
<blockquote type="cite"><span>squid-users mailing list</span><br>
</blockquote>
<blockquote type="cite"><span>squid-users@lists.squid-cache.org</span><br>
</blockquote>
<blockquote type="cite"><span>https://lists.squid-cache.org/listinfo/squid-users </span>
<br>
</blockquote>
<span></span><br>
<span>-- </span><br>
<span>/****************************</span><br>
<span></span><br>
<span>Mark Cairney</span><br>
<span>ITI Enterprise Services</span><br>
<span>Information Services</span><br>
<span>University of Edinburgh</span><br>
<span></span><br>
<span>Tel: 0131 650 6565</span><br>
<span>Email: Mark.Cairney@ed.ac.uk</span><br>
<span></span><br>
<span>*******************************/</span><br>
<span></span><br>
<span>The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.</span><br>
<span></span><br>
</div>
</blockquote>
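<div>Added example (not written by any of the thread's participants): the two failure modes discussed above are a keytab whose entries do not match the SPN clients request, and a keytab whose KVNO no longer matches the version AD holds for the account ("KVNO drift"). The script below parses an MIT-format (0x0502) keytab offline, as exported from Windows or written by msktutil, and reports a missing SPN, a KVNO that differs from the value you read from AD, and legacy RC4/DES entries still present. The keytab bytes, the realm name <code>REALM</code> and the key material are constructed in the script itself; the SPN is the one from Mark's msktutil command.</div>

```python
"""Added example (not from the thread): parse an MIT-format keytab offline and
check it against the SPN the proxy must serve and the KVNO that AD currently holds.
The keytab bytes below are constructed in this script, not exported from a real DC."""
import struct
from dataclasses import dataclass
from typing import List

# IANA-assigned Kerberos encryption type numbers; RC4 and DES are treated as legacy.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY_ENCTYPES = {1, 3, 23}


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/test-squid-cluster.dyn.zone@REALM
    kvno: int
    enctype: int


def _cs(b: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cs(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Write a version 0x0502 keytab from (principal, kvno, enctype, key) tuples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm.encode())
        for c in comps:
            body += _cs(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit vno, overrides vno8 when non-zero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entry list; key material is skipped, only principal/kvno/enctype are kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cs(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cs(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit vno trailer
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def check_keytab(data: bytes, expected_spn: str, ad_kvno: int) -> List[str]:
    """Report what makes Negotiate/GSSAPI fail or weakens it: no entry for the SPN
    clients request, KVNO differing from AD's (KVNO drift), legacy enctypes present."""
    entries = parse_keytab(data)
    findings = []
    matching = [e for e in entries if e.principal == expected_spn]
    if not matching:
        findings.append(f"missing: no entry for {expected_spn}")
    for e in matching:
        if e.kvno != ad_kvno:
            findings.append(f"kvno drift: keytab has {e.kvno}, AD has {ad_kvno} for {e.principal}")
    for e in entries:
        if e.enctype in LEGACY_ENCTYPES:
            name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
            findings.append(f"legacy enctype: {name} ({e.enctype}) for {e.principal}")
    return findings


# Constructed sample keytab: the SPN from the thread at kvno 3, with AES entries
# plus one RC4 entry included so the legacy-enctype check has something to report.
SPN = "HTTP/test-squid-cluster.dyn.zone@REALM"
SAMPLE_KEYTAB = build_keytab([
    (SPN, 3, 18, b"\x11" * 32),   # aes256, placeholder key bytes
    (SPN, 3, 17, b"\x22" * 16),   # aes128, placeholder key bytes
    (SPN, 3, 23, b"\x33" * 16),   # rc4-hmac, placeholder key bytes
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    # Pretend AD has already rolled the account to kvno 4: every entry is reported as drifted.
    for finding in check_keytab(SAMPLE_KEYTAB, SPN, ad_kvno=4):
        print(finding)
```

<div>Against a real file, <code>parse_keytab(open("/etc/squid/HTTP.keytab", "rb").read())</code> should agree with <code>klist -k -e /etc/squid/HTTP.keytab</code>; the <code>ad_kvno</code> argument is the current <code>msDS-KeyVersionNumber</code> of the service account in AD. If the AES entries are present and the KVNOs agree but RC4 is still listed, the RC4 entry can simply be dropped from the export rather than re-creating the account.</div>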
</div>
</body>
</html>