[squid-users] Problem with HAProxy + Squid 4.11 + Kerberos authentication

Brett Lymn brett.lymn at baesystems.com
Mon Jul 27 00:04:33 UTC 2020


On Fri, Jul 24, 2020 at 10:44:34AM +0200, Klaus Brandl wrote:
> 
> but then you have a single point of failure, if your loadbalancer is down, 
> nothing will work. We need a solution, that each system can work by itself. So 
> at the moment we merge the keytabs of each system together, and we are able to 
> takeover the addresses of the other systems. Then we have no loadbalancing, 
> but a fallback solution, what is more important on our systems.
> 

No, you don't have a single point of failure, this is why I mentioned
using ktutil (well, I said ktadmin, my bad).  You merge the keytab for
the machine with the keytab for the HA user.  This way the clients are
able to both auth to the HA and to the the underlying machine.  It is
what we do, it works fine.

-- 
Brett Lymn
This email has been sent on behalf of one of the following companies within the BAE Systems Australia group of companies:

BAE Systems Australia Limited - Australian Company Number 008 423 005
BAE Systems Australia Defence Pty Limited - Australian Company Number 006 870 846
ASC Shipbuilding Pty Limited - Australian Company Number 051 899 864

BAE Systems Australia's registered office is Evans Building, Taranaki Road, Edinburgh Parks, Edindurgh, South Australia, 5111.
ASC Shipbuilding's registered office is Level 2, 80 Flinders Street, Adelaide, South Australia, 5000.
If the identity of the sending company is not clear from the content of this email, please contact the sender.

This email and any attachments may contain confidential and legally privileged information. If you are not the intended recipient, do not copy or disclose its content, but please reply to this email immediately and highlight the error to the sender and then immediately delete the message.



More information about the squid-users mailing list