[squid-users] I want to know the concerns of load testing
m k
tamurin0525 at gmail.com
Mon Oct 12 11:31:11 UTC 2020
>
> hello,
>
> Switching from NTLM certification to Kerberos certification.
> Sure enough, I'm in trouble.
>
> Kerberos authentication doesn't work.
> Please let me know if there is a mistake in the settings.
>
>
> SPN creation
> WINTEST(Active Directory)
> ktpass.exe /princ HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP /mapuser S139821admin@WINTEST.EXAMPLE.CO.JP /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass 20201002 /out C:\squid.keytab
>
>
> PTR record setting
> # nslookup 10.217.192.22
> 22.192.217.10.in-addr.arpa name = c0528004l.wintest.example.co.jp.
>
>
> # klist
> Ticket cache: KCM:1001
> Default principal: lx17070028admin@WIN.EXAMPLE.CO.JP
>
> Valid starting       Expires              Service principal
> 10/12/2020 16:05:10  10/13/2020 02:04:04  ldap/a9413001l.win.example.co.jp@WIN.EXAMPLE.CO.JP
>         renew until 10/13/2020 02:04:04
> 10/12/2020 16:04:04  10/13/2020 02:04:04  krbtgt/WIN.EXAMPLE.CO.JP@WIN.EXAMPLE.CO.JP
>         renew until 10/13/2020 02:04:04
> 10/12/2020 16:07:21  10/13/2020 02:04:04  ldap/a9401002l.win.example.co.jp@WIN.EXAMPLE.CO.JP
>         renew until 10/13/2020 02:04:04
>
>
> config setting
> /etc/squid/squid.conf
> # Kerberos Auth
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP
> auth_param negotiate children 20
> auth_param negotiate keep_alive on
> acl kerb-auth proxy_auth REQUIRED
> http_access allow kerb-auth
>
> ---> I get a Windows security pop-up in IE.
>
>
> error message
> /var/log/squid/cache.log
> 2020/10/12 20:06:31 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information. Service key not available; }}
>
>
> Create SPN from server
> c0528004l(CentOS8.1)
> # net ads keytab create -U S139821admin@WINTEST.EXAMPLE.CO.JP
> Warning: "kerberos method" must be set to a keytab method to use keytab functions.
> Enter S139821admin@WINTEST.EXAMPLE.CO.JP's password:
> ads_keytab_open: Invalid kerberos method set (0)
>
> ---> An error occurs and keytab cannot be created.
>
>
> Please let me know if you have any other information you need.
>
> Hi Eliezer,
>
> docker is already installed.
> We are considering a configuration of at least 6 servers.
> Whether it will be 8 or 10 has not been verified.
>
>
> thank you,
> kitamura
>
>
>
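
A check on the setup described in this message, added here as an example and not part of the original post: it compares the principal passed to negotiate_kerberos_auth with -s against the entries that `klist -kte` lists for the keytab, since "Service key not available" typically means no usable key for the requested service principal was found in the keytab the helper opened. The klist output (KVNO, timestamp, host/ entry) is constructed, and the function names are hypothetical.

```python
import re
import shlex

# Constructed input: the helper line from the post, joined onto one line.
SQUID_CONF = (
    "auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth "
    "-k /etc/squid/squid.keytab "
    "-s HTTP/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP\n"
    "auth_param negotiate children 20\n"
)

# Constructed `klist -kte` output (MIT layout); the host/ entry is made up.
KLIST_KTE = """\
Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   3 10/12/2020 15:40:02 host/c0528004l.wintest.example.co.jp@WINTEST.EXAMPLE.CO.JP (aes256-cts-hmac-sha1-96)
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+)\s+\(([^)]+)\)\s*$")

def helper_settings(conf_text):
    """Return (keytab, principal) passed to the negotiate helper via -k / -s."""
    for line in conf_text.splitlines():
        words = shlex.split(line, comments=True)
        if words[:3] == ["auth_param", "negotiate", "program"]:
            def arg(flag):
                return words[words.index(flag) + 1] if flag in words[:-1] else None
            return arg("-k"), arg("-s")
    return None, None

def keytab_entries(klist_text):
    """Parse (kvno, principal, enctype) tuples out of `klist -kte` output."""
    hits = (ENTRY.match(line) for line in klist_text.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in hits if m]

def check_spn(conf_text, klist_text):
    """Classify the configured SPN as 'ok', 'case-mismatch' or 'missing'."""
    _, spn = helper_settings(conf_text)
    entries = keytab_entries(klist_text)
    exact = [e for e in entries if e[1] == spn]
    if exact:
        return "ok", exact
    # MIT Kerberos compares principal names case-sensitively.
    folded = [e for e in entries if spn and e[1].lower() == spn.lower()]
    return ("case-mismatch", folded) if folded else ("missing", entries)

if __name__ == "__main__":
    print(helper_settings(SQUID_CONF), check_spn(SQUID_CONF, KLIST_KTE))
```

On a real host, feed it the text of /etc/squid/squid.conf and the output of `klist -kte` run against the keytab named by -k, as the user Squid runs as, so that an unreadable file shows up as well.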