[squid-users] Kerberos Auth weirdness/inconsistency when using CNAMEs/Round-robin DNS

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 19 14:21:39 UTC 2025


On 18/06/25 20:49, Mark Cairney wrote:
> Hi,
> 
> I’ve been trying to get Kerberos Authentication against AD working but 
> have been seeing inconsistent results/behaviour across multiple OSes and 
> I’m not sure if the issue lies with the DNS configuration, Kerberos 
> itself or with the Squid config:
> 
> THE DNS setup is as follows:
> 
> test.squid.cluster. 3600 IN CNAME test-squid-cluster.dyn-zone.
> 
> test-squid-cluster.dyn-zone. 60 IN A 1.2.3.4
> 
> Where 1.2.3.4 is the IP of one of the servers in the cluster. The 
> intention is to have multiple Squid servers behind a single DNS name for 
> high-availability.
> 

FYI, you cannot have multiple CNAMEs for test.squid.cluster pointing at 
different Squid server names. So this should not be a problem.


In Kerberos:
* Set up your keytab entry for HTTP/test-squid-cluster.dyn-zone at REALM.
* Export the HTTP/test-squid-cluster.dyn-zone at REALM keytab to each proxy.

In DNS:
* Add as many proxies as you want to test-squid-cluster.dyn-zone with A or 
AAAA records in DNS.
* Point any domains you want those proxies to act as a CDN for at 
test-squid-cluster.dyn-zone using CNAME in DNS.



Cheers
Amos
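Added example (not from the thread or the Squid project): a small Python model of the setup described above. It follows the CNAME chain the way a client that canonicalizes hostnames would, derives the HTTP/ service principal, and checks whether the single keytab entry recommended in the reply serves it. The realm, the second A record, and the assumption that some clients canonicalize through CNAMEs while others request a ticket for the name as typed are all constructed for illustration.

```python
"""Model of SPN derivation for a proxy reached through a CNAME."""

# Constructed zone data mirroring the records quoted in the thread,
# with a second address added to model several proxies behind one name.
ZONE = {
    "test.squid.cluster.": ("CNAME", "test-squid-cluster.dyn-zone."),
    "test-squid-cluster.dyn-zone.": ("A", ["1.2.3.4", "1.2.3.5"]),
}
REALM = "EXAMPLE.REALM"  # placeholder realm, not from the thread
# Keytab contents on every proxy, per the recommendation in the reply.
KEYTAB_SPNS = {f"HTTP/test-squid-cluster.dyn-zone@{REALM}"}


def _fqdn(name: str) -> str:
    """Normalise to the trailing-dot form used as zone keys."""
    return name if name.endswith(".") else name + "."


def canonical_name(name: str, zone: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs until reaching the name that owns address records.

    Raises ValueError on a loop or an over-long chain so a broken zone
    is reported instead of spinning forever.
    """
    name, seen = _fqdn(name), set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        rtype, data = zone[name]
        if rtype != "CNAME":
            return name
        name = _fqdn(data)


def spn_for(host: str, zone: dict, canonicalize: bool) -> str:
    """SPN a client asks the KDC for: the canonical name if the client
    chases CNAMEs (assumed behaviour), otherwise the name as typed."""
    target = canonical_name(host, zone) if canonicalize else _fqdn(host)
    return f"HTTP/{target.rstrip('.')}@{REALM}"


def keytab_serves(host: str, zone: dict, canonicalize: bool) -> bool:
    """True when the proxies' keytab holds the SPN this client will use."""
    return spn_for(host, zone, canonicalize) in KEYTAB_SPNS


if __name__ == "__main__":
    for canon in (True, False):
        spn = spn_for("test.squid.cluster", ZONE, canon)
        print(f"canonicalize={canon}: {spn} served={spn in KEYTAB_SPNS}")
```

Running it shows the two outcomes a mixed client population can produce against the same keytab, which is one way to reason about the per-OS inconsistency reported in the question.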

