[squid-users] Kerberos Auth weirdness/inconsistency when using CNAMEs/Round-robin DNS
Mark Cairney
Mark.Cairney at ed.ac.uk
Mon Jun 23 10:15:43 UTC 2025
Hi,
Thanks, that makes sense, and as a result I've set the reverse DNS on the
2 hosts to the round-robin DNS name.
RE: the KVNO drift issue, one suggestion was to delete the existing
machine account(s) from AD and use ktpass and set the kvno to 0.
I'd previously used msktutil (as suggested on
https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory)
with the 'dont-expire-password' flag, i.e.:
msktutil -c -h test-squid-cluster.dyn.zone -b 'OU=Managed-Linux-Servers' \
    --computer-name TESTSQUID -s HTTP/test-squid-cluster.dyn.zone \
    -k /etc/squid/HTTP.keytab --server domain.controller --realm REALM \
    --use-service-account --dont-expire-password \
    --upn HTTP/test-squid-cluster.dyn.zone@REALM
Which is more likely to be reliable (unfortunately I have to use MS AD
as the whole purpose of this proxy is to allow Windows clients to use an
authenticated proxy).
Kind regards,
Mark
On 19/06/2025 15:21, Amos Jeffries wrote:
>
> On 18/06/25 20:49, Mark Cairney wrote:
>> Hi,
>>
>> I’ve been trying to get Kerberos Authentication against AD working but
>> have been seeing inconsistent results/behaviour across multiple OSes and
>> I’m not sure if the issue lies with the DNS configuration, Kerberos
>> itself or with the Squid config:
>>
>> The DNS setup is as follows:
>>
>> test.squid.cluster. 3600 IN CNAME test-squid-cluster.dyn-zone.
>>
>> test-squid-cluster.dyn-zone. 60 IN A 1.2.3.4
>>
>> Where 1.2.3.4 is the IP of one of the servers in the cluster. The
>> intention is to have multiple Squid servers behind a single DNS name for
>> high-availability.
>>
>
> FYI, you cannot have multiple CNAME for test.squid.cluster pointing at
> different Squid server names. So this should not be a problem.
>
>
> In Kerberos:
> * Setup your keytab entry for HTTP/test-squid-cluster.dyn-zone at REALM.
> * export the HTTP/test-squid-cluster.dyn-zone at REALM keytab to each proxy
>
> In DNS:
> * Add as many proxies as you want to test-squid-cluster.dyn-zone with A or
> AAAA records in DNS.
> * point any domains you want those proxies to be acting as a CDN for to
> test-squid-cluster.dyn-zone using CNAME in DNS.
>
>
>
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
--
/****************************
Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: Mark.Cairney at ed.ac.uk
*******************************/
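Added example (not part of the thread, and not Squid or msktutil code): a small check for the KVNO drift discussed above, where Amos's advice is to export one HTTP/...@REALM keytab to every proxy behind the round-robin name. It compares the highest KVNO in each proxy's copy of the keytab (from `klist -kt`) against the KVNO the KDC currently issues for the SPN (from `kvno`). The klist/kvno outputs below are constructed samples in MIT Kerberos format; the SPN and host names are assumptions.

```shell
#!/bin/sh
# Added example: detect a proxy whose keytab copy fell behind the AD KVNO.
# Assumes MIT Kerberos output formats; all sample output is constructed.

SPN='HTTP/test-squid-cluster.dyn.zone@REALM'   # assumed SPN, as in the thread

# Constructed `klist -kt /etc/squid/HTTP.keytab` dumps from two proxies.
# Proxy A was re-exported after a password reset; proxy B still has the old copy.
KLIST_A='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- -------------------------------------------
   2 06/01/2025 09:00:00 HTTP/test-squid-cluster.dyn.zone@REALM
   3 06/23/2025 10:00:00 HTTP/test-squid-cluster.dyn.zone@REALM
   3 06/23/2025 10:00:00 HTTP/test-squid-cluster.dyn.zone@REALM'
KLIST_B='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- -------------------------------------------
   2 06/01/2025 09:00:00 HTTP/test-squid-cluster.dyn.zone@REALM'

# Constructed output of `kvno HTTP/test-squid-cluster.dyn.zone@REALM` run on a
# domain-joined client, i.e. the key version AD is issuing service tickets with.
KVNO_OUT='HTTP/test-squid-cluster.dyn.zone@REALM: kvno = 3'

# Highest KVNO a keytab dump holds for a principal (empty if the SPN is absent).
# The principal is the last field; the timestamp contains a space.
keytab_max_kvno() {  # $1 = klist -kt output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p && $1 > m { m = $1 } END { if (m) print m }'
}

# KVNO the KDC currently issues, parsed from `kvno` output.
kdc_kvno() {  # $1 = kvno output
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# 0 if this keytab copy can decrypt current service tickets, 1 if it has
# drifted behind the KDC (or never held the SPN at all).
keytab_in_sync() {  # $1 = klist output, $2 = kvno output, $3 = principal
    have=$(keytab_max_kvno "$1" "$3"); want=$(kdc_kvno "$2")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Stand-alone run: report each proxy.
for host in A B; do
    eval "dump=\$KLIST_$host"
    if keytab_in_sync "$dump" "$KVNO_OUT" "$SPN"; then echo "proxy $host: keytab kvno ok"
    else echo "proxy $host: keytab kvno DRIFTED, re-export the keytab"; fi
done
```

On real hosts, feed the functions the live output of `klist -kt /etc/squid/HTTP.keytab` on each proxy and of `kvno` on a client; a proxy reported as drifted will fail negotiate auth until the keytab is re-exported to it.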