[squid-users] Re: Kerberos: HTTP/<host> and not HTTP/<host.fqdn>@FQDN

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sat, 17 Jul 2010 12:09:09 +0100

Hi Nick,

  This is an unusual setup. I wonder how you could get it to work, as a keytab
extraction usually changes the AD entry and therefore the key for your
2nd/3rd squid server. I suggest creating three separate AD entries and
removing any SPN for HTTP/<short-hostname>.

Regards
Markus

"Nick Cairncross" <Nick.Cairncross_at_condenast.co.uk> wrote in message
news:C8665961.B8AC%nick.cairncross_at_condenast.co.uk...
Hi list,

I think I have a problem with one of my SPNs/keytab - wondered if someone
could confirm this:

3 x squid boxes on different sites, squid1, squid2 and squid3 are their
hostnames. I have one AD account with the SPNs of all on it. Using fqdn for
the proxy address to 2 of them results in Kerberos tickets:
HTTP/<squid1>.fqdn@FQDN and HTTP/<squid2>.fqdn@FQDN and everything is fine.

However on the third one I get a ticket: HTTP/squid3@, i.e. no fqdn or @FQDN.

I have both 'squidx' and 'squidx.fqdn' in my AD SPN for all boxes. I'm
thinking the working two are using the squid.fqdn and the non-working one is
using just 'squid3' hence the issue. Does this sound feasible? I think the
answer is drop the 'squidx' from my SPNs and stick with the 'squidx.fqdn',
regenerate my keytab and that's it.

I have cloned one of the working squid boxes and replaced the non-working
one, so this leads me to believe it is the SPN/keytab and not the server.

Thoughts welcome!

Nickcx

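The two things raised in this thread, a short-hostname SPN left on the account and stale keys after a keytab regeneration elsewhere, can both be spotted in a `klist -k` listing of the keytab each squid box holds. The audit below is an added example for this archive page, not code from either poster or from Squid; the keytab path, hostnames, realm and kvno values are constructed placeholders.

```python
"""Audit a `klist -k`-style keytab listing for short-hostname SPNs and kvno drift."""
import re
from dataclasses import dataclass

# Constructed sample modelled on `klist -k` output (not taken from the thread).
# One AD account holds every SPN, so all entries should share one key version.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/squid1.example.com@EXAMPLE.COM
   5 HTTP/squid2.example.com@EXAMPLE.COM
   4 HTTP/squid3.example.com@EXAMPLE.COM
   5 HTTP/squid3@EXAMPLE.COM
"""

# kvno, service, host and realm of one keytab row; header/separator rows do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)/(\S+?)@(\S+)\s*$")


@dataclass(frozen=True)
class Entry:
    kvno: int
    service: str
    host: str
    realm: str


def parse_keytab_listing(text: str) -> list[Entry]:
    """Return one Entry per principal row in the listing."""
    return [Entry(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            for line in text.splitlines() if (m := ENTRY_RE.match(line))]


def find_short_hostname_spns(entries: list[Entry]) -> list[str]:
    """SPNs whose host part has no dot (HTTP/squid3): a client that types the
    short proxy name asks the KDC for exactly this name instead of the FQDN."""
    return sorted({f"{e.service}/{e.host}" for e in entries if "." not in e.host})


def find_kvno_mismatches(entries: list[Entry]) -> list[str]:
    """Entries whose kvno lags the highest one seen. When one AD account backs
    every SPN, a keytab regenerated on another box bumps the account's key version
    and leaves this keytab's older keys unable to decrypt new service tickets."""
    if not entries:
        return []
    current = max(e.kvno for e in entries)
    return sorted(f"{e.service}/{e.host}@{e.realm} (kvno {e.kvno} != {current})"
                  for e in entries if e.kvno != current)


if __name__ == "__main__":
    parsed = parse_keytab_listing(SAMPLE_KEYTAB)
    print("short-hostname SPNs:", find_short_hostname_spns(parsed))
    print("stale kvno entries:", find_kvno_mismatches(parsed))
```

A keytab that is mid-rotation legitimately carries both the old and the new kvno for the same principal, so treat the kvno check as a prompt to compare against the AD account's current key version rather than as proof of breakage.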
Received on Sat Jul 17 2010 - 11:09:31 MDT