"Bryan J. Smith" <b.j.smith@xxxxxxxx> wrote:
> What I recommend is that you set up a one-way trust from ADS
> to a UNIX Kerberos realm, using ADS as the KDC.

This does not require Samba at all BTW. You're merely setting up a UNIX Kerberos client to a Windows Domain Controller (DC) that is also the Kerberos Key Distribution Center (KDC) aka "key server."

Some basic intro on this is here (Non-Windows client authentication to Windows KDC):
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/featusability/kerbinop.mspx

Kerberos clients in Linux now support MSKerberos extensions:
http://web.mit.edu/pismere/kerberos/Pismere-kerberos-notes.htm

It's important to understand which system/platform is the Kerberos client and which system/platform is the KDC in this documentation. In your case, you clearly want to use a Windows DC as your KDC, and your UNIX system with Squid as a client.

> You can then authenticate against that UNIX Kerberos realm
> with whatever method the local NSSwitch/PAM authentication
> supports where you are running Squid.

I guess what I'm saying is that you have 2 choices on the system running .

1. You can set up your UNIX system to authenticate against Kerberos for any user, assuming your Kerberos client services have been set up against for the entire system (as above).

2. You can set up a Kerberosized Squid (never tried this myself).

3. You can set up Squid with GSSAPI/SASL, which then authenticates against Kerberos (never tried this myself).

There are a lot of options to explore. I can't really give you a "cookbook" approach (I've used #1 myself), because it might not be appropriate for your system (#1 means you're always authorizing the entire system against Kerberos).

-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith@xxxxxxxx     | (please excuse any
http://thebs413.blogspot.com/ | missing headers)
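
The UNIX-side Kerberos client setup described in the message above, sketched as an added example that is not part of the original post: an MIT Kerberos /etc/krb5.conf that points the Squid host at a Windows DC acting as KDC. The realm EXAMPLE.COM and the host dc1.example.com are placeholders, not values from the thread.

```ini
# /etc/krb5.conf on the UNIX host running Squid (constructed example).
# EXAMPLE.COM and dc1.example.com are placeholders for the Active
# Directory domain and one of its domain controllers.

[libdefaults]
    # An AD realm name is the AD DNS domain name written in upper case.
    default_realm = EXAMPLE.COM
    # The KDC is listed explicitly below, so DNS SRV discovery is off.
    # This keeps the client from trusting whatever DNS returns as a KDC.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Tickets are rejected if client and DC clocks differ by more than
    # this many seconds, so the host must be time-synced with the DC.
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        # The Windows DC is the KDC; no Samba is involved on this host.
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    # Map hosts in the DNS domain to the AD realm.
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Running `kinit` for a domain user followed by `klist` on this host confirms that the DC issues a ticket-granting ticket before any PAM or Squid configuration is layered on top.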