On Friday 16 September 2005 06:32, nairb rotsak wrote:

** SNIPPED **

> But I think I read that Squid will use the
> authentication from the browser's header, and not from
> who is authenticated to the box or ip.
>
> Anybody got any good examples of using Squid to
> authenticate to AD (Samba has to be somewhere on the
> network.. right.. can't just be all windows) and
> REALLY do per user coming from a Citrix farm?

We're using Squid on FreeBSD (2.5_STABLE10) with AD authentication for our Windows Terminal Server users and it does do per-user authentication.

If you're paranoid (like me) we disabled NTLM authentication on the Squid box and stuck with "BASIC" for two reasons:

1. Users are presented with a "login" box each time they launch a browser. The login box has a customised "Realm" message that basically says "Be good boys and girls, play nice and we won't cancel your web access" ;)

2. The user ID that people log into the Terminal Server with is different to their real user account. We have "shared logins" for the terminal server so that all call center staff, etc get the same desktop etc but we want them to use their personal login to access the web - so transparent NTLM was a no-go for us.

All up, we're very pleased with the result and by adding banner/pop-up/flash-ad filtering and a few other access controls to the proxy (Squid) we've managed a quite secure and fast environment for our terminal server users. :)

And yes, Squid on Linux/*BSD/*nix uses Samba to provide the AD authentication layer via winbind. So you'll need to set that up first, then the Squid install is a piece of cake. The whole process is detailed in the FAQ and on literally hundreds of websites.

If you use SquidNT, it has its own AD/Windows-auth "wrapper" that plugs straight in with no fancy config required beyond an ACL rule or two.

HTH,

James
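The setup described in the message above, sketched as a squid.conf fragment. This is an added example, not part of the original post and not the poster's actual configuration; the helper path, child count, TTL, realm text and ACL name are assumptions, and it presumes Samba's winbind is already joined to the AD domain.

```conf
# Added example: Basic proxy authentication against AD through Samba's
# ntlm_auth helper (winbind). All values below are assumed, not taken
# from the post.

# Basic scheme only. No "auth_param ntlm ..." lines are defined, so the
# browser cannot authenticate silently with the shared Terminal Server
# logon; each user is prompted for a personal account instead.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5

# Text shown in the browser's login box (constructed sample wording).
auth_param basic realm Company web proxy - access is logged per user
auth_param basic credentialsttl 2 hours

# Require a valid AD username/password for every request.
acl ad_users proxy_auth REQUIRED
http_access allow ad_users
http_access deny all

# Note: Basic credentials are only base64-encoded between browser and
# proxy, so keep that network path trusted.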