Thanks for the quick response, Markus.

The reason I need to limit the computer account and not the user account is that people here move out to distant branches, and the internet access policy is to allow access according to the position they hold, and thus the computer they will use.

I've successfully set up the Kerberos authentication, but I don't see how squid will fetch the computer information from the client request and authorize it based on the group membership in AD.

What I wish to accomplish is:

1. create a security group in AD
2. add computer accounts to this security group
3. squid checks if the computer trying to access the internet is a member of this security group.
4. if not, don't allow access to the internet or request of AD user login that is allowed.

I'm not sure if this is achievable.

Thanks for the help.

Manoj

On Wed, Sep 15, 2010 at 12:28 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>
> "Manoj Rajkarnikar" <manoj.rajkarnikar@xxxxxxxxx> wrote in message
> news:AANLkTinGXTOwX+AysRVGoasEiqRS1qrMX2VYM8t5i3Aj@xxxxxxxxxxxxxxxxx
>>
>> Hi all.
>>
>> I've been trying to set up this squid box with authentication to an AD
>> 2003 server. The need in our situation is to allow the workstation
>> access to the internet and not the user, since the users are always
>> moving from station to station. I've already set up Kerberos
>> authentication successfully. I've searched through the list for
>> anything related to authorizing computer accounts but found none.
>>
>
> Why do you want to limit the computer, not the user? I assume the users log
> in to the stations with their credentials, so moving stations should not be an
> issue, or?
>
>> I'm not very familiar with LDAP queries. Any help would be greatly
>> appreciated. I'm trying to use squid_kerb_ldap for LDAP
>> authorization...
>>
>
> squid_kerb_ldap will connect to AD and determine if a user is a member of
> an AD group. The connection to AD is authenticated using the Kerberos key
> from the squid keytab file, and the AD server is found by using SRV DNS
> records, which are usually defined in a Windows environment with AD.
>
>> Thank you very much for your help.
>>
>> Regards
>> Manoj
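
The membership check from steps 1-4 of the message above, as an added example that is not part of the thread and is not squid_kerb_ldap's code: a Squid external ACL helper that answers OK only for computer principals (`NAME$@REALM`) found in one AD group, escapes the name before it enters the LDAP filter, and fails closed on directory errors. Assumptions: the principal reaches the helper through `%LOGIN`, and the group DN, the host names and the `search` callable (a stand-in for a real LDAP query) are hypothetical or constructed.

```python
import sys
from urllib.parse import unquote

# Hypothetical DN; replace with the security group created in AD.
ALLOWED_GROUP_DN = "CN=InternetComputers,OU=Groups,DC=example,DC=local"

def ldap_escape(value):
    """Escape a filter value per RFC 4515 so a login cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def computer_filter(principal, group_dn=ALLOWED_GROUP_DN):
    """Return an LDAP filter for a machine principal (NAME$@REALM), else None."""
    account = principal.split("@", 1)[0]
    if not account.endswith("$") or len(account) < 2:
        return None  # not a computer account; user principals are not handled here
    return "(&(objectCategory=computer)(sAMAccountName=%s)(memberOf=%s))" % (
        ldap_escape(account), ldap_escape(group_dn))

def decide(line, search):
    """Map one helper request line to Squid's OK/ERR reply.

    `search` is an assumed callable that runs the filter against AD and
    returns True when at least one entry matches."""
    principal = unquote(line.strip())  # Squid URL-encodes helper input
    flt = computer_filter(principal)
    if flt is None:
        return "ERR"
    try:
        return "OK" if search(flt) else "ERR"
    except Exception:
        return "ERR"  # fail closed when the directory cannot be queried

# Constructed stand-in for the AD query: the one filter that "matches".
SAMPLE_MATCHES = {computer_filter("BRANCH-PC01$@EXAMPLE.LOCAL")}
def sample_search(flt):
    return flt in SAMPLE_MATCHES

def main(search):
    for line in sys.stdin:
        sys.stdout.write(decide(line, search) + "\n")
        sys.stdout.flush()  # Squid waits for each reply line

if __name__ == "__main__":
    main(sample_search)
```

The `memberOf` filter matches direct membership only, so computers that belong to the group through a nested group are not found by this query.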