On Thu, Sep 16, 2010 at 3:28 AM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
>
>> "Manoj Rajkarnikar" <manoj.rajkarnikar@xxxxxxxxx> wrote in message
>> news:AANLkTimRPZFwid0ehc0cBFchnDc7nV=-jStXTngMmXZp@xxxxxxxxxxxxxxxxx
>> Thanks for the quick response Markus.
>>
>> The reason I need to limit computer accounts and not user accounts is
>> that people here move out to distant branches, and the internet access
>> policy is to allow access according to the position they hold, and thus
>> the computer they will use.
>>
>> I've successfully set up the Kerberos authentication, but I don't see
>> how squid will fetch the computer information from the client request and
>> authorize it based on the group membership in AD. What I wish to
>> accomplish is:
>>
>> 1. create a security group in AD
>> 2. add computer accounts to this security group
>> 3. squid checks if the computer trying to access the internet is a member of
>>    this security group.
>> 4. if not, don't allow access to the internet, or request an AD user login
>>    that is allowed.
>>
>> I'm not sure if this is achievable.
>>
>
> I don't think this is possible with Kerberos as the ticket does not have
> (usable) information about the client computer.
>

Is there any other way that I can achieve this? Kerberos or no Kerberos?

I will have multiple layers of auth ACLs, and the major portion will be
handled by this auth (if possible; if not, I will have to use user-based auth).

This is how I plan to do it:

1. sites allowed to all (internal sites + some update sites)
2. privileged users, all sites allowed (computer account if possible, or IP-based or user-based)
3. semi-privileged users (some sites like facebook/hotmail/gmail etc. allowed to computer accounts or user accounts)
4. whitelist allowed to all
5. blacklist denied to all (porn/video sites and many others that are blocked)
6. other authenticated users allowed to the rest of the sites (this is the main ACL where I want it to be computer-account based if possible)

Thanks
Manoj
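One way to lay out the six tiers above as squid.conf http_access rules, added here as an illustration and not taken from the thread or from the Squid project. Since, as Markus notes, the Kerberos ticket does not identify the computer, the privileged tier is expressed by source network (the IP-based fallback mentioned above) and the other tiers by the authenticated user's AD group membership. The helper paths, realm, domain names, networks, list files and group names are assumed placeholders to adapt.

```conf
# Added example squid.conf fragment (not from the thread). Assumptions:
#  - Squid 3.1 or later with Negotiate/Kerberos authentication already working
#  - helper paths, the EXAMPLE.COM realm, the 10.1.10.0/24 network and the
#    group names inet-privileged / inet-social are placeholders
#  - the computer cannot be identified from the Kerberos ticket, so tier 2
#    falls back to source IP and tiers 3 and 6 use the logged-in user

auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.example.com@EXAMPLE.COM
auth_param negotiate children 20
auth_param negotiate keep_alive on

# AD group lookups keyed on the authenticated user (%LOGIN); one helper per group
external_acl_type ad_priv   ttl=3600 negative_ttl=300 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g inet-privileged@EXAMPLE.COM
external_acl_type ad_social ttl=3600 negative_ttl=300 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g inet-social@EXAMPLE.COM

acl auth_users      proxy_auth REQUIRED
acl privileged_net  src 10.1.10.0/24          # constructed: machines used by privileged positions
acl privileged      external ad_priv
acl semi_privileged external ad_social
acl open_sites      dstdomain .intranet.example.com .update.example.com   # constructed
acl social_sites    dstdomain .facebook.com .hotmail.com .gmail.com
acl whitelist       dstdomain "/etc/squid/whitelist.txt"   # placeholder list file
acl blacklist       dstdomain "/etc/squid/blacklist.txt"   # placeholder list file

# Order matters: the first matching http_access line decides.
http_access allow open_sites                    # 1. open to everyone, no login needed
http_access allow privileged_net                # 2. privileged tier by source network...
http_access allow privileged                    #    ...or by AD group of the logged-in user
http_access allow semi_privileged social_sites  # 3. social sites only for that group
http_access allow whitelist                     # 4. whitelist for all
http_access deny  blacklist                     # 5. blacklist for all
http_access allow auth_users                    # 6. any other authenticated user, remaining sites
http_access deny  all
```

Any ACL that uses %LOGIN (here privileged and semi_privileged) triggers an authentication challenge when it is evaluated, so unauthenticated requests only get through tiers 1 and 2 (the source-network rule). The blacklist deny sits after the semi-privileged rule on purpose: a social site that is also blacklisted stays reachable for that group but is blocked for tier 6, which is the layering the plan above describes.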