Hi Matus.

On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx> wrote:
> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>> Thanks for the quick response Marcus.
>>
>> The reason I need to limit computer account and not user account is
>> that people here move out to distant branches and the internet access
>> policy is to allow to the position they hold, and thus the computer
>> they will use.
>
> I somehow don't understand this. Maybe it's my English.
> Do you need to control access for the user+computer combination?

I need to control access based on computer account as registered in the AD server.

>
>> I've successfully set up the Kerberos authentication but I don't see
>> how squid will fetch the computer information from client request and
>> authorize it based on the group membership in AD. What I wish to
>> accomplish is:
>>
>> 1. create a security group in AD
>> 2. add computer accounts to this security group
>> 3. squid checks if the computer trying to access internet is member of
>> this security group.
>> 4. if not, don't allow access to internet or request of AD user login
>> that is allowed.
>
> This seems that you want to allow access from some computers to the net, no
> matter which user is logged in. Why not use ip-based or maybe
> hardware_address-based authentication then?

That is correct. We have DHCP all over our network, so IP-based is a bad idea. For hardware_address-based auth, we will have to maintain a very large list of hardware addresses. Not a good idea but considerable (if computer account based auth doesn't work). Also to be noted that computer account based authentication would be more secure, as only a handful of admins have domain administrator level access, so it will be hard to spoof.

>
> --
> Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT wish to receive any advertising mail at this address.
> Quantum mechanics: The dreams stuff is made of.
>