On 23/9/2011 2:23 μμ, Markus Moeller wrote:
> This now goes more into how to set up Windows clients (do I understand right that you use IE on XP or Windows 7?) with MIT Kerberos.
Yes, I am using IE 8 and/or Firefox 6 on Windows XP with MIT Kerberos.
> There are several guides for this, like https://help.ubuntu.com/community/LDAP-Samba_PDC_%28for_Linux_and_Windows%29 and http://technet.microsoft.com/en-us/library/bb742433.aspx section "Using an MIT KDC with a Standalone Windows 2000 Workstation" (although this is a bit older).
Hmmm, I see. That gets much more complex than I want. I need - with zero client configuration - the client browser to pop up a window and authenticate the user *securely* to squid (via Kerberos or otherwise). Now I see we must use ksetup to "set the Kerberos realm and add a KDC server" and then set the "local machine account password" on the client. Finally we use ksetup again to map local machine accounts to Kerberos principals - and we also need a client host account in the KDC (a user account which already exists is not enough...)
I guess one could also use pGina to authenticate to Kerberos (by replacing the Windows embedded authentication mechanisms).
So, this makes the whole process a problem - we cannot configure a large number of clients like that. I thought authentication could be transparent to the user.
So, I guess I must leave Kerberos running alone for a while. :-( I think the last option - for a transparent solution - is to try relaying authentication from squid to RADIUS through HTTPS. (I don't know yet how and if this will work as I want - but I should try.)
I never expected I would have such big problems trying to authenticate users securely to squid!
Nick
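The ksetup steps Nick lists above, written out as an added example (not part of the thread and not the list's own guidance): it assumes an elevated cmd/PowerShell session on a single standalone Windows XP/7 client, and the realm, KDC host, account names and machine password are placeholders.

```powershell
# Added example: standalone Windows client against an MIT KDC via ksetup.
# ksetup ships with Windows 7; on XP it comes from the Support Tools.
# Every value below is a placeholder, not taken from the thread.
$Realm     = "EXAMPLE.COM"          # hypothetical MIT Kerberos realm (uppercase)
$Kdc       = "kdc.example.com"      # hypothetical KDC host
$MachPass  = "Replace-With-A-Long-Random-Value"   # must equal the host/ principal's password in the KDC
$Principal = "alice@EXAMPLE.COM"    # hypothetical Kerberos user principal
$LocalUser = "alice"                # existing local Windows account it maps to

# 1. Set the Kerberos realm and register the KDC (and kpasswd server) for it.
ksetup /setdomain $Realm
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# 2. Set the local machine account password. This only works if the KDC already
#    holds a host/<client-fqdn>@$Realm principal with the same password, i.e. the
#    "client host account in KDC" that an existing user account does not replace.
ksetup /setmachpassword $MachPass

# 3. Map the Kerberos principal to the local account. ("ksetup /mapuser * *" maps
#    every principal in the realm to a same-named local account instead.)
ksetup /mapuser $Principal $LocalUser

# 4. Review the stored configuration; a reboot is needed before logon uses it.
ksetup /dumpstate

# After reboot and a logon with the mapped principal, confirm a TGT was issued
# (klist is built in from Vista/Windows 7; on XP it comes from the Resource Kit tools).
klist
```

Because each client needs its own host principal, machine password and reboot, this is the per-machine work the reply above describes, which is why it does not scale to a large fleet without deployment tooling.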