Re: [squid-users] Creating a kerberos Service Principal.

From: Khaled Blah <khaled.blah_at_googlemail.com>
Date: Thu, 8 Apr 2010 18:59:37 +0200

I forgot this link to an Example configuration:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

2010/4/8 Khaled Blah <khaled.blah_at_googlemail.com>:
> Hi Bilal,
>
> 1. ktpass and msktutil practically do the same, they create keytabs
> which include the keys that squid will need to decrypt the ticket it
> receives from the user. However ktpass only creates a file which you
> will then have to securely transfer to your proxy server so that squid
> can access it. Using msktutil on your proxy server, you can get the
> same keytab without having to transfer it. Thus, msktutil saves you
> some time and hassle. AFAIR both need "Administrator" rights, which
> means the account used for ktpass/msktutil needs to be a member of the
> Administrator group.
>
> 2. To answer this question, one would need more information about your
> network and your setup. Basically, mixing any other authentication
> method with Kerberos is not a good idea. That's because if the other
> method is insecure or less secure, an attacker who gains access to a
> user's credentials will be able to impersonate that user against
> Kerberos and thus be able to use ALL services that this user has
> access to. In any case DO NOT use basic auth with Kerberos in a
> public set-up. That's a recipe for disaster. Digest auth and NTLM
> (v2) might be suitable but these are in fact less secure than Kerberos
> and thus not preferable. One down-side to Kerberos is that it's an
> "all-or-nothing" service, either you use Kerberos and only Kerberos or
> you risk security breaches in any "mixed" situation.
>
> HTH
>
> Khaled
>
> 2010/4/6 GIGO . <gigoz_at_msn.com>:
>>
>> Dear All,
>>
>> Please guide me in regard to SSO setup with Active Directory (No winbind/Samba). I have the following questions in this regard.
>>
>> 1. Creating a Kerberos service principal and keytab file that is used by the Squid what is the effective method? Difference between using Ktpass vs Msktutil package? What rights would I be required in Active Directory and if none then why so?
>>
>> 2. How to configure the fallback Authentication scheme if Kerberos fails? LDAP authentication using basic looks to be an option but isn't it less secure? Is there a better approach possible?
>>
>> regards,
>>
>> Bilal Aslam
>
Received on Thu Apr 08 2010 - 16:59:45 MDT
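
Added example, not part of the original messages or of Squid: the thread says a keytab holds the keys Squid uses to decrypt tickets, so whichever tool produced it, it is worth checking which principals, key versions and encryption types the file contains without printing the keys. The sketch assumes the MIT keytab file format version 0x0502; the principal HTTP/proxy.example.com@EXAMPLE.COM and the all-zero keys are constructed sample data, and the "weak" flag for DES/RC4 goes beyond what the thread discusses.

```python
import struct

# Enctype numbers from the IANA Kerberos registry.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def counted(buf, pos):
    """Read a uint16 length-prefixed byte string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(buf):
    """List principal, kvno and enctype per entry; key bytes are never returned."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos, end = pos + 4, pos + 4 + size
        if size <= 0:                  # negative size marks a deleted slot (hole)
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(buf, p)
            comps.append(comp.decode())
        p += 8                         # skip name type and timestamp (uint32 each)
        kvno, etype = struct.unpack_from(">BH", buf, p)
        _key, p = counted(buf, p + 3)  # step over the key without keeping it
        if end - p >= 4:               # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)),
                        "weak": etype in (1, 3, 23)})  # DES and RC4 are deprecated
        pos = end
    return entries

def build_entry(realm, comps, kvno, etype, key):
    """Build one constructed entry for the sample below (placeholder key bytes)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical principal with an RC4 key and an AES256 key.
NAME = [b"HTTP", b"proxy.example.com"]
SAMPLE = (b"\x05\x02" + build_entry(b"EXAMPLE.COM", NAME, 3, 23, b"\x00" * 16)
          + build_entry(b"EXAMPLE.COM", NAME, 3, 18, b"\x00" * 32))
```

To inspect a real file, pass its bytes to parse_keytab(); the keytab itself should stay readable only by the account Squid runs as.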
