On Sun, Oct 3, 2010 at 19:46, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> Hi Manoj,
>
>
> The only way I see this can work is to use my experimental local proxy to
> support application which don't support Negotiate authentication. You can
> find it here
> http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/
>
> c:\> client_kerb_auth_sspi.exe -S -s <proxy-fqdn> -d -l evtlog (It will
> run the client as a Servuce under the machine account.)
>
> It will start a local proxy listening on port 8080 and when connecting to
> the proxy (on port 3128) it will add Negotiate with the machine ID.
>
> A squid log entry woul look like:
>
> 2010/10/03 14:35:45| squid_kerb_auth: Decode
> 'YIIEqgYJKoZIhvcSAQICAQBuggSZMIIElaADAgEFoQMCAQ6iBwMFAAAAAACjggO/YYI......CY481Crtw+7+9ClxAeVjhI919w=='
> (decoded length: 1198).
> 2010/10/03 14:35:45| squid_kerb_auth: AF AA== WINXP$@WIN2003R2.HOME
>
> The id WINXP$@WIN2003R2.HOME can be fed into squid_kerb_ldap like it is a
> user. ( WINXP$ is the samaccountname of the machine in AD)
>
> Regards
> Markus
>
> "Manoj Rajkarnikar" <manoj.rajkarnikar_at_gmail.com> wrote in message
> news:AANLkTi=1JZ9PahW3PpD9L_KkccmxGwy8SQywy5J4eBCK_at_mail.gmail.com...
> Does any of the authentication methods include the computer name in
> the authentication tokens?? I can setup any auth method if any of it
> supports it. I basically want to authenticate client computers by the
> hostname as registered in the AD.
>
> Thanks everyone.
>
> On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar
> <manoj.rajkarnikar_at_gmail.com> wrote:
>>
>> Hi Matus.
>>
>> On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
>> <uhlar_at_fantomas.sk> wrote:
>>>
>>> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>>>>
>>>> Thanks for the quick response Marcus.
>>>>
>>>> The reason I need to limit computer account and not user account is
>>>> that people here move out to distant branches and the internet access
>>>> policy is to allow to the position they hold, and thus the computer
>>>> they will use.
>>>
>>> I somehow don't understand this. Maybe it's my english.
>>> Do you need to control access for the user+computer combination?
>>
>> I need to control access based on computer account as registered in
>> the AD server.
>>
>>>
>>>> I've successfully setup the kerberos authentication but I don't see
>>>> how squid will fetch the computer information from client request and
>>>> authorize it based on the group membership in AD. What I wish to
>>>> accomplish is:
>>>>
>>>> 1. create a security group in AD
>>>> 2. add computer accounts to this security group
>>>> 3. squid checks if the computer trying to access internet is member of
>>>> this security group.
>>>> 4. if not, don't allow access to internet or request of AD user login
>>>> that is allowed.
>>>
>>> This seems that you want to allow access from some computers to the net,
>>> no
>>> matter which user is logged in. Why not use ip-based or maybe
>>> hardware_address-based authentication then?
>>
>> That is correct.
>> We have dhcp all over our network so ip-based is a bad idea.
>> For hardware_address-based auth, will have to maintain a very large
>> list of hardware addresses.. not a good idea but considerable (if
>> computer account based auth don't work)..
>>
>> Also to be noted that computer account based authentication would be
>> more secure as only a handful of admins have domain administrator
>> level access, so it will be hard to spoof.
>>
I still think Matus's idea of using IP based is the best and simplest
approach. Even if you have DHCP enabled, you can always force a
certain computer to a certain IP.
Regards
HASSAN
Received on Wed Oct 06 2010 - 19:39:31 MDT
This archive was generated by hypermail 2.2.0 : Mon Oct 18 2010 - 12:00:03 MDT