On 23/9/2011 2:23 PM, Markus Moeller wrote:
>> This now goes more into how to setup Windows clients (Do I
>> understand right that you use IE on XP or Windows 7) with MIT Kerberos.
Yes, I am using IE 8 and/or Firefox 6 on Windows XP with MIT Kerberos.
>> There are several guides for this like
>> https://help.ubuntu.com/community/LDAP-Samba_PDC_%28for_Linux_and_Windows%29
>> and http://technet.microsoft.com/en-us/library/bb742433.aspx Section
>> "Using an MIT KDC with a Standalone Windows 2000 Workstation"
>> (although this is a bit older).
>
Hmmm, I see. That gets much more complex than I want. I need - with zero
client configuration - the client browser to pop up a window and
authenticate *securely* the user to squid (via Kerberos or otherwise).
Now I see we must use ksetup to "set the Kerberos realm and add a KDC
server" and then set the "local machine account password" on the client.
Finally we use ksetup again to map local machine accounts to Kerberos
principals - and we also need a client host account in the KDC (a user
account which already exists is not enough...)
I guess one could also use pGina to authenticate to Kerberos (by
replacing the Windows embedded authentication mechanisms).
So, this makes the whole process a problem - we cannot configure a large
number of clients like that. I thought authentication could be
transparent to the user.
So, I guess I must leave Kerberos running alone for a while. :-(
I think the last option - for a transparent solution - is to try
relaying authentication from squid to RADIUS through HTTPS. (I don't
know yet how and if this will work as I want - but I should try.)
I never expected I would have such big problems trying to authenticate
users securely to squid!
Nick
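The ksetup steps described in the post above, written out as an added example (not from the list thread or the Squid project); the realm name, KDC host name and machine password are placeholders to be replaced, and the script must run from an elevated prompt on the workstation.

```powershell
# Placeholders: replace with the real MIT realm, KDC host and a strong machine password.
$Realm   = 'EXAMPLE.REALM'      # MIT Kerberos realm name (upper case by convention)
$KdcHost = 'kdc.example.com'    # MIT KDC host
$MachPw  = 'REPLACE-ME'         # must match the host/<client-fqdn>@$Realm principal on the KDC

# 1. Point the workstation at the MIT realm and its KDC / kpasswd server.
ksetup /setdomain  $Realm
ksetup /addkdc     $Realm $KdcHost
ksetup /addkpasswd $Realm $KdcHost

# 2. Set the local machine account password. The KDC needs a matching
#    host/<client-fqdn>@$Realm principal created with the same password,
#    e.g. via kadmin on the KDC: addprinc host/<client-fqdn>@EXAMPLE.REALM
ksetup /setmachpassword $MachPw

# 3. Map Kerberos principals to local accounts so a realm logon lands in a
#    local profile. '* *' maps every principal to the same-named local user;
#    a single explicit mapping is the safer choice for a workstation.
ksetup /mapuser "nick@$Realm" nick

# 4. Show the resulting configuration for verification; a reboot is required
#    before the new realm settings take effect.
ksetup /dumpstate
```

After the reboot, `klist` on the workstation should show a TGT for the realm once the user has logged on with the mapped principal.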
This archive was generated by hypermail 2.2.0 : Fri Sep 23 2011 - 12:00:02 MDT