[squid-users] Re: Re: squid client authentication against AD computer account

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Sun, 3 Oct 2010 14:46:45 +0100

Hi Manoj,

The only way I see this can work is to use my experimental local proxy to
support applications which don't support Negotiate authentication. You can
find it here:
http://squidkerbauth.cvs.sourceforge.net/viewvc/squidkerbauth/squid_kerberizer/

c:\> client_kerb_auth_sspi.exe -S -s <proxy-fqdn> -d -l evtlog (It will
run the client as a Service under the machine account.)

It will start a local proxy listening on port 8080 and when connecting to
the proxy (on port 3128) it will add Negotiate with the machine ID.

A squid log entry would look like:

2010/10/03 14:35:45| squid_kerb_auth: Decode
'YIIEqgYJKoZIhvcSAQICAQBuggSZMIIElaADAgEFoQMCAQ6iBwMFAAAAAACjggO/YYI......CY481Crtw+7+9ClxAeVjhI919w=='
(decoded length: 1198).
2010/10/03 14:35:45| squid_kerb_auth: AF AA== WINXP$@WIN2003R2.HOME

The id WINXP$@WIN2003R2.HOME can be fed into squid_kerb_ldap like it is a
user. (WINXP$ is the samaccountname of the machine in AD.)

Regards
Markus
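As an added illustration of the setup Markus describes (this is not configuration from the original post or from the squid_kerberizer project), the following squid.conf fragment ties the pieces together: squid_kerb_auth validates the Negotiate token and hands the resulting principal (here the machine principal WINXP$@WIN2003R2.HOME) to squid_kerb_ldap via %LOGIN, which checks the principal's AD group membership exactly as it would for a user. The helper paths, the proxy FQDN proxy.win2003r2.home and the group name ProxyComputers are assumptions for the example; the realm WIN2003R2.HOME is the one shown in the log above.

```text
# Negotiate/Kerberos authentication (example settings, not from the post).
# -s names the proxy's own service principal; the keytab must contain it.
auth_param negotiate program /usr/lib/squid/squid_kerb_auth -s HTTP/proxy.win2003r2.home@WIN2003R2.HOME
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Group lookup: %LOGIN passes the authenticated principal (user or machine,
# e.g. WINXP$@WIN2003R2.HOME) to squid_kerb_ldap, which returns OK when the
# account is a member of the group given with -g (assumed group name).
external_acl_type kerb_ldap_group ttl=3600 negative_ttl=60 %LOGIN /usr/lib/squid/squid_kerb_ldap -g ProxyComputers@WIN2003R2.HOME

# Step 3/4 of the thread: require a valid token, then require group membership.
acl authenticated proxy_auth REQUIRED
acl allowed_computers external kerb_ldap_group

http_access deny !authenticated
http_access allow allowed_computers
http_access deny all
```

Because the machine account is the principal in the token, only hosts that hold a valid machine credential in AD (and sit in the ProxyComputers group) get through; a user logging in from an unlisted machine is denied by the last rule regardless of their own group membership. Keep negative_ttl short so that adding a computer to the group takes effect without a long wait, and watch cache.log for the squid_kerb_auth "AF" lines shown above to confirm which principal each client actually presented.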

"Manoj Rajkarnikar" <manoj.rajkarnikar_at_gmail.com> wrote in message
news:AANLkTi=1JZ9PahW3PpD9L_KkccmxGwy8SQywy5J4eBCK_at_mail.gmail.com...
Does any of the authentication methods include the computer name in
the authentication tokens? I can setup any auth method if any of it
supports it. I basically want to authenticate client computers by the
hostname as registered in the AD.

Thanks everyone.

On Thu, Sep 23, 2010 at 1:45 PM, Manoj Rajkarnikar
<manoj.rajkarnikar_at_gmail.com> wrote:
> Hi Matus.
>
> On Tue, Sep 21, 2010 at 5:17 PM, Matus UHLAR - fantomas
> <uhlar_at_fantomas.sk> wrote:
>> On 15.09.10 12:59, Manoj Rajkarnikar wrote:
>>> Thanks for the quick response Marcus.
>>>
>>> The reason I need to limit computer account and not user account is
>>> that people here move out to distant branches and the internet access
>>> policy is to allow to the position they hold, and thus the computer
>>> they will use.
>>
>> I somehow don't understand this. Maybe it's my english.
>> Do you need to control access for the user+computer combination?
>
> I need to control access based on computer account as registered in
> the AD server.
>
>>
>>> I've successfully setup the kerberos authentication but I don't see
>>> how squid will fetch the computer information from client request and
>>> authorize it based on the group membership in AD. What I wish to
>>> accomplish is:
>>>
>>> 1. create a security group in AD
>>> 2. add computer accounts to this security group
>>> 3. squid checks if the computer trying to access internet is member of
>>> this security group.
>>> 4. if not, don't allow access to internet or request of AD user login
>>> that is allowed.
>>
>> This seems that you want to allow access from some computers to the net,
>> no matter which user is logged in. Why not use ip-based or maybe
>> hardware_address-based authentication then?
>
> That is correct.
> We have dhcp all over our network so ip-based is a bad idea.
> For hardware_address-based auth, we will have to maintain a very large
> list of hardware addresses.. not a good idea but considerable (if
> computer account based auth doesn't work)..
>
> Also to be noted that computer account based authentication would be
> more secure as only a handful of admins have domain administrator
> level access, so it will be hard to spoof.
>
>>
>> --
>> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>> Quantum mechanics: The dreams stuff is made of.
>>
>
Received on Sun Oct 03 2010 - 13:47:12 MDT