Authenticate squid in Active Directory

Re: Authenticate squid in Active Directory

bofh-6
On Feb 8, 2008 7:58 AM, Lars Noodin <[hidden email]> wrote:

>        expected to emulate a Windows Server 200x domain controller.
>        But the interoperability issue goes far deeper than this.
>        In the domain control protocols that are used by MS Windows
>        XP Professional, there is a tight interdependency between
>        the Kerberos protocols and the Microsoft distributed
>        computing environment (DCE) RPCs that themselves are an
>        integral part of the SMB/CIFS protocols as used by Microsoft."


Why are you changing the discussion from authentication to file serving?


> So the kerberos question still remains unless there is more recent
> material somewhere that can show that these problems have been resolved.
>    I would have expected some documentation.
>

What kerberos question?  Per your original email

> Allowing AD near any part of your infrastructure is the opposite of
> useful and results in a net loss of productivity.  No.
>
> LDAP+Kerberos is one tried and true option, but there are others
> nowadays.  Don't confuse AD with a useful tool or with an authentication
> service

Why are you confusing AD with file serving?  The original poster asked
about _AUTHENTICATION_.  You are just serving plain FUD.

> As of 2002, definitely not:
>        http://www.pcworld.com/article/id,97504/article.html
>
> > If you don't need to support Windows Vista client machines, you should be
> > all right.
>
> Nope.
>

Who gives a shit whether Vista needs to be supported or not?  I have Suse
boxes authenticating via kerberos from AD because - guess what - it improves
productivity and security.

> MS Exchange was one of the productivity killers I referred to earlier.
> For people that use e-mail, it's an albatross.  For people that need to
> use e-mail for their job, well, they can't work.


Again - what is your point?  Sexchange and LookOut suck.  The original
poster is asking about authenticating via AD.  Your ranting about other
topics is.... off topic.



--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related

Re: Authenticate squid in Active Directory

Lars D. Noodén
In reply to this post by Karl Karlsson
Karl Karlsson wrote:

> Those standards I fully agree with. I got a bit afloat there and thought
> you meant it in a broader sense as it's going almost everywhere these days
> where they use pam to glue everyone and everything together. But this
> really is off topic from that AD where we started. :)

Not entirely, if you could add something like the following, but pam may
not be so relevant for Squid:

  /etc/pam.d/common-krb5 to use as an include file for PAM:
    auth  sufficient  /lib/insecurity/pam_ad.so use_first_pass

Regards
-Lars
