RE: [SLUG] Authentication question
Bryan,

I was faced with a similar authentication problem in our office: Win2K Active Directory used to authenticate users and needing to insert an authenticating Squid proxy. Here are my results:

smb_auth: Worked. Users had to enter a username+password every time, even though they were already authenticated. Politic determined that this was unacceptable (whining bastards!). If you can live with manual login on Squid this is a no-brainer to install. Skill level required: 3/10.

PAM: Never got this working properly. Like you, PAM is a bit of black magic to me too. I got the basics sorted but not enough to debug weird problems like certain users being able to authenticate and others failing. (??) Skill level required: ??/10 but you need to know PAM.

Winbind: Worked and this is what we have stuck with. It passes the cached domain login correctly to Squid so the authentication takes place but the user never sees the login for the proxy. Manglement is happy. It's a little tricky to set up but I have some documentation (for FreeBSD) that will point you in the right direction if you like. E-mail off-list if you like. There are some excellent guides online (google it) that will show you step-by-step how to compile squid and samba to work together to authenticate squid using winbind. You don't need to do the whole nsswitch/pam/winbind thing to allow your users shell access to the squid box either :-) Skill level required: 6/10 (compiling with specific options etc).

Good luck.

--James

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Simon Bryan
> Sent: Sunday, 23 March 2003 3:55 PM
> To: Slug
> Subject: [SLUG] Authentication question
>
> Hi all,
> I am trying to build a system for my school to restrict downloads for users
> when they exceed a certain limit. In fact that bit works, now I need to add
> some whistles and bells. We run SQUID on a RH server with DansGuardian as a
> content filter and Squidalyser running nightly to analyse the logs.
>
> I have a php page that runs against the database created by Squidalyser from
> the Squid logs. A user can enter their username and be told what their data
> usage for the month is, however any user can enter any known username, so
> there is a privacy issue. I would like the user to have to authenticate
> themselves first and then only see their own usage.
>
> Currently we run an NT Domain with users authenticating to the PDC, when
> they go into our Intranet (which is AUC) on a Linux (RH) server they are
> authenticated on that NT server by a PAM module (comes with the AUC
> distribution). (I still find PAM a bit of a black art).
>
> However the proxy server is not on that server it is on another RH server.
>
> Is it feasible that I can achieve what I want? If so can someone point me in
> the right direction? Would winbind be of any help?
>
> Simon Bryan
> IT Manager
> OLMC Parramata
> ICQ#: 137562751

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug

Re: [SLUG] Authentication question
> Currently we run an NT Domain with users authenticating to the PDC, when
> they go into our Intranet (which is AUC) on a Linux (RH) server they are
> authenticated on that NT server by a PAM module (comes with the AUC
> distribution). (I still find PAM a bit of a black art).

apache can be made to use SMB authentication either via PAM or directly.. winbind is probably overkill when all you want is yes/no .. you could also do it with some PHP I think.. (I think someone used my pam_smb code to make a php module at one stage..)..

Dave.

> However the proxy server is not on that server it is on another RH server.
>
> Is it feasible that I can achieve what I want? If so can someone point me in
> the right direction? Would winbind be of any help?
>
> Simon Bryan
> IT Manager
> OLMC Parramata
> ICQ#: 137562751

--
David Airlie, Software Engineer
http://www.skynet.ie/~airlied / [EMAIL PROTECTED]
pam_smb / Linux DecStation / Linux VAX / ILUG person

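Added illustration, not part of any poster's message and not Squidalyser code: once the web server authenticates the request (by SMB, PAM or winbind, as discussed above), the usage page can take the account name from the server-supplied `REMOTE_USER` value and never from a form field, which closes the "any user can enter any known username" gap. It is written in Python rather than the thread's PHP so that it is self-contained; the `usage` table, the function names and the sample rows are hypothetical, and it assumes logged usernames are stored in lower case.

```python
import sqlite3


def authenticated_user(environ):
    """Return the bare login name the web server authenticated, or None."""
    raw = (environ.get("REMOTE_USER") or "").strip()
    if not raw:
        return None
    # Domain logins commonly arrive as DOMAIN\user; some modules use user@REALM.
    if "\\" in raw:
        raw = raw.split("\\", 1)[1]
    elif "@" in raw:
        raw = raw.split("@", 1)[0]
    # Assumption: the log database stores usernames in lower case.
    return raw.lower() or None


def monthly_usage(environ, db, month):
    """Return (status, body) holding only the authenticated user's own usage."""
    user = authenticated_user(environ)
    if user is None:
        return 401, None  # no server-side authentication: show nothing
    # QUERY_STRING (e.g. "username=bob") is deliberately never consulted.
    row = db.execute(
        "SELECT COALESCE(SUM(bytes), 0) FROM usage"
        " WHERE username = ? AND month = ?",
        (user, month),
    ).fetchone()
    return 200, {"user": user, "bytes": row[0]}


def sample_db():
    """Constructed sample data standing in for the log database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usage (username TEXT, month TEXT, bytes INTEGER)")
    db.executemany(
        "INSERT INTO usage VALUES (?, ?, ?)",
        [("alice", "2003-03", 1200), ("alice", "2003-03", 300),
         ("bob", "2003-03", 9000)],
    )
    return db


if __name__ == "__main__":
    request = {"REMOTE_USER": "SCHOOL\\Alice", "QUERY_STRING": "username=bob"}
    print(monthly_usage(request, sample_db(), "2003-03"))
```
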
RE: [SLUG] Authentication Question
I agree with Tom. Sounds like a textbook case for LDAP.

James
[EMAIL PROTECTED]

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug

RE: [SLUG] Authentication Question
On Tue, 17 Oct 2000, George Vieira wrote:

> yellow pages `yppasswd` is one way.. when the user changes their password
> then all servers update the unix password... (not samba password though)..

Hold on, guys, what's wrong with LDAP?

tom.

Consultant
AUSSEC
Phone: 61 4 1768 2202
339 Blaxland Rd., Ryde NSW 2112
Email: [EMAIL PROTECTED]

Re: [SLUG] Authentication Question
Well, if I sync samba with the unix password database then this could work... I'll look into it.

Thanks a lot.

Regards,
Gonzalo.

George Vieira wrote:
>
> yellow pages `yppasswd` is one way.. when the user changes their password
> then all servers update the unix password... (not samba password though)..
>
> thanks,
> George Vieira
> Network Administrator
> http://www.citadelcomputer.com.au
> PGP Fingerprint : 43DC 92AC 1A82 27B2 E97B 52F1 B60F 301A 38A9 A10C
> PGP KeyID: 0x38A9A10C
>
> -----Original Message-----
> From: Gonzalo Servat [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 17, 2000 9:20 AM
> To: SLUG Mailing List
> Subject: [SLUG] Authentication Question
>
> Hi Slugers.
>
> I have a question regarding authentication with Samba and Radius.
>
> I have a setup of 3 computers. One of the machines will be the main
> firewall (which will also handle PPP dialin using a 8 port serial card),
> the Second machine will be the main Password/File Server (using SAMBA)
> and the third machine will be the main proxy/e-mail server. The firewall
> machine will have an external IP address as well as internal and the
> other 2 machines will only have internal IP's.
>
> I was hoping I could get some suggestions as to how I can go about
> sharing the passwd/shadow file across the network (in a secure way) so
> that if the File Server has all the employee's added to it and so that
> the e-mail server will be able to authenticate users from the main File
> Server. Also the firewall will be taking care of the PPP dialin so this
> machine will also have to authenticate users from the main File Server
> machine.
>
> How could I go about doing this? I thought maybe NIS will do the trick
> but I have been told Samba and Radius don't support NIS. Another (rather
> un-secure) way of doing it is to configure scp on the 2 client machines
> (firewall and proxy/e-mail server) to download the passwd and shadow
> files from the file server every few minutes but that's not secure and
> surely there has got to be a better way of doing it.
>
> Thanks in advance for any help.
>
> Regards,
>
> Gonzalo.
>
> Gonzalo Servat [EMAIL PROTECTED]
> UNIXPAC Pty Ltd http://www.unixpac.com.au
> BESTNET Pty Ltd http://www.best.net.au
> LINUXPLAZA Pty Ltd http://www.linuxplaza.com.au
> 339 Military Road, Level 3
> Cremorne (Sydney) NSW 2090 AUSTRALIA
> Tel +61 2 9953-8366 ext 210
> Fax +61 2 9953-5875

RE: [SLUG] Authentication Question
yellow pages `yppasswd` is one way.. when the user changes their password then all servers update the unix password... (not samba password though)..

thanks,
George Vieira
Network Administrator
http://www.citadelcomputer.com.au
PGP Fingerprint : 43DC 92AC 1A82 27B2 E97B 52F1 B60F 301A 38A9 A10C
PGP KeyID: 0x38A9A10C

-----Original Message-----
From: Gonzalo Servat [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 17, 2000 9:20 AM
To: SLUG Mailing List
Subject: [SLUG] Authentication Question

Hi Slugers.

I have a question regarding authentication with Samba and Radius.

I have a setup of 3 computers. One of the machines will be the main firewall (which will also handle PPP dialin using a 8 port serial card), the Second machine will be the main Password/File Server (using SAMBA) and the third machine will be the main proxy/e-mail server. The firewall machine will have an external IP address as well as internal and the other 2 machines will only have internal IP's.

I was hoping I could get some suggestions as to how I can go about sharing the passwd/shadow file across the network (in a secure way) so that if the File Server has all the employee's added to it and so that the e-mail server will be able to authenticate users from the main File Server. Also the firewall will be taking care of the PPP dialin so this machine will also have to authenticate users from the main File Server machine.

How could I go about doing this? I thought maybe NIS will do the trick but I have been told Samba and Radius don't support NIS. Another (rather un-secure) way of doing it is to configure scp on the 2 client machines (firewall and proxy/e-mail server) to download the passwd and shadow files from the file server every few minutes but that's not secure and surely there has got to be a better way of doing it.

Thanks in advance for any help.

Regards,

Gonzalo.

Gonzalo Servat [EMAIL PROTECTED]
UNIXPAC Pty Ltd http://www.unixpac.com.au
BESTNET Pty Ltd http://www.best.net.au
LINUXPLAZA Pty Ltd http://www.linuxplaza.com.au
339 Military Road, Level 3
Cremorne (Sydney) NSW 2090 AUSTRALIA
Tel +61 2 9953-8366 ext 210
Fax +61 2 9953-5875