Hi Bilal,
I create a new OU in Active Directory like OU=UnixPrincipals,DC=... I
then create a Windows Group UnixAdministrators and add the Windows account
of the UnixAdministrators to it. Finally I change the permissions on the
OU=UnixPrincipals so that the members of the group UnixAdministrators have
full rights (or limited rights) for objects under this OU.
Regards
Markus
"GIGO ." <gigoz_at_msn.com> wrote in message
news:SNT134-w395B3433738667DED2186EB9150_at_phx.gbl...
Markus, could not get you. Please can you elaborate a bit?
thank you all!
regards,
Bilal
----------------------------------------
> To: squid-users_at_squid-cache.org
> From: huaraz_at_moeller.plus.com
> Date: Thu, 8 Apr 2010 20:04:30 +0100
> Subject: [squid-users] Re: Creating a kerberos Service Principal.
>
> BTW You do not need Administrator rights. You can set permission for
> different Groups on OUs for example for Unix Kerberos Admins.
>
> Markus
>
> "Khaled Blah" wrote in message
> news:n2j4a3250ab1004080957id2f4a051xb31445428c62bea0_at_mail.gmail.com...
> Hi Bilal,
>
> 1. ktpass and msktutil practically do the same, they create keytabs
> which include the keys that squid will need to decrypt the ticket it
> receives from the user. However ktpass only creates a file which you
> will then have to securely transfer to your proxy server so that squid
> can access it. Using msktutil on your proxy server, you can get the
> same keytab without having to transfer it. Thus, msktutil saves you
> some time and hassle. AFAIR both need "Administrator" rights, which
> means the account used for ktpass/msktutil needs to be a member of the
> Administrator group.
>
>
> 2. To answer this question, one would need more information about your
> network and your setup. Basically, mixing any other authentication
> method with Kerberos is not a good idea. That's because if the other
> method is insecure or less secure an attacker who gains access to a
> user's credentials will be able to impersonate that user against
> Kerberos and thus be able to use ALL services that this user has
> access to. In any case DO NOT use basic auth with Kerberos in a
> public set-up. That's a recipe for disaster. Digest auth and NTLM
> (v2) might be suitable but these are in fact less secure than Kerberos
> and thus not preferable. One down-side to Kerberos is that it's an
> "all-or-nothing" service, either you use Kerberos and only Kerberos or
> you risk security breaches in any "mixed" situation.
>
> HTH
>
> Khaled
>
> 2010/4/6 GIGO . :
>>
>> Dear All,
>>
>> Please guide me in regard to SSO setup with Active Directory (No
>> winbind/Samba). I have the following questions in this regard.
>>
>> 1. Creating a Kerberos service principal and keytab file that is used by
>> the Squid, what is the effective method? Difference between using Ktpass
>> vs Msktutil package? What rights would I be required in Active Directory and
>> if none then why so?
>>
>> 2. How to configure the fallback Authentication scheme if Kerberos fails?
>> Ldap authentication using basic looks to be an option but isn't it less
>> secure? Is there a better approach possible?
>>
>> regards,
>>
>> Bilal Aslam
>
>
Received on Fri Apr 09 2010 - 07:10:40 MDT
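
The delegation Markus describes in the first message, written out as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module and a one-time run by an existing domain admin; the account name `unixadmin1`, the choice of the default Users container for the group, and the limited-rights variant for computer objects are assumptions made for illustration.

```powershell
# Added example, not from the thread. After this one-time setup, members of
# UnixAdministrators can manage principals in the OU without being in the
# Administrators group.
Import-Module ActiveDirectory

$domain    = Get-ADDomain                  # current domain, no DN hard-coded
$ouName    = 'UnixPrincipals'              # OU name from the thread
$ouDN      = "OU=$ouName,$($domain.DistinguishedName)"
$groupName = 'UnixAdministrators'          # group name from the thread
$member    = 'unixadmin1'                  # hypothetical account name
$trustee   = "$($domain.NetBIOSName)\$groupName"

# 1. Create the OU directly under the domain root if it is not there yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 2. Create the group outside the delegated OU (assumption: the default Users
#    container), so the delegation below does not let members edit the group.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $domain.UsersContainer
}
$current = Get-ADGroupMember -Identity $groupName |
           Select-Object -ExpandProperty SamAccountName
if ($member -notin $current) {
    Add-ADGroupMember -Identity $groupName -Members $member
}

# 3a. "Full rights": Generic All on the OU and everything below it (/I:T).
dsacls $ouDN /I:T /G "${trustee}:GA"

# 3b. "Limited rights" alternative (assumption: the principals are computer
#     objects): only create and delete computer objects in the OU.
# dsacls $ouDN /I:T /G "${trustee}:CCDC;computer"

# 4. Check: list the ACL entries on the OU that name the group.
dsacls $ouDN | Select-String -SimpleMatch $groupName
```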