(Created page with '== Kerberos == Squid can authenticate against a Kerberos KDC using the SQUID_KERB_AUTH helper.<br> This is particularly useful for Single Sign On authentication against Windows A...') |
|||
Line 4: | Line 4: | ||
− | == DNS & Hostname == | + | == Windows == |
+ | |||
+ | === Active Directory Account === | ||
+ | Create a user account (which will act like a machine/service account) from Active Directory Users and Computers. This account can be created in any OU. | ||
+ | The username for this account must match the hostname of the squid proxy server (which we will be setting in the next step). Windows has a few reserved hostnames, "proxy" is one of them. So while using a hostname like proxy.domain.lan seems logical, windows will complain, so its best to avoid it. | ||
+ | The "User Login name" should reflect the FQDN of the squid server. In this example we'll use "web-proxy.domain.lan". The pre-Windows 2000 User logon name is limited to 20 characters, so drop the domain.lan parts and use just "web-proxy" for that username. | ||
+ | |||
+ | |||
+ | === DNS & Hostname === | ||
On the Windows DNS server create a HOST(A) record that points to the squid server. | On the Windows DNS server create a HOST(A) record that points to the squid server. | ||
− | + | As mentioned above the AD Username must match the squid servers FQDN.<br> | |
− | You'll also need to set the hostname of the squid server to match.<br> | + | |
+ | == FreeBSD == | ||
+ | You'll also need to set the hostname of the squid server to match the DNS record you just created.<br> | ||
On FreeBSD you set the hostname in /etc/rc.conf by setting: | On FreeBSD you set the hostname in /etc/rc.conf by setting: | ||
hostname="web-proxy.domain.lan" | hostname="web-proxy.domain.lan" | ||
Line 15: | Line 25: | ||
Now reboot your FreeBSD box to make the changes take effect. | Now reboot your FreeBSD box to make the changes take effect. | ||
− | + | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
Revision as of 16:30, 7 March 2011
Kerberos
Squid can authenticate against a Kerberos KDC using the SQUID_KERB_AUTH helper.
This is particularly useful for Single Sign On authentication against Windows Active Directory.
Windows
Active Directory Account
Create a user account (which will act like a machine/service account) from Active Directory Users and Computers. This account can be created in any OU. The username for this account must match the hostname of the squid proxy server (which we will be setting in the next step). Windows has a few reserved hostnames, "proxy" is one of them. So while using a hostname like proxy.domain.lan seems logical, windows will complain, so its best to avoid it. The "User Login name" should reflect the FQDN of the squid server. In this example we'll use "web-proxy.domain.lan". The pre-Windows 2000 User logon name is limited to 20 characters, so drop the domain.lan parts and use just "web-proxy" for that username.
DNS & Hostname
On the Windows DNS server create a HOST(A) record that points to the squid server.
As mentioned above the AD Username must match the squid servers FQDN.
FreeBSD
You'll also need to set the hostname of the squid server to match the DNS record you just created.
On FreeBSD you set the hostname in /etc/rc.conf by setting:
hostname="web-proxy.domain.lan"
You'll also need to change /etc/hosts to match
192.168.99.254 web-proxy.domain.lan web-proxy
Now reboot your FreeBSD box to make the changes take effect.