From LedHed's Wiki
(Created page with '== Kerberos == Squid can authenticate against a Kerberos KDC using the SQUID_KERB_AUTH helper.<br> This is particularly useful for Single Sign On authentication against Windows A...')
 
Line 4: Line 4:
  
  
== DNS & Hostname ==
+
== Windows ==
 +
 
 +
=== Active Directory Account ===
 +
Create a user account (which will act like a machine/service account) from Active Directory Users and Computers. This account can be created in any OU.
 +
The username for this account must match the hostname of the squid proxy server (which we will be setting in the next step). Windows has a few reserved hostnames, "proxy" is one of them. So while using a hostname like proxy.domain.lan seems logical, windows will complain, so its best to avoid it.
 +
The "User Login name" should reflect the FQDN of the squid server.  In this example we'll use "web-proxy.domain.lan". The pre-Windows 2000 User logon name is limited to 20 characters, so drop the domain.lan parts and use just "web-proxy" for that username.
 +
 
 +
 
 +
=== DNS & Hostname ===
 
On the Windows DNS server create a HOST(A) record that points to the squid server.
 
On the Windows DNS server create a HOST(A) record that points to the squid server.
For this example we'll call the squid server '' web-proxy.domain.lan ''<br>
+
As mentioned above the AD Username must match the squid servers FQDN.<br>
  
You'll also need to set the hostname of the squid server to match.<br>
+
 
 +
== FreeBSD ==
 +
You'll also need to set the hostname of the squid server to match the DNS record you just created.<br>
 
On FreeBSD you set the hostname in /etc/rc.conf by setting:
 
On FreeBSD you set the hostname in /etc/rc.conf by setting:
 
  hostname="web-proxy.domain.lan"
 
  hostname="web-proxy.domain.lan"
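Review bot: The added Active Directory Account text says the username "must match the hostname of the squid proxy server" and then gives two different values, the FQDN "web-proxy.domain.lan" for the User Login name and "web-proxy" for the pre-Windows 2000 name, so state which field has to match which form of the name. The phrase "which we will be setting in the next step" points at DNS & Hostname, while the hostname is set under the new FreeBSD heading, and "its best" should read "it's best".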
Line 15: Line 25:
 
Now reboot your FreeBSD box to make the changes take effect.
 
Now reboot your FreeBSD box to make the changes take effect.
  
'''NOTE:''' You're going to be creating a AD account with the same username as the squid servers hostname. Windows has a few reserved hostnames "proxy" is one of them. So while using a hostname like proxy.domain.lan seems logical, windows will complain so its best to avoid it.
+
 
 +
 
 +
 
 +
 
 +
 
 +
 
  
  

Revision as of 16:30, 7 March 2011

Kerberos

Squid can authenticate against a Kerberos KDC using the SQUID_KERB_AUTH helper.
This is particularly useful for Single Sign On authentication against Windows Active Directory.


Windows

Active Directory Account

Create a user account (which will act like a machine/service account) from Active Directory Users and Computers. This account can be created in any OU.

The username for this account must match the hostname of the Squid proxy server (which we will be setting in the next step). Windows has a few reserved hostnames, and "proxy" is one of them. So while a hostname like proxy.domain.lan seems logical, Windows will complain, and it's best to avoid it.

The "User Login name" should reflect the FQDN of the Squid server. In this example we'll use "web-proxy.domain.lan". The pre-Windows 2000 User logon name is limited to 20 characters, so drop the domain.lan part and use just "web-proxy" for that username.


DNS & Hostname

On the Windows DNS server, create a HOST (A) record that points to the Squid server. As mentioned above, the AD username must match the Squid server's FQDN.


FreeBSD

You'll also need to set the hostname of the squid server to match the DNS record you just created.
On FreeBSD you set the hostname in /etc/rc.conf by setting:

  hostname="web-proxy.domain.lan"

You'll also need to change /etc/hosts to match:

  192.168.99.254           web-proxy.domain.lan  web-proxy

Now reboot your FreeBSD box to make the changes take effect.
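
A mismatch between any of the names set above is easy to miss, so here is a consistency check for them. This is an added example, not part of the original wiki page; the function names are hypothetical and the sample files are constructed from the page's example values.

```sh
#!/bin/sh
# Added example: checks that the names configured on this page agree.

# Print the hostname value from an rc.conf-style file (last assignment wins).
rc_hostname() {
    sed -n 's/^[[:space:]]*hostname="\{0,1\}\([^"#[:space:]]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1
}

# Succeed if one non-comment hosts line carries both the FQDN and the short name.
hosts_has_entry() {  # hosts_has_entry FILE FQDN SHORT
    awk -v f="$2" -v s="$3" '
        { sub(/#.*/, ""); hf = 0; hs = 0
          for (i = 2; i <= NF; i++) { if ($i == f) hf = 1; if ($i == s) hs = 1 }
          if (hf && hs) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print one line per problem; return 0 only if none were found.
check_proxy_names() {  # check_proxy_names FQDN RC_CONF HOSTS_FILE
    fqdn=$1; short=${1%%.*}; rc=0
    if [ "${#short}" -gt 20 ]; then
        echo "short name '$short' is over the 20-character pre-Windows 2000 limit"; rc=1
    fi
    case $(printf '%s' "$short" | tr '[:upper:]' '[:lower:]') in
        proxy) echo "'$short' is a hostname Windows reserves"; rc=1 ;;
    esac
    if [ "$(rc_hostname "$2")" != "$fqdn" ]; then
        echo "rc.conf hostname is '$(rc_hostname "$2")', expected '$fqdn'"; rc=1
    fi
    if ! hosts_has_entry "$3" "$fqdn" "$short"; then
        echo "hosts file has no line with both '$fqdn' and '$short'"; rc=1
    fi
    return "$rc"
}

# Constructed sample files mirroring the page's values (not read from a real system).
demo_dir=$(mktemp -d)
printf 'hostname="web-proxy.domain.lan"\n' > "$demo_dir/rc.conf"
printf '192.168.99.254\tweb-proxy.domain.lan web-proxy\n' > "$demo_dir/hosts"
check_proxy_names web-proxy.domain.lan "$demo_dir/rc.conf" "$demo_dir/hosts" && echo "names consistent"
```

On the proxy itself, call it as check_proxy_names web-proxy.domain.lan /etc/rc.conf /etc/hosts.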