Hello
Does someone have CentOS squid-2.5 + Active Directory auth, like user@domain.com, with Active Directory not installed in mixed mode?
thanks in advance
Cesar Lagarrigue clagarrigue@bee.cl wrote:
Does someone have CentOS squid-2.5 + Active Directory auth, like user@domain.com, with Active Directory not installed in mixed mode? thanks in advance
If you're not in mixed mode, I don't think you can use NTLM (not even NTLMv2) authentication, at least not directly. You can only use Kerberos, although the Samba team has exposed that some mixed mode services are still active in even native mode (because things on Windows itself would break if they didn't).
What I recommend is that you set up a one-way trust from ADS to a UNIX Kerberos realm, using ADS as the KDC. You can then authenticate against that UNIX Kerberos realm with whatever method the local NSSwitch/PAM authentication supports where you are running Squid.
"Bryan J. Smith" b.j.smith@ieee.org wrote:
What I recommend is that you set up a one-way trust from ADS to a UNIX Kerberos realm, using ADS as the KDC.
This does not require Samba at all BTW. You're merely setting up a UNIX Kerberos client to a Windows Domain Controller (DC) that is also the Kerberos Key Distribution Center (KDC) aka "key server."
Some basic intro on this is here (Non-Windows client authentication to Windows KDC): http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/featus...
Kerberos clients in Linux now support MSKerberos extensions: http://web.mit.edu/pismere/kerberos/Pismere-kerberos-notes.htm
It's important to understand which system/platform is the Kerberos client and which system/platform is the KDC in this documentation. In your case, you clearly want to use a Windows DC as your KDC, and your UNIX system with Squid as a client.
You can then authenticate against that UNIX Kerberos realm with whatever method the local NSSwitch/PAM authentication supports where you are running Squid.
I guess what I'm saying is that you have 2 choices on the system running .
1. You can set up your UNIX system to authenticate against Kerberos for any user, assuming your Kerberos client services have been set up for the entire system (as above).
2. You can set up a Kerberosized Squid (never tried this myself).
3. You can set up Squid with GSSAPI/SASL, which then authenticates against Kerberos (never tried this myself).
There are a lot of options to explore. I can't really give you a "cookbook" approach (I've used #1 myself), because it might not be appropriate for your system (#1 means you're always authorizing the entire system against Kerberos).
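For option #1 above (a system-wide UNIX Kerberos client pointed at the Windows DC as KDC, with Squid using its PAM basic-auth helper), here is an added, constructed set of config fragments; it is not from the thread or from the Squid project. The realm EXAMPLE.COM, the DC name dc1.example.com and the helper path /usr/lib/squid/pam_auth are assumptions to replace with your own.

```ini
# /etc/krb5.conf  (constructed example; realm and DC names are assumptions)
# The AD realm is the AD DNS domain in upper case; the DC is the KDC,
# so user@domain.com becomes the principal user@EXAMPLE.COM. No Samba needed.
[libdefaults]
    default_realm = EXAMPLE.COM
    # resolve KDCs via DNS SRV records published by AD, or list them below
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/pam.d/squid  (PAM service name used by Squid's pam_auth helper)
# pam_krb5 checks the supplied password against the KDC; only the Kerberos
# principal has to exist, so the whole UNIX host is now trusting AD (option #1).
#   auth     required  pam_krb5.so
#   account  required  pam_krb5.so

# squid.conf fragment (squid-2.5 auth_param syntax; helper path is an assumption)
#   auth_param basic program /usr/lib/squid/pam_auth
#   auth_param basic children 5
#   auth_param basic realm Proxy (Active Directory account)
#   auth_param basic credentialsttl 2 hours
#   acl ad_users proxy_auth REQUIRED
#   http_access allow ad_users
#   http_access deny all
```

Verify the client side first with `kinit user@EXAMPLE.COM` (and `klist`) before touching Squid, so a failing ticket request is not mistaken for a PAM or Squid problem. Basic auth hands the proxy the user's AD password base64-encoded on every request, so the Squid host must be trusted and the client-to-proxy hop kept inside a trusted network.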