Re: Authenticating mixed clients for Internet Access

From: harley mcdonald
Date: 07/16/02

Date: Tue, 16 Jul 2002 14:17:10 -0700 (PDT)
From: harley mcdonald
To: Quentin Hartman, "Steven J. Sobol"


you're on the right track for file / print sharing and
user authentication with samba PDC. more, you should
look into the winbind suite of samba and give some ACL
support a go ( needs to be compiled into the kernel up
to 2.4.x --not sure how high 'x' is ). combined they
are some really clever stuff for file access through
stupid windows network neighborhood, particularly when
you're talking as precise control as you seem to need
for fileserving :

acls :

winbind :

i don't know if there is an rpm out for winbind yet,
but you have to compile ACL support into that too
so... be sure to patch the kernel with both the acl
and extended attributes.

as for the proxy, i might try squid. it's got
extensive access controls. might give you what you

hope this helps

--- Quentin Hartman <> wrote:
> Steve et al-
> It seems I may have been unclear in stating
> my request, for which
> I apologize. We are trying to migrate away from MS
> server OS's for a
> variety of reasons, cost being the most significant.
> When I stated we have
> a mix of NT and Linux servers, I failed to mention
> that the remaining NT
> machine only serves to update our Norton AV
> corporate edition clients.
> There are no other services running on it, nor do we
> wish there to be any.
> My primary stumbling block in this project
> is finding a
> centralized way to control which users are allowed
> out to the Internet (via
> proxy, gateway, what have you) that will work for
> both Linux and Windows
> systems. I believe I have unified user logins across
> platforms sorted using
> Samba and PAM, but it is the Internet access control
> that is stumping me.
> We need to allow / deny Internet access to different
> users based on whether
> or not they have completed their acceptable use
> forms, and also have the
> ability to deny access to those who abuse the
> system. I am relatively new
> to this particular facet of network administration
> and design, so please
> excuse my ignorance on the topic. It seems this
> should be a common need
> with a well-established solution, but I have not
> found one.
> The users move between platforms regularly
> and I need consistency
> across them. I have found software (such as
> Microsoft's Proxy server, or
> Novell's) which works on a per-user basis, but those
> only run on OS's we do
> not use, or work only for Windows clients. It would
> be simple enough to
> block a particular machine using an ACL or similar,
> but I have not found
> anything that will authenticate on a per user basis
> on a Linux-based
> gateway, firewall, or proxy. I need it to work from
> either Windows Domain
> login (processed by a Samba PDC) or Linux terminal
> logins. I have found
> options which require people to SSH into a gateway
> to open a connection
> from the client, but I do not see that as a usable
> option in a k-12
> environment. My users are simply not up to that kind of
> process, especially
> not for the younger kids (or older teachers, for
> that matter). Am I chasing
> my tail, or is this sort of thing possible?
> <snip from Steve Sobol>
> >LDAP might be another potential solution.
> <snip>
> I have heard of a lot of people using LDAP as an
> authentication database,
> but I have yet to find any good current
> documentation on how to get such a
> beast rolling. I guess I just don't "get it". Such
> an open-ended and
> centralized system would be ideal for the services
> we want to offer in the
> future. I've tried a few times to figure it out on
> my own with OpenLDAP,
> but it seems pretty clunky in the role of an
> authentication db. What am I
> missing? What resources would you suggest?
> -Thanks in Advance and Best Regards-
> -Quentin Hartman-
> Original Post Follows:
> Colleagues-
> I am working on re-building a network for a k-12
> institution, and am trying
> to put in some security features that are sorely
> needed. One of the most
> glaringly obvious omissions for this environment is
> that there is no
> mechanism in place to authenticate users for
> internet access. It is a mixed
> environment of Linux and Windows 9x workstations and
> Linux and NT servers.
> I would very much like to have centralized user
> management. The scenario
> goals we are trying to achieve are:
> 1- Unrestricted user logs in. Has access to file /
> app servers and Internet
> 2- Semi-restricted user logs in. Has access to file
> / app servers, but not
> internet.
> 3- restricted user logs in. Has access only to local
> files and programs.
> 4- Unauthorized user cannot login.
> I imagine a combination of policy files for the 9x
> clients, samba, pam, and
> squid could achieve this, but I would like your
> feedback on the best way to
> proceed to complete this project. Am I on the right
> track at all?
> -Regards-
> -Quentin Hartman-

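The per-user proxy control the thread is circling around, written out as an added Squid configuration example (not from either poster). It assumes Squid 2.5 with Samba's ntlm_auth helper from the winbind suite, and the user-list file paths and LAN range below are constructed placeholders.

```conf
# Added example, not from the thread. Squid 2.5 + Samba ntlm_auth (winbind).
# The NTLM helper lets Windows domain logins pass through without a prompt;
# the basic helper covers Linux browsers, which send the same domain account.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Internet access - domain account required
auth_param basic credentialsttl 2 hours

# Every request must carry valid domain credentials (this is what triggers
# the 407 challenge when a browser has not authenticated yet).
acl authenticated proxy_auth REQUIRED

# Unrestricted users: one domain username per line, added as acceptable-use
# forms are signed. Constructed path.
acl aup_signed proxy_auth "/etc/squid/aup_signed.txt"

# Users pulled for abuse. Constructed path; checked before the allow list,
# so a name appearing in both files is still denied.
acl banned proxy_auth "/etc/squid/banned.txt"

# Constructed LAN range; only workstations on it may use the proxy at all.
acl localnet src 10.0.0.0/8

# Order matters: Squid stops at the first http_access line that matches.
http_access deny !localnet
http_access deny !authenticated
http_access deny banned
http_access allow aup_signed
http_access deny all
```

A domain account that authenticates but is not listed in aup_signed is denied, which is the semi-restricted case from the original post; someone with no domain account cannot get past the proxy_auth check at all.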
