This week I worked on getting a Linux box to authenticate against Active Directory. This has gotten a lot better support since the last time I tried.

Monday or Tuesday, I had the ability to log on to the machine with domain user credentials thanks to MIT Kerberos, Winbind, and Samba3. Yesterday, I had Squid proxy set up and got a basic configuration working. Most of yesterday I spent trying to get Squid to authenticate against the domain. I worked on this all day today as well, and I cracked the problem about 3:30pm. After I got Squid to authenticate domain users, I then tackled the problem of granting access based on domain groups. This actually took a bit of Perl hacking on the wbinfo_group.pl script that comes with Squid now.

At the end of the day, I was working from a motley set of resources. One that got MIT Kerberos set up correctly and almost got Samba3's config right. One that pointed out the flaws in the Samba3 configuration. Then there was one resource that explained how to set up the authenticator helpers in the Squid configuration - but this was targeted at Red Hat users. Then I found a few useful references in the Squid mail archive about changes that had to be made in wbinfo_group.pl to make it work correctly. When I went to make the changes I noticed that the file I was working from wasn't the same as the one in the example - it had been changed to handle multiple group membership - so I had to hack a small bit to fit the changes into the newer file. Once I finished that, everything worked well.

All in all, doing this on SuSE 10 was fairly easy. I didn't have to modify the nsswitch files or mess with PAM; that has all been set up for you. Oh, and the firewall configuration under SuSE 10 is much, much better. GUI configuration through YaST... almost as friendly as XP's firewall configuration. Simple is good.

 


Austin Gilbert/Male/26-30. Lives in United States/Oklahoma/Tulsa/Midtown, speaks English. Spends 40% of daytime online. Uses a Fast (128k-512k) connection. And likes computer science/photography.

2006/03/09