On 18 Jul 2004, Santos wrote:

> I'm implementing a "Windows clients, Linux servers" kind of network.
> Some users may log in at different machines, therefore, IP level is not
> enough. I wonder if it's possible to control the access at the "domain
> users" level instead of network or IP level.

Not trivially.

> I could implement some proxies, but each client machine had to be
> configured and that would mean extra work.

Well, unless you need something other than what you can get through a web proxy, using WPAD and/or a transparent squid with NTLM authentication should be sufficient, yes?

> IPtables can filter at the user level, but only with local users. Is
> there a way to configure iptables and kerberos working together or
> something like that?

No, because there is no user information associated with a connection, even via kerberos.

> Is this doable with PAM? I have read that SAMBA authenticated gateway
> HOWTO, but it doesn't look very reliable. Well, so basically what I
> want, is a firewall similar to an ISA Server firewall

There isn't much you can do other than use an authenticated proxy, or a "captive portal" system such as NoCatAuth:

<http://nocat.net/>

Daniel

--
We live in a hallucination of our own devising.
-- Alan Kay

