On Thu, May 19, 2022 at 08:54:11AM -0400, ralph strebbing via samba
wrote:
>Hi All,
>
>As mentioned in other threads, lately a big project I've been working
>on is the cutover to a new Palo Alto firewall, with this we've been
>using User Authentication for content filtering and we're quite
>restrictive. After many angles and attempts at different solutions
>that don't involve outright using a windows domain controller, we've
>resorted to using Palo Alto's XML API to manipulate who's logged in
>when by having an authentication agent we made sit on each PC and
>report back to a central server to make the API calls and track who's
>logged in.
>On this note, one thing we're trying to achieve now is locking this
>application down a bit, so we're trying to figure out the best way to
>go about obtaining the logged in user's Kerberos? ticket, and somehow
>verifying that it's valid against the domain controller. If there is a
>better approach, I'm open to suggestions, the biggest thing we need is
>the ability to authenticate the user logged into the PC is actually a
>valid domain user, because right now the agent simply sends the active
>session username to the auth server, there is no validation that
>exists right now.
Can you explain what "the agent" does to authenticate?
I think we need more info on how the Palo Alto firewall
does authentication.
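One way to close the gap the question describes (the agent reports a username and the central server simply believes it), as an added example that is not code from this thread or from Palo Alto: let the agent authenticate to the collection server with Kerberos via SPNEGO, and have the server take the identity from the accepted security context rather than from the request body. This sketch uses the .NET HttpListener from PowerShell on a domain-joined Windows host; the port, path and the assumption that the service account holds the HTTP/<fqdn> SPN (SYSTEM or NetworkService on a member server cover it through the HOST/ alias) are my own, not anything the thread states.

```powershell
# Added example (not from the thread). Assumes a domain-joined Windows host,
# an account holding the HTTP/<server fqdn> SPN, and an agent that calls in
# with -UseDefaultCredentials. Port and path are placeholders.
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add('http://+:8443/session/')   # placeholder prefix
# Negotiate makes SSPI perform the Kerberos (or NTLM fallback) exchange for us;
# the resulting WindowsIdentity is validated against the domain, not self-reported.
$listener.AuthenticationSchemes = [System.Net.AuthenticationSchemes]::Negotiate
$listener.Start()

try {
    while ($listener.IsListening) {
        $ctx  = $listener.GetContext()
        $id   = $ctx.User.Identity        # filled in by SSPI, not by the client body
        $resp = $ctx.Response

        # The body is what the agent *claims*; $id is what the DC vouched for.
        $reader  = [System.IO.StreamReader]::new($ctx.Request.InputStream)
        $claimed = $reader.ReadToEnd().Trim()

        if (-not $id.IsAuthenticated -or $id.AuthenticationType -ne 'Kerberos') {
            # Reject anonymous or NTLM-fallback sessions: an NTLM fallback usually
            # means the SPN is wrong or the client has no TGT, both worth an alert.
            Write-Warning ("Rejected '{0}' from {1}: auth={2}" -f
                $claimed, $ctx.Request.RemoteEndPoint, $id.AuthenticationType)
            $resp.StatusCode = 401
        }
        elseif ($claimed -ne $id.Name) {
            # Agent-reported name disagrees with the authenticated principal.
            Write-Warning ("Mismatch: claimed '{0}', authenticated as '{1}'" -f
                $claimed, $id.Name)
            $resp.StatusCode = 403
        }
        else {
            # Only now is it safe to push $id.Name and the source IP into the
            # firewall's user-to-IP mapping (the XML API call itself is out of scope).
            Write-Host ("Verified {0} at {1}" -f $id.Name, $ctx.Request.RemoteEndPoint.Address)
            $resp.StatusCode = 200
        }
        $resp.Close()
    }
}
finally {
    $listener.Stop()
}

# Agent side, on each PC (assumed endpoint name, one call per logon):
#   $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
#   Invoke-RestMethod -Uri 'http://collector.example.local:8443/session/' `
#       -Method Post -Body $me -UseDefaultCredentials
```

Two operational notes: binding a non-admin listener needs a URL reservation first (`netsh http add urlacl`), and if the collector is a Samba or other non-Windows host the same idea applies with a keytab for the HTTP/ principal and a GSSAPI accept-side call instead of HttpListener; the important property either way is that the server learns the user from the Kerberos exchange, so a machine that can only send a username cannot log someone else in.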