On Thu, May 19, 2022 at 08:54:11AM -0400, ralph strebbing via samba wrote:
> Hi All,
>
> As mentioned in other threads, lately a big project I've been working on is the cutover to a new Palo Alto firewall. With this we've been using User Authentication for content filtering and we're quite restrictive. After many angles and attempts at different solutions that don't involve outright using a Windows domain controller, we've resorted to using Palo Alto's XML API to manipulate who's logged in when, by having an authentication agent we made sit on each PC and report back to a central server to make the API calls and track who's logged in.
>
> On this note, one thing we're trying to achieve now is locking this application down a bit, so we're trying to figure out the best way to go about obtaining the logged-in user's Kerberos? ticket, and somehow verifying that it's valid against the domain controller. If there is a better approach, I'm open to suggestions. The biggest thing we need is the ability to authenticate that the user logged into the PC is actually a valid domain user, because right now the agent simply sends the active session username to the auth server; there is no validation that exists right now.

Can you explain what "the agent" does to authenticate? I think we need more info on how the Palo Alto firewall does authentication.
On Thu, May 19, 2022 at 5:44 PM Jeremy Allison <jra at samba.org> wrote:
> Can you explain what "the agent" does to authenticate?

The agent is what we're building. Right now it is just pulling the current username. What we want is to somehow (if possible) obtain the ticket (may not be the correct term) of the currently logged-in user, and pass that off to Samba for verification. That's all I'm asking for, or if it's possible.

> I think we need more info on how the Palo Alto firewall does authentication.

The Palo has tons of ways to authenticate, but in this case the Palo isn't doing anything. WE are doing the legwork with a custom-developed solution and just telling the Palo via its API, "DOMAIN\User is mapped to IP". That's it on the Palo end. Our intermediate server, the thing the Agent talks to, and what sends the above commands to the Palo API, is just ingesting the info sent from the agent. THAT is the part we are trying to secure. Rather than sending the username, it would be nice to send the login ticket from the agent to the intermediate server, then (if possible) send a request to Samba to verify whether the ticket sent was valid or not, and what domain user it belonged to. If valid, send mapping commands; if not, do nothing.

Hope that helps.

Ralph
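The standard way to do what Ralph describes is not to ship the user's ticket-granting ticket anywhere. The agent uses the logged-in user's credential cache to request a service ticket for the intermediate server's own service principal, and sends the resulting GSSAPI token; the server validates that ticket with its own key (a keytab exported from the Samba AD DC, for example with `samba-tool domain exportkeytab`) and learns the authenticated principal. No separate "is this valid?" request to Samba is needed: the DC issued the ticket under the server's key, so only a holder of that key can decrypt it, and the acceptor rejects expired or replayed tickets. The following is an added example, not code from this thread or from Samba, using the python-gssapi package (assumed installed on both sides). The SPN `host/authsrv.ad.example.com@AD.EXAMPLE.COM`, the keytab path `/etc/authsrv.keytab` and the realm-to-NetBIOS map are constructed assumptions.

```python
# Added example, not from the thread: agent <-> intermediate-server Kerberos
# handshake over TCP using python-gssapi (assumed installed, MIT or Heimdal krb5).
# All names below are constructed assumptions for illustration.
import socket
import struct

SERVER_SPN = "host/authsrv.ad.example.com@AD.EXAMPLE.COM"  # assumed server principal
SERVER_KEYTAB = "/etc/authsrv.keytab"                       # assumed keytab from the Samba DC
REALM_TO_NETBIOS = {"AD.EXAMPLE.COM": "AD"}                 # assumed realm -> DOMAIN map
MAX_TOKEN = 64 * 1024  # an AP-REQ with a PAC is a few KB; refuse anything absurd


def frame(token: bytes) -> bytes:
    """Length-prefix a GSS token for transport over a plain byte stream."""
    if len(token) > MAX_TOKEN:
        raise ValueError("token too large")
    return struct.pack("!I", len(token)) + token


def unframe(buf: bytes):
    """Inverse of frame(): (token, remainder), or None if buf is still incomplete."""
    if len(buf) < 4:
        return None
    (n,) = struct.unpack("!I", buf[:4])
    if n > MAX_TOKEN:
        raise ValueError("token too large")  # check the length before trusting it
    if len(buf) < 4 + n:
        return None
    return buf[4:4 + n], buf[4 + n:]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-token")
        buf += chunk
    return buf


def recv_frame(sock: socket.socket) -> bytes:
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if n > MAX_TOKEN:
        raise ValueError("token too large")
    return _recv_exact(sock, n)


def principal_to_palo_user(principal: str, realm_map=REALM_TO_NETBIOS) -> str:
    """Turn an authenticated 'user@REALM' into the 'DOMAIN\\user' form used for the
    firewall mapping. Service principals and realms we don't know are refused."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    if "/" in user:  # host/..., HTTP/... etc. are machines/services, not logged-in users
        raise ValueError(f"not an interactive user: {principal!r}")
    netbios = realm_map.get(realm.upper())
    if netbios is None:
        raise ValueError(f"untrusted realm: {realm!r}")
    return f"{netbios}\\{user}"


def agent_authenticate(sock: socket.socket, spn: str = SERVER_SPN) -> None:
    """Agent side: the user's credential cache (TGT from logon) is used to obtain a
    service ticket for `spn`; mutual auth means the agent also verifies the server."""
    import gssapi  # imported lazily so the framing/mapping helpers work without it
    target = gssapi.Name(spn, gssapi.NameType.kerberos_principal)
    ctx = gssapi.SecurityContext(name=target, usage="initiate",
                                 flags=[gssapi.RequirementFlag.mutual_authentication])
    in_token = None
    while not ctx.complete:
        out_token = ctx.step(in_token)
        if out_token:
            sock.sendall(frame(out_token))
        if not ctx.complete:
            in_token = recv_frame(sock)


def server_authenticate(sock: socket.socket, spn: str = SERVER_SPN,
                        keytab: str = SERVER_KEYTAB) -> str:
    """Intermediate-server side: validate the agent's service ticket with our keytab
    key and return the authenticated principal, e.g. 'ralph@AD.EXAMPLE.COM'."""
    import gssapi
    creds = gssapi.Credentials(name=gssapi.Name(spn, gssapi.NameType.kerberos_principal),
                               usage="accept", store={"keytab": keytab})
    ctx = gssapi.SecurityContext(creds=creds, usage="accept")
    while not ctx.complete:
        out_token = ctx.step(recv_frame(sock))
        if out_token:
            sock.sendall(frame(out_token))  # AP-REP so the agent can verify us too
    return str(ctx.initiator_name)


def handle_agent(conn: socket.socket, peer_ip: str):
    """Per-connection server logic: (ip, 'DOMAIN\\user') ready for the firewall
    mapping call, using the TCP source address rather than an agent-supplied IP."""
    principal = server_authenticate(conn)
    return peer_ip, principal_to_palo_user(principal)
```

Two design points are worth spelling out. First, the mapping handed to the firewall is built from the connection's source address and the principal the acceptor returned, never from fields the agent chose to send; that is what closes the gap Ralph describes, where the agent's word is the only evidence. Second, the realm and service-principal checks in `principal_to_palo_user` matter because the acceptor will happily authenticate machine accounts and, with cross-realm trusts, users from other realms; whether those should drive an IP mapping is a policy decision the server has to make explicitly.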