03 September 2007

Authenticating SQUID in Active Directory

It's an annoying task, but let's play.

1. Requirements


Basic knowledge of Active Directory, Kerberos, Samba, Linux and Squid, and of all related packages. The Microsoft Windows Server 2003® must be reachable from the proxy server and *must* have a working WINS server.
The Linux server (any distro) must have these packages installed:
  • Kerberos5 (clients, libs, services, servers, etc.)
  • SQUID (v2.6)
  • Ntp
  • Samba (with winbind)


2. Introduction


We have two types of authentication:
NTLM authentication is automatic: the proxy receives the connection request and authenticates it against AD using the user's Windows login.
Basic authentication is the trivial scheme in which the user types a username and password.
The best point of NTLM authentication is that the proxy is transparent to the user, even if the browser is closed.


3. Preparations


The servers:

                 Domain Controller                           Proxy
  OS             Microsoft Windows Server 2003 Enterprise    Any Linux
  Host name      atenas.lab.wtf.br                           oslo.lab.wtf.br
  IP address     10.0.0.4                                    10.0.0.6


First of all, edit /etc/hosts on your Linux box:


10.0.0.60 oslo.lab.wtf.br oslo
10.0.0.4 atenas.lab.wtf.br atenas


Now, edit /etc/krb5.conf:


[libdefaults]
default_realm = LAB.WTF.BR
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
clockskew = 300
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]
LAB.WTF.BR = {
    kdc = atenas.lab.wtf.br
    default_domain = lab.wtf.br
    admin_server = atenas.lab.wtf.br
}

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.lab.wtf.br = LAB.WTF.BR
lab.wtf.br = LAB.WTF.BR


Now we need to sync the clocks, because Kerberos rejects tickets whose timestamps differ from the KDC's by more than the clockskew configured above (300 seconds). First, let's sync the Linux server:


# ntpdate pool.ntp.org


And then the Windows server:


C:\> net time /setsntp:pool.ntp.org
C:\> net stop w32time & net start w32time


Now edit /etc/nsswitch.conf and change these lines...


passwd: compat
group: compat


...to this, so that domain users and groups resolve through winbind:


passwd: compat winbind
group: compat winbind


4. Samba/Winbind


This is the /etc/samba/smb.conf used:


[global]
workgroup = PMP
netbios name = OSLO
server string = OSLO (Samba Server)
load printers = no
log file = /var/log/samba/log.%m
max log size = 500
realm = LAB.WTF.BR
security = domain
auth methods = winbind
winbind separator = /
encrypt passwords = yes
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 10.0.0.4
dns proxy = no
ldap ssl = no


Once configured, restart the Samba and winbind services.
Let's join the proxy server to the AD domain:


# net ads join -U Administrator -S lab.wtf.br



After entering the password, you'll see something like this:


# net ads join -U Administrator -S lab.wtf.br
Administrator's password:
Using short domain name - PMP
Joined 'OSLO' to realm 'LAB.WTF.BR'


You can verify that you are connected using these commands:


wbinfo -t    Verify the connection (the trust secret shared with the domain controller)

wbinfo -u    List all users in AD

wbinfo -g    List all groups in AD



5. Preparing SQUID
Modify /etc/squid/squid.conf like this:


http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# NTLM (automatic, browser-driven) authentication through winbind
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm use_ntlm_negotiate off
auth_param ntlm children 60
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 5 minutes
# Basic (username/password prompt) fallback. The basic scheme feeds the helper
# "user password" lines, so it must use the basic helper protocol: with
# squid-2.5-ntlmssp on this line every basic login fails. The challenge
# parameters above belong to the ntlm scheme only and are not repeated here.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 60
auth_param basic realm Type your USER/PASS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
# http_access is first-match: restrict ports first, then require a login,
# and deny whatever is left (the Safe_ports/SSL_ports ACLs do nothing
# unless a deny rule refers to them)
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow authenticated
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache/squid
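The two things in this file that are easiest to get wrong when it is later extended are the helper protocol on the basic line and the order of the http_access rules, which Squid evaluates first-match. The script below is an added example, not code from the original post: it runs a few checks over a squid.conf using the ACL and parameter names from the configuration above, and it comes with two constructed sample files, one with the mistakes and one corrected.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a squid.conf that
# fronts ntlm_auth/winbind. Each check prints one finding per line; nothing printed
# means the file passed. Both sample configurations below are constructed here.

# A configuration with the classic mistakes (constructed sample)
write_weak_conf() {
    cat > "$1" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
http_access allow all
http_access allow authenticated
EOF
}

# The same configuration with the mistakes corrected (constructed sample)
write_fixed_conf() {
    cat > "$1" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow authenticated
http_access deny all
EOF
}

check_squid_conf() {
    conf="$1"

    # 1. The basic scheme sends "user password" lines to its helper, so the helper must
    #    speak the basic protocol; with squid-2.5-ntlmssp every basic login fails.
    grep -E '^[[:space:]]*auth_param[[:space:]]+basic[[:space:]]+program[[:space:]]' "$conf" \
        | grep -q 'ntlmssp' \
        && echo "auth_param basic program uses the NTLMSSP helper protocol; use --helper-protocol=squid-2.5-basic"

    # 2. http_access is first-match: an "allow all" placed before the first rule that uses
    #    a proxy_auth ACL lets every request through without any authentication at all.
    awk '
        $1 == "acl" && $3 == "proxy_auth" { isauth[$2] = 1 }
        $1 == "http_access" && $2 == "allow" && $3 == "all" && !allow_all { allow_all = NR }
        $1 == "http_access" && !auth_rule {
            for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); if (n in isauth) { auth_rule = NR; break } }
        }
        END {
            if (allow_all && (!auth_rule || allow_all < auth_rule))
                print "line " allow_all ": http_access allow all is evaluated before the proxy_auth rule"
        }' "$conf"

    # 3. Safe_ports / SSL_ports restrict nothing until a deny rule refers to them.
    if grep -Eq '^[[:space:]]*acl[[:space:]]+Safe_ports' "$conf" \
       && ! grep -Eq '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+!Safe_ports' "$conf"; then
        echo "Safe_ports is defined but there is no 'http_access deny !Safe_ports'"
    fi
    if grep -Eq '^[[:space:]]*acl[[:space:]]+SSL_ports' "$conf" \
       && ! grep -Eq '^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+CONNECT[[:space:]]+!SSL_ports' "$conf"; then
        echo "SSL_ports is defined but there is no 'http_access deny CONNECT !SSL_ports'"
    fi
    return 0
}

# Number of findings for a file (0 means clean)
count_findings() {
    check_squid_conf "$1" | awk 'END { print NR }'
}

# Usage: sh check_squid_conf.sh /etc/squid/squid.conf  (no argument: run the built-in samples)
if [ $# -gt 0 ]; then
    check_squid_conf "$1"
else
    tmp=$(mktemp)
    write_weak_conf "$tmp";  echo "weak sample:";  check_squid_conf "$tmp"
    write_fixed_conf "$tmp"; echo "fixed sample: $(count_findings "$tmp") finding(s)"
    rm -f "$tmp"
fi
```

The awk pass in check 2 only knows ACL names that are declared with `proxy_auth`, so an `http_access` line that refers to an authentication ACL under a different name is still recognised, while an `allow all` that is placed after the login rule (where it can only be reached by already-authenticated requests) is not reported.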


6. Tests


Go to a Windows box, configure the browser to use the new proxy and try to access a web page. Then look in /var/log/squid/access.log and check that the user name appears in the log entries.
If you have problems, try your proxy with the default configuration first.
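What to look for in access.log is the user column of the native format that `access_log ... squid` writes: a successful NTLM login shows up as a 407 challenge followed by a line carrying the AD user name, while a request that was served without any user name means a request got past the proxy_auth ACL. The script below is an added example, not part of the original post; it assumes the native log format and works on constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a Squid "native" format
# access.log to see which requests carried an authenticated AD user.
# Field layout of the native format, one request per line:
#   $1 timestamp  $2 elapsed ms  $3 client IP  $4 result/HTTP-status  $5 bytes
#   $6 method     $7 URL         $8 user name ("-" when none)  $9 hierarchy/peer  $10 type

# Constructed sample log: two users, the normal 407 challenges that start each NTLM
# handshake, a CONNECT refused by the port rules (403, no user: expected), and one
# request that was served without a user (the case the last check surfaces).
write_sample_log() {
    cat > "$1" <<'EOF'
1188824001.123    312 10.0.0.50 TCP_DENIED/407 1776 GET http://www.example.com/ - NONE/- text/html
1188824001.456    845 10.0.0.50 TCP_MISS/200 5123 GET http://www.example.com/ joao DIRECT/198.51.100.10 text/html
1188824002.200    120 10.0.0.50 TCP_HIT/200 812 GET http://www.example.com/logo.png joao NONE/- image/png
1188824003.001    210 10.0.0.51 TCP_DENIED/407 1776 CONNECT mail.example.com:443 - NONE/- text/html
1188824003.300    990 10.0.0.51 TCP_MISS/200 0 CONNECT mail.example.com:443 maria DIRECT/198.51.100.10 -
1188824004.010     95 10.0.0.52 TCP_DENIED/403 1300 CONNECT mail.example.com:8443 - NONE/- text/html
1188824006.500    400 10.0.0.53 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/198.51.100.10 text/html
EOF
}

# "user<TAB>requests" per authenticated user, sorted by user name
requests_per_user() {
    awk '$8 != "-" { n[$8]++ } END { for (u in n) printf "%s\t%d\n", u, n[u] }' "$1" | sort
}

# Number of 407 replies. Some are expected: NTLM needs a challenge round trip before
# the user is known. Many of them with no authenticated line afterwards means the
# helper or winbind is failing, not the users.
count_407() {
    awk '{ split($4, s, "/"); if (s[2] == "407") c++ } END { print c + 0 }' "$1"
}

# Requests answered with a success status but no user name. With
# "http_access allow authenticated" as the only allow rule this must be 0;
# anything else means a request bypassed the proxy_auth ACL.
count_served_without_user() {
    awk '{ split($4, s, "/"); if ($8 == "-" && s[2] + 0 < 400) c++ } END { print c + 0 }' "$1"
}

# Usage: sh squid_auth_report.sh /var/log/squid/access.log  (no argument: built-in sample)
log="${1:-}"
made=0
if [ -z "$log" ]; then log=$(mktemp); write_sample_log "$log"; made=1; fi
echo "requests per authenticated user:"; requests_per_user "$log"
echo "407 challenges: $(count_407 "$log")"
echo "served without a user: $(count_served_without_user "$log")"
[ "$made" -eq 1 ] && rm -f "$log"
```

The 403 line is deliberately not counted as a problem: a CONNECT to a port outside SSL_ports is refused before the authentication ACL is reached, so it legitimately has no user name.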

5 comments:

  1. newbie (9.6.08)

    how to put two active groups in Squid

  2. newbie (9.6.08)

    I have two groups in Active Directory: one group has full access to the internet and the other group must have access only to a whitelist. Can somebody tell me how to manage this in squid.conf?

  3. In the same way you add one group, you do the second one. Internet access will be defined in AD, or you can simply deny access for a group in squid.conf.

  4. newbie (10.6.08)

    This is my configuration; can you tell me whether this is a good configuration:

    visible_hostname linux
    http_port 3128
    visible_hostname linux
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    access_log /var/log/squid/access.log squid
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="TESTDOMAIN+policy-internet-beperkt"
    auth_param ntlm use_ntlm_negotiate off
    auth_param ntlm children 60
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 5 minutes
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="TESTDOMAIN+policy-internet-beperkt"
    auth_param basic use_ntlm_negotiate off
    auth_param basic children 60
    auth_param basic realm Type your USER/PASS
    auth_param basic max_challenge_reuses 0
    auth_param basic max_challenge_lifetime 5 minutes
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="TESTDOMAIN+policy-internet-onbeperkt"
    auth_param ntlm use_ntlm_negotiate off
    auth_param ntlm children 60
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 5 minutes
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="TESTDOMAIN+policy-internet-onbeperkt"
    auth_param basic use_ntlm_negotiate off
    auth_param basic children 60
    auth_param basic realm Type your USER/PASS
    auth_param basic max_challenge_reuses 0
    auth_param basic max_challenge_lifetime 5 minutes
    access_log /var/log/squid/access.log squid
    acl all src 192.2.0.0/16
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl internet-beperkt proxy_auth REQUIRED
    acl internet-onbeperkt proxy_auth REQUIRED
    acl whitelist dstdomain "/etc/squid/whitelist/whitelist"
    acl ads dstdomain "/etc/squid/blacklist/ads"
    acl warez dstdomain "/etc/squid/blacklist/warez"
    http_access deny ads
    http_access deny warez
    http_access allow whitelist internet-beperkt
    http_access allow all internet-onbeperkt
    coredump_dir /var/cache/squid
    acl all src 192.2.0.0/16
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT
    acl internet-beperkt proxy_auth REQUIRED
    acl internet-onbeperkt proxy_auth REQUIRED
    acl whitelist dstdomain "/etc/squid/whitelist/whitelist"
    acl filehosting dstdomain "/etc/squid/blacklist/filehosting"
    acl warez dstdomain "/etc/squid/blacklist/warez"
    http_access allow all
    http_access deny filehosting
    http_access deny warez
    http_access allow whitelist internet-beperkt
    http_access allow internet-onbeperkt
    coredump_dir /var/cache/squid

  5. da_sepp (18.5.09)

    What is to do for using it with Windows 2008 AD?