Autenticating SQUID in Active Directory

It's a annoying task, but lets play
1. Requirements
Basic knowledge in Active Directory, Kerberos, Samba, Linux e Squid. And all packages related. The Microsoft Windows Server 2003® must be acessible by proxy server and *must* have WINS Server working.

The linux server (any distro) must have installed this packages:

•     Kerberos5 (clients, libs, services, servers, etc)
•     SQUID (v2.6)
•     Ntp
•     Samba (with winbind)

2. Introduction
We have two types of authentication:

1. The NTLM Authentication is automatic, the proxy receives the connection requirement and authenticate using AD to make a login.
2. The BASIC Authentication is the trivial authentication with user input.

The best point of NTLM Authentication is the fact of the proxy will be transparent to the user, even if the browser is closed.

3. Preparations

The servers:

Server 1: Domain Controller
    Microsoft Windows Server 2003 Enterprise
    atenas.lab.wtf.br
    10.0.0.4

Server 2: Proxy
    Any Linux Distribution
    oslo.lab.wtf.br
    10.0.0.6

First of all, edit /etc/hosts in your linux box:

10.0.0.60 oslo.lab.wtf.br oslo
10.0.0.4 atenas.lab.wtf.br atenas

Now, edit the /etc/krb5.conf:

[libdefaults]
default_realm = LAB.WTF.BR krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
clockskew = 300

v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}

fcc-mit-ticketflags = true

[realms]
LAB.WTF.BR = {
    kdc = atenas.lab.wtf.br
    default_domain = lab.wtf.br
    admin_server = atenas.lab.wtf.br
}

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.lab.wtf.br = LAB.WTF.BR
lab.wtf.br = LAB.WTF.BR

We need to sync the clocks. First, let's sync the linux server:

# ntpdate pool.ntp.org

And then, the windows:

C:\> net time /setsntp:pool.ntp.org
C:\> net stop w32time & net start w32time

Now edit /etc/nsswitch.conf, and modify this lines...

passwd: compat
group: compat

...to this...

passwd: compat winbind
group: compat winbind

4. Samba/Winbind

This is the /etc/samba/smb.conf used:

[global]
workgroup = PMP
netbios name = OSLO
server string = OSLO (Samba Server)
load printers = no
log file = /var/log/samba/log.%m
max log size = 500
realm = LAB.WTF.BR
security = domain
auth methods = winbind
winbind separator = /
encrypt passwords = yes
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 10.0.0.4
dns proxy = no ldap ssl = no

After configured, restart SAMBA and WINBIND services.
Lets get the proxy server inside the AD:

# net ads join –U Administrator –S lab.wtf.br
After enter the password, you’ll see something like this:

# net ads join –U Administrator –S lab.wtf.br
Administrator’s password:
Using short domain name – PMP
Joined ‘OSLO’ to realm ‘LAB.WTF.BR’
You can verify if you’re connected using this commands:
# wbinfo –t
Verify connections:
# wbinfo –u
List all users in AD
# wbinfo –g
5. Preparing SQUID
Modify /etc/squid/squid.conf like this:

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm use_ntlm_negotiate off
auth_param ntlm children 60
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 5 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic use_ntlm_negotiate off
auth_param basic children 60
auth_param basic realm Type your USER/PASS
auth_param basic max_challenge_reuses 0
auth_param basic max_challenge_lifetime 5 minutes
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache/squid

6. Tests
Go to some box using windows, configure the browser to use the new proxy and try to access some web page. After this, look in /var/log/squid/access.log and see if the user are logging.

If you have some problems, try using your proxy with default configurations.