Installing Squid with Active Directory Authentication

Proxy servers should be part of any network's perimeter defense strategy. A proxy is a device through which clients reach network services indirectly: the client connects to the proxy, and the proxy connects to the destination on the client's behalf. In an enterprise environment, proxy servers are used to enforce acceptable use and security policies and, once users are authenticated, to attribute web traffic to a person rather than to an IP address.

There are a number of reasons for using a proxy server as part of securing a network but that is beyond the scope of this document.

The 10 Legged Creature.

One of the premier proxy servers available today is Squid. It is the most widely deployed open source HTTP proxy, mainly because it offers a comprehensive set of features and is highly configurable while being free software. It runs on just about any Linux distribution and scales well.

For the sake of this exercise, Squid is being deployed on an enterprise network as a web proxy. In that role Squid is the intermediary for all web browsing between network users and the web sites they want to visit: when a user requests a site, the request goes first to Squid, which establishes its own connection to the destination, transfers the data from the web site into its cache, and then passes that data back to the requesting user.

In many instances Squid will instead serve the data from its local cache, saving both time and bandwidth. The cache replacement and refresh policies selected in squid.conf determine whether a given request is answered from the cache or fetched fresh from the origin.

Mayday, Mayday!

When I set out to install Squid so that it could perform Active Directory authentication I was unable to locate any single resource that explained, in detail, the steps required to make this happen. What I did find was a variety of instructions covering various aspects of the process. The sum of all the information that I discovered is contained in this document, which will hopefully help someone else achieve the same goal I was aiming for.

The following are the instructions for installing Squid Proxy Server so that it performs Active Directory authentication against a Windows 2003 domain controller. Squid is configured so that browsers must explicitly point to it; it is not being set up as a transparent proxy (which would not work here anyway, since proxy authentication relies on the browser knowing it is talking to a proxy). This entire design was performed on a Dell 1650 running Gentoo Linux 2006.0.

Although downloading, compiling and installing applications on a Gentoo box differs slightly from doing so on an RPM based distribution (like Red Hat), the same basic configuration directions apply. The key difference is Gentoo's USE flag convention; on other distributions the equivalent options are passed to configure at build time (for example --with-winbind).

The following software is necessary in order to make all of this work as planned: Squid, Samba (which provides winbindd and the ntlm_auth helper), OpenLDAP and MIT Kerberos 5.

Installation of this software on Gentoo is rather easy, with one USE flag caveat. In order to ensure that the software is compiled with the options needed to make this all work, specific Gentoo USE flags need to be set. This can be done on the command line while emerging the software or by modifying make.conf. Whichever method is selected, the following USE flags need to be set:

USE="kerberos ldap pam"

Using the command-line, emerge the software as follows:

USE="kerberos ldap pam" emerge squid samba openldap mit-krb5

If make.conf was updated to reflect the necessary USE flags then do the following:

emerge squid samba openldap mit-krb5

Once emerge is done working the lovely magic it performs it will be time to modify the various configuration files.

Squid

This is only the portion of the squid.conf file required for Active Directory authentication. In the event that a complete squid.conf is needed, the Squid FAQ listed in the resources at the end of this document is the place to start.

/etc/squid/squid.conf
 
# Active Directory configuration
# NTLM (NTLMSSP) is offered first. The helper talks to winbindd through its
# privileged pipe, so the user Squid runs as must be able to read the
# winbindd_privileged directory.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
# never let a challenge be reused: every reuse increases exposure to replay
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
 
# Basic is the fallback for clients that cannot do NTLM. The browser sends
# the password base64-encoded with every request, so it is only as safe as
# the path between client and proxy.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours
 
# Only allow authenticated users to use the proxy
# Add these in the appropriate places in squid.conf: the acl with the other
# acl definitions, the allow ahead of the final "http_access deny all".
# Any allow based purely on source address admits clients without a challenge.
acl authenticated_users proxy_auth REQUIRED
...
http_access allow authenticated_users
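The ordering matters more than the snippet lets on, and several of the comments on this post describe users who were never challenged because a src-based allow sat next to the authenticated allow. The following script is an added example, not part of the original post or of Squid: it reads the http_access lines of a squid.conf and reports any allow that does not involve the proxy_auth ACL (those admit clients that never presented credentials), a deny all that sits in front of the authenticated allow, and a missing final deny all. The acl name authenticated_users, the subnet values and the two sample files it writes are assumptions made up for the demonstration; the misordered sample mirrors the configuration posted in the comments.

```sh
#!/bin/sh
# Added example (not from the original post or from Squid): check the order of
# http_access rules so that an address-based allow cannot bypass proxy_auth.
# Squid evaluates http_access top to bottom and stops at the first matching
# line; a client with no credentials never matches the proxy_auth acl, so any
# "allow" that does not involve that acl admits such clients unauthenticated,
# wherever it sits.  Names and sample files below are made up for the demo.

AUTH_ACL=authenticated_users   # the proxy_auth acl name used on this page

# audit_http_access FILE
#   prints one finding per line and exits with the number of findings:
#   BYPASS <acls>     an allow that grants access without the proxy_auth acl
#   UNREACHABLE       a "deny all" sits in front of the authenticated allow
#   NO_AUTH_RULE      no allow references the proxy_auth acl at all
#   NO_FINAL_DENY     the last http_access line is not "deny all"
#   OK                none of the above
audit_http_access() {
    awk -v auth="$AUTH_ACL" '
        $1 == "http_access" {
            n++; action[n] = $2; acls[n] = ""
            for (i = 3; i <= NF; i++) acls[n] = acls[n] " " $i
        }
        END {
            findings = 0; auth_line = 0; key = " " auth " "
            for (i = 1; i <= n; i++) {
                padded = acls[i] " "
                if (action[i] == "allow" && index(padded, key) > 0) {
                    if (!auth_line) auth_line = i
                } else if (action[i] == "allow") {
                    print "BYPASS" acls[i]; findings++
                } else if (action[i] == "deny" && index(padded, " all ") > 0 && !auth_line) {
                    print "UNREACHABLE"; findings++
                }
            }
            if (!auth_line) { print "NO_AUTH_RULE"; findings++ }
            if (n == 0 || action[n] != "deny" || index(acls[n] " ", " all ") == 0) {
                print "NO_FINAL_DENY"; findings++
            }
            if (!findings) print "OK"
            exit findings
        }' "$1"
}

SAMPLE_DIR=${TMPDIR:-/tmp}/squid_acl_demo.$$
mkdir -p "$SAMPLE_DIR"

# Constructed to mirror the misordered rules posted in the comments: the two
# subnet allows admit every host on those networks whether or not it
# authenticated, which is why such users appear in access.log by IP only.
BAD_CONF=$SAMPLE_DIR/bad.conf
cat >"$BAD_CONF" <<'EOF'
acl authenticated_users proxy_auth REQUIRED
acl sak11 src 192.168.11.0/255.255.255.0
acl sak12 src 192.168.12.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow authenticated_users
http_access allow sak11
http_access allow sak12
http_access deny all
EOF

# Corrected: require the client to be on the LAN *and* authenticated on one
# line, then deny everything else.  (Newer Squid releases predefine "all";
# drop that acl line there.)
GOOD_CONF=$SAMPLE_DIR/good.conf
cat >"$GOOD_CONF" <<'EOF'
acl authenticated_users proxy_auth REQUIRED
acl lan src 192.168.11.0/24 192.168.12.0/24
acl all src 0.0.0.0/0.0.0.0
http_access allow lan authenticated_users
http_access deny all
EOF

for f in "$BAD_CONF" "$GOOD_CONF"; do
    echo "== $f"
    audit_http_access "$f" || echo "   $? finding(s)"
done
```

Run it against the real /etc/squid/squid.conf after editing; every BYPASS line it prints (an allow for localhost or the cache manager is a typical legitimate one) should be something you intended.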

SAMBA

/etc/samba/smb.conf
 
[global]
netbios name = proxyserver
realm = DOMAIN.COM
workgroup = DOMAIN
security = ADS
# with security = ADS winbind can also locate DCs through DNS SRV records;
# listing them here pins it to these three
password server = dc01.domain.com dc02.domain.com dc03.domain.com
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
# uid/gid ranges used to map domain users and groups to local ids
# (older Samba 3.0 releases spelled these "winbind uid" and "winbind gid")
idmap uid = 10000-20000
idmap gid = 10000-20000
# not needed for authentication and slow on a large domain; handy for
# "wbinfo -u" while testing
winbind enum users = yes
winbind separator = +
winbind use default domain = yes
encrypt passwords = yes
# verbose while bringing the setup up; drop back to 1 once authentication
# works, as auth:10 traces every logon attempt in detail
log level = 3 passdb:5 auth:10 winbind:5

Kerberos

/etc/krb5.conf
 
[libdefaults]
        ticket_lifetime = 600
        default_realm = DOMAIN.COM
        # A Windows 2003 DC offers rc4-hmac and single DES only: des3-hmac-sha1
        # is never selected against AD, and single DES is weak, so ask for
        # rc4-hmac and keep DES only as a fallback for DES-only accounts
        default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
        # set dns_lookup_kdc = true to locate KDCs through the _kerberos._tcp
        # SRV records instead of the static list below
        dns_lookup_realm = false
        dns_lookup_kdc = false
 
[realms]
        DOMAIN.COM = {
                kdc = dc01.domain.com:88
                kdc = dc02.domain.com:88
                kdc = dc03.domain.com:88
                admin_server = dc01.domain.com:749
                default_domain = DOMAIN.COM
        }
 
# maps DNS names to the Kerberos realm; the value is the realm name,
# not a domain controller
[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
 
# the [kdc] section and the kdc/admin_server log files only matter when this
# host runs a KDC of its own; they are harmless here
[kdc]
        profile = /etc/krb5kdc/kdc.conf
 
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
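A couple of things in that file are easy to get wrong and only fail later, at net ads join time, with a Kerberos error. The script below is an added check, not part of the original post or of MIT Kerberos: it parses a krb5.conf and flags [domain_realm] entries whose value is not a realm name (a common mistake is mapping the DNS domain to a domain controller's hostname), single-DES enctypes, and des3 enctypes that a Windows domain controller never offers. The two sample files it writes, one with those problems and one corrected, are constructed for the demonstration; the realm and host names are the placeholders used on this page.

```sh
#!/bin/sh
# Added example (not from the original post or from MIT Kerberos): sanity
# check a krb5.conf before running "net ads join".  Findings:
#   DOMAIN_REALM_NOT_A_REALM  a [domain_realm] value that is not a realm name
#                             (a hostname there sends the client nowhere useful)
#   WEAK_ENCTYPE              single DES (des-cbc-*) among the default enctypes
#   NOT_OFFERED_BY_WINDOWS_DC a des3 enctype, which Windows DCs do not implement
# Prints OK when none apply and exits with the number of findings.
# The sample files below are constructed for the demonstration.

# check_krb5conf FILE
check_krb5conf() {
    awk '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*[#;]/ || NF == 0 { next }
        sec == "libdefaults" && $1 == "default_realm" { realm = $3 }
        sec == "libdefaults" && ($1 == "default_tkt_enctypes" || $1 == "default_tgs_enctypes") {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^des-cbc-/) { print "WEAK_ENCTYPE " $1 " " $i; found++ }
                if ($i ~ /^des3-/)    { print "NOT_OFFERED_BY_WINDOWS_DC " $1 " " $i; found++ }
            }
        }
        sec == "realms" && $2 == "=" && $3 == "{" { realms[$1] = 1 }
        sec == "domain_realm" && $2 == "=" { map[$1] = $3 }
        END {
            # a domain_realm value must be the default realm or one declared
            # under [realms]; anything else is almost certainly a hostname
            for (d in map)
                if (map[d] != realm && !(map[d] in realms)) {
                    print "DOMAIN_REALM_NOT_A_REALM " d " -> " map[d]; found++
                }
            if (!found) print "OK"
            exit found
        }' "$1"
}

SAMPLE_DIR=${TMPDIR:-/tmp}/krb5_demo.$$
mkdir -p "$SAMPLE_DIR"

# Constructed: enctypes and a domain_realm mapping that point at a DC name
# instead of the realm.
BAD_KRB5=$SAMPLE_DIR/krb5-bad.conf
cat >"$BAD_KRB5" <<'EOF'
[libdefaults]
        default_realm = DOMAIN.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        dns_lookup_kdc = false
[realms]
        DOMAIN.COM = {
                kdc = dc01.domain.com:88
        }
[domain_realm]
        .domain.com = dc01.domain.com
        domain.com = dc01.domain.com
EOF

# Corrected: rc4-hmac is what a Windows 2003 DC actually negotiates, DNS
# names map to the realm, and KDCs are found through DNS SRV records.
GOOD_KRB5=$SAMPLE_DIR/krb5-good.conf
cat >"$GOOD_KRB5" <<'EOF'
[libdefaults]
        default_realm = DOMAIN.COM
        default_tkt_enctypes = rc4-hmac
        default_tgs_enctypes = rc4-hmac
        dns_lookup_kdc = true
[realms]
        DOMAIN.COM = {
                kdc = dc01.domain.com:88
        }
[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
EOF

for f in "$BAD_KRB5" "$GOOD_KRB5"; do
    echo "== $f"
    check_krb5conf "$f" || echo "   $? finding(s)"
done
```

The check is deliberately narrow: it does not resolve anything or contact a KDC, so it can be run before the network side (DNS, firewall rules to port 88, clock sync) is in place.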

PAM

A note before the PAM files: the two ntlm_auth helper modes used in squid.conf hand each authentication to winbindd directly and do not pass through PAM at all, so the stacks below are not what makes the Squid helpers work. They matter for anything else on the proxy that authenticates domain users through PAM, including Squid's own pam_auth helper if that is used instead of ntlm_auth. Each of them references a system-auth-winbind stack that is not shown here; it must exist in /etc/pam.d (on Gentoo the Samba package installs a copy as /etc/samba/system-auth-winbind that can be moved there, as one of the comments points out).

/etc/pam.d/samba
 
auth    required  pam_nologin.so
auth    required  pam_stack.so service=system-auth-winbind
account  required  pam_stack.so service=system-auth-winbind
session  required  pam_stack.so service=system-auth-winbind
password  required  pam_stack.so service=system-auth-winbind
 
/etc/pam.d/squid
 
auth    required  /lib/security/pam_stack.so service=system-auth-winbind
account  required  /lib/security/pam_stack.so service=system-auth-winbind
 
/etc/pam.d/system-auth
 
auth    required  pam_env.so
auth    sufficient  pam_unix.so likeauth nullok
auth    required  pam_deny.so
 
account  required  pam_unix.so
 
password  required  pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  required  pam_deny.so
 
session  required  pam_limits.so
session  required  pam_unix.so

Once all the aforementioned software has been configured as depicted, the proxy server needs to be added to the Windows 2003 domain. Joining creates a computer account for the proxy and gives winbindd a machine credential of its own, which is what it uses to validate user logons against the Windows 2003 Active Directory domain controllers.

To join the Linux machine to a Windows 2003 domain perform the following (the Samba release used here takes the target OU as a positional argument; later Samba 3 releases take it as createcomputer=Servers/Linux instead):

sudo net ads join Servers/Linux -U AdminAcct -S dc01.domain.com

If everything went as planned a message saying so will be echoed on the screen. After a few moments, once the domain controllers replicate, the proxy server should show up in the OU that was specified when joining the domain. In the example above, the Linux server proxyserver.domain.com would show up in the Linux OU, under the Servers OU in the Windows 2003 domain named domain.com. The join also stores the machine account password in Samba's secrets.tdb; that file is the credential winbindd uses to talk to the domain controllers, so it must stay readable by root only.

In the event that an error occurred while joining the domain, check syslog and Samba's own log files (log.winbindd and friends, under the directory set by log file in smb.conf). Two common causes, both reported in the comments below: the KDC cannot be found (set dns_lookup_kdc = true in krb5.conf, or fix the [realms] section) and clock skew, since Kerberos rejects a client whose clock is more than five minutes off from the domain controller; run NTP on the proxy.

At this point, start SAMBA and winbindd by performing the following:

/etc/init.d/samba start
/usr/sbin/winbindd

winbindd is the part Squid depends on: ntlm_auth does not talk to the domain controller itself, it hands every request to winbindd. smbd and nmbd are not needed for authentication, although the init script starts them. Ensure that winbindd is functioning properly by checking the machine account trust; if all goes as planned the response will be:

proxyserver ~ # wbinfo -t
checking the trust secret via RPC calls succeeded

Ensure that Squid is able to perform Active Directory authentication by testing the basic helper by hand. Run it as the user Squid runs as rather than as root: the NTLMSSP helper in particular needs access to the winbindd_privileged directory, and if that directory is not readable by Squid's user the helper fails and the browser keeps prompting for a password (the permission problem several commenters hit). Type a domain account and password on one line; NT_STATUS_OK means winbindd validated the credentials against the domain controller:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
DOMAIN+username password
utils/ntlm_auth.c:check_plaintext_auth(292)
  NT_STATUS_OK: Success (0x0)

Assuming that everything has gone as listed above, start up Squid by issuing the following:

/etc/init.d/squid start

Configure a web browser, such as Firefox or Internet Explorer, to point directly to the proxy server and ensure that browsing is possible without ever being offered an authentication dialogue box. A domain-joined Windows client answers the proxy's NTLM challenge with the logged-on user's credentials automatically, so a password prompt means the NTLM exchange did not complete and the browser fell back to asking for credentials, most likely for Basic, which then sends the password base64-encoded on every request. Confirm that traffic is being authenticated and attributed to a user by tailing the Squid access log.

tail -f /var/log/squid/access.log
 
1147739650.906   9969 192.168.1.203 TCP_MISS/200 4244 CONNECT mail.google.com:443 DOMAIN+username DIRECT/64.233.185.19 -
1147739672.965   1085 192.168.1.203 TCP_REFRESH_MISS/200 2321 GET http://www.cnn.com/.element/ssi/auto/1.4/pipeline_mp/live.mhtml? DOMAIN+username DIRECT/64.236.29.120 text/html
1147739673.871    907 192.168.1.203 TCP_MISS/200 3027 GET http://i.cnn.net/cnn/.element/img/1.3/pipeline/keyframes/88x49/stream1.jpg? DOMAIN+username DIRECT/64.236.24.136 image/jpeg
1147739683.229      0 192.168.1.203 TCP_DENIED/407 1745 CONNECT mail.google.com:443 - NONE/- text/html
1147739683.243      0 192.168.1.203 TCP_DENIED/407 1874 CONNECT mail.google.com:443 - NONE/- text/html
1147739693.881  10636 192.168.1.203 TCP_MISS/200 4340 CONNECT mail.google.com:443 DOMAIN+username DIRECT/64.233.185.83 -

When using NTLM authentication it is normal to see two TCP_DENIED/407 entries in a row for a client: the first 407 answers the browser's initial unauthenticated request, the second carries the server's challenge in response to the browser's NTLM NEGOTIATE, and only the third request, which carries the NTLM response, is accepted and logged with the user name. This is the challenge/response nature of NTLM, and it repeats for every new TCP connection, since NTLM authenticates the connection rather than the request; that is why the CONNECT to mail.google.com is challenged again later in the log.
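The two fields worth watching in that log are the user column and the status. Below is an added example, not from the original post: a small awk-based report over native-format access.log lines that counts requests per domain account, 407 challenges per client and, most importantly, requests that were served (status below 400) with no user at all, which means an http_access rule admitted the client without authentication. The first four sample lines are the ones shown above; the remaining three are constructed for the demonstration, as are the file name and the report labels.

```sh
#!/bin/sh
# Added example (not from the original post): audit a Squid access.log in the
# native format shown above.  Field layout: time elapsed client code/status
# bytes method URL user hierarchy/peer type.  The sample log is constructed:
# the first four lines are copied from the post, the last three are made up.

SAMPLE_LOG=${TMPDIR:-/tmp}/squid_access_demo.$$.log
cat >"$SAMPLE_LOG" <<'EOF'
1147739650.906   9969 192.168.1.203 TCP_MISS/200 4244 CONNECT mail.google.com:443 DOMAIN+username DIRECT/64.233.185.19 -
1147739683.229      0 192.168.1.203 TCP_DENIED/407 1745 CONNECT mail.google.com:443 - NONE/- text/html
1147739683.243      0 192.168.1.203 TCP_DENIED/407 1874 CONNECT mail.google.com:443 - NONE/- text/html
1147739693.881  10636 192.168.1.203 TCP_MISS/200 4340 CONNECT mail.google.com:443 DOMAIN+username DIRECT/64.233.185.83 -
1147739700.001    120 192.168.11.15 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1147739700.500     90 192.168.11.15 TCP_MISS/200 2048 GET http://www.example.com/a.gif - DIRECT/192.0.2.10 image/gif
1147739710.000      0 192.168.1.77 TCP_DENIED/403 1500 GET http://www.example.com/ DOMAIN+otheruser NONE/- text/html
EOF

# audit_access_log FILE
#   user <account> <n>                    requests attributed to a domain account
#   challenges <client> <n>               407 challenges (two per NTLM handshake
#                                         is normal)
#   UNAUTHENTICATED_ALLOWED <client> <n>  served requests with no user: an acl
#                                         let the client through uncredentialed
audit_access_log() {
    awk '
        NF >= 9 {
            split($4, cs, "/"); status = cs[2] + 0
            client = $3; user = $8
            if (status == 407)        challenge[client]++
            else if (user != "-")     byuser[user]++
            else if (status < 400)    noauth[client]++
        }
        END {
            for (u in byuser)    print "user " u " " byuser[u]
            for (c in challenge) print "challenges " c " " challenge[c]
            for (c in noauth)    print "UNAUTHENTICATED_ALLOWED " c " " noauth[c]
        }' "$1"
}

audit_access_log "$SAMPLE_LOG"
```

Any UNAUTHENTICATED_ALLOWED line is worth chasing: on the 192.168.11.15 rows the request was served and logged by address only, which is exactly what a src-based allow next to the proxy_auth allow produces.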

In the event that no user name appears in the Squid access log, or password dialogue boxes appear, check the squid.conf file to ensure that the ACLs are set up properly: an allow based only on source address admits clients without a challenge, and a deny all ahead of the authenticated allow blocks everyone. Also ensure that winbindd is functioning, as shown above, and that the helper test succeeds when run as Squid's own user. If changes are made to squid.conf then Squid needs to be restarted, or told to re-read its configuration with squid -k reconfigure, for those modifications to take effect.

If everything is working as planned then ensure that Squid and SAMBA start automatically upon reboot by issuing the following:

rc-update add squid default
rc-update add samba default

winbindd also has to come up on every boot, and before Squid starts spawning helpers. One way is to add it to local.start as shown; on Gentoo it is tidier to add winbind to the daemon list in /etc/conf.d/samba so that the samba init script starts and stops it with the rest, as one of the comments notes.

/etc/conf.d/local.start
 
# Start the winbind daemon so we can do AD lookups in Squid
/usr/sbin/winbindd

Squid is now properly configured to perform Windows 2003 Active Directory authentication. Every request in access.log is tied to a domain account rather than only to a client address, which is the real security benefit of putting an authenticating proxy in the path.

The following resources were used in both the configuring of Squid with active directory authentication, as well as putting this document together:

  1. http://www.squid-cache.org/Doc/FAQ/FAQ_long.html#winbind
  2. http://info.ccone.at/INFO/Samba-2.2.12/winbindd.8.html
  3. http://acd.ucar.edu/~fredrick/linux/samba3/
  4. http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain

34 Comments on “Installing Squid with Active Directory Authentication”

Comments

1 jeff coyle May 30th, 2006, at 14:23

This is a great article for anyone looking to get out from under an MS ISA server.
Thank you for taking the time to document the process.
Nice work!

2 jeff coyle May 31st, 2006, at 14:07

Im unable to reach web pages through the proxy I set up.
The log displays “denied” messages.
I can authenticate with the following:
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Everytime I bring up the browser, I am presented with a login box.
I put in my credentials and it still does not accept it.
Where did I go wrong?
I can email or post my configs on the web if you need to view them.
Thanks,
Jeff

3 jeff coyle May 31st, 2006, at 16:36

I figured it out.
There were some directory permissions and ownerships that had to be modified. I found the solution here.
http://www.siriusit.co.uk/docs/doc.php?pageID=13&typeID=3

4 Scott May 31st, 2006, at 19:42

Jeff: Glad to hear that it all worked out. Thanks for sharing the link as well.

5 Satish Kumar Jun 5th, 2006, at 17:48

HI,

that is working fine. but i have a question. if i want that only some particular group of active directory should be able to access the internet instead of all users. then what configuration i have to do for that.

Regards
Satish Kumar

6 Scott Jun 5th, 2006, at 19:29

Satish,

Modify the following lines in squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

So that they read as such:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=ACTIVE_DIRECTORY_GROUP
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=ACTIVE_DIRECTORY_GROUP

You might need to format the group so that the domain is listed along with it, as such:

AD_DOMAIN\\ACTIVE_DIRECTORY_GROUP

Hope that helps. :-)

7 Damon Jun 6th, 2006, at 17:17

Fantastic article! I found it by chance really, and it happens I have a client who is attempting this very sort of thing in the next week or so, and I am sure it will be invaluable!

8 Satish Kumar Jun 7th, 2006, at 02:24

HI Scott,

Thnks for replay. I willl implement the same and let you know. I hopw that will work

Cheers
Satish Kumar

9 sap Jun 8th, 2006, at 19:55

Thanks Scott. Great compilation. Helped me understand that its not as easy as just enabling a switch or two in squid’s config file; and the level of admin skill required to implement such a thing on an existing barebones squid server :)

10 Leon Jul 13th, 2006, at 03:04

I had the following error

[2006/07/12 15:01:12, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password xxxx@xx.xxx.xx failed: Cannot find KDC for requested realm
[2006/07/12 15:01:12, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Cannot find KDC for requested realm

and it was resolved changing the:
dns_lookup_kdc = false
to true at /etc/krb5.conf
Thanks for the great how to, cheers, Leon.

11 Leon Jul 15th, 2006, at 06:44

Another problem was related to the clock. It was more than five minutes behind the DC server and I got a “Clock skew too great” error. Configured an NTP server on the proxy server and DC server and solved the problem.

12 Luke Aug 23rd, 2006, at 00:52

I don’t exactly understand why you use NTLM authentication, when, in your article (nice one anyway), you talk about using AD authentication. Maybe there’s something I didn’t understand: I thought NTLM auth and AD auth were two separate things? Am I wrong?

13 Sniper Sep 6th, 2006, at 23:22

Hi Scott
Great article…So about dansguardian have you been implemented before?

14 Sniper Sep 14th, 2006, at 01:58

Jeff: I got the problem of the authentication, it always asks for username and password. I tried to follow your link but it doesn’t go.
How did you solve the problem?
Could you please help me?

Thx

15 Matteo Contri Sep 18th, 2006, at 18:56

Hi all,
good article… but i don’t understand some points.

For example… local.start.
do i need smbd or nmbd for authentication?
i tried to put only winbind in /etc/conf.d/samba and it seems work. (gentoo related)

Then, why do you post config of system-auth? i only had to move /etc/samba/system-auth-winbind in /etc/pam.d

I needed also to set the right permission on /var/cache/samba/winbind_privileged

thanks for your attention and sorry for my bad english.

Matteo

16 Satish Kumar Sep 28th, 2006, at 17:00

HI All,

I have a problem. In my network I have two process and they are sharing the common proxy. But they have different domains with different VLANs. So is that possible that squid will take authentication with two different Active Directories…

Regards,
Satish Kumar

17 Justin Mascreen Oct 11th, 2006, at 19:04

Hi All

I have a problem. In my group policy I had defined two groups, one is internetonly and another is internetwithIM. Now how will I define in squid to make these rules work accordingly? Meaning I want to give internet access only for internetonly and internetwithIM for internet and IM. Please help me

18 Dan Feb 14th, 2007, at 19:39

Sorry if I sound dumb, does this mean in the report side of squid I would be able to see internet usage by user rather than IP address?

Cheers Dan

19 Shannon Feb 20th, 2007, at 13:23

This was perfect info.
I am getting away from ISA2004 (“pos”).

I would like to minimise the password prompt and improve user experience:
Is there a way:
1) to use passthrough authentication
2) cache the ticket life (password cache)
3) any other suggestion to achieve the above

20 Niku Apr 17th, 2007, at 18:37

HI
I am having a very similar problem as Jeff Coyle had.
I had tried the link Jeff had provided, but the link does not work
Is there any other link or could any tell which directory permissions and ownerships needs to be modified.

Regards
Niku

21 srinivas May 8th, 2007, at 23:05

Im unable to reach web pages through the proxy I set up.
The log displays “denied” messages.
I can authenticate with the following:
/usr/bin/ntlm_auth –helper-protocol=squid-2.5-basic

Everytime I bring up the browser, I am presented with a login box.
I put in my credentials and it still does not accept it.
Where did I go wrong?
I can email or post my configs on the web if you need to view them.
Thanks,
srinivas

22 atul May 21st, 2007, at 23:09

Scott, is this forum still open? I mean, are you still there for help?

23 ubersoldat May 22nd, 2007, at 00:42

This is a little too lengthy. I don’t think you need to setup SAMBA and Kerberos, just with adding a few lines to your squid.conf file it should work.

Anyway, I think i’ll try your way, since I’m having this annoying problem that some users actions get logged not using their domain names, but their IP addresses.

24 atul May 22nd, 2007, at 14:53

Everything worked as stated by you. I received no error in configuring the samba squid winbind, but when my users try to connect to the internet using IE 7 I face 2 issues
1> There is no authentication box coming up at the startup of IE
2> When the user goes to a website he receives page cannot be displayed and in the tailing of access log I see his IP address and message access denied.

Please help.Waiting for a response.
Atul

25 Controle de Acesso Internet May 23rd, 2007, at 02:31

What is the instructions in SQUID.CONF to authenticate in Domain A/D Microsoft.

26 atul May 23rd, 2007, at 14:32

This is my squid.conf auth param and acl part
##################################################
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours
#ACL's
acl ntlm_users proxy_auth REQUIRED
# my network
acl sak11 src 192.168.11.0/255.255.255.0
acl sak12 src 192.168.12.0/255.255.255.0
acl all src 0.0.0.0/0.0.0.0
http_access allow ntlm_users
http_access allow sak11
http_access allow sak12
http_access deny all
##################################################
Thanks for help.
Atul

27 hamid Jun 2nd, 2007, at 22:57

hi
I have configured a squid.conf and my users can connect the internet through my squid server , but i want that anyone who is connected to my squid server from local net , use a Username & Password for authenticating and then let him to view his site or anything else.
by searching at google i get here , please help me , or send me a sample configuration of it.
-
Best Regards

28 fahmi Apr 17th, 2008, at 12:03

I successfully configured squid auth with 1 DC Win 2003 server. But what’s the instruction in SQUID.CONF to authenticate with 2 / more Domain A/D Microsoft?

Thanks for help,
Regards..

30 CarlosPaulino Aug 14th, 2008, at 13:56

I have successfully setup the guide. The only problem is that i always get a box prompting for a password.

Any workaround.?

31 kevin Sep 30th, 2008, at 14:55

hi guys,
Thanks for the tutorial, it has been a great help in authenticating a single group in the AD. Would you help me with a solution to authenticate two or more groups in the AD!! e.g “internet_users” and “it” for example

32 Jeff Brimager Dec 13th, 2008, at 02:17

when I issue the
sudo net ads join Servers/Linux -U AdminAcct -S dc01.domain.com command with my information in place it returns with an error of

Invalid parameter. Not sure what I am missing; any help would be greatly appreciated

33 sandip Dec 26th, 2008, at 18:51

hi
Is it necessary to configure samba while integrating squid-2.6.S with Windows Active Directory 2003?

Trackbacks

34 Squid & ActiveDirectory - Persian Networks Oct 8th, 2008, at 01:31
