Configuring a Squid Server to authenticate off Active Directory

By Adrian Chadd

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

Basic Concepts

In this example, a Squid installation uses the Samba ntlm_auth helper to authenticate users against a Windows Active Directory. The server is joined to the Active Directory domain; once joined, other services on the host can also use ntlm_auth (or winbind) to authenticate users, though that is out of scope for this document.

Environment

  • Windows Server 2003 AD
  • Ubuntu Dapper installation
  • Squid-2.6
  • Kerberos 5
  • Samba + Winbind
  • NTP server running on AD controller

Packages to install

  • samba (3)
  • ntp-server (Kerberos requires time-synchronised machines)
  • krb5-doc, krb5-config, krb5-user, libkrb53, libkadm55 (Kerberos related user libraries and tools)
  • winbind

Files to modify

/etc/krb5.conf

Write the realm name identically everywhere it appears (default_realm, the [realms] entry, the [domain_realm] targets and the principal you later give to kinit), in upper case and without a trailing dot. A mismatch makes the client look up a realm that has no [realms] entry, and with dns_lookup_kdc = false it then cannot find a KDC at all. The single-DES enctypes listed below are what a Windows Server 2003 domain offered. They are weak: current MIT Kerberos refuses them unless allow_weak_crypto = true, and Windows Server 2008 R2 and later do not issue DES tickets by default. Against a 2008 or newer domain controller, list aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 first and keep RC4-HMAC only while an older DC still requires it. The [kdc] section is read only by a local krb5kdc and is not needed to be a client of Active Directory.

[logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/ksadmind.log

[libdefaults]
   default_realm = DOMAIN.COM.AU
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes
   default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
   default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
   preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
   DOMAIN.COM.AU = {
           kdc = ad-master.domain.com.au:88
           admin_server = ad-master.domain.com.au:749
           default_domain = domain.com.au
   }

[domain_realm]
   .domain.com.au = DOMAIN.COM.AU
   domain.com.au = DOMAIN.COM.AU

[kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
   pam = {
           debug = false
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           krb4_convert = false
   }
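
As an added example (not from the original page, Squid, Samba or MIT Kerberos), the following Python script parses a krb5.conf-style profile and reports the two problems that bite this kind of configuration: single-DES enctypes, and a realm name written differently in different places. Both embedded configurations are constructed for the demo. The first is a deliberately flawed variant of this page's krb5.conf (DES enctypes, realm names with trailing dots that do not match the [realms] entry); the second is a hardened rewrite for a Windows Server 2008 or newer domain controller (a 2003 DC, as in this page's environment, cannot issue AES tickets, so RC4-HMAC is the strongest it offers).

```python
"""Audit a krb5.conf profile for weak enctypes and inconsistent realm names.

Added example for this page; it is not part of Squid, Samba or MIT Kerberos.
The parser covers only the subset of krb5.conf profile syntax used here:
[section] headers, key = value lines and key = { ... } blocks.
"""
import re

# Single DES: disabled by default in MIT krb5 >= 1.8 and in Windows Server 2008 R2+.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des-hmac-sha1"}
# RC4: still accepted by AD but deprecated; keep it only while a legacy DC needs it.
RC4_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "preferred_enctypes")


def parse_profile(text):
    """Return {section: {key: value | nested dict}} for a krb5.conf-style profile."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
        elif line == "}":
            stack.pop()                          # close a key = { ... } block
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root


def audit(profile):
    """Return a list of human-readable findings; an empty list means the checks pass."""
    findings = []
    libdefaults = profile.get("libdefaults", {})
    realms = profile.get("realms", {})

    for key in ENCTYPE_KEYS:
        for enc in libdefaults.get(key, "").split():
            if enc.lower() in DES_ENCTYPES:
                findings.append(f"libdefaults.{key}: single-DES enctype {enc} is weak and disabled by default")
            elif enc.lower() in RC4_ENCTYPES:
                findings.append(f"libdefaults.{key}: legacy enctype {enc}; prefer AES where the DC supports it")

    default_realm = libdefaults.get("default_realm", "")
    if default_realm.endswith("."):
        findings.append(f"default_realm {default_realm!r} has a trailing dot")
    if default_realm and default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] entry; "
                        "KDC lookup fails with dns_lookup_kdc = false")
    for realm in realms:
        if realm != realm.upper() or realm.endswith("."):
            findings.append(f"[realms] entry {realm!r} should be upper case with no trailing dot")
    for host, realm in profile.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {host!r} to unknown realm {realm!r}")
    if libdefaults.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1"):
        findings.append("allow_weak_crypto is enabled")
    return findings


# Constructed samples: a flawed variant of this page's krb5.conf, then a hardened
# rewrite for a Windows Server 2008 or newer DC (2003 DCs cannot do AES).
FLAWED_CONF = """
[libdefaults]
   default_realm = DOMAIN.COM.AU.
   dns_lookup_kdc = false
   default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
   default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
   preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
   DOMAIN.COM.AU = {
           kdc = ad-master.domain.com.au.:88
           default_domain = domain.
   }

[domain_realm]
   .domain. = DOMAIN.COM.AU.
   domain. = DOMAIN.COM.AU.
"""

HARDENED_CONF = """
[libdefaults]
   default_realm = DOMAIN.COM.AU
   dns_lookup_kdc = false
   default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
   default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
   DOMAIN.COM.AU = {
           kdc = ad-master.domain.com.au:88
   }

[domain_realm]
   .domain.com.au = DOMAIN.COM.AU
   domain.com.au = DOMAIN.COM.AU
"""

if __name__ == "__main__":
    for name, conf in (("flawed", FLAWED_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_profile(conf))
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against your own /etc/krb5.conf by passing the file contents to parse_profile; the flawed sample yields thirteen findings (nine enctype warnings, the trailing-dot realm, the missing [realms] entry, and two [domain_realm] mappings to an unknown realm) and the hardened one yields none.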

/etc/samba/smb.conf

[global]
        netbios name = SERVERNAME
        workgroup = DOMAIN
        realm = DOMAIN.COM.AU
        server string = Domain Proxy Server
        encrypt passwords = yes
        security = ADS
        password server = ad-master.domain.com.au
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        preferred master = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = yes
        cups options = raw

/var/kerberos/krb5kdc/kdc.conf

These two files (kdc.conf and kadm5.acl) configure a local MIT KDC and kadmind. The Kerberos client libraries, Samba and ntlm_auth never read them, so joining Active Directory does not depend on them; they only matter if this host also runs its own KDC. They are shown here with the realm name made consistent with krb5.conf. If you do run a local KDC, do not use a single-DES master key.

[kdcdefaults]
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        v4_mode = noreauth

[libdefaults]
        default_realm = DOMAIN.COM.AU

[realms]
        DOMAIN.COM.AU = {
                master_key_type = des-cbc-crc
                supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
        }

/var/kerberos/krb5kdc/kadm5.acl

*/admin@DOMAIN.COM.AU     *

Configure NTP time synchronisation

The server's clock must agree with the domain controllers' clocks: Kerberos rejects tickets and authenticators whose timestamps differ by more than the permitted clock skew, which is 5 minutes by default. Configure ntpd to use the same time source as the AD controllers (the domain controller itself is a reasonable choice). If you skip this step you will see intermittent failures, typically kinit reporting "Clock skew too great".

Joining the server to the AD domain

Once the files are in place, obtain a ticket as an AD account that is permitted to create computer objects in the domain (by default a member of Domain Admins):

# kinit <admin user>@<fulldomain>

eg

# kinit chadda@DOMAIN.COM.AU

The realm part must be in upper case and must match default_realm in krb5.conf. Confirm that a ticket-granting ticket was issued with klist before going on. kinit may take a while and occasionally fails on the first attempt; retry once, but if it keeps failing check time synchronisation and that the KDC name resolves rather than retrying further.

Now, to do the actual join:

# net ads join -U <admin user>@<fulldomain>

eg

# net ads join -U chadda@DOMAIN.COM.AU

This will also take some time and may need to be repeated. It should eventually report that the server successfully joined the domain. The join creates the machine account in AD and stores its password in Samba's secrets.tdb, which is what winbind uses to authenticate to the domain from now on.

Next, restart samba and winbind, ie

# /etc/init.d/samba restart
# /etc/init.d/winbind restart 

'wbinfo' tells you whether winbind is running and can talk to the domain:

  • wbinfo -p checks that winbindd itself is running and answering

  • wbinfo -t checks the machine account's trust secret against the domain controller

  • wbinfo -u lists the users in the domain

  • net ads testjoin re-validates the join from Samba's point of view

ntlm_auth needs access to winbind's privileged pipe (on Debian and Ubuntu, the directory /var/run/samba/winbindd_privileged) in order to perform NTLM authentication. Grant it by adding the user that Squid runs as (its cache_effective_user) to the winbindd_priv group that owns that directory:

# gpasswd -a proxy winbindd_priv

Warning: remove any cache_effective_group setting from squid.conf. When it is set, Squid ignores its supplementary groups, so the winbindd_priv membership has no effect and ntlm_auth fails.

Note: Squid's compiled-in default user is nobody, but distribution packages commonly run it as squid, proxy or a similar low-privilege user; substitute that user for proxy above.

Squid Configuration

Samba 3.x ships its own helper (ntlm_auth), so none of the Squid-provided Samba helpers need to be built, and they will not work with Samba 3.x if you do. If you build Squid from source you do need the NTLM and Basic schemes enabled, and the wbinfo_group external ACL helper if you want group-based access control. A distribution package normally has these already; squid -v prints the configure options it was built with.

--enable-auth="ntlm,basic"
--enable-external-acl-helpers="wbinfo_group"

Test Squid without auth

Before going further, test basic Squid functionality: make sure requests go through Squid while no authentication is required, so that any later failure can be attributed to the authentication setup.

Test the helpers

Testing the winbind ntlm helper through the Squid protocol is not really possible from the command line (the NTLM exchange needs a client to produce the Type 1 and Type 3 messages), although ntlm_auth --username=myuser --password=mypasswd exercises the same winbind path without the Squid framing. The winbind basic authenticator can be tested like any other basic helper. Run the test as your cache_effective_user, otherwise you are not testing the privileged-pipe access configured above:

# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypasswd
OK

The helper should return "OK" for a valid username/password and "ERR" otherwise. The character between domain and user is the winbind separator from smb.conf. Samba's default is a backslash, so either add winbind separator = + to smb.conf (which is what these examples assume) or type mydomain\myuser instead.
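
To make the helper protocol concrete, here is an added example (written for this page; it is not ntlm_auth or any Squid or Samba code) of a basic helper that speaks the same squid-2.5-basic line protocol, backed by a constructed in-memory credential table. The separator, default domain and credentials are assumptions for the demo; a real helper hands the check to winbind instead of looking in a table.

```python
"""A minimal Squid basic-auth helper speaking the same line protocol as
ntlm_auth --helper-protocol=squid-2.5-basic.

Added example for this page; it is not ntlm_auth and not part of Squid or Samba.
It shows what Squid writes to a basic helper (one "user password" line per
request, both fields URL-encoded) and what it expects back ("OK" or "ERR").
The credential table, separator and default domain are constructed for the demo.
"""
import hmac
import sys
from urllib.parse import unquote

SEPARATOR = "+"              # must match 'winbind separator' in smb.conf (Samba default is '\')
DEFAULT_DOMAIN = "MYDOMAIN"  # stands in for 'winbind use default domain = yes'

# Constructed demo credentials, keyed by (DOMAIN, user). A real helper asks winbind.
CREDENTIALS = {
    ("MYDOMAIN", "myuser"): "mypasswd",
    ("OTHER", "alice"): "s3cret pass",
}


def split_principal(name, separator=SEPARATOR, default_domain=DEFAULT_DOMAIN):
    """Split 'DOMAIN<sep>user' into (DOMAIN, user).

    Accepts the configured separator and the Samba default backslash; a bare
    user name is placed in the default domain, as winbind does with
    'winbind use default domain = yes'.
    """
    for sep in (separator, "\\"):
        if sep in name:
            domain, _, user = name.partition(sep)
            return domain.upper(), user
    return default_domain.upper(), name


def check_credentials(line):
    """Handle one request line from Squid and return the reply line."""
    fields = line.rstrip("\r\n").split(" ", 1)
    if len(fields) != 2 or not fields[0] or not fields[1]:
        return "ERR malformed request"
    # Squid URL-encodes both fields so that a space or '%' in a password cannot
    # break the one-line-per-request framing; undo that before comparing.
    user_field, password = (unquote(f) for f in fields)
    domain, user = split_principal(user_field)
    expected = CREDENTIALS.get((domain, user))
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return "OK"
    return "ERR"   # same answer for unknown user and wrong password: no user enumeration


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Run the helper loop: Squid keeps the helper alive and pipes one line per request."""
    for line in stream_in:
        stream_out.write(check_credentials(line) + "\n")
        stream_out.flush()   # Squid blocks waiting for the reply; never buffer it


if __name__ == "__main__":
    serve()
```

Exercise it exactly as you would ntlm_auth: printf 'mydomain+myuser mypasswd\n' | python3 helper.py prints OK, while a password that contains a space has to arrive URL-encoded (OTHER+alice s3cret%20pass) because a literal space would be read as the end of the password field.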

squid.conf Settings

Add the following to enable both the winbind basic and ntlm authenticators. Internet Explorer and other NTLM-capable browsers will use ntlm, everything else basic. The three challenge-related ntlm options below exist only in Squid 2.5: Squid 2.6 and later removed max_challenge_reuses, max_challenge_lifetime and use_ntlm_negotiate (2.6 passes every NTLM message through to the helper, so a challenge can never be reused) and accept only program, children and keep_alive for the ntlm scheme.

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
# Squid 2.5 only: drop the next two settings on 2.6 and later
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# Squid 2.5 only: ntlm_auth from Samba 3 supports the NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords in cleartext (base64 is not encryption);
# anyone who can sniff the client-to-proxy path can recover them
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

And the following acl and http_access entries to require authentication. Squid only sends the 407 challenge when a proxy_auth ACL is the last ACL on the http_access line being evaluated, so keep AuthorizedUsers last on its line, and place the line before any final "http_access deny all":

acl AuthorizedUsers proxy_auth REQUIRED
..
http_access allow AuthorizedUsers

Test Squid with auth

  • Internet Explorer, Mozilla 1.4 and later, Firefox:
    • Test browsing through squid with an NTLM capable browser. If the workstation is logged into the domain, a password prompt should NOT pop up. Confirm the traffic really is being authorized by tailing access.log: the domain\username should appear in the user field of the served requests.
  • Netscape, Mozilla (before 1.4), Opera...:

    • Test with a browser that cannot do NTLM. A standard password dialog should appear. Entering the domain should not be required if the user is in the default domain and "winbind use default domain = yes" is set in smb.conf. Otherwise, the username must be entered in "domain+username" format (where + is the domain separator set in smb.conf).

If no usernames appear in access.log and no password dialog appears in either browser, the acl/http_access part of squid.conf is not requiring authentication at all.

Note that with NTLM authentication you will see two "TCP_DENIED/407" entries in access.log for every new client connection: the first answers the unauthenticated request by offering NTLM, the second carries the server challenge in reply to the client's Type 1 message, and only the third request, which carries the Type 3 response, is served. NTLM authenticates the TCP connection rather than each request, so later requests on the same persistent connection are not challenged again.
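
Added example, not part of Squid or of the original page: a script that parses native-format access.log lines and classifies each client into the three situations described above (handshake completed and requests served with a username, challenged but never authenticated, served without ever being challenged). The log lines are constructed for the demo, and the position of the user field assumes Squid's native log format.

```python
"""Check Squid's native access.log for evidence that proxy authentication is
actually being enforced and is succeeding.

Added example for this page; not part of Squid. It parses the native log
format (timestamp elapsed client action/status bytes method URL user
hierarchy/peer type) and classifies each client along the lines of the
troubleshooting notes above. The log lines are constructed for the demo.
"""
import re
from collections import defaultdict

NATIVE_LOG = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)"
)

# Constructed sample. 192.0.2.10 completes the NTLM handshake (two 407s, then
# requests carrying DOMAIN\myuser); 192.0.2.11 is challenged but never gets
# through; 192.0.2.12 is served without ever being challenged.
SAMPLE_LOG = """\
1234567890.001     12 192.0.2.10 TCP_DENIED/407 1800 GET http://www.example.com/ - NONE/- text/html
1234567890.020      9 192.0.2.10 TCP_DENIED/407 2100 GET http://www.example.com/ - NONE/- text/html
1234567890.250    340 192.0.2.10 TCP_MISS/200 5432 GET http://www.example.com/ DOMAIN\\myuser DIRECT/192.0.2.80 text/html
1234567890.300     80 192.0.2.10 TCP_HIT/200 2048 GET http://www.example.com/logo.png DOMAIN\\myuser NONE/- image/png
1234567891.000     11 192.0.2.11 TCP_DENIED/407 1800 GET http://www.example.com/ - NONE/- text/html
1234567891.010     10 192.0.2.11 TCP_DENIED/407 1800 GET http://www.example.com/ - NONE/- text/html
1234567892.000    220 192.0.2.12 TCP_MISS/200 4096 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
"""


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    match = NATIVE_LOG.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    return record


def summarise(lines):
    """Count challenges, authenticated and unauthenticated served requests per client."""
    per_client = defaultdict(lambda: {"challenges": 0, "authenticated": 0,
                                      "unauthenticated": 0, "users": set()})
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        stats = per_client[record["client"]]
        if record["status"] == 407:
            stats["challenges"] += 1          # TCP_DENIED/407: Squid asked for credentials
        elif record["user"] != "-":
            stats["authenticated"] += 1       # served with a username in the user field
            stats["users"].add(record["user"])
        else:
            stats["unauthenticated"] += 1     # served with no username at all
    return dict(per_client)


def verdict(stats):
    """Map one client's counters onto the situations described in the text."""
    if stats["authenticated"]:
        return "auth working"
    if stats["challenges"]:
        return "challenged but never authenticated"   # bad credentials, helper or pipe permissions
    if stats["unauthenticated"]:
        return "no authentication enforced"           # acl/http_access not requiring auth
    return "no traffic"


def report(lines):
    """Return {client: verdict} for the given log lines."""
    return {client: verdict(stats) for client, stats in summarise(lines).items()}


if __name__ == "__main__":
    for client, stats in sorted(summarise(SAMPLE_LOG.splitlines()).items()):
        print(f"{client:<12} 407s={stats['challenges']} auth={stats['authenticated']} "
              f"anon={stats['unauthenticated']} users={sorted(stats['users'])} -> {verdict(stats)}")
```

Feed it a real log with report(open("/var/log/squid/access.log").read().splitlines()); a client that shows many 407s and no "auth working" verdict is the one to investigate with the wbinfo and ntlm_auth checks above, and a client served with no username at all means the proxy_auth ACL is not on the http_access path its requests take.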


CategoryConfigExample

ConfigExamples/Authenticate/WindowsActiveDirectory (last edited 2009-02-11 12:51:19 by Amos Jeffries)