Squid single sign on with active directory

Thanks to http://janaps.wordpress.com/2010/05/30/squid-single-sign-on-with-active-directory/

For my first post on this blog, I will publish my experience with NTLM proxy authentication. I've gotten most of my info from http://tom.knaupp.com/2007/12/12/howto-single-sign-on-with-squid-proxy-and-active-directory/, but there are some addenda.
So here goes.

You need a Linux box; I've used Fedora 11, but anything goes here really.
You also need a Windows domain; I've used a 2003 domain.

Install squid, the Kerberos tools, winbind and the Samba client:
# yum install samba-winbind
# yum install krb5-workstation
# yum install squid
Because of the dependencies, you will have all necessary packages if you issue these three commands. But still, check…

Next you'll have to configure your firewall. Squid by default listens on TCP 3128, so add a rule accepting that port to your INPUT chain.

Configuring Kerberos
Now we can configure the Kerberos client.

First of all, make sure the date and time of your Linux machine are in sync with those of the domain controller. How large the clock skew may be depends on some policy settings on the DC, but setting the DC as NTP time source is always a good idea.

Next we edit the /etc/krb5.conf file. Mine looks like this (the section headers are the standard krb5.conf ones).

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
MYDOMAIN.COM = {
kdc = DC1.mydomain.com:88 DC2.mydomain.com:88
admin_server = DC1.mydomain.com DC2.mydomain.com
default_domain = mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
krb4_convert = false
retain_after_close = false
minimum_uid = 1
}

The domain I've been using is named mydomain.com (not really, but still), and this domain has two domain controllers: DC1 and DC2. Note that the realm name is the DNS domain in upper case; Kerberos treats realm names as case-sensitive.
Once this is done, you'll have to test Kerberos.
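Before running kinit it is worth checking the two things that most often break the Kerberos step (the clock skew mentioned above and a krb5.conf whose realm, kdc and domain_realm entries do not line up). The script below is an added example, not part of the original post; it parses a krb5.conf with the layout shown above and carries a clock-skew check. The sample file it writes is constructed, and the 300-second limit is the Kerberos default clockskew.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks to run before kinit.
# Assumes the krb5.conf layout shown in the post; the sample file below is constructed.

# Print the value of KEY inside [SECTION] of an ini-style file (first match only).
# Braces of nested realm blocks are ignored, which is fine for a single realm.
# Dots in KEY are regex metacharacters, so "mydomain.com" also matches "mydomainXcom".
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ ("^[ \t]*\\[" sec "\\]")); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Kerberos treats realm names case-sensitively; an AD realm is the DNS domain in upper case.
krb5_preflight() {
    conf=$1
    realm=$(ini_get "$conf" libdefaults default_realm)
    [ -n "$realm" ] || { echo "FAIL: no default_realm in [libdefaults]"; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "FAIL: default_realm '$realm' is not upper case"; return 1; }
    kdcs=$(ini_get "$conf" realms kdc)
    [ -n "$kdcs" ] || { echo "FAIL: no kdc entry under [realms] for $realm"; return 1; }
    lower=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    mapped=$(ini_get "$conf" domain_realm "$lower")
    [ "$mapped" = "$realm" ] || { echo "FAIL: [domain_realm] does not map $lower to $realm"; return 1; }
    echo "OK: realm=$realm kdc=$kdcs"
}

# Kerberos rejects requests whose timestamp is off by more than clockskew (default 300 s).
# $1 = local epoch seconds, $2 = DC epoch seconds, $3 = allowed skew (optional).
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-300}" ]
}

# Constructed sample matching the post's layout; prints the path of a temp file.
sample_krb5_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true

[realms]
MYDOMAIN.COM = {
  kdc = DC1.mydomain.com:88 DC2.mydomain.com:88
  admin_server = DC1.mydomain.com DC2.mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
EOF
    echo "$f"
}

# Demo on the constructed sample; on a real box point krb5_preflight at /etc/krb5.conf
# and feed clock_skew_ok the epoch time reported by the DC.
sample=$(sample_krb5_conf)
krb5_preflight "$sample"
rm -f "$sample"
clock_skew_ok "$(date +%s)" "$(date +%s)" && echo "OK: clock skew within limit"
```

The realm and domain_realm checks catch the classic "kinit: Cannot find KDC for realm" and "Client not found" failures that come from a lower-case realm or a domain mapped to the wrong realm; the skew helper only needs the DC's epoch time, which you can obtain with whatever time query your environment allows.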

Get a Kerberos ticket with
# kinit Administrator
Password for Administrator@MYDOMAIN.COM:

Now check the Kerberos ticket with
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYDOMAIN.COM

Valid starting Expires Service principal
05/30/10 15:59:12 05/31/10 01:59:14 krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 05/31/10 15:59:12

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Now edit /etc/samba/smb.conf. Mine looks like this:

[global]
workgroup = LOCAL
preferred master = no
server string = squid proxy server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 600-20000
idmap gid = 600-20000
idmap backend = rid
;template primary group = "Domain Users"
template shell = /bin/bash

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes

By default winbind uses an anonymous connection to Active Directory to query for users and groups. Domains in 2003 mode or higher do not allow this, so you have to provide a domain user to execute the queries. Create a user named winbind in Active Directory with a very, very long password. The password isn't going to be changed on a regular basis, so you can set it to never expire for this user. Then issue the following command to tell winbind to use this account to query AD:
# wbinfo --domain=MYDOMAIN --set-auth-user=winbind

A common error when joining AD with winbind is a failure to update DNS. The best thing to do is to set the DNS search domain to your domain. You can test this with the hostname command, which should return the FQDN of the Linux box:
# hostname -f

Domain Join
If all the preparations went according to plan, you should now be able to join the Linux box to the domain with
# net join -Uadministrator%password

After starting winbind, we can test the functionality with
# wbinfo -t
checking the trust secret via RPC calls succeeded
And you can check whether winbind can retrieve groups with
# wbinfo -g

We can also test NTLM support with
# wbinfo -a user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

The only thing left to do is tell squid to use the right helper. Add these lines to /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds
## acl entries to require authentication:
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

One last problem may occur: squid has to have permissions on the /var/lib/samba/winbindd_privileged directory.
You should check the following:

  • whether the line cache_effective_group is commented out or set to None in squid.conf: by default the group with permissions on this directory is wbpriv, and squid is a member of this group.
  • if that is not the case, make sure that squid has permissions on this directory. In my experience, though, changing the group owner of this directory can make winbind fail to start.
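The two bullets above can be turned into a check that runs before you start squid. The script below is an added example, not part of the original post: it reads cache_effective_group from squid.conf and, depending on whether it is unset, verifies either that the squid user is in wbpriv or that the configured group owns the winbindd_privileged directory. The group list and directory are passed in as parameters so the functions can be exercised on a box without squid; on the proxy you feed them "$(id -nG squid)" and the real directory.

```shell
#!/bin/sh
# Added example (not from the original post): check squid's access to winbindd_privileged.
# Group lists are passed in so the checks run without a real squid user.

# Print cache_effective_group from squid.conf, or "none" when the directive is absent,
# commented out or explicitly set to none. In that case squid runs with the squid user's
# own groups, wbpriv included, which is the first bullet in the post.
squid_effective_group() {
    g=$(awk '/^[ \t]*cache_effective_group[ \t]+/ { print $2; exit }' "$1")
    case "$g" in
        ""|[Nn][Oo][Nn][Ee]) echo none ;;
        *) echo "$g" ;;
    esac
}

# True when group $2 appears in the space-separated list $1 (word splitting is intended).
in_group_list() {
    for grp in $1; do
        [ "$grp" = "$2" ] && return 0
    done
    return 1
}

# Group owner of a directory (field 4 of ls -ld; works on GNU and BSD ls).
dir_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# $1 = squid.conf, $2 = group list of the squid user, $3 = privileged pipe directory.
winbind_access_check() {
    conf=$1; groups=$2; dir=${3:-/var/lib/samba/winbindd_privileged}
    eg=$(squid_effective_group "$conf")
    if [ "$eg" = none ]; then
        if in_group_list "$groups" wbpriv; then
            echo "OK: cache_effective_group unset, squid is in wbpriv"
            return 0
        fi
        echo "FAIL: squid is not in wbpriv; run: usermod -a -G wbpriv squid"
        return 1
    fi
    # Second bullet: with a configured group, access depends on that group owning the dir.
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist (is winbind running?)"; return 1; }
    owner=$(dir_group "$dir")
    if [ "$owner" = "$eg" ]; then
        echo "OK: cache_effective_group $eg owns $dir"
        return 0
    fi
    echo "FAIL: cache_effective_group is $eg but $dir is owned by group $owner;"
    echo "      point cache_effective_group at $owner rather than changing the directory's group"
    return 1
}

# Usage on the proxy itself (skipped here when squid.conf is absent):
if [ -r /etc/squid/squid.conf ]; then
    winbind_access_check /etc/squid/squid.conf "$(id -nG squid 2>/dev/null)" || true
fi
```

The advice in the FAIL branch follows the post's own experience: adjust the squid side (group membership or the cache_effective_group value) instead of re-owning the winbind directory, which can stop winbind from starting.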

Now we are all done: fire up squid and check /var/log/squid/access.log for the usernames. Sweet
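Checking access.log for usernames is also the quickest way to spot the workstations for which SSO is not working. The script below is an added example, not part of the original post: it reads squid's native log format (field 4 is result/status, field 8 the authenticated user, or "-" when there is none), counts requests per user, counts 407 challenges, and lists clients that were challenged but never produced an authenticated request. The log lines are constructed; the bare usernames follow the "winbind use default domain = Yes" setting above.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for squid's native access.log.
# Field 4 is result/status, field 8 the authenticated user ("-" if none). Sample is constructed.

sample_access_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
1275227952.123    345 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ jdoe DIRECT/192.0.2.10 text/html
1275227953.456      1 10.0.0.6 TCP_DENIED/407 3850 GET http://www.example.com/ - NONE/- text/html
1275227954.789    120 10.0.0.6 TCP_MISS/200 1024 GET http://www.example.com/a.css asmith DIRECT/192.0.2.10 text/css
1275227955.001      1 10.0.0.7 TCP_DENIED/407 3850 GET http://www.example.com/ - NONE/- text/html
1275227956.002      1 10.0.0.7 TCP_DENIED/407 3850 GET http://www.example.com/ - NONE/- text/html
EOF
    echo "$f"
}

# Requests per authenticated user, one "user count" line each, sorted by user.
access_log_users() {
    awk '$8 != "-" { n[$8]++ } END { for (u in n) print u, n[u] }' "$1" | sort
}

# Number of 407 (proxy authentication required) responses. One 407 per new connection is
# the normal start of the NTLM handshake, so compare it with the authenticated request count.
access_log_count_407() {
    awk '$4 ~ /\/407$/ { c++ } END { print c + 0 }' "$1"
}

# Clients that were challenged but never sent an authenticated request: the machines whose
# users never get past the proxy, and the first place to look when SSO works only for some.
access_log_unauth_clients() {
    awk '$4 ~ /\/407$/ { challenged[$3] = 1 }
         $8 != "-"      { ok[$3] = 1 }
         END { for (c in challenged) if (!(c in ok)) print c }' "$1" | sort
}

# Demo on the constructed sample; on the proxy pass /var/log/squid/access.log instead.
log=$(sample_access_log)
echo "users:"; access_log_users "$log"
echo "407 responses: $(access_log_count_407 "$log")"
echo "never authenticated:"; access_log_unauth_clients "$log"
rm -f "$log"
```

On the sample, 10.0.0.6 is challenged and then authenticates as asmith, which is the expected NTLM pattern, while 10.0.0.7 only ever receives 407s and is reported; on a real proxy that list is where to start looking for workstations outside the domain or clients that do not speak NTLM to the proxy.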