CongExamples/Authenticate/WindowsActiveDir...

http://wiki.squid-cache.org/CongExamples/Auth...

Configuring a Squid Server to authenticate off Active Directory

By Adrian Chadd
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability.
If you have any further questions about these examples please email the squid-users mailing list.
Contents
1. Configuring a Squid Server to authenticate off Active Directory
1. Basic Concepts
2. Environment
3. Packages to install
4. Files to modify
1. /etc/krb5.conf
2. /etc/samba.smb.conf
3. /var/kerberos/krb5kdc/kdc.conf
4. /var/kerberos/krb5kdc/kadm5.acl
5. Configure NTP time synchronisation
6. Joining the server to the AD domain
7. Squid Configuration
1. Test Squid without auth
2. Test the helpers
3. squid.conf Settings
4. Test Squid with auth

Basic Concepts
In this example, a Squid installation will use the Samba ntlm_auth helper to authenticate against an
Windows Active Directory. The server will be joined to the Active Directory domain and other
services can use the ntlm_auth helper to authenticate users (but be out of the scope of this
document.)
Windows 2003 Active Directory is also capable of LDAP authentication

Environment
Windows Server 2003 AD
Ubuntu Dapper installation
Squid-2.6
Kerberos 5
Samba + Winbind
NTP server running on AD controller

Packages to install

1 de 6

26-07-2011 12:44

CongExamples/Authenticate/WindowsActiveDir...

http://wiki.squid-cache.org/CongExamples/Auth...

samba (3)
ntp-server (Kerberos requires time-synchronised machines)
krb5-doc, krb5-config, krb5-user, libkerb53, libkadm55 (Kerberos related user libraries)
winbind

Files to modify
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log
[libdefaults]
default_realm = DOMAIN.COM.AU.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
DOMAIN.COM.AU = {
kdc = ad-master.domain.com.au.:88
admin_server = ad-master.domain.com.au.:749
default_domain = domain.
}
[domain_realm]
.domain. = DOMAIN.COM.AU.
domain. = DOMAIN.COM.AU.
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

/etc/samba.smb.conf

2 de 6

26-07-2011 12:44

CongExamples/Authenticate/WindowsActiveDir...

http://wiki.squid-cache.org/CongExamples/Auth...

[global]
netbios name = SERVERNAME
workgroup = DOMAIN
realm = DOMAIN.COM.AU
server string = Domain Proxy Server
encrypt passwords = yes
security = ADS
password server = ad-master.domain.com.au
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
cups options = raw

/var/kerberos/krb5kdc/kdc.conf
[kdcdfefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = noreauth
[libdefaults]
default_realm = DOMAIN.
[realms]
DOMAIN. = {
master_key_type = des-cbc-crc
supported_enctypes = des3-hmac-sha1:normal arcfourhmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
des-cbc-crc:v4 des-cbc-crc:afs3
}

/var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM

Configure NTP time synchronisation

The server must time synchronise against the AD clock - so configure ntpd to sync against the same

3 de 6

26-07-2011 12:44

CongExamples/Authenticate/WindowsActiveDir...

http://wiki.squid-cache.org/CongExamples/Auth...

time source as the AD server is. You must do this step or random authentication failures will occur!

Joining the server to the AD domain

Once the files have been initialised, join the server to the Active Directory by using an AD account
with sufficient privilege:
# kinit <admin user>@<fulldomain>

eg
kinit chadda@DOMAIN.COM.AU.

You may need to do this a couple of times - it may take a while and fail; so try it once again.
Now, to do the actual join:
# net ads join -U <admin user>@<fulldomain>

eg
# net ads join -U chadda@DOMAIN.COM.AU.

This will also take some time and may need to be repeated. It should eventually tell you that the
server successfully joined the domain.
Next, restart samba and winbind, ie
# /etc/init.d/samba restart
# /etc/init.d/winbind restart

'wbinfo' can tell you whether winbind has successfully negotiated and joined the network:
wbinfo -t

will check whether the trust exists

wbinfo -u

will list the users in the domain

ntlm_auth requires access to the privileged winbind pipe in order to function properly. You enable this
access by adding the security user Squid runs as to the winbindd_priv group.
gpasswd -a proxy winbindd_priv

Remove the cache_effective_group setting in squid.conf, if present. This setting causes

squid to ignore the auxiliary winbindd_priv group membership.
the default user Squid is bundled as nobody though some distribution packages are built
with squid or proxy or other similar low-access user.

4 de 6

26-07-2011 12:44

CongExamples/Authenticate/WindowsActiveDir...

http://wiki.squid-cache.org/CongExamples/Auth...

Squid Configuration
As Samba-3.x has it's own authentication helper there is no need to build any of the Squid
authentication helpers for use with Samba-3.x (and the helpers provided by Squid won't work if you
do). You do however need to enable support for the NTLM scheme if you plan on using this. Also
you may want to use the wbinfo_group helper for group lookups
--enable-auth="ntlm,basic"
--enable-external-acl-helpers="wbinfo_group"

Test Squid without auth

Before going further, test basic Squid functionality. Make sure squid is functioning without requiring
authorization.

Test the helpers

Testing the winbind ntlm helper is not really possible from the command line, but the winbind basic
authenticator can be tested like any other basic helper. Make sure to run the test as your
cache_effective_user
# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypasswd
OK

The helper should return "OK" if given a valid username/password. + is the domain separator set in
your smb.conf

squid.conf Settings
Add the following to enable both the winbind basic and ntlm authenticators. IE will use ntlm and
everything else basic:
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helperprotocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server

5 de 6

26-07-2011 12:44

CongExamples/Authenticate/WindowsActiveDir...

http://wiki.squid-cache.org/CongExamples/Auth...

auth_param basic credentialsttl 2 hours

And the following acl entries to require authentication:

acl AuthorizedUsers proxy_auth REQUIRED
..
http_access allow all AuthorizedUsers

Test Squid with auth

Internet Explorer, Mozilla, Firefox:
Test browsing through squid with a NTLM capable browser. If logged into the domain, a
password prompt should NOT pop up. Confirm the traffic really is being authorized by
tailing access.log. The domain\username should be present.
Netscape, Mozilla ( < 1.4), Opera...:
Test with a NTLM non-capable browser. A standard password dialog should appear.
Entering the domain should not be required if the user is in the default domain and
"winbind use default domain = yes" is set in smb.conf. Otherwise, the username must
be entered in "domain+username" format. (where + is the domain separator set in
smb.conf)
If no usernames appear in access.log and/or no password dialogs appear in either browser, then the
acl/http_access portions of squid.conf are not correct.
Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in
access.log for every request. This is due to the challenge-response process of NTLM.
CategoryConfigExample
ConfigExamples/Authenticate/WindowsActiveDirectory (last edited 2009-02-11 12:51:19 by Amos Jeffries)

6 de 6

26-07-2011 12:44