
Debian Squeeze, Squid, Kerberos/LDAP Authentication, Active Directory Integration And Cyfin Reporter

By Jelloir Published: 2011-06-15 17:53

Introduction
This document covers setup of a Squid proxy which will seamlessly integrate with Active Directory for authentication using Kerberos, with LDAP as a backup for users not authenticated via Kerberos. Authorisation is managed by groups in Active Directory. This is especially useful for Windows 7 clients which no longer support NTLMv2 without changing the local computer policy. It is capable of using white lists and black lists for site access and restrictions.

For this guide the following examples are utilised; you should update any sections with the client's domain, hostnames and IPs where necessary.
- Domain = example.local
- Subnet = 192.168.0.0/24
- Proxy Server: IP = 192.168.0.26, HOSTNAME = squidproxy.example.local
- Windows Server 1: IP = 192.168.0.1, HOSTNAME = domaincontroller1.example.local
- Windows Server 2: IP = 192.168.0.10, HOSTNAME = server2.example.local

A base install of Debian Squeeze is assumed, as well as basic Debian administration skills. vi is assumed as the text editor.

Prerequisites
Client Internet Explorer Browsers need to have "Enable Integrated Windows Authentication" ticked in Internet Options :: Advanced settings as well as Proxy Auto detection enabled - google these if not sure. All modern web browsers will support proxy auto detection. Firefox and Chrome also support Windows Authentication.

DNS Configuration
Install dnsutils:

apt-get install dnsutils

On the Windows DNS server add a new A record for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) record is also created and works. Check that the proxy is using the Windows DNS server for name resolution and update /etc/resolv.conf accordingly.
vi /etc/resolv.conf

search example.local
nameserver 192.168.0.1
nameserver 192.168.0.10

Ping an internal and external hostname to ensure DNS is operating.


ping domaincontroller1.example.local -c 4 && ping google.com -c 4

Check that you can reverse-look up the Windows server and the local proxy IP from the Windows DNS.
dig -x 192.168.0.1

dig -x 192.168.0.26

Warning: If either DNS lookup fails do not proceed until fixed or proxy authentication will fail.

NTP Configuration
Install the ntp package:
apt-get install ntp


Because Kerberos needs the time to be synchronized with the Windows Domain Controllers for authentication, we configure the proxy to obtain its time from them.
vi /etc/ntp.conf

Locate the following section and update the ntp servers as required. If you have more than one Domain Controller or NTP Server you may add multiple lines.
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server domaincontroller1.example.local
server server2.example.local

Then restart and test NTP.


invoke-rc.d ntp restart

ntpq -p

You should see output that refers to the Domain Controllers and other NTP Servers which are processed in the order that they appear in the conf file.

Configure Kerberos
Install Kerberos packages:
apt-get install krb5-user libkrb53


Just accept the defaults presented in any debconf dialogs, as we are overwriting them. Set up Kerberos.
cp /etc/krb5.conf /etc/krb5.conf.default

cat /dev/null > /etc/krb5.conf

vi /etc/krb5.conf

Edit the file, replacing the example values with the client's domain and servers. Warning: Depending on your Windows Domain Controllers' OS version, un-comment the relevant Windows 200X section and comment out the opposing section. If you only have one Domain Controller, remove the additional "kdc" entry from the "[realms]" section.
[libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
;       default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;       default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;       permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
        EXAMPLE.LOCAL = {
                kdc = domaincontroller1.example.local
                kdc = server2.example.local
                admin_server = domaincontroller1.example.local
                default_domain = example.local
        }

[domain_realm]
        .example.local = EXAMPLE.LOCAL
        example.local = EXAMPLE.LOCAL

Install Squid 3
apt-get install squid3 ldap-utils


Note: Squid configuration takes place after msktutil is configured.

Install and run msktutil


Obtain the msktutil package and install it.
cd /var/cache/apt/archives/

wget http://fuhm.net/software/msktutil/releases/msktutil_0.4-2_i386.deb

apt-get install libsasl2-modules-gssapi-mit libsasl2-modules

dpkg -i msktutil_0.4-2_i386.deb

cd

Initiate a Kerberos session to the server so msktutil can use it to create our proxy object in Active Directory, which will be used for access.
kinit administrator

Enter the domain administrator password. It should then return without errors. You can see if you successfully obtained a ticket with:
klist

Now we configure the proxy in AD with service principals by running msktutil (update the example values for your network). Warning: You should not move the object from the OU that you use msktutil to create it in.
msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY --upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose

If you are using a Server 2008 domain then add "--enctypes 28" at the end of the command.

msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY --upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose --enctypes 28

Set the permissions on the keytab so squid can read it.
chgrp proxy /etc/squid3/PROXY.keytab

chmod g+r /etc/squid3/PROXY.keytab

On the Windows server reset the computer account in AD by right clicking on the SQUIDPROXY computer and selecting "Reset Account", then run msktutil as follows to ensure the keytab is updated as expected and that the keytab path is being sourced by msktutil from /etc/krb5.conf correctly. Reboot the proxy first to clear the Kerberos tickets generated by the kinit command, then run the following:
msktutil --auto-update --verbose

If the keytab is not found, try adding "-k /etc/squid3/PROXY.keytab" to the command to see if it works, and then troubleshoot until resolved or users will not be able to authenticate with Squid. Add the following to cron so it can automatically update the computer account in Active Directory when it expires (typically around 30 days). I pipe it through logger so I can see any errors in syslog if necessary. As stated, msktutil uses the default /etc/krb5.conf file for its parameters, so be aware of that if you decide to make any changes in it.


The SHELL and PATH variables are there to ensure cron runs properly; change them only if you know what you're doing.
crontab -e

SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow command
00 4 * * * msktutil --auto-update --verbose | logger -t msktutil

Configure Squid
In order to use our redundant LDAP access and authorization via security groups in Active Directory we need to create an account with permission to look up Active Directory attributes. Squid will then use this account to provide users with access. In Active Directory create a user called "Squid Proxy" with the logon name squid@example.local, note the password down and substitute the word "squidpass" below with your password. Ensure the following is true when creating the account:
- User must change password at next logon: un-ticked
- User cannot change password: ticked
- Password never expires: ticked
- Account is disabled: un-ticked

By default the squid account will not be able to query the "memberOf" attribute in AD. Select the top level of your Active Directory domain in Active Directory Users and Computers, right click on it and choose Properties, Security tab, add the squid user and give it read permissions (should happen by default) and allow it to read "This object and all child objects" by going into Advanced options.

Create the following security groups with descriptions in Active Directory and add users to the relevant groups. If a user is not part of a group they will only be able to access sites in the whitelistsites ACL.


Members of Internet Users will not be able to access websites in the blockedsites ACL.
- Internet Users | Description: Members of this group can access the Internet. Access is logged with website restrictions
- Internet Users Full Log | Description: Members of this group can access the Internet. Access is logged with full website access
- Internet Users Full NoLog | Description: Members of this group can access the Internet. Access is not logged with full website access

We then set up Squid and its associated config files.

Squid startup
Add the following configuration to /etc/default/squid3 (this file does not exist by default).
vi /etc/default/squid3

KRB5_KTNAME=/etc/squid3/PROXY.keytab
export KRB5_KTNAME

squid.conf
cp /etc/squid3/squid.conf /etc/squid3/squid.conf.default

cat /dev/null > /etc/squid3/squid.conf

vi /etc/squid3/squid.conf

Update the cache manager variable with the email address of the person in charge of the proxy. Study and update the following text carefully, replacing the example content with your network's configuration; if you get something wrong your proxy will not work.

####### /etc/squid3/squid.conf Configuration File #######

####### cache manager
cache_mgr administrator@example.com

####### kerberos authentication
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d -s HTTP/squidproxy.example.local
auth_param negotiate children 10
auth_param negotiate keep_alive on

####### provide access via ldap for clients not authenticated via kerberos
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=example,dc=local" -D squid@example.local -w "squidpass" -f sAMAccountName=%s -h domaincontroller1.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

####### ldap authorizations
# restricted proxy access logged
external_acl_type internet_users %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=example,dc=local" -D squid@example.local -w "squidpass" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" -h domaincontroller1.example.local
# full proxy access no logging
external_acl_type internet_users_full_nolog %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=example,dc=local" -D squid@example.local -w "squidpass" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Full NoLog,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" -h domaincontroller1.example.local
# full proxy access logged
external_acl_type internet_users_full_log %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=example,dc=local" -D squid@example.local -w "squidpass" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Internet Users Full Log,ou=Security Groups,ou=MyBusiness,dc=example,dc=local))" -h domaincontroller1.example.local

####### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
# format "acl, aclname, acltype, acltypename, activedirectorygroup"
acl RestrictedAccessLog external internet_users Internet Users
acl FullAccessNoLog external internet_users_full_nolog Internet Users Full NoLog
acl FullAccessLog external internet_users_full_log Internet Users Full Log
acl whitelistsites url_regex -i "/etc/squid3/whitelistsites.txt"
acl blockedsites url_regex -i "/etc/squid3/blockedsites.txt"

####### squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

####### enforce auth: order of rules is important for authorization levels
no_cache deny whitelistsites
http_access allow whitelistsites
http_access allow FullAccessNoLog auth
http_access allow FullAccessLog auth
http_access deny blockedsites
http_access allow RestrictedAccessLog auth

####### logging
# don't log whitelistsites, FullAccessNoLog
access_log /var/log/squid3/access.log squid !whitelistsites !FullAccessNoLog

####### squid defaults
http_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
touch /etc/squid3/whitelistsites.txt


touch /etc/squid3/blockedsites.txt

invoke-rc.d squid3 restart
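To check the authorization levels before the proxy goes live, here is an added example (not from the original article) that simulates Squid's first-match evaluation of the "enforce auth" http_access block above. Group membership, the whitelist and the blocked list are constructed inline, standing in for squid_ldap_group and the two text files.

```javascript
// Added example, not from the original article: a first-match simulator of the
// "enforce auth" http_access block in the squid.conf above, so the authorization
// levels can be checked before the proxy goes live.

// Constructed stand-ins for /etc/squid3/whitelistsites.txt and blockedsites.txt
// (url_regex -i: case-insensitive regexes tested against the whole URL).
const WHITELIST = [/^https?:\/\/([^/]+\.)?windowsupdate\.com\//i];
const BLOCKED = [/^https?:\/\/([^/]+\.)?example-social\.test\//i];

// Constructed membership of the three AD security groups from the article.
// On the real proxy this answer comes from squid_ldap_group querying AD.
const MEMBERS = {
  "Internet Users": ["alice"],
  "Internet Users Full Log": ["bob"],
  "Internet Users Full NoLog": ["carol"],
  // "dave" authenticates but is in no group
};

const inGroup = (user, group) => user !== null && MEMBERS[group].includes(user);
const matches = (list, url) => list.some((re) => re.test(url));

// ACL name -> predicate over a request { user, url }. user === null means the
// client presented no Negotiate/Basic credentials, so "proxy_auth REQUIRED" fails.
const ACL = {
  auth: (r) => r.user !== null,
  whitelistsites: (r) => matches(WHITELIST, r.url),
  blockedsites: (r) => matches(BLOCKED, r.url),
  RestrictedAccessLog: (r) => inGroup(r.user, "Internet Users"),
  FullAccessLog: (r) => inGroup(r.user, "Internet Users Full Log"),
  FullAccessNoLog: (r) => inGroup(r.user, "Internet Users Full NoLog"),
};

// The article's rules in their original order, ending with the default deny.
const HTTP_ACCESS = [
  ["allow", "whitelistsites"],
  ["allow", "FullAccessNoLog", "auth"],
  ["allow", "FullAccessLog", "auth"],
  ["deny", "blockedsites"],
  ["allow", "RestrictedAccessLog", "auth"],
  ["deny", "all"],
];

// Squid semantics: every ACL on a line must match (AND), and the first
// matching line decides; "all" always matches.
function decide(user, url) {
  const req = { user, url };
  for (const [action, ...acls] of HTTP_ACCESS) {
    if (acls.every((name) => name === "all" || ACL[name](req))) return action;
  }
  return "deny"; // unreachable: the final "deny all" always matches
}

// Whether the transaction is written to access.log under the article's
// access_log line, which excludes whitelistsites and FullAccessNoLog.
function logged(user, url) {
  const req = { user, url };
  return !ACL.whitelistsites(req) && !ACL.FullAccessNoLog(req);
}

// Walk the cases the article describes in prose.
for (const [user, url] of [
  [null, "http://www.google.com/"],              // no credentials: deny
  ["dave", "http://www.google.com/"],            // no group: whitelist only
  ["alice", "http://www.example-social.test/"],  // restricted user: blocked
  ["bob", "http://www.example-social.test/"],    // full access: bypasses the block
]) {
  console.log(user, url, decide(user, url), logged(user, url) ? "logged" : "not logged");
}
```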

Proxy Auto Configuration


Install Apache2:
apt-get install apache2

Add a configuration to Apache2 to identify the file format of the proxy configuration script.
vi /etc/apache2/conf.d/wpad.dat

AddType application/x-ns-proxy-autoconfig .dat

Create our wpad.dat file used by web browsers for configuration:


vi /var/www/wpad.dat

Change the line starting with $proxy to your proxy's FQDN.
function FindProxyForURL(url, host)
{
    $proxy = "PROXY squidproxy.example.local:3128";

    // URLs within this network are accessed direct
    if (isInNet(host, "192.168.0.0", "255.255.0.0"))
        {return "DIRECT";}
    if (isInNet(host, "172.16.0.0", "255.240.0.0"))
        {return "DIRECT";}
    if (isInNet(host, "127.0.0.0", "255.0.0.0"))
        {return "DIRECT";}
    if (isInNet(host, "10.0.0.0", "255.0.0.0"))
        {return "DIRECT";}
    //Return proxy for EVERYTHING else
    else return $proxy;
}

Restart Apache2:

invoke-rc.d apache2 restart
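As an added example (not the article's own code), the wpad.dat above can be exercised offline with a stand-in isInNet() and a constructed hostname table in place of DNS; the only change to the article's function is a var keyword on $proxy so it also runs in strict mode.

```javascript
// Added example, not from the original article: evaluate the wpad.dat above
// offline before publishing it. A browser's PAC engine supplies isInNet() and
// resolves hostnames via DNS; here a constructed lookup table stands in for DNS.

// Constructed DNS stand-in (hostname -> IPv4). Unknown names return null,
// which is how a failed lookup behaves inside isInNet() in a browser.
const FAKE_DNS = {
  "intranet.example.local": "192.168.0.10",
  "www.google.com": "203.0.113.10", // documentation-range placeholder address
};

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // already an IP literal
  return FAKE_DNS[host] || null;
}

// Dotted quad -> unsigned 32-bit integer.
const ip2int = (ip) =>
  ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;

// Same semantics as the PAC built-in: false when the name does not resolve.
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  if (ip === null) return false;
  return (ip2int(ip) & ip2int(mask)) === (ip2int(pattern) & ip2int(mask));
}

// The article's wpad.dat, with "var" added so the file also runs in strict mode.
function FindProxyForURL(url, host) {
  var $proxy = "PROXY squidproxy.example.local:3128";
  // URLs within this network are accessed direct
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) { return "DIRECT"; }
  if (isInNet(host, "172.16.0.0", "255.240.0.0")) { return "DIRECT"; }
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) { return "DIRECT"; }
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) { return "DIRECT"; }
  //Return proxy for EVERYTHING else
  else return $proxy;
}

for (const host of ["intranet.example.local", "10.1.2.3", "www.google.com", "nosuchhost.test"]) {
  console.log(host, "->", FindProxyForURL("http://" + host + "/", host));
}
```

An unresolvable hostname makes every isInNet() call false and falls through to the proxy, which then resolves it itself; note also that the 255.255.0.0 mask sends the whole of 192.168.0.0/16 direct, not only the 192.168.0.0/24 subnet named in the introduction.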

WPAD DNS entries


Warning: Once you add the following DNS entry the proxy will become live. Stop at this point and check:
- That client browsers are using Integrated Windows Authentication
- That you have added all users to the relevant Internet Users security groups in AD
- That all client browsers are set to automatically detect proxy settings for internet access. Using group policy is a sensible option here, or perhaps restrict outbound HTTP access on your firewall to weed out users without auto-detection configured.

Test access with Internet Explorer by ticking "Use automatic configuration script", inserting http://squidproxy.example.local/wpad.dat (change the proxy FQDN to yours of course) in the address field and then accessing any websites. Good luck, I hope it works! Stop here and troubleshoot if it is not working or else you will end up with a lot of angry users!

Add a CNAME record in DNS to point wpad.example.local to squidproxy.example.local.

Note: Server 2008 comes with a security measure that blocks wpad; I have also seen it on Server 2003. To remove the wpad DNS restriction, but leave the block list enabled, run Regedit and open the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList

Server 2008 will likely have the entries WPAD and ISATAP. Remove the WPAD entry and restart the DNS service for it to reload the block list. You should then be able to resolve wpad.example.local. Then set your browser to use proxy auto configuration. All modern web browsers follow the WPAD standard and will attempt to look up http://wpad.example.local/wpad.dat for their configuration information.


More information about WPAD can be found here: http://wiki.squid-cache.org/Technology/WPAD/DNS

Check your squid logs to see that the browsers are using the proxy.

Optional: Install Cyfin Reporter


With the proxies we operate we need decent reporting. Programs like sarg, mysar etc. were not cutting it as decent reporting options for monitoring user internet usage. Cyfin Reporter by Wavecrest has proven to be a very capable and intuitive reporting system with plenty of features. This is how to set up and install Cyfin Reporter with Squid on Debian Squeeze. The latest Cyfin Reporter version at the time of writing is version 8.5. Check the following locations depending on your architecture before you download, and update the following commands where necessary.
http://downloads.wavecrest.net/release/cyfin/linux32/
http://downloads.wavecrest.net/release/cyfin/linux64/
So your install might look something like this...
cd /usr/local/src/

wget "http://downloads.wavecrest.net/release/cyfin/linux32/v850/c850linux32.bin.gz"

gunzip c850linux32.bin.gz

chmod +x c850linux32.bin

N.B. The Install Anywhere program screws around with PS1, so changing this for the current shell resolves the issue.
export PS1=">"

./c850linux32.bin


When prompted about the install path enter it as

ENTER AN ABSOLUTE PATH, OR PRESS TO ACCEPT THE DEFAULT : /opt/wavecrest/cyfin

Accept everything else as default. We need to create an initscript to start and stop cyfin the Debian way.
vi /etc/init.d/cyfin

#! /bin/sh
### BEGIN INIT INFO
# Provides:          cyfin
# Required-Start:    $network $remote_fs
# Required-Stop:     $network $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: cyfin reporter initscript
### END INIT INFO

NAME=cyfin
SCRIPTNAME=/etc/init.d/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions

case "$1" in
  start)
        sh /opt/wavecrest/cyfin/cyfin start
        ;;
  stop)
        sh /opt/wavecrest/cyfin/cyfin stop
        ;;
  status)
        # assumed: the Cyfin script's own status action
        sh /opt/wavecrest/cyfin/cyfin status
        ;;
  restart)
        sh /opt/wavecrest/cyfin/cyfin restart
        ;;
  *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart}" >&2
        exit 3
        ;;
esac

:

chmod +x /etc/init.d/cyfin

update-rc.d cyfin defaults

Configuring Cyfin Reporter would require a brand new tutorial, so here are the basics. Access the configuration GUI via http://squidproxy.example.local:7999. The logon by default is "admin" for both the username and the password.
- Use the help in the GUI as the documentation is very good.
- Check the FAQs at http://www.wavecrest.net/support/cyfin/reporter/faqs.html
- Use the Quick Start menu to set up the basics, which are fairly straightforward.
- Enable the Data Manager to import log files and set up a log file import schedule.
- Use the integration with Active Directory; you can use the squid account created for LDAP auth to also extract information from Active Directory.
- Configure a schedule to import user lists from Active Directory.
- You should ensure your users are part of a security group or distribution group in Active Directory and add these groups to Cyfin Reporter.
- Assign the department's manager as the recipient of email reports.
- Set up access accounts for staff with permission to view the logs.


If you use Cyfin Reporter you need to account for additional memory usage so be sure to allocate enough resources to run it. That concludes the tutorial. Hope it helps.
