Configuring a Squid Server to authenticate

off Active Directory

By Adrian Chadd

Warning: Any example presented here is provided "as-is" with no support or guarantee of
suitability. If you have any further questions about these examples please email the squid-users
mailing list.

Contents

1. Configuring a Squid Server to authenticate off Active Directory

1. Basic Concepts
2. Environment
3. Packages to install
4. Files to modify
1. /etc/krb5.conf
2. /etc/samba.smb.conf
3. /var/kerberos/krb5kdc/kdc.conf
4. /var/kerberos/krb5kdc/kadm5.acl
5. Configure NTP time synchronisation
6. Joining the server to the AD domain
7. Squid Configuration
1. Test Squid without auth
2. Test the helpers
3. squid.conf Settings
4. Test Squid with auth

Basic Concepts
In this example, a Squid installation will use the Samba ntlm_auth helper to authenticate against
an Windows Active Directory. The server will be joined to the Active Directory domain and
other services can use the ntlm_auth helper to authenticate users (but be out of the scope of this
document.)

 Windows 2003 Active Directory is also capable of LDAP authentication

Environment
 Windows Server 2003 AD
 Ubuntu Dapper installation
 Squid-2.6
 Kerberos 5
  Samba + Winbind
 NTP server running on AD controller

Packages to install
 samba (3)
 ntp-server (Kerberos requires time-synchronised machines)
 krb5-doc, krb5-config, krb5-user, libkerb53, libkadm55 (Kerberos related user libraries)
 winbind

Files to modify
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log

[libdefaults]
default_realm = DOMAIN.COM.AU.
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
DOMAIN.COM.AU = {
kdc = ad-master.domain.com.au.:88
admin_server = ad-master.domain.com.au.:749
default_domain = domain.
}

[domain_realm]
.domain. = DOMAIN.COM.AU.
domain. = DOMAIN.COM.AU.

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/samba.smb.conf
[global]
netbios name = SERVERNAME
workgroup = DOMAIN
realm = DOMAIN.COM.AU
server string = Domain Proxy Server
encrypt passwords = yes
security = ADS
password server = ad-master.domain.com.au
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
cups options = raw

/var/kerberos/krb5kdc/kdc.conf
[kdcdfefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = noreauth

[libdefaults]
default_realm = DOMAIN.

[realms]
DOMAIN. = {
master_key_type = des-cbc-crc
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-
cbc-crc:afs3
}

/var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *

Configure NTP time synchronisation

The server must time synchronise against the AD clock - so configure ntpd to sync against the
same time source as the AD server is. You must do this step or random authentication failures
will occur!
Joining the server to the AD domain
Once the files have been initialised, join the server to the Active Directory by using an AD
account with sufficient privilege:

# kinit <admin user>@<fulldomain>

eg

kinit [email protected].

You may need to do this a couple of times - it may take a while and fail; so try it once again.

Now, to do the actual join:

# net ads join -U <admin user>@<fulldomain>

eg

# net ads join -U [email protected].

This will also take some time and may need to be repeated. It should eventually tell you that the
server successfully joined the domain.

Next, restart samba and winbind, ie

# /etc/init.d/samba restart
# /etc/init.d/winbind restart

'wbinfo' can tell you whether winbind has successfully negotiated and joined the network:

 wbinfo -t will check whether the trust exists

 wbinfo -u will list the users in the domain

ntlm_auth requires access to the privileged winbind pipe in order to function properly. You
enable this access by adding the security user Squid runs as to the winbindd_priv group.

gpasswd -a proxy winbindd_priv

 Remove the cache_effective_group setting in squid.conf, if present. This setting causes

squid to ignore the auxiliary winbindd_priv group membership.

the default user Squid is bundled as nobody though some distribution packages are
built with squid or proxy or other similar low-access user.

Squid Configuration
As Samba-3.x has it's own authentication helper there is no need to build any of the Squid
authentication helpers for use with Samba-3.x (and the helpers provided by Squid won't work if
you do). You do however need to enable support for the NTLM scheme if you plan on using this.
Also you may want to use the wbinfo_group helper for group lookups

--enable-auth="ntlm,basic"
--enable-external-acl-helpers="wbinfo_group"

Test Squid without auth

Before going further, test basic Squid functionality. Make sure squid is functioning without
requiring authorization.

Test the helpers

Testing the winbind ntlm helper is not really possible from the command line, but the winbind
basic authenticator can be tested like any other basic helper. Make sure to run the test as your
cache_effective_user

# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypasswd
OK

The helper should return "OK" if given a valid username/password. + is the domain separator
set in your smb.conf

squid.conf Settings

Add the following to enable both the winbind basic and ntlm authenticators. IE will use ntlm and
everything else basic:

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-

ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on

# warning: basic authentication sends passwords plaintext

# a network sniffer can and will discover passwords
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-
basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

And the following acl entries to require authentication:

acl AuthorizedUsers proxy_auth REQUIRED

..
http_access allow all AuthorizedUsers

Test Squid with auth

 Internet Explorer, Mozilla, Firefox:

o Test browsing through squid with a NTLM capable browser. If logged into the
domain, a password prompt should NOT pop up. Confirm the traffic really is
being authorized by tailing access.log. The domain\username should be present.
 Netscape, Mozilla ( < 1.4), Opera...:
o Test with a NTLM non-capable browser. A standard password dialog should
appear. Entering the domain should not be required if the user is in the default
domain and "winbind use default domain = yes" is set in smb.conf. Otherwise, the
username must be entered in "domain+username" format. (where + is the domain
separator set in smb.conf)

If no usernames appear in access.log and/or no password dialogs appear in either browser, then
the acl/http_access portions of squid.conf are not correct.

Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in
access.log for every request. This is due to the challenge-response process of NTLM.