Solved

Squid Authentication Against Active Directory

Posted on 2010-08-28
Last Modified: 2012-05-10
Hello!
For some time I have had a problem with the following:
I have an Active Directory domain with several computers. I have made a group in AD for the AD users who should be allowed to access the internet. I have configured a Squid proxy server to authenticate users based on their AD membership, but one thing is missing: the users, when starting their web browsers, have to enter a username/password (the domain one). It is embarrassing to them, although they can click OK and use stored passwords... I know that it is possible to configure Squid with Kerberos, so that the credentials of the AD user logged on to the machine are used, and it is completely transparent to the user, no prompt for username/password.
If you can help me, please explain which services need to be configured (samba, kerberos?). Please do not post if you haven't already done it yourself, because I have read tons of how-tos and they don't work... Thanks!
Question by:pingvinos
3 Comments

Expert Comment
by:netF
ID: 33550534

Accepted Solution
by:madunix (earned 500 total points)
ID: 33550795
Read my own notes, actually what I have done to get it up and running:

Install and configure an internet gateway using the Squid proxy server, which retrieves the users who are allowed to connect to the internet from an Active Directory group via the Samba server and winbind. The scenario uses NTLM for SSO, that's why we have to configure Kerberos. The gateway is protected with the ClamAV antivirus and DansGuardian for content filtering.

Installation requirements

   1. Kerberos v5
   2. Samba v3.2.4
   3. Dansguardian v 2.9.9.8
   4. ClamAV v0.94
   5. Squid 2.6 or newer version

Prerequisites

   1. Linux server and Active Directory are time synced (using NTP)
   2. Active Directory is running in native mode
   3. zlib + zlib-devel is installed
   4. Perl modules are installed
   5. libstdc++ and libstdc++-devel are installed
   6. gcc and its components, ld, ldconfig
   7. The user account used to bind the Linux machine is a member of Domain Admins

Installation process

   1. Install Kerberos v5 (workstation+server+lib+devel)
   2. Download samba-3.2.4.tar.gz from www.samba.org and extract it
   3. Compile samba with the following options

      ./configure --prefix=/usr --sbindir=/usr/sbin/ --bindir=/usr/bin/ --libexecdir=/usr/sbin/ --sysconfdir=/etc/samba --localstatedir=/var --libdir=/usr/lib --datarootdir=/usr/share/ --enable-nss-wrapper=yes --enable-swat=yes --enable-cups=yes --with-privatedir=/etc/samba/ --with-ldap --with-ads --with-krb5 --with-automount --with-cifsmount --with-pam --with-pam_smbpass --with-syslog --with-utmp --with-libtdb --with-included-iniparser --with-winbind --with-quotas --with-pammodulesdir=/lib/security/ --enable-shared-libs --with-rootsbindir=/usr/sbin/ --with-lockdir=/var/lock/samba --with-piddir=/var/lock/samba --with-configdir=/etc/samba --with-logfilebase=/var/log/samba/

      After that issue the commands (make) and (make install)

   4. Download ClamAV v0.94 from http://www.clamav.net/
   5. Compile ClamAV with the following options

      ./configure --prefix=/usr/ --bindir=/usr/bin/ --sbindir=/usr/sbin/ --libexecdir=/usr/sbin/ --sysconfdir=/etc/clamav/ --localstatedir=/var/clamav/ --libdir=/usr/lib/ --enable-debug --enable-dns-fix --enable-readdir_r --with-zlib=/usr/ --with-libbz2-prefix --with-user=root --with-group=root --with-dbdir=/var/clamav/db/

      After that issue the commands (make) and (make install)

   6. Download Dansguardian v2.9.9.8 from http://dansguardian.org/ and extract it
   7. Compile Dansguardian with the following options

      ./configure --prefix=/usr --bindir=/usr/bin/ --sbindir=/usr/sbin/ --libexecdir=/usr/sbin/ --sysconfdir=/etc/ --localstatedir=/var/dansguardian --libdir=/usr/lib/ --enable-clamav=yes --enable-clamd=yes --enable-ntlm=yes --with-proxyuser=squid --with-proxygroup=squid --with-piddir=/var/run/ --with-logdir=/var/log/dansguardian/ --with-sysconfsubdir=/etc/dansguardian/ --enable-pcre=no

      After that issue the commands (make) and (make install)


Configuration steps

         1. Kerberos

            Edit /etc/krb5.conf: remove its content and add the following

            [logging]
                  default = FILE:/var/log/krb5libs.log
                  kdc = FILE:/var/log/krb5kdc.log
                  admin_server = FILE:/var/log/kadmind.log

            [libdefaults]
                  default_realm = TESTING.RND
                  dns_lookup_realm = true
                  dns_lookup_kdc = true
                  ticket_lifetime = 24h
                  forwardable = yes

            [realms]
                  TESTING.RND = {
                        kdc = win-vmware.testing.rnd:88
                        admin_server = win-vmware.testing.rnd:749
                        kdc = win-vmware.testing.rnd
                  }

            [domain_realm]
                  .testing.rnd = TESTING.RND
                  testing.rnd = TESTING.RND

            [appdefaults]
                  pam = {
                        debug = false
                        ticket_lifetime = 36000
                        renew_lifetime = 36000
                        forwardable = true
                        krb4_convert = false
                  }

            Then issue the following commands

            #chkconfig kadmin on
            #chkconfig krb5kdc on


         2. Edit /etc/samba/smb.conf

               1. Copy smb.conf to smb.conf.default
               2. Replace the content of smb.conf with the following

[global]
workgroup = TESTING
server string = Samba Server Version %v
#machine name
netbios name = testing-rnd
#if there is no Microsoft wins server
wins support = yes
#admin path in the directory tree
ldap admin dn = cn=administrator,dc=testing,dc=rnd
#sam accounts will be taken from active directory
security = ads
#hostname or ip of the active directory server
password server = win-vmware.testing.rnd
#Kerberos REALM
realm = TESTING.RND
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#samba ID mapping for active directory users and groups
idmap uid = 10000-20000
idmap gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
#winbind mapping for active directory users and groups
winbind uid = 10000-20000
winbind gid = 10000-20000
#domain and username separators like TESTING+saddam
winbind separator = +
winbind use default domain = true
preferred master = yes
encrypt passwords = yes
log level = 3 passdb:5 auth:10 winbind:5
template shell = /bin/bash

               3. Issue the following commands as root

                  #chmod 750 /var/lock/samba/winbindd_privileged
                  #chown :squid /var/lock/samba/winbindd_privileged
                  #/usr/bin/net join -w TESTING -S win-vmware.testing.rnd -U Administrator
                  #chkconfig smb on
                  #chkconfig winbind on

               4. Test that everything is working fine in winbind by issuing the following commands

                  #net ads testjoin    # to test workstation membership
                  #wbinfo -u           # to get the user list from active directory
                  #wbinfo -g           # to get the group list from active directory
                  #wbinfo -t           # to check domain trusts
                  #setup

                  From setup choose Authentication -> choose Winbind from the Authentication and Information columns + Kerberos
                  Choose Next -> Next -> OK


         3. Edit /etc/squid/squid.conf

               1. Copy squid.conf to squid.conf.default
               2. Replace the content of squid.conf with the following

http_port 10.1.46.243:8888
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param ntlm children 30
auth_param basic children 5
auth_param basic casesensitive off
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
# a later "auth_param basic program" replaces the earlier one; the helper and all of its arguments must be on a single line
auth_param basic program /usr/lib/squid/squid_ldap_auth -u cn -b "cn=Users,dc=testing,dc=rnd" -D "cn=administrator,cn=Users,dc=testing,dc=rnd" -w cccisdrnd -f "(&(sAMAccountName=%s)(memberOf=CN=internet,CN=Users,DC=testing,DC=rnd))" 10.1.46.74
auth_param basic children 10
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl lan src 10.1.0.0/16
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localIP  src  10.1.46.243/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "cn=Users,dc=testing,dc=rnd" -D "cn=Administrator,cn=Users,dc=testing,dc=rnd" -w cccisdrnd -f "(&(cn=%g)(member=%u))" -F "(sAMAccountName=%s)" -h 10.1.46.74
acl InetAccess external InetGroup internet
acl authenticated_users proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny !InetAccess
http_access allow lan authenticated_users
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Issue the following command

#chkconfig squid on
 

         4. ClamAV

               1. Copy /etc/clamav/clamd.conf to /etc/clamav/clamd.conf.default

               Replace the content of clamd.conf with the following

            TemporaryDirectory /var/tmp
            DatabaseDirectory /var/clamav/db/
            LocalSocket /tmp/clamd.socket
            TCPSocket 3310
            TCPAddr 127.0.0.1
            StreamMaxLength 20M
            ExcludePath ^/proc/
            ExcludePath ^/sys/
            ExcludePath ^/selinux
            MaxDirectoryRecursion 20
            SelfCheck 600
            VirusEvent /usr/bin/mail -s "VIRUS ALERT: %v" root
            User root
            AllowSupplementaryGroups yes
            LeaveTemporaryFiles yes
            ScanPE yes
            ScanELF yes
            DetectBrokenExecutables yes
            ScanOLE2 yes
            ScanPDF yes
            HeuristicScanPrecedence yes
            ScanHTML yes
            ScanArchive yes
            MaxScanSize 1000M
            MaxFileSize 1000M
            MaxRecursion 10
            MaxFiles 15000


               2. Copy /etc/clamav/freshclam.conf to /etc/clamav/freshclam.conf.default

               Replace the content of freshclam.conf with the following

            UpdateLogFile /var/log/freshclam.log
            LogFileMaxSize 3M
            LogTime yes
            LogVerbose yes
            PidFile /var/run/freshclam.pid
            DatabaseOwner root
            AllowSupplementaryGroups yes
            DNSDatabaseInfo current.cvd.clamav.net
            DatabaseMirror database.clamav.net
            MaxAttempts 5
            ScriptedUpdates yes
            Checks 24

            Issue the following command

            #crontab -e

            And add this line (five time fields: runs freshclam at minute 6 of every hour)

            06 * * * * /usr/bin/freshclam

            #touch /var/log/clamav.log
            #touch /etc/init.d/clamav


            Add the following lines

            #! /bin/bash
            # processname: clamd
            # config: /etc/clamav/

            prog="clamd"

            start() {
                    echo -n $"Starting $prog: "
                    /usr/sbin/clamd &> /dev/null
                    rc=$?    # save the exit status; a later test would overwrite $?
                    if [ $rc -eq 0 ]; then
                       echo "[ok]"
                    elif [ $rc -eq 1 ]; then
                       echo "clamAV already running"
                    else
                       echo "[failed]"
                    fi
            }

            stop() {
                    killall -15 clamd &> /dev/null
                    if [ $? -eq 0 ]; then
                       echo "Stopping $prog: [ok]"
                    else
                       killall -9 clamd &> /dev/null
                       echo "Stopping $prog: [ok]"
                    fi
            }

            restart() {
                    stop
                    start
            }

            reload() {
                    echo -n $"Reloading $prog configuration: "
                    killall -1 clamd
            }

            case "$1" in
              start)
                    start
                    ;;
              stop)
                    stop
                    ;;
              restart)
                    restart
                    ;;
              reload)
                    reload
                    ;;
              *)
                    echo $"Usage: $0 {start|stop|reload|restart}"
                    exit 1
            esac


         5. Copy /etc/dansguardian/dansguardian.conf to /etc/dansguardian/dansguardian.conf.default

            Replace the content of dansguardian.conf with the following

reportinglevel = 3
languagedir = '/usr/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = 2
logfileformat = 3
maxlogitemlength = 400
anonymizelogs = off
syslog = on
loglocation = '/var/log/dansguardian/access.log'
statlocation = '/var/log/dansguardian/stats'
filterip = 10.1.46.243
filterport = 3128
proxyip = 10.1.46.243
proxyport = 8888
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
contentscannertimeout = 180
contentscanexceptions = off
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 50
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = on
loguseragent = off
daemonuser = 'squid'
daemongroup = 'squid'
softrestart = off

Issue the following commands

#chkconfig dansguardian on
#touch /var/log/dansguardian/access.log
#touch /var/log/dansguardian/stats
#chown :squid /var/log/dansguardian/*
#service smb start
#service winbind start
#service clamav start
#service squid start
#service dansguardian start
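The http_access block in the squid.conf above is where the "only AD users in the internet group may browse" policy actually lives, and its effect depends entirely on line order. The following script is an added example (not part of madunix's answer or of Squid itself) that walks those exact http_access lines the way Squid does: lines are tested top to bottom, the ACLs on one line are ANDed left to right, "!" negates, the first fully matching line decides, a proxy_auth or %LOGIN external ACL tested on a request without credentials produces a 407 challenge, and if no line matches the result is the opposite of the last line's action. It assumes AD group membership is supplied as a set on the request instead of being looked up through squid_ldap_group, so it runs offline; the sample requests are constructed.

```python
"""Walk the http_access rules from the posted squid.conf the way Squid does."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# http_access lines copied from the squid.conf in the answer.
HTTP_ACCESS_CONF = """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny !InetAccess
http_access allow lan authenticated_users
http_access deny all
"""

CHALLENGE = "407"  # Squid sends Proxy-Authenticate and waits for credentials


@dataclass
class Request:
    src: str                          # client IP address
    method: str = "GET"
    port: int = 80                    # destination port
    proto: str = "http"               # "cache_object" = cache manager interface
    user: Optional[str] = None        # None: no Proxy-Authorization header yet
    groups: frozenset = frozenset()   # AD groups of the user (constructed, not an LDAP lookup)


class NeedsCredentials(Exception):
    """An authentication ACL was tested on a request that carries no credentials."""


def _login(req: Request) -> bool:
    if req.user is None:
        raise NeedsCredentials
    return True


SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}

# The named ACLs from the answer's squid.conf. InetAccess stands in for the
# squid_ldap_group lookup of the AD group "internet".
ACLS: Dict[str, Callable[[Request], bool]] = {
    "all": lambda r: True,
    "lan": lambda r: ipaddress.ip_address(r.src) in ipaddress.ip_network("10.1.0.0/16"),
    "manager": lambda r: r.proto == "cache_object",
    "localhost": lambda r: r.src == "127.0.0.1",
    "SSL_ports": lambda r: r.port == 443,
    "Safe_ports": lambda r: r.port in SAFE_PORTS or 1025 <= r.port <= 65535,
    "CONNECT": lambda r: r.method == "CONNECT",
    "InetAccess": lambda r: _login(r) and "internet" in r.groups,
    "authenticated_users": lambda r: _login(r),
}


def parse_http_access(text: str) -> List[Tuple[str, List[str]]]:
    """Turn http_access lines into (action, [acl terms]) tuples, in file order."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0] != "http_access":
            continue
        if len(parts) < 3 or parts[1] not in ("allow", "deny"):
            raise ValueError(f"bad http_access line: {raw!r}")
        rules.append((parts[1], parts[2:]))
    return rules


def _term_matches(term: str, req: Request) -> bool:
    negate = term.startswith("!")
    hit = ACLS[term.lstrip("!")](req)
    return (not hit) if negate else hit


def decide(req: Request, rules=None) -> Tuple[str, Optional[int]]:
    """Return (allow | deny | 407, number of the rule that decided; None = fallback)."""
    if rules is None:
        rules = parse_http_access(HTTP_ACCESS_CONF)
    for lineno, (action, terms) in enumerate(rules, start=1):
        try:
            # all() stops at the first non-matching ACL, like Squid does
            if all(_term_matches(t, req) for t in terms):
                return action, lineno
        except NeedsCredentials:
            return CHALLENGE, lineno
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    samples = [  # constructed requests
        ("cache manager from localhost", Request("127.0.0.1", proto="cache_object")),
        ("cache manager from the LAN", Request("10.1.46.10", proto="cache_object")),
        ("LAN client, port 22", Request("10.1.46.10", port=22)),
        ("LAN client, CONNECT to port 80", Request("10.1.46.10", method="CONNECT")),
        ("LAN client, no credentials yet", Request("10.1.46.10")),
        ("LAN user in group internet", Request("10.1.46.10", user="alice", groups=frozenset({"internet"}))),
        ("LAN user not in group internet", Request("10.1.46.10", user="bob")),
        ("non-LAN user in group internet", Request("192.168.1.5", user="alice", groups=frozenset({"internet"}))),
    ]
    for label, req in samples:
        verdict, line = decide(req)
        print(f"{label:32} -> {verdict:5} (rule {line})")
```

Running it shows why the order matters: "deny !InetAccess" sits before "allow lan authenticated_users", so a browser with no credentials gets the 407 challenge at rule 6 (that challenge is what makes IE/Firefox send the NTLM token silently), an authenticated user outside the internet group is denied at the same rule even though he authenticated, and a user who is in the group but off the 10.1.0.0/16 LAN falls through to "deny all". The localhost and cache manager lines above the authentication lines are the only paths that never trigger a challenge.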
 
Author Closing Comment

by:pingvinos
ID: 33657598
Thanks!