Squid Authentication Against Active Directory

For some time I have had a problem with the following:
I have an Active Directory domain with several computers. I have made a group in AD for the AD users who should be allowed to access the internet. I have configured a Squid proxy server to authenticate users based on their AD membership, but one thing is missing: the users, when starting their web browsers, have to enter a username/password (the domain one). It is embarrassing to them, although they can click OK and use stored passwords... I know that it is possible to configure Squid with Kerberos, so that the credentials of the AD user logged on to the machine are used, and it is completely transparent to the user, with no prompt for username/password.
If you can help me, please explain which services need to be configured (Samba, Kerberos?). Please do not post if you haven't already done it yourself, because I have read tons of how-tos and they don't work... Thanks!
Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCE, commented:
Read my own notes; this is actually what I have done to get it up and running:

Install and configure an internet gateway using the Squid proxy server, which retrieves the users who are allowed to connect to the internet from an Active Directory group via a Samba server and winbind. The scenario uses NTLM for SSO, which is why we have to configure Kerberos. The gateway is protected with ClamAV antivirus and DansGuardian for content filtering.

Installation requirements

   1. Kerberos v5
   2. Samba v3.2.4
   3. Dansguardian v
   4. ClamAV v0.94
   5. Squid 2.6 or newer version


   1. Linux server and Active Directory are time synced (using NTP)
   2. Active Directory is running in native mode
   3. zlib and zlib-devel are installed
   4. Perl modules are installed
   5. libstdc++ and libstdc++-devel are installed
   6. gcc and its components, ld, ldconfig
   7. The user account used to bind the Linux machine is a member of Domain Admins


Installation process

   1. Install Kerberos v5 (workstation+server+lib+devel)
   2. Download samba-3.2.4.tar.gz from www.samba.org and extract it
   3. Compile samba with the following options

      ./configure --prefix=/usr --sbindir=/usr/sbin/ --bindir=/usr/bin/ --libexecdir=/usr/sbin/ --sysconfdir=/etc/samba --localstatedir=/var --libdir=/usr/lib --datarootdir=/usr/share/ --enable-nss-wrapper=yes --enable-swat=yes --enable-cups=yes --with-privatedir=/etc/samba/ --with-ldap --with-ads --with-krb5 --with-automount --with-cifsmount --with-pam --with-pam_smbpass --with-syslog --with-utmp --with-libtdb --with-included-iniparser --with-winbind --with-quotas --with-pammodulesdir=/lib/security/ --enable-shared-libs --with-rootsbindir=/usr/sbin/ --with-lockdir=/var/lock/samba --with-piddir=/var/lock/samba --with-configdir=/etc/samba --with-logfilebase=/var/log/samba/

      After that, issue the commands make and make install

   4. Download ClamAV v0.94 from http://www.clamav.net/
   5. Compile ClamAV with the following options

      ./configure --prefix=/usr/ --bindir=/usr/bin/ --sbindir=/usr/sbin/ --libexecdir=/usr/sbin/ --sysconfdir=/etc/clamav/ --localstatedir=/var/clamav/ --libdir=/usr/lib/ --enable-debug --enable-dns-fix --enable-readdir_r --with-zlib=/usr/ --with-libbz2-prefix --with-user=root --with-group=root --with-dbdir=/var/clamav/db/

      After that, issue the commands make and make install

   6. Download Dansguardian v2.9.9.8 from http://dansguardian.org/ and extract it
   7. Compile Dansguardian with the following options

      ./configure --prefix=/usr --bindir=/usr/bin/ --sbindir=/usr/sbin/ --libexecdir=/usr/sbin/ --sysconfdir=/etc/ --localstatedir=/var/dansguardian --libdir=/usr/lib/ --enable-clamav=yes --enable-clamd=yes --enable-ntlm=yes --with-proxyuser=squid --with-proxygroup=squid --with-piddir=/var/run/ --with-logdir=/var/log/dansguardian/ --with-sysconfsubdir=/etc/dansguardian/ --enable-pcre=no  

      After that, issue the commands make and make install

Configuration steps  

         1. Kerberos

            Edit /etc/krb5.conf, remove its content and add the following:

                  # The section headers ([logging], [libdefaults], [realms], [domain_realm],
                  # [appdefaults]) and the closing braces were lost in the posted copy and are
                  # restored here; the values are the ones from the post.
                  [logging]
                  default = FILE:/var/log/krb5libs.log
                  kdc = FILE:/var/log/krb5kdc.log
                  admin_server = FILE:/var/log/kadmind.log

                  [libdefaults]
                  default_realm = TESTING.RND
                  dns_lookup_realm = true
                  dns_lookup_kdc = true
                  ticket_lifetime = 24h
                  forwardable = yes

                  [realms]
                  TESTING.RND = {
                        kdc = win-vmware.testing.rnd:88
                        admin_server = win-vmware.testing.rnd:749
                        kdc = win-vmware.testing.rnd
                  }

                  [domain_realm]
                  .testing.rnd = TESTING.RND
                  testing.rnd = TESTING.RND

                  [appdefaults]
                  pam = {
                        debug = false
                        ticket_lifetime = 36000
                        renew_lifetime = 36000
                        forwardable = true
                        krb4_convert = false
                  }

      Then issue the following commands

            #chkconfig kadmin on
            #chkconfig krb5kdc on

         2. Edit /etc/samba/smb.conf

               1. Copy smb.conf to smb.conf.default
               2. Replace the content of smb.conf with the following

#[global] header restored (missing from the posted copy); all settings below belong to it
[global]
workgroup = TESTING
server string = Samba Server Version %v
#machine name
netbios name = testing-rnd
#if there is no Microsoft wins server
wins support = yes
#admin path in the directory tree
ldap admin dn = cn=administrator,dc=testing,dc=rnd
#sam accounts will be taken from active directory
security = ads
#hostname or ip of the active directory server
password server = win-vmware.testing.rnd
#Kerberos REALM (the value was lost in the posted copy; it is the realm set in krb5.conf above)
realm = TESTING.RND
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#samba ID mapping for active directory users and groups
idmap uid = 10000-20000
idmap gid = 16777216-33554431
winbind enum users = yes
winbind enum groups = yes
#winbind mapping for active directory users and groups
#(winbind uid/gid are the older spelling of idmap uid/gid; the last value set wins, so these ranges override the ones above)
winbind uid = 10000-20000
winbind gid = 10000-20000
#domain and username separators like TESTING+saddam
winbind separator = +
winbind use default domain = true
preferred master = yes
encrypt passwords = yes
#very verbose debugging; auth:10 writes authentication details to the logs, so lower it once the setup works
log level = 3 passdb:5 auth:10 winbind:5
template shell = /bin/bash

               3. Issue the following commands as root

                  #chmod 750 /var/lock/samba/winbindd_privileged
                  #chown :squid /var/lock/samba/winbindd_privileged
                  # /usr/bin/net join -w TESTING -S win-vmware.testing.rnd -U Administrator
                  #chkconfig smb on
                  #chkconfig winbind on

               4. Test that everything is working fine in winbind by issuing the following commands

                  #net ads testjoin   //to test workstation membership
                  #wbinfo -u          //to get the user list from active directory
                  #wbinfo -g          //to get the group list from active directory
                  #wbinfo -t          //to check domain trusts

                  From setup choose Authentication -> choose Winbind in the authentication and information columns, plus Kerberos
                  Choose Next -> Next -> OK


         3. Edit /etc/squid/squid.conf

               1. Copy squid.conf to squid.conf.default
               2. Replace the content of squid.conf with the following

# DansGuardian (below) forwards to proxyport 8888, so Squid has to listen there;
# no http_port line survived in the posted copy and it is restored here.
http_port 8888
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid

# NTLM single sign-on through winbind: this is the transparent login the question asks for
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
# Basic fallback through winbind for clients that cannot do NTLM
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic casesensitive off
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
# A second Basic helper follows. Squid keeps the last "auth_param basic" values it reads,
# so the LDAP helper with children 10, realm Web-Proxy and a 1 minute ttl is the one in use.
# The -f filter must stay on one line (it was split in the posted copy). The LDAP server is
# the last argument; it was lost in the posted copy and is restored here as the domain
# controller named in smb.conf. The bind password sits in clear text in this file, so keep
# squid.conf readable by root and the squid user only.
auth_param basic program /usr/lib/squid/squid_ldap_auth -u cn -b "cn=Users,dc=testing,dc=rnd" -D "cn=administrator,cn=Users,dc=testing,dc=rnd" -w cccisdrnd -f "(&(sAMAccountName=%s)(memberOf=CN=internet,CN=Users,DC=testing,DC=rnd))" win-vmware.testing.rnd
auth_param basic children 10
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 1 minute

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

# The address values of the src/dst acls were lost in the posted copy. all, localhost and
# to_localhost carry the Squid 2.6 defaults; lan and localIP are placeholders to replace
# with your own ranges.
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.0.0/24              # placeholder: your LAN subnet
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localIP src 192.168.0.1/32          # placeholder: the proxy's own address
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# Group check: %LOGIN is the authenticated user and "internet" the AD group allowed to browse.
# The -h server name was cut off in the posted copy; restored as the domain controller named in smb.conf.
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "cn=Users,dc=testing,dc=rnd" -D "cn=Administrator,cn=Users,dc=testing,dc=rnd" -w cccisdrnd -f "(&(cn=%g)(member=%u))" -F "(sAMAccountName=%s)" -h win-vmware.testing.rnd
acl InetAccess external InetGroup internet
acl authenticated_users proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny !InetAccess
http_access allow lan authenticated_users
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

Issue the following command

#chkconfig squid on


         4. ClamAV

               1. Copy /etc/clamav/clamd.conf to /etc/clamav/clamd.conf.default

               Replace the content of clamd.conf with the following

            TemporaryDirectory /var/tmp
            DatabaseDirectory /var/clamav/db/
            LocalSocket /tmp/clamd.socket
            TCPSocket 3310
            StreamMaxLength 20M
            ExcludePath ^/proc/
            ExcludePath ^/sys/
            ExcludePath ^/selinux
            MaxDirectoryRecursion 20
            SelfCheck 600
            VirusEvent /usr/bin/mail -s "VIRUS ALERT: %v" root
            # clamd runs as root here, matching the --with-user=root build above; a dedicated
            # clamav user is the safer choice once the setup works
            User root
            AllowSupplementaryGroups yes
            LeaveTemporaryFiles yes
            ScanPE yes
            ScanELF yes
            DetectBrokenExecutables yes
            ScanOLE2 yes
            ScanPDF yes
            HeuristicScanPrecedence yes
            ScanHTML yes
            ScanArchive yes
            MaxScanSize 1000M
            MaxFileSize 1000M
            MaxRecursion 10
            MaxFiles 15000

               2. Copy /etc/clamav/freshclam.conf to /etc/clamav/freshclam.conf.default

               Replace the content of freshclam.conf with the following

            UpdateLogFile /var/log/freshclam.log
            LogFileMaxSize 3M
            LogTime yes
            LogVerbose yes
            PidFile /var/run/freshclam.pid
            DatabaseOwner root
            AllowSupplementaryGroups yes
            DNSDatabaseInfo current.cvd.clamav.net
            DatabaseMirror database.clamav.net
            MaxAttempts 5
            ScriptedUpdates yes
            Checks 24

            Issue the following command

            #crontab -e

            And add this line

            # minute 06 of every hour (the posted line had six fields, which cron rejects; crontab takes five)
            06 * * * * /usr/bin/freshclam

            #touch /var/log/clamav.log
            #touch /etc/init.d/clamav

            Add the following lines

            #! /bin/bash
            # processname: clamd
            # config: /etc/clamav/
            # The posted copy lost the fi/} closers, the case body and the prog variable;
            # they are restored here so the script runs.

            prog="clamd"

            start() {
                    echo -n $"Starting $prog: "
                    /usr/sbin/clamd &> /dev/null
                    rc=$?
                    if [ $rc -eq 0 ]; then
                       echo "[ok]"
                    elif [ $rc -eq 1 ]; then
                       echo "clamAV already running"
                    fi
            }

            stop() {
                    killall -15 clamd &> /dev/null
                    if [ $? -eq 0 ]; then
                       echo "Stopping $prog: [ok]"
                    else
                       killall -9 clamd &> /dev/null
                       echo "Stopping $prog: [ok]"
                    fi
            }

            restart() {
                    stop
                    start
            }

            reload() {
                    echo -n $"Reloading $prog configuration: "
                    killall -1 clamd
            }

            case "$1" in
                    start)
                            start
                            ;;
                    stop)
                            stop
                            ;;
                    restart)
                            restart
                            ;;
                    reload)
                            reload
                            ;;
                    *)
                            echo $"Usage: $0 {start|stop|reload|restart}"
                            exit 1
            esac

         5. Copy /etc/dansguardian/dansguardian.conf to /etc/dansguardian/dansguardian.conf.default

            Replace the content of dansguardian.conf with the following

reportinglevel = 3
languagedir = '/usr/share/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = 2
logfileformat = 3
maxlogitemlength = 400
anonymizelogs = off
syslog = on
loglocation = '/var/log/dansguardian/access.log'
statlocation = '/var/log/dansguardian/stats'
# empty filterip = listen on all addresses
filterip =
filterport = 3128
# proxyip value missing from the posted copy; the address Squid listens on (port 8888) belongs here
proxyip =
proxyport = 8888
nonstandarddelimiter = on
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = off
forcequicksearch = off
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/dansguardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/dansguardian/downloadmanagers/default.conf'
# both scanners hand downloads to the clamd configured above
contentscanner = '/etc/dansguardian/contentscanners/clamav.conf'
contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
contentscannertimeout = 180
contentscanexceptions = off
# both auth plugins are loaded so DansGuardian can identify the user whether the browser used Basic or NTLM
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 50
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = on
loguseragent = off
daemonuser = 'squid'
daemongroup = 'squid'
softrestart = off

Issue the following commands

#chkconfig dansguardian on
#touch /var/log/dansguardian/access.log
#touch /var/log/dansguardian/stats
#chown :squid /var/log/dansguardian/*
#service smb start
#service winbind start
#service clamav start
#service squid start
#service dansguardian start
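The group check that the squid.conf above delegates to squid_ldap_group, written out as an added example (not code from the post or from Squid's own helpers): it expands the post's two LDAP filters with RFC 4515 escaping of the login, answers Squid's external_acl OK/ERR line protocol, and runs against a constructed in-memory stand-in for the domain controller. The group DN is the one from the post; GROUP_DN, make_sample_search and SAMPLE_USERS are names assumed here.

```python
import re
# GROUP_DN is the AD group from the post's squid.conf; everything else is an
# added illustration, not code from the post or from Squid's own helpers.
GROUP_DN = "CN=internet,CN=Users,DC=testing,DC=rnd"
def ldap_escape(value):
    """RFC 4515 escaping: a login like '*)(objectClass=*' must match literally,
    not turn the filter into a wildcard (Squid's real helpers escape %s too)."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)
def auth_filter(login):
    """The post's squid_ldap_auth -f filter with %s expanded."""
    return f"(&(sAMAccountName={ldap_escape(login)})(memberOf={GROUP_DN}))"
def group_filter(group, user_dn):
    """The post's squid_ldap_group -f filter: %g is the acl's group name, %u the
    DN found first through its -F "(sAMAccountName=%s)" filter."""
    return f"(&(cn={ldap_escape(group)})(member={ldap_escape(user_dn)}))"
def external_acl_helper(requests, search):
    """Squid's external_acl line protocol for 'acl InetAccess external InetGroup
    internet': a request is '<login> <group>...' (%LOGIN plus the acl arguments),
    the reply OK or ERR. search(filter) returns a matching DN or None."""
    replies = []
    for line in requests:
        fields = line.split()
        if len(fields) < 2:  # malformed request: never grant access
            replies.append("ERR")
            continue
        user_dn = search(f"(sAMAccountName={ldap_escape(fields[0])})")
        allowed = user_dn is not None and any(
            search(group_filter(g, user_dn)) for g in fields[1:])
        replies.append("OK" if allowed else "ERR")
    return replies
def make_sample_search(users):
    """Constructed stand-in for the domain controller (users: login -> (DN, set of
    group CNs)); it understands only the two filter shapes built above."""
    by_login = {login: dn for login, (dn, _) in users.items()}
    member_of = {dn: cns for dn, cns in users.values()}
    def search(flt):
        m = re.fullmatch(r"\(sAMAccountName=(.*)\)", flt)
        if m:
            return by_login.get(m.group(1))
        m = re.fullmatch(r"\(&\(cn=(.*)\)\(member=(.*)\)\)", flt)
        if m and m.group(1) in member_of.get(m.group(2), set()):
            return f"CN={m.group(1)},CN=Users,DC=testing,DC=rnd"
        return None
    return search
SAMPLE_USERS = {  # constructed sample accounts, not real directory data
    "alice": ("CN=alice,CN=Users,DC=testing,DC=rnd", {"internet"}),
    "bob": ("CN=bob,CN=Users,DC=testing,DC=rnd", set())}
```

Feeding the helper the lines "alice internet", "bob internet" and a malformed login yields OK, ERR, ERR: only a member of the internet group is granted access, and a login carrying filter metacharacters is matched literally rather than widening the search.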