Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access


Contents

Introduction
To Configure
  Squid Server
  Windows Domain Controller
Configuration
  DNS
  NTP
  SQUID Install
  Kerberos – Install and Configure
    Install
    Configure
    Test
  Samba Winbind
    Install
    Configure
    More Config with net ads command
  Set Permissions
  Cron – Computer Account Password Update
  Basic Authentication Configuration
  Install negotiate_wrapper
  SQUID Configuration
    Authentication Config
    ICAP Config
  User Machines
    Chrome
    Firefox Browser
    Safari (Apple Devices)
  Checking the Squid Log
  And Finally


Introduction

The primary motivation for writing this document was to show how Squid can be set up to pass Active Directory (AD) user names to SurfProtect so that customers can have more granular control over web activity in their network. The whole process of getting AD information to SurfProtect relies on the customer using our SurfProtect ICAP service, which needs to be configured within an ICAP-capable client such as the NETASQ U70 appliance or, in this scenario, the Squid proxy. More information about the U70 UTM can be found here - http://www.netasq.com/en/firewall-services/u30-u70.php

One disadvantage that should be noted is that Squid can only pass AD usernames and NOT the AD user groups of the person requesting the web page. User groups would be a more natural level at which to apply a SurfProtect profile. Although this is not a major problem, you will have to decide on the best approach to authenticating users: one login shared by a group of users, or individual usernames for all users? SurfProtect can apply a "blanket" profile to users whose names are not recognised or listed against a particular profile. Then all that is left to deal with are the exceptions to the standard profile rule, where you would add specific usernames to a profile for their personal requirements.

Please note that my experience of setting this up was taken from several documents on the internet, in which I found that some of the steps listed worked and others didn't, so what you have here are the parts that did work. There are links to the websites I used at the end of the document.

The information provided here is "as-is" with no support or guarantee of suitability.


To Configure

For this magic to work we will need to configure:

- DNS
- NTP
- Kerberos
- Squid 3.1.19
- Samba Winbind
- OPTIONAL: SurfProtect ICAP service details in Squid
- User computer proxy settings

Squid Server

Before we start installing various packages onto our server, a note on the platform: I used Ubuntu 12.04 LTS (Precise Pangolin), which can be obtained from http://gb.releases.ubuntu.com/12.04/

Windows Domain Controller

Our installation has Windows 2008 R2 Standard Edition.

Configuration

DNS

On the Windows DNS server add a new A record for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and resolves.

Check that the proxy is using the Windows DNS server for name resolution:

1. vi /etc/resolvconf/resolv.conf.d/head – add:
   domain your.ad.domain.name.here
2. vi /etc/resolvconf/resolv.conf.d/base – add:
   search your.ad.domain.name.here
   nameserver IP_OF_YOUR_DNS_SERVER
3. resolvconf -u
4. cat /etc/resolv.conf to ensure that the items have been added.

Ping an internal and an external hostname to ensure DNS is operating:

ping wdc.your.ad.domain -c 4 && ping google.com -c 4

Check you can reverse-lookup the Windows server and the local proxy IP from the Windows DNS:

dig -x IP_OF_YOUR_SQUID_SERVER
dig -x IP_OF_YOUR_WINDOWS_PRIMARY_DOMAIN_CONTROLLER

The ANSWER SECTION of each lookup should contain the DNS name of the host queried: the proxy's hostname for the first, and wdc.your.ad.domain for the second.


NTP

Time needs to be synchronised with the Windows domain controllers for authentication to work. Configure the proxy to obtain time from them and test to ensure it is working as expected.

vi /etc/ntp.conf.d/head – add:

server IP_TO_YOUR_WDC iburst
server ntp1.your.ad.domain iburst

The iburst option allows faster time sync (i.e. 10-15 seconds instead of 5-9 minutes); in our case this difference comes in handy. After saving the file issue the following commands to enable the service and start it:

chkconfig ntp on
service ntp start

Check the status of the time sync with the following commands: ntptrace, ntpdc (listpeers, monlist, sysinfo, ctlstats).

SQUID Install

We will only install squid3 at this point and configure it later. Install with:

apt-get install squid3 ldap-utils

Kerberos – Install and Configure

Install

apt-get install krb5-user libkrb53 libsasl2-modules-gssapi-mit libsasl2-modules

Configure

vi /etc/krb5.conf

Add/update the file so the lines below are present:

[libdefaults]
default_realm = YOUR.AD.DOMAIN.IN.CAPITALS
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
YOUR.AD.DOMAIN.IN.CAPITALS = {
  kdc = dc1.your.ad.domain.here
  admin_server = dc1.your.ad.domain.here
  default_domain = your.ad.domain.here
}

[domain_realm]
.your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS
your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS

Test

Using the command below you can test whether the link to the domain controller is working:

kinit some_domain_user

Replace "some_domain_user" with a valid login name from your AD domain.

When prompted, enter the Windows password for the chosen account. If all is well no response will be shown.

Example error when the password is wrong: "kinit: Preauthentication failed while getting initial credentials"

To confirm that the authentication has worked type:

klist

If all is well the result of this command will look something like:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: some_domain_user@YOUR.AD.DOMAIN.IN.CAPITALS

Valid starting     Expires            Service principal
19/07/12 16:03:57  20/07/12 02:04:05  krbtgt/YOUR.AD.DOMAIN.IN.CAPITALS@YOUR.AD.DOMAIN.IN.CAPITALS
        renew until 20/07/12 16:03:57

Samba Winbind

Install

apt-get install samba winbind samba-common-bin

Configure

Stop both services with:

service smbd stop
service winbind stop

Edit the Samba config file:

vi /etc/samba/smb.conf

Alter the sections in the file to include:

workgroup = YOUR_SHORT_AD_DOMAIN_NAME
security = ads
realm = YOUR.AD.DOMAIN.HERE.IN.CAPITALS
password server = DOMAIN_CONTROLLER_IP
netbios name = SQUIDPROXY-K
winbind enum users = yes
winbind use default domain = yes

Note that in the example above we have called the Squid proxy server SQUIDPROXY-K for the short name used in Active Directory.

More Config with net ads command

The net ads command allows us to interact with Active Directory. We will now use it to join our machine to the domain. Issue the following commands to join Active Directory and to validate the join:

net ads join -U Administrator
net rpc join -U Administrator

If you look on your domain controller you should now have a "Computer Account" for the proxy in the Active Directory Users and Computers admin screen.

Test the Active Directory join:
net ads testjoin -U Administrator

Validate the Kerberos server keytab:
net ads keytab list -U Administrator

Check trusted domains:
net rpc trustdom list -U Administrator

List Active Directory users:
net ads user -U Administrator

List Active Directory groups:
net ads group -U Administrator

Enable and start winbind:
chkconfig winbind on
service winbind start

Check authentication:
wbinfo -a winbind%password

Check the AD domain:
wbinfo -D domain

Check trust secrets via RPC:
wbinfo -t

Check user information translation:
wbinfo -i some_ad_username

List AD users:
wbinfo -u

List AD groups:
wbinfo -g

Please note that in one set of instructions on the internet there was the use of a program called "msktutil", which was a pain from the outset – no package to install, AND when a package was found for this version of the distribution, the command always failed to talk to the Active Directory server. I think the "net ads" commands achieved the same result.

Set Permissions

Set permissions so the proxy user account can read /var/run/samba/winbindd_privileged:

gpasswd -a proxy winbindd_priv

Cron – Computer Account Password Update

Add a cron job to the /etc/cron.d folder called "squidpassword" which contains:

05 4 * * * net ads changetrustpw -d 1 | logger -t changetrustpw

Basic Authentication Configuration

In order to use basic authentication by way of LDAP we need to create an account with which to access Active Directory.

In Active Directory create a user called "Squid Proxy" with the logon name squid@YOUR_AD_DOMAIN_HERE. Ensure the following is true when creating the account:

- User must change password at next logon: unticked
- User cannot change password: ticked
- Password never expires: ticked
- Account is disabled: unticked

Create a password file used by Squid for LDAP access and secure the file permissions (substitute the word "YOURCHOSENACCOUNTPASSWORD" below with the password you set when creating the account in Active Directory above).

chmod o-r /etc/squid3/ldappass.txt
chgrp proxy /etc/squid3/ldappass.txt

Install negotiate_wrapper

Install negotiate_wrapper. First install the necessary build tools:

apt-get install build-essential linux-headers-$(uname -r)

Then download, compile and install using:

cd /usr/local/src/
wget "http://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wrapper-1.0.1/negotiate_wrapper-1.0.1.tar.gz"
tar -xvzf negotiate_wrapper-1.0.1.tar.gz
cd negotiate_wrapper-1.0.1/
./configure
make
make install


SQUID Configuration

All that remains is to configure Squid to use the authentication mechanism, apply the appropriate ACLs to control access to the web and, optionally, configure the ICAP integration.

Authentication Config

vi /etc/squid.conf

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=YOUR_SHORT_AD_DOMAIN_NAME --kerberos /usr/lib/sq$
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=YOUR_SHORT_AD_DOMAIN_NAME
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=YOUR,dc=FULL,dc=AD,dc=DOMAIN,dc=COMPONENTS" -D squid@YOUR_AD_DOMAIN_HERE -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h $
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED

### enforce authentication
http_access deny !auth
http_access allow auth
http_access deny all
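Squid evaluates http_access lines top to bottom and the first match wins, so an allow rule that slips in above "deny !auth" lets unauthenticated clients through and no username ever reaches SurfProtect. The following is an added check (not part of this guide or of Squid) that reads a squid.conf and confirms the ACL ordering shown above; the two sample configs are constructed from the guide's own directives.

```python
"""Check that a squid.conf forces proxy authentication before any allow rule.

Added example, not part of the original guide. A config passes only if an acl
of type proxy_auth exists, no 'http_access allow' precedes 'http_access deny
!<acl>', and a final 'http_access deny all' catches everything else.
"""
import re
from typing import List, Tuple

def parse_http_access(conf: str) -> List[Tuple[str, List[str]]]:
    """Return (action, acl_names) pairs in the order Squid will evaluate them."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if line.startswith("http_access "):
            parts = line.split()
            rules.append((parts[1], parts[2:]))
    return rules

def auth_enforced(conf: str, auth_acl: str = "auth") -> bool:
    """True if every request must satisfy the proxy_auth ACL before it can be allowed."""
    acl_re = re.compile(r"^acl\s+%s\s+proxy_auth\b" % re.escape(auth_acl), re.M)
    if not acl_re.search(conf):
        return False
    rules = parse_http_access(conf)
    deny_rule = ("deny", ["!" + auth_acl])
    if deny_rule not in rules:
        return False
    before = rules[: rules.index(deny_rule)]
    if any(action == "allow" for action, _ in before):
        return False                                    # something is allowed unauthenticated
    return rules[-1] == ("deny", ["all"])

# Constructed sample: the ACL section exactly as the guide lays it out.
GOOD_CONF = """\
acl auth proxy_auth REQUIRED
### enforce authentication
http_access deny !auth
http_access allow auth
http_access deny all
"""

# Constructed sample: an 'allow localnet' inserted above the deny, so LAN
# clients are never challenged and appear in the log with no username.
BAD_CONF = """\
acl auth proxy_auth REQUIRED
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny !auth
http_access allow auth
http_access deny all
"""

if __name__ == "__main__":
    print("guide config enforces auth:", auth_enforced(GOOD_CONF))   # True
    print("config with early allow enforces auth:", auth_enforced(BAD_CONF))   # False
```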


ICAP Config

icap_service service_req reqmod_precache bypass=0 routing=0 icap://icap.exa-networks.co.uk:1344/surfprotect/request/client,default
adaptation_access service_req allow all
adapted_http_access allow all
icap_client_username_header x-authenticated-user
icap_client_username_encode on
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_persistent_connections off

Now restart squid using:


User Machines

The Internet Options (Windows PCs) on the user machines will need to reflect the DNS name or IP address of your Squid server and the service port.

Also note that Internet Explorer requires the additional option "Enable Integrated Windows Authentication" to be ticked.

Chrome


Firefox Browser

Safari (Apple Devices)

This browser uses the system defined Web Proxy settings for the current connection you are using on the Mac.

Notice also that I have added my Active Directory credentials in so I won’t be prompted later.


Checking the Squid Log

You can take a look in "/var/squid3/access.log" (or a similarly named file) to check that the authenticated user is mentioned in the request lines. For example:

1342694083.704 349 192.0.2.131 TCP_MISS/200 338 GET http://ec.atdmt.com/images/pixel.gif mark_dearlove DIRECT/213.199.149.244 image/gif

Here mark_dearlove is the AD username that Squid authenticated and, with the ICAP config above, passes on to SurfProtect in the x-authenticated-user header.

And Finally

When using NTLM authentication it is normal to see two consecutive TCP_DENIED/407 entries for a request. This is due to the nature of the challenge/response mechanism of NTLM authentication.

In the event that no username appears in the Squid access log, or password dialogue boxes appear, check the squid.conf file to ensure that the ACLs are set up properly. Also ensure that winbind is functioning, as shown above. If changes are made to the squid.conf file then Squid needs to be restarted for those modifications to take effect.

If everything is working as planned then ensure that Squid and Samba start automatically upon reboot by issuing the following:

update-rc.d squid3 defaults
update-rc.d smbd defaults
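To make the checks in this section repeatable, here is an added script (not from the guide) that parses Squid's native access.log format, counts the TCP_DENIED/407 challenges per client, lists the usernames Squid logged, and flags any client that was served content with no username at all, which is the symptom of a broken ACL order. The sample log lines are constructed; the username and hosts are the guide's own placeholders.

```python
"""Summarise who authenticated, and who did not, in a Squid access.log.

Added example, not part of the original guide. Works on Squid's native log
format (the same layout as the access.log line shown above).
"""
from collections import defaultdict
from typing import Dict, List

def parse_line(line: str) -> dict:
    """Split one native-format line into the fields this check needs."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native-format squid log line: %r" % line)
    code, http = f[3].split("/")                      # e.g. TCP_DENIED/407
    return {"client": f[2], "code": code, "http": int(http), "url": f[6], "user": f[7]}

def summarise(lines: List[str]) -> Dict[str, dict]:
    """Per client IP: users seen, 407 challenges issued, URLs served without a user."""
    out = defaultdict(lambda: {"users": set(), "challenges": 0, "anonymous_hits": []})
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        c = out[rec["client"]]
        if rec["http"] == 407:
            c["challenges"] += 1      # no username yet; two in a row is normal for NTLM
        elif rec["user"] == "-" and 200 <= rec["http"] < 400:
            c["anonymous_hits"].append(rec["url"])   # content served without authenticating
        elif rec["user"] != "-":
            c["users"].add(rec["user"])
    return dict(out)

def suspicious_clients(summary: Dict[str, dict]) -> List[str]:
    """Clients that got content with no username: the http_access ACLs let them through."""
    return sorted(ip for ip, c in summary.items() if c["anonymous_hits"])

# Constructed sample log: an NTLM handshake (two 407s, then the authenticated hit
# from the guide) and one client that was served a page without any username.
SAMPLE_LOG = """\
1342694083.101 0 192.0.2.131 TCP_DENIED/407 3800 GET http://ec.atdmt.com/images/pixel.gif - NONE/- text/html
1342694083.205 0 192.0.2.131 TCP_DENIED/407 3800 GET http://ec.atdmt.com/images/pixel.gif - NONE/- text/html
1342694083.704 349 192.0.2.131 TCP_MISS/200 338 GET http://ec.atdmt.com/images/pixel.gif mark_dearlove DIRECT/213.199.149.244 image/gif
1342694090.010 120 192.0.2.77 TCP_MISS/200 512 GET http://example.com/ - DIRECT/198.51.100.10 text/html
"""

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for ip, c in summary.items():
        print(ip, sorted(c["users"]), "407s:", c["challenges"], "anonymous:", c["anonymous_hits"])
    print("served without authentication:", suspicious_clients(summary))   # ['192.0.2.77']
```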

References:

I referred to several web pages to try to untangle how to achieve my aim; some helped, some confused me more, but I will mention them here as you may get something extra out of them for your scenario.

http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
http://techmiso.com/1934/howto-install-squid-web-proxy-server-with-active-directory-authentication/
http://www.sghaida.com/squid3-ntlm-antivirus/
