Sie sind auf Seite 1von 6


Configuring a Squid Server to authenticate off Active Directory

By Adrian Chadd Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list. Contents 1. Configuring a Squid Server to authenticate off Active Directory 1. Basic Concepts 2. Environment 3. Packages to install 4. Files to modify 1. /etc/krb5.conf 2. /etc/samba.smb.conf 3. /var/kerberos/krb5kdc/kdc.conf 4. /var/kerberos/krb5kdc/kadm5.acl 5. Configure NTP time synchronisation 6. Joining the server to the AD domain 7. Squid Configuration 1. Test Squid without auth 2. Test the helpers 3. squid.conf Settings 4. Test Squid with auth

Basic Concepts
In this example, a Squid installation will use the Samba ntlm_auth helper to authenticate against an Windows Active Directory. The server will be joined to the Active Directory domain and other services can use the ntlm_auth helper to authenticate users (but be out of the scope of this document.) Windows 2003 Active Directory is also capable of LDAP authentication

Windows Server 2003 AD Ubuntu Dapper installation Squid-2.6 Kerberos 5 Samba + Winbind NTP server running on AD controller

Packages to install

1 de 6

26-07-2011 12:44


samba (3) ntp-server (Kerberos requires time-synchronised machines) krb5-doc, krb5-config, krb5-user, libkerb53, libkadm55 (Kerberos related user libraries) winbind

Files to modify
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/ksadmind.log [libdefaults] default_realm = DOMAIN.COM.AU. dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC [realms] DOMAIN.COM.AU = { kdc = admin_server = default_domain = domain. } [domain_realm] .domain. = DOMAIN.COM.AU. domain. = DOMAIN.COM.AU. [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }


2 de 6

26-07-2011 12:44


[global] netbios name = SERVERNAME workgroup = DOMAIN realm = DOMAIN.COM.AU server string = Domain Proxy Server encrypt passwords = yes security = ADS password server = log level = 3 log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 printcap name = /etc/printcap preferred master = No dns proxy = No ldap ssl = no idmap uid = 10000-20000 idmap gid = 10000-20000 winbind use default domain = yes cups options = raw

[kdcdfefaults] acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab v4_mode = noreauth [libdefaults] default_realm = DOMAIN. [realms] DOMAIN. = { master_key_type = des-cbc-crc supported_enctypes = des3-hmac-sha1:normal arcfourhmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 }

*/admin@EXAMPLE.COM *

Configure NTP time synchronisation

The server must time synchronise against the AD clock - so configure ntpd to sync against the same

3 de 6

26-07-2011 12:44


time source as the AD server is. You must do this step or random authentication failures will occur!

Joining the server to the AD domain

Once the files have been initialised, join the server to the Active Directory by using an AD account with sufficient privilege:
# kinit <admin user>@<fulldomain>

kinit chadda@DOMAIN.COM.AU.

You may need to do this a couple of times - it may take a while and fail; so try it once again. Now, to do the actual join:
# net ads join -U <admin user>@<fulldomain>

# net ads join -U chadda@DOMAIN.COM.AU.

This will also take some time and may need to be repeated. It should eventually tell you that the server successfully joined the domain. Next, restart samba and winbind, ie
# /etc/init.d/samba restart # /etc/init.d/winbind restart

'wbinfo' can tell you whether winbind has successfully negotiated and joined the network:
wbinfo -t wbinfo -u

will check whether the trust exists will list the users in the domain

ntlm_auth requires access to the privileged winbind pipe in order to function properly. You enable this access by adding the security user Squid runs as to the winbindd_priv group.
gpasswd -a proxy winbindd_priv

Remove the cache_effective_group setting in squid.conf, if present. This setting causes squid to ignore the auxiliary winbindd_priv group membership. the default user Squid is bundled as nobody though some distribution packages are built with squid or proxy or other similar low-access user.

4 de 6

26-07-2011 12:44


Squid Configuration
As Samba-3.x has it's own authentication helper there is no need to build any of the Squid authentication helpers for use with Samba-3.x (and the helpers provided by Squid won't work if you do). You do however need to enable support for the NTLM scheme if you plan on using this. Also you may want to use the wbinfo_group helper for group lookups
--enable-auth="ntlm,basic" --enable-external-acl-helpers="wbinfo_group"

Test Squid without auth

Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization.

Test the helpers

Testing the winbind ntlm helper is not really possible from the command line, but the winbind basic authenticator can be tested like any other basic helper. Make sure to run the test as your cache_effective_user
# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic mydomain+myuser mypasswd OK

The helper should return "OK" if given a valid username/password. + is the domain separator set in your smb.conf

squid.conf Settings
Add the following to enable both the winbind basic and ntlm authenticators. IE will use ntlm and everything else basic:
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet auth_param ntlm use_ntlm_negotiate on # warning: basic authentication sends passwords plaintext # a network sniffer can and will discover passwords auth_param basic program /usr/local/bin/ntlm_auth --helperprotocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server

5 de 6

26-07-2011 12:44

CongExamples/Authenticate/WindowsActiveDir... auth_param basic credentialsttl 2 hours

And the following acl entries to require authentication:

acl AuthorizedUsers proxy_auth REQUIRED .. http_access allow all AuthorizedUsers

Test Squid with auth

Internet Explorer, Mozilla, Firefox: Test browsing through squid with a NTLM capable browser. If logged into the domain, a password prompt should NOT pop up. Confirm the traffic really is being authorized by tailing access.log. The domain\username should be present. Netscape, Mozilla ( < 1.4), Opera...: Test with a NTLM non-capable browser. A standard password dialog should appear. Entering the domain should not be required if the user is in the default domain and "winbind use default domain = yes" is set in smb.conf. Otherwise, the username must be entered in "domain+username" format. (where + is the domain separator set in smb.conf) If no usernames appear in access.log and/or no password dialogs appear in either browser, then the acl/http_access portions of squid.conf are not correct. Note that when using NTLM authentication, you will see two "TCP_DENIED/407" entries in access.log for every request. This is due to the challenge-response process of NTLM. CategoryConfigExample
ConfigExamples/Authenticate/WindowsActiveDirectory (last edited 2009-02-11 12:51:19 by Amos Jeffries)

6 de 6

26-07-2011 12:44