Configuring a Squid Server to authenticate off Active Directory
Configuring a Squid Server to authenticate off Active Directory
By Adrian Chadd (Techtoy edition)
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.
Contents
Configuring a Squid Server to authenticate off Active Directory
1. Basic Concepts
2. Environment
3. Packages to install
4. Files to modify
1. /etc/krb5.conf
2. /etc/samba.smb.conf
3. /var/kerberos/krb5kdc/kdc.conf
4. /var/kerberos/krb5kdc/kadm5.acl
5. Configure NTP time synchronisation
6. Joining the server to the AD domain
7. Fix Ownership
8. Configuring Squid to use the Samba 3 ntlm_auth program for authentication
Basic Concepts
In this example, a Squid installation will use the Samba ntlm_auth helper to authenticate against an Windows Active Directory. The server will be joined to the Active Directory domain and other services can use the ntlm_auth helper to authenticate users (but be out of the scope of this document.)
Environment
• Windows Server 2003 AD
• Ubuntu Dapper installation
• Squid-2.6
• Kerberos 5
• Samba + Winbind
• NTP server running on AD controller
Packages to install
• samba (3)
• ntp-server (Kerberos requires time-synchronised machines)
• krb5-doc, krb5-config, krb5-user, libkerb53, libkadm55 (Kerberos related user libraries)
• winbind
Files to modify
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log
[libdefaults]
default_realm = DOMAIN.COM.AU. <---Must have dot after domain name (.)
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
DOMAIN.COM.AU = {
kdc = ad-master.domain.com.au.:88
admin_server = ad-master.domain.com.au.:749 <---I use 464 not 749
default_domain = domain.
}
[domain_realm]
.domain. = DOMAIN.COM.AU.
domain. = DOMAIN.COM.AU.
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/samba.smb.conf
[global]
netbios name = SERVERNAME
workgroup = DOMAIN
realm = DOMAIN.COM.AU
server string = Domain Proxy Server
encrypt passwords = yes
security = ADS
password server = ad-master.domain.com.au
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
cups options = raw
/var/kerberos/krb5kdc/kdc.conf
[kdcdfefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = noreauth
[libdefaults]
default_realm = DOMAIN.
[realms]
DOMAIN. = {
master_key_type = des-cbc-crc
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
/var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
*/admin@Yourdomain.com *
Configure NTP time synchronisation
The server must time synchronise against the AD clock - so configure ntpd to sync against the same time source as the AD server is. You must do this step or random authentication failures will occur!
Joining the server to the AD domain
Once the files have been initialised, join the server to the Active Directory by using an AD account with sufficient privilege:
# kinit@
eg
# kinit chadda@DOMAIN.COM.AU.
You may need to do this a couple of times - it may take a while and fail; so try it once again.
Now, to do the actual join:
# net ads join -U @
eg
# net ads join -U chadda@DOMAIN.COM.AU.
This will also take some time and may need to be repeated. It should eventually tell you that the server successfully joined the domain.
Next, restart samba and winbind, ie
# /etc/init.d/samba restart
# /etc/init.d/winbind restart
Note:
If you have error “ads_connect: Cannot find KDC for requested realm”
when restart winbind. Try delete secrets.tdb and then restart winbind again.
# rm –rf /etc/samba/secrets.tdb
# /etc/rc.d/init.d/winbind restart
'wbinfo' can tell you whether winbind has successfully negotiated and joined the network:
• wbinfo -t will check whether the trust exists
• wbinfo -u will list the users in the domain
Fix Ownership
By default Squid will run as a non-root user; but the directory with the winbind socket
(perhaps /var/run/winbindd_privileged/) is generally owned by root and only readable by people in the root group or user.
Or /var/cache/samba/winbindd_privileged
Don't try changing the ownership of the directory - it'll just revert at reboot. Instead you need to run Squid as the group root.
cache_effective_group root
(if not success you can change mode this file to 755) ^^
Configuring Squid to use the Samba 3 ntlm_auth program for authentication
Finally, configure Squid to talk to the NTLM authentication helper:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds
#Make sure you add the relevant ACL statements to force proxy authentication, eg:
acl lcl src 192.168.0.0/16 <--- your allow network or ip
acl auth proxy_auth REQUIRED
http_access allow lcl auth
http_access deny all
miss_access allow all
icp_access deny all
The ntlm authentication helper will start logging authentication attempts (success and failure) to the cache.log file.
-------------------------------------------------------------------------------------------------------------------
refer to :
http://kbase.redhat.com/faq/docs/DOC-3377;jsessionid=6DAC28F283609103447DF5BCB0D2FCC1.066ef7ba
By Adrian Chadd (Techtoy edition)
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.
Contents
Configuring a Squid Server to authenticate off Active Directory
1. Basic Concepts
2. Environment
3. Packages to install
4. Files to modify
1. /etc/krb5.conf
2. /etc/samba.smb.conf
3. /var/kerberos/krb5kdc/kdc.conf
4. /var/kerberos/krb5kdc/kadm5.acl
5. Configure NTP time synchronisation
6. Joining the server to the AD domain
7. Fix Ownership
8. Configuring Squid to use the Samba 3 ntlm_auth program for authentication
Basic Concepts
In this example, a Squid installation will use the Samba ntlm_auth helper to authenticate against an Windows Active Directory. The server will be joined to the Active Directory domain and other services can use the ntlm_auth helper to authenticate users (but be out of the scope of this document.)
Environment
• Windows Server 2003 AD
• Ubuntu Dapper installation
• Squid-2.6
• Kerberos 5
• Samba + Winbind
• NTP server running on AD controller
Packages to install
• samba (3)
• ntp-server (Kerberos requires time-synchronised machines)
• krb5-doc, krb5-config, krb5-user, libkerb53, libkadm55 (Kerberos related user libraries)
• winbind
Files to modify
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log
[libdefaults]
default_realm = DOMAIN.COM.AU. <---Must have dot after domain name (.)
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
DOMAIN.COM.AU = {
kdc = ad-master.domain.com.au.:88
admin_server = ad-master.domain.com.au.:749 <---I use 464 not 749
default_domain = domain.
}
[domain_realm]
.domain. = DOMAIN.COM.AU.
domain. = DOMAIN.COM.AU.
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/samba.smb.conf
[global]
netbios name = SERVERNAME
workgroup = DOMAIN
realm = DOMAIN.COM.AU
server string = Domain Proxy Server
encrypt passwords = yes
security = ADS
password server = ad-master.domain.com.au
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = No
dns proxy = No
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
cups options = raw
/var/kerberos/krb5kdc/kdc.conf
[kdcdfefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = noreauth
[libdefaults]
default_realm = DOMAIN.
[realms]
DOMAIN. = {
master_key_type = des-cbc-crc
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
/var/kerberos/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
*/admin@Yourdomain.com *
Configure NTP time synchronisation
The server must time synchronise against the AD clock - so configure ntpd to sync against the same time source as the AD server is. You must do this step or random authentication failures will occur!
Joining the server to the AD domain
Once the files have been initialised, join the server to the Active Directory by using an AD account with sufficient privilege:
# kinit
eg
# kinit chadda@DOMAIN.COM.AU.
You may need to do this a couple of times - it may take a while and fail; so try it once again.
Now, to do the actual join:
# net ads join -U
eg
# net ads join -U chadda@DOMAIN.COM.AU.
This will also take some time and may need to be repeated. It should eventually tell you that the server successfully joined the domain.
Next, restart samba and winbind, ie
# /etc/init.d/samba restart
# /etc/init.d/winbind restart
Note:
If you have error “ads_connect: Cannot find KDC for requested realm”
when restart winbind. Try delete secrets.tdb and then restart winbind again.
# rm –rf /etc/samba/secrets.tdb
# /etc/rc.d/init.d/winbind restart
'wbinfo' can tell you whether winbind has successfully negotiated and joined the network:
• wbinfo -t will check whether the trust exists
• wbinfo -u will list the users in the domain
Fix Ownership
By default Squid will run as a non-root user; but the directory with the winbind socket
(perhaps /var/run/winbindd_privileged/) is generally owned by root and only readable by people in the root group or user.
Or /var/cache/samba/winbindd_privileged
Don't try changing the ownership of the directory - it'll just revert at reboot. Instead you need to run Squid as the group root.
cache_effective_group root
(if not success you can change mode this file to 755) ^^
Configuring Squid to use the Samba 3 ntlm_auth program for authentication
Finally, configure Squid to talk to the NTLM authentication helper:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds
#Make sure you add the relevant ACL statements to force proxy authentication, eg:
acl lcl src 192.168.0.0/16 <--- your allow network or ip
acl auth proxy_auth REQUIRED
http_access allow lcl auth
http_access deny all
miss_access allow all
icp_access deny all
The ntlm authentication helper will start logging authentication attempts (success and failure) to the cache.log file.
-------------------------------------------------------------------------------------------------------------------
refer to :
http://kbase.redhat.com/faq/docs/DOC-3377;jsessionid=6DAC28F283609103447DF5BCB0D2FCC1.066ef7ba
ความคิดเห็น
Thank You!