Squid AD Authentication
Transparent Active Directory user identification and group policies enabled within Squid.
Platform: CentOS 5.2
Package: Squid 2.6.STABLE6
Package: Samba 3.0.28
Package: Samba Common 3.0.28
Package: Samba Client 3.0.28
Package: pam smb 1.1.7
Package: krb5-devel 1.6.1
Package: pam krb5 2.2.14
Package: krb libs 1.6.1
Package: krb5 Workstation 1.6.1
Package: HTTPD 2.2.3
Package: MOD Auth Kerb 5.1
A full list of 640 packages can be made available.
The system hardware should be scaled to your needs but a single 2.8GHz CPU with 512MB of RAM and 20GB HDD will suffice to run most small installations.
Over the years I have been looking into various technologies for integrating user authentication on the open-source Squid server with a Windows or LDAP-based directory. Squid is a well-respected web cache solution that is available from Squid Cache.
I have now been able to implement a solution that provides:
1. User Credential verification against MS AD
2. Group Access Policies based on Groups in AD
3. Transparent Single Sign On
I used a large number of How To’s on the Web to facilitate this. I will publish a list when I can. It is assumed that the reader has enough Linux knowledge to install the system from simple instructions and some experience as an administrator of Squid.
Throughout this document:
· MYDOMAIN: The AD domain
· MYSHORTDOMAIN: The short name of the AD domain
· MyAdminServer: The AD administration / password server
· MyAdministrator: The AD user with Domain Administrator privileges
· MyServer: The NetBIOS and host name of the Squid server itself
· SEC Restricted Users: Members of this AD group have restricted web access
Entries highlighted in grey are commands to be run from the command line.
Entries marked in light green are the contents of files.
Entries marked in bright red are changes or items of particular interest.
Install CentOS 5.2 from DVD/CDs/Network per your normal mechanism. I would recommend no GUI (KDE, Gnome, X).
Install as a Server. Select packages as applicable, ensuring that you have Squid, HTTPD and the development kits (Dev Libs, Dev Tools, Legacy Soft Dev etc.). How much you strip down is your decision; extra packages simply bulk out the installation.
Once First Boot is complete, log in and turn off the SELinux features and the firewall. If you wish to add these back later then please read up carefully first.
Edit the “/etc/krb5.conf” file. Below is an example of the configuration required:
ticket_lifetime = 600
default_realm = MYDOMAIN
Enter your domain into the Kerberos realms:
# echo ".mydomain mydomain" > /etc/krb.realms
Edit the “/etc/samba/smb.conf” file. Below is an example of the configuration required:
workgroup = MYSHORTDOMAIN
netbios name = MyServer
realm = MYDOMAIN
server string = Linux Samba Server
security = ads
encrypt passwords = Yes
password server = MyAuthServer.MyDomain
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
os level = 1
use kerberos keytab = yes
Edit the “/etc/squid/squid.conf” file. Below is an example of the configuration required:
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl PURGE method PURGE
acl localhost src 127.0.0.1
http_access allow PURGE localhost
http_access deny PURGE
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl manager proto cache_object
http_access deny BannedList
Note that this is an example. It provides the following functionality:
· A list of URLs banned to all
· A list of URLs banned to a particular group
· A list of URLs allowed to a particular group
· Access to all other URLs for all authenticated users
The backslashes before the spaces in “SEC\ Restricted\ Users” are required to allow the entry to be passed to the authentication script.
The built-in Perl script to provision group access is not very sophisticated but does the job. The only issue is if, as is likely, your AD group names contain spaces. In this case it needs to be finessed slightly.
# cp /usr/lib/squid/wbinfo_group.pl /usr/lib/squid/wbinfo_group_H.pl
# chmod 755 /usr/lib/squid/wbinfo_group_H.pl
Edit the new file. The example below will allow groups with spaces:
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
# This program is put in the public domain by Jerry Murdock
# <email@example.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# Jerry Murdock <firstname.lastname@example.org>
# Disable output buffering
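The body of the modified Perl script is not reproduced above, so here is an added example (mine, not the page's wbinfo_group_H.pl) of the same external_acl helper written in Python. It follows the stock helper's lookup chain (wbinfo -n for the group SID, wbinfo -Y for its GID, wbinfo -r for the user's GIDs) and assumes, as the page's interactive test does, that everything after the user token is a single group name, with spaces arriving either backslash-escaped or %20-encoded.

```python
import re
import subprocess
import sys
from typing import Callable, List

Runner = Callable[[List[str]], str]  # runs "wbinfo <args>" and returns its stdout

def run_wbinfo(args: List[str]) -> str:
    """Real runner: call wbinfo from the Samba packages listed above."""
    return subprocess.run(["wbinfo", *args], capture_output=True, text=True).stdout

def unescape(token: str) -> str:
    """Undo the squid.conf escaping of spaces ("\\ ") and %XX URL-encoding,
    the two input forms this helper assumes Squid may hand it."""
    token = token.replace("\\ ", " ")
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), token)

def parse_line(line: str):
    """'DOMAIN\\user DOMAIN\\SEC Restricted Users' -> (user, group). Assumed,
    as in the page's interactive test: all text after the user is one group."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected '<user> <group>'")
    return parts[0], unescape(parts[1])

def check(user: str, group: str, run: Runner = run_wbinfo) -> str:
    """Same lookup chain as the stock helper: group -> SID -> GID, then
    compare with the GIDs winbind reports for the user (wbinfo -r)."""
    sid = run(["-n", group]).split()  # e.g. "S-1-5-21-... SID_DOM_GROUP (2)"
    if not sid or not sid[0].startswith("S-"):
        return "ERR"  # unknown group: deny rather than guess
    gid = run(["-Y", sid[0]]).strip()
    if not gid.isdigit():
        return "ERR"
    return "OK" if gid in run(["-r", user]).split() else "ERR"

def handle(line: str, run: Runner = run_wbinfo) -> str:
    """One request line in, 'OK' or 'ERR' out; malformed input fails closed."""
    try:
        user, group = parse_line(line)
    except ValueError:
        return "ERR"
    return check(user, group, run)

if __name__ == "__main__":
    for request in sys.stdin:  # Squid sends one request per line
        print(handle(request), flush=True)  # flush: Squid blocks until it reads
```

Installed in place of wbinfo_group_H.pl it answers the same way, and the `run` parameter lets the membership logic be exercised without a joined domain.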
Join the Domain
Run the following commands in order. You will be prompted for the MyAdministrator password from time to time.
# kinit MyAdministrator@MYDOMAIN
# net ads join -U MyAdministrator -S MyAuthServer.MyDomain
# net ads keytab create -U MyAdministrator
# net ads keytab add HTTP -U MyAdministrator
Start the Services
You need to start Samba, WinbindD and Squid to use the authentication mechanism.
The following command would test the raw AD authentication via Kerberos:
# /usr/bin/ntlm_auth --domain=mydomain --username=AnyUser
The following tests whether WinbindD is available:
# wbinfo -p
The following will return a complete list of users visible on the AD:
# wbinfo -u
The following will return a complete list of groups visible on the AD:
# wbinfo -g
The following will test the group auth script. It is interactive and you must use [CTRL]+C to exit.
At the prompt enter:
mydomain\AnyUser mydomain\SEC Restricted Users
Finishing up and some notes
Simply point your browser's proxy settings to your Squid server and give it a go. If you follow these instructions the proxy will be on port 8080. You should not even be prompted for a username and password!
Following the squid logs will show you that each request generates a denied and allowed entry. This is an unfortunate side effect of the NTLM mechanism. A request has to be made before the authentication is requested.
Ensure that you set the services to start at boot.
Slap yourself on the back and go and have a coffee!