
HOW To: Squid AD Authentication

Squid AD Authentication

Transparent Active Directory user identification and group policies enabled within Squid.

Requirements

Platform: CentOS 5.2

Package: Squid 2.6.STABLE6
Package: Samba 3.0.28
Package: Samba Common 3.0.28
Package: Samba Client 3.0.28
Package: pam_smb 1.1.7
Package: krb5-devel 1.6.1
Package: pam_krb5 2.2.14
Package: krb5-libs 1.6.1
Package: krb5-workstation 1.6.1
Package: HTTPD 2.2.3
Package: mod_auth_kerb 5.1

A full list of 640 packages can be made available.

The system hardware should be scaled to your needs but a single 2.8GHz CPU with 512MB of RAM and 20GB HDD will suffice to run most small installations.

Introduction

Over the years I have been looking into various technologies for integrating user authentication on the open source Squid server with a Windows or LDAP based directory.  Squid is a well respected web cache solution that is available from Squid Cache.

I have now been able to implement a solution that provides:

1. User credential verification against MS AD
2. Group access policies based on groups in AD
3. Transparent single sign-on

I used a large number of How-Tos on the Web to facilitate this.  I will publish a list when I can.  It is assumed that the reader has enough Linux knowledge to install the system from simple instructions and some experience as an administrator of Squid.

Throughout this document:
· MYDOMAIN: the AD domain
· MYSHORTDOMAIN: the short name of the AD domain
· MyAdminServer: the AD administration / password server
· MyAdministrator: the AD user with Domain Administrator privileges
· MyServer: the NetBIOS and host name of the Squid server itself
· SEC Restricted Users: members of this AD group have restricted web access

Entries highlighted in grey are commands to be run from the command line.
Entries marked in light green are the contents of files.
Entries marked in bright red are changes or items of particular interest.

Basic Installation

Install CentOS 5.2 from DVD/CDs/Network per your normal mechanism.  I would recommend no GUI (KDE, Gnome, X).

Install as a Server.  Select packages as applicable, ensuring that you have Squid, HTTPD and the development kits (Dev Libs, Dev Tools, Legacy Soft Dev etc.).  How much you strip down is your decision; it simply bulks out the installation.

Once First Boot is complete, log in and turn off the SELinux features and the firewall.  If you wish to add these later then please read up carefully first.
# system-config-securitylevel

Configurations

Configuring Kerberos

Edit the “/etc/krb5.conf” file.  Below is an example of the configuration required:

[libdefaults]
ticket_lifetime = 600
default_realm = MYDOMAIN

[realms]
MYDOMAIN = {
kdc = MyAdminServer.MYDOMAIN
admin_server = MyAdminServer.MYDOMAIN
default_domain = mydomain
}

[domain_realm]
.mydomain = MYDOMAIN
mydomain = MYDOMAIN

[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Enter your domain into the Kerberos realms:
# echo ".mydomain mydomain" > /etc/krb.realms

Configure Samba

Edit the “/etc/samba/smb.conf” file.  Below is an example of the configuration required:

[global]
workgroup = MYSHORTDOMAIN
netbios name = MyServer
realm = MYDOMAIN
server string = Linux Samba Server
security = ads
encrypt passwords = Yes
password server = MyAuthServer.MyDomain
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
realm = MYDOMAIN
os level = 1
use kerberos keytab = yes

Configuring Squid

Edit the “/etc/squid/squid.conf” file.  Below is an example of the configuration required:

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl PURGE method PURGE
acl localhost src 127.0.0.1
http_access allow PURGE localhost
http_access deny PURGE
access_log /var/log/squid/access.log squid
log_fqdn on
debug_options ALL,9
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group_H.pl

acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 444 563 1494 2598
acl Safe_ports port 80 1494 2598
acl Safe_ports port 21
acl Safe_ports port 443 444 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488 8000
acl Safe_ports port 591
acl Safe_ports port 777 631
acl CONNECT method CONNECT
acl Bannedlist url_regex virtuagirl rotten.com hotpornhouse
acl Utility url_regex .samspade.org
acl Others url_regex .harlekwin.co.uk

acl msad proxy_auth REQUIRED
acl restrictedusers external nt_group SEC\ Restricted\ Users

http_access deny manager
http_access deny !Safe_ports
http_access deny Bannedlist
http_access deny Utility restrictedusers
http_access allow Others restrictedusers
http_access allow msad
http_access deny all
http_reply_access allow all
icp_access allow all

coredump_dir /var/spool/squid

Note that this is an example.  It provides the following functionality:
· A list of URLs banned to all
· A list of URLs banned to a particular group
· A list of URLs allowed to a particular group
· Access to all other URLs for all authenticated users

The backslashes before the spaces in “SEC\ Restricted\ Users” are required to allow the entry to be passed to the authentication script.

The built-in Perl script that provisions group access is not very sophisticated, but it does the job.  The only issue is if, as is likely, your AD group names contain spaces.  In this case it needs to be finessed slightly.

# cp /usr/lib/squid/wbinfo_group.pl /usr/lib/squid/wbinfo_group_H.pl
# chmod 755 /usr/lib/squid/wbinfo_group_H.pl

Edit the new file.  The example below will allow groups with spaces:

#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
#   Jerry Murdock <jmurdock@itraktech.com>
#
#   Harlekwin
#
# Version history:
#   2008-12-10 Harlekwin
#               Add Space Encapsulation in group names
#
#   2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
#               Add '-d' command line debugging option
#
#   2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
#               Fix for wbinfo from Samba 3.0.21
#
#   2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
#               Helper protocol changed to URL escaped in Squid-3.0
#
#   2005-06-28 Arno Streuli <astreuli@gmail.com>
#               Add multi group check
#
#   2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
#               Initial release
#
# Globals
#
use vars qw/ %opt /;

# Disable output buffering
$|=1;
sub debug {
        print STDERR "@_\n" if $opt{d};
}

#
# Check if a user belongs to a group
#
sub check {
        local($user, $group) = @_;
        # Resolve the group name to its SID, then the SID to the winbind GID
        $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
        chop  $groupSID;
        $groupGID = `wbinfo -Y "$groupSID"`;
        chop $groupGID;
        &debug( "User:  -$user-\nGroup: -$group-\nSID:   -$groupSID-\nGID:   -$groupGID-");
        # OK if that GID appears in the list of the user's group GIDs
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
}

#
# Command line options processing
sub init()
{
    use Getopt::Std;
    my $opt_string = 'hd';
    getopts( "$opt_string", \%opt ) or usage();
    usage() if $opt{h};
}

#
# Message about this program and how to use it
#
sub usage()
{
        print "Usage: wbinfo_group.pl -dh\n";
        print "\t-d enable debugging\n";
        print "\t-h print the help\n";
        exit;
}

init();
print STDERR "Debugging mode ON.\n" if $opt{d};

#
# Main loop
#
while (<STDIN>) {
        chop;
        &debug ("Got $_ from squid");
        ($user, @groups) = split(/\s+/);
        $user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
        # Rejoin the group name, which Squid may send as several words
        $thegroup = "";
        foreach $group (@groups) {
                if (length($thegroup) == 0) {
                        $thegroup = $group;
                } else {
                        $thegroup = $thegroup . " " . $group;
                }
        }
        $group = $thegroup;
        $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
        $ans = &check($user, $group);
        &debug ("Sending $ans to squid");
        print "$ans\n";
}
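As an added example (not the page's Perl helper, nor Squid's own code), the same external_acl helper protocol in Python, with the membership check injectable so the request parsing can be exercised offline; the live lookup assumes winbind's wbinfo is on the path and the host is joined. It also handles the channel ID that Squid prepends to every request line whenever external_acl_type is given concurrency greater than 1, which the Perl helper above does not echo back (it would then read the channel number as the user name, exactly the "Could not get groups for user 0" symptom reported in the comments).

```python
import re
import subprocess
import sys
from typing import Callable, Optional, Tuple

_PCT = re.compile(r"%([0-9a-fA-F]{2})")  # Squid %XX-escapes helper fields

def url_unescape(token: str) -> str:
    """Undo Squid's %XX escaping ("SEC%20Restricted%20Users" -> spaces)."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), token)

def parse_request(line: str, concurrent: bool) -> Tuple[Optional[str], str, str]:
    """Split one helper line "[channel] user group..." into its parts.

    The group may arrive as several words (from "SEC\\ Restricted\\ Users"
    in squid.conf) or as one %20-escaped token, so the tail is rejoined and
    unescaped. The channel field is present only with concurrency=N > 1.
    """
    fields = line.strip().split()
    channel = None
    if concurrent and fields:
        channel, fields = fields[0], fields[1:]
    if not fields:
        raise ValueError("missing user field")
    return channel, url_unescape(fields[0]), url_unescape(" ".join(fields[1:]))

def wbinfo_is_member(user: str, group: str) -> bool:
    """Live check through winbind, the same name -> SID -> GID chain as the
    page's Perl helper (assumes wbinfo is installed and the host is joined)."""
    def run(*args: str) -> str:
        return subprocess.run(["wbinfo", *args], capture_output=True,
                              text=True, check=False).stdout
    sid = run("-n", group).split(" ")[0].strip()
    if not sid.startswith("S-"):
        return False  # group name unknown to winbind
    gid = run("-Y", sid).strip()
    return bool(gid) and gid in run("-r", user).split()

def answer(line: str, is_member: Callable[[str, str], bool],
           concurrent: bool) -> str:
    """Reply Squid expects: OK or ERR, prefixed by the channel ID if any."""
    try:
        channel, user, group = parse_request(line, concurrent)
    except ValueError:
        return "ERR"
    verdict = "OK" if is_member(user, group) else "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict

if __name__ == "__main__":
    # Helper mode: one unbuffered reply per request line read from Squid.
    concurrent = "--concurrent" in sys.argv[1:]
    for request in sys.stdin:
        print(answer(request, wbinfo_is_member, concurrent), flush=True)
```

Run it with --concurrent only if the external_acl_type line carries concurrency=N; without that option the first field on each line is the user, as with the Perl helper.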

Join the Domain

Run the following commands in order.  You will be prompted for the MyAdministrator password from time to time.

# kinit MyAdministrator@MYDOMAIN
# net ads join -U MyAdministrator -S MyAuthServer.MyDomain
# net ads keytab create -U MyAdministrator
# net ads keytab add HTTP -U MyAdministrator

Start the Services

You need to start Samba, WinbindD and Squid to use the authentication mechanism.

Testing

The following command tests raw AD authentication via Kerberos:
# /usr/bin/ntlm_auth --domain=mydomain --username=AnyUser

The following tests whether WinbindD is available:
# wbinfo -p

The following will return a complete list of users visible in the AD:
# wbinfo -u

The following will return a complete list of groups visible in the AD:
# wbinfo -g

The following will test the group auth script.  It is interactive and you must use [CTRL]+C to exit.
# /usr/lib/squid/wbinfo_group_H.pl

At the prompt enter:
mydomain\AnyUser mydomain\SEC Restricted Users

Finishing up and some notes

Simply point your browser's proxy settings to your Squid server and give it a go.  If you follow these instructions the proxy will be on port 8080.  You should not even be prompted for a username and password!

Following the Squid logs will show you that each request generates a denied and an allowed entry.  This is an unfortunate side effect of the NTLM mechanism: the browser only sends credentials after the proxy has rejected the first attempt with an authentication challenge.

Ensure that you set the services to start at boot.

Slap yourself on the back and go and have a coffee!

About harlekwinblog

"Thoughts of an idle mind." Information Security professional.

Discussion

8 thoughts on "HOW To: Squid AD Authentication"

  1. Thanks for the great page. The instructions were great. I got everything to run, except squid. When I try to run squid, I receive the following error:
    2009/01/28 11:37:05| Ready to serve requests.
    2009/01/28 11:37:05| helperStatefulHandleRead: unexpected read from ntlmauthenticator #3, 28 bytes ‘NT_STATUS_OK: Success (0x0)

    2009/01/28 11:37:05| StatefulHandleRead: no callback data registered
    2009/01/28 11:37:05| helperStatefulHandleRead: unexpected read from ntlmauthenticator #1, 28 bytes ‘NT_STATUS_OK: Success (0x0)

    2009/01/28 11:37:05| StatefulHandleRead: no callback data registered
    2009/01/28 11:37:05| helperStatefulHandleRead: unexpected read from ntlmauthenticator #2, 28 bytes ‘NT_STATUS_OK: Success (0x0)

    2009/01/28 11:37:05| StatefulHandleRead: no callback data registered
    2009/01/28 11:37:05| WARNING: ntlmauthenticator #3 (FD 8) exited
    2009/01/28 11:37:05| WARNING: ntlmauthenticator #1 (FD 6) exited
    2009/01/28 11:37:05| WARNING: ntlmauthenticator #2 (FD 7) exited
    2009/01/28 11:37:05| Too few ntlmauthenticator processes are running
    FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!

    anyone else have this?

    Posted by mark | 2009/01/28, 4:53 pm
  2. Hmm,
    I will look into this ASAP.
    Can you post your copy of /usr/lib/squid/wbinfo_group_H.pl?
    Regards,
    H

    Posted by admin | 2009/01/28, 5:16 pm
  3. #!/usr/bin/perl -w
    #
    # external_acl helper to Squid to verify NT Domain group
    # membership using wbinfo
    #
    # This program is put in the public domain by Jerry Murdock
    # . It is distributed in the hope that it will
    # be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
    # of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    #
    # Author:
    # Jerry Murdock
    #
    # Version history:
    # 2005-12-26 Guido Serassio
    # Add '-d' command line debugging option
    #
    # 2005-12-24 Guido Serassio
    # Fix for wbinfo from Samba 3.0.21
    #
    # 2004-08-15 Henrik Nordstrom
    # Helper protocol changed to URL escaped in Squid-3.0
    #
    # 2005-06-28 Arno Streuli
    # Add multi group check
    #
    # 2002-07-05 Jerry Murdock
    # Initial release

    #
    # Globals
    #
    use vars qw/ %opt /;

    # Disable output buffering
    # $|=1; remmed out by me

    $|=1;
    sub debug {
    print STDERR "@_\n" if $opt{d};
    }

    #
    # Check if a user belongs to a group
    #
    sub check {
    local($user, $group) = @_;
    $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
    chop $groupSID;
    $groupGID = `wbinfo -Y "$groupSID"`;
    chop $groupGID;
    &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
    return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
    return 'ERR';
    }

    #
    # Command line options processing
    #
    sub init()
    {
    use Getopt::Std;
    my $opt_string = 'hd';
    getopts( "$opt_string", \%opt ) or usage();
    usage() if $opt{h};
    }

    #
    # Message about this program and how to use it
    #
    sub usage()
    {
    print "Usage: wbinfo_group.pl -dh\n";
    print "\t-d enable debugging\n";
    print "\t-h print the help\n";
    exit;
    }

    init();
    print STDERR "Debugging mode ON.\n" if $opt{d};

    #
    # Main loop
    #
    while (<STDIN>) {
    chop;
    &debug ("Got $_ from squid");
    ($user, @groups) = split(/\s+/);
    $user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
    # test for each group squid sends in its request
    $thegroup = "";
    foreach $group (@groups) {
    if (length($thegroup) == 0) {
    $thegroup = $group;
    } else {
    $thegroup = $thegroup . " " . $group;
    }
    }
    $group = $thegroup;
    $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
    $ans = &check($user, $group);
    &debug ("Sending $ans to squid");
    print "$ans\n";
    }
    Posted by mark | 2009/01/28, 6:20 pm
  4. I got past the above error, but I am prompted for a username and password. When I try it won't let me in, and gives me a cache access denied error. If, after the auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp, I put --diagnostics --username=user --password=password --domain=domain, it will let only this user log on and no one else.

    Posted by Mark | 2009/01/29, 8:40 pm
  5. In my cache log I see this:

    Could not lookup name myusername mygroupname
    Could not convert sid to gid
    Could not get groups for user 0
    Could not lookup name myusername mygroupname
    Could not convert sid to gid
    Could not get groups for user 0

    Posted by Mark | 2009/01/29, 10:54 pm
  6. Sorry for the delay.
    Please see the more recent posting “Squid AD”.
    try running:
    wbinfo_group_H.pl -d

    At the prompt type:
    YOURDOMAIN\userid YOURDOMAIN\accessgrp

    Replacing:
    YOURDOMAIN with the short name of your AD domain
    userid with a user login that is in "accessgrp"
    accessgrp with a group that contains the users who will be granted access.
    [CTRL] C to exit.

    Regards,
    -H

    Posted by admin | 2009/03/23, 3:06 pm
  7. I'm a regular visitor of your blog. I like your blog due to the quality of your information; hope to see valuable information from you in future. I am much inspired by your blog.

    Posted by exbar | 2010/09/02, 10:36 am
  8. Thanks for the feedback.
    Alas this particular entry is semi-abandoned as I haven't the time to update it.
    Alas my employer has almost abandoned the open source format. We are using RHEL for our Linux installations but all the Windows networking is now entirely AD and Windows Servers.

    Having said that I can't blame them as we really struggled to stabilise Samba.

    Posted by admin | 2010/09/02, 12:03 pm
