Squid AD Authentication
Transparent Active Directory user identification and group policies enabled within Squid.
Requirements
Platform: CentOS 5.2
Package: Squid 2.6.STABLE6
Package: Samba 3.0.28
Package: Samba Common 3.0.28
Package: Samba Client 3.0.28
Package: pam_smb 1.1.7
Package: krb5-devel 1.6.1
Package: pam_krb5 2.2.14
Package: krb5-libs 1.6.1
Package: krb5-workstation 1.6.1
Package: httpd 2.2.3
Package: mod_auth_kerb 5.1
A full list of 640 packages can be made available.
The system hardware should be scaled to your needs but a single 2.8GHz CPU with 512MB of RAM and 20GB HDD will suffice to run most small installations.
Introduction
Over the years I have been looking into various technologies for integrating the user authentication on the open source Squid server with a Windows or LDAP based directory. Squid is a well respected web cache solution that is available from Squid Cache.
I have now been able to implement a solution that provides:
1. User Credential verification against MS AD
2. Group Access Policies based on Groups in AD
3. Transparent Single Sign On
I used a large number of How-Tos on the Web to facilitate this. I will publish a list when I can. It is assumed that the reader has enough Linux knowledge to install the system from simple instructions and some experience as an administrator of Squid.
Throughout this document:
· MYDOMAIN: The AD domain
· MYSHORTDOMAIN: The short name of the AD domain
· MyAdminServer: The AD administration / password server
· MyAdministrator: The AD user with Domain Administrator privileges
· MyServer: The NetBIOS and host name of the Squid server itself
· SEC Restricted Users: Members of this AD group have restricted web access
Entries highlighted in grey are commands to be run from the command line.
Entries marked in light green are the contents of files.
Entries marked in bright red are changes or items of particular interest.
Basic Installation
Install CentOS 5.2 from DVD/CDs/network per your normal mechanism. I would recommend no GUI (KDE, Gnome, X).
Install as a Server. Select packages as applicable, ensuring that you have Squid, HTTPD and the development kits (Dev Libs, Dev Tools, Legacy Soft Dev etc.). How much you strip down is your decision; extra packages simply bulk out the installation.
Once First Boot is complete, log in and turn off the SELinux features and the firewall. If you wish to add these later then please read up carefully first.
# system-config-securitylevel
Configurations
Configuring Kerberos
Edit the "/etc/krb5.conf" file. Below is an example of the configuration required:
[libdefaults]
ticket_lifetime = 600
default_realm = MYDOMAIN

[realms]

[domain_realm]

[kdc]

[logging]

[appdefaults]
Enter your domain into the Kerberos realms file:
# echo ".mydomain mydomain" > /etc/krb.realms
Configure Samba
Edit the “/etc/samba/smb.conf” file. Below is an example of the configuration required:
[global]
workgroup = MYSHORTDOMAIN
netbios name = MyServer
realm = MYDOMAIN
server string = Linux Samba Server
security = ads
encrypt passwords = Yes
password server = MyAuthServer.MyDomain
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
realm = MYDOMAIN
os level = 1
use kerberos keytab = yes
Configuring Squid
Edit the “/etc/squid/squid.conf” file. Below is an example of the configuration required:
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl PURGE method PURGE
acl localhost src 127.0.0.1
http_access allow PURGE localhost
http_access deny PURGE
access_log /var/log/squid/access.log squid
log_fqdn on
debug_options "ALL,9"
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl manager proto cache_object
http_access deny BannedList
coredump_dir /var/spool/squid
Note that this is an example. It provides the following functionality:
· A list of URLs banned to all
· A list of URLs banned to a particular group
· A list of URLs allowed to a particular group
· Access to all other URLs for all authenticated users
The backslashes before the spaces in “SEC\ Restricted\ Users” are required to allow the entry to be passed to the authentication script.
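As an added example (not the author's configuration), this is how the four rules listed above are typically declared in Squid 2.6 syntax and wired to the wbinfo_group_H.pl helper created in the next section. The ACL names, the three list file paths and the ttl value are assumptions; the helper path and the group name are the page's own.

```conf
# Added example of the group-policy ACLs; ACL names, list paths and ttl are assumptions.
# External helper: Squid sends "<login> <group words...>" and reads back OK or ERR.
external_acl_type nt_group ttl=3600 %LOGIN /usr/lib/squid/wbinfo_group_H.pl

# Any user winbind/ntlm_auth could authenticate.
acl AuthUsers proxy_auth REQUIRED

# Members of the AD group; the backslashes keep the three words together.
acl RestrictedUsers external nt_group SEC\ Restricted\ Users

# One regular expression per line in each file (constructed paths).
acl BannedList          url_regex -i "/etc/squid/banned_all.txt"
acl BannedForRestricted url_regex -i "/etc/squid/banned_restricted.txt"
acl AllowedForRestricted url_regex -i "/etc/squid/allowed_restricted.txt"

# Order matters: the first matching http_access line decides.
http_access deny  BannedList                                 # banned to all
http_access deny  RestrictedUsers BannedForRestricted        # banned to the group
http_access allow RestrictedUsers AllowedForRestricted       # allowed to the group
http_access deny  RestrictedUsers                            # assumption: nothing else for the group
http_access allow AuthUsers                                  # everything else, authenticated users
http_access deny  all
```

The fourth deny line is the assumption that restricted users get only their allowed list; drop it if they should instead get everything except their banned list. Because the external ACL carries %LOGIN, a request from a user who has not authenticated yet triggers the NTLM challenge before the group lookup runs.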
The built in Perl script to provision group access is not very sophisticated but does the job. The only issue is if, as is likely, your AD group names contain spaces. In this case it needs to be finessed slightly.
# cp /usr/lib/squid/wbinfo_group.pl /usr/lib/squid/wbinfo_group_H.pl
# chmod 755 /usr/lib/squid/wbinfo_group_H.pl
Edit the new file. The example below will allow groups with spaces:
#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Harlekwin
#
# Disable output buffering
#
init();
#
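To make the helper protocol concrete, here is an added example (not the page's wbinfo_group_H.pl, and not part of Squid) of the same external_acl helper written in Python: it reads "user group words..." lines from Squid, undoes the %XX escaping, re-joins the words after the user name so an AD group name containing spaces is looked up as one string, resolves group name to SID to GID through wbinfo, and answers OK or ERR. The wbinfo calls go through an injectable runner, and the constructed_wbinfo stand-in (user, group, SID and GID values are all constructed) lets the logic be exercised on a box without Samba.

```python
#!/usr/bin/env python3
"""Added example, not the page's helper: a Squid external_acl helper that
checks AD group membership through wbinfo.  Squid sends one request line,
"<user> <group words...>", and expects exactly one reply line, OK or ERR."""

import re
import subprocess
import sys
from typing import Callable, Iterable, List

# A runner takes a wbinfo argv list and returns the command's stdout as text.
Runner = Callable[[List[str]], str]


def run_wbinfo(argv: List[str]) -> str:
    """Default runner: invoke the real wbinfo binary (assumed to be in PATH)."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def unescape(field: str) -> str:
    """Undo Squid's %XX escaping, e.g. 'SEC%20Restricted' -> 'SEC Restricted'."""
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def parse_request(line: str):
    """Split a request into (user, group).  Every word after the user name is
    re-joined with single spaces, which is what makes group names with spaces
    work whether Squid passes them as one token or several."""
    words = line.strip().split()
    if len(words) < 2:
        raise ValueError("expected '<user> <group...>'")
    return unescape(words[0]), unescape(" ".join(words[1:]))


def group_gid(group: str, run: Runner) -> str:
    """Resolve group name -> SID ('wbinfo -n') -> GID ('wbinfo -Y').
    Returns '' when either lookup yields nothing usable."""
    sid_line = run(["wbinfo", "-n", group]).strip()
    if not sid_line or sid_line.startswith("Could not"):
        return ""
    sid = sid_line.split()[0]          # 'S-1-5-21-... SID_DOM_GROUP (2)'
    gid = run(["wbinfo", "-Y", sid]).strip()
    return gid if gid.isdigit() else ""


def is_member(user: str, group: str, run: Runner = run_wbinfo) -> bool:
    """True when the group's GID appears in the user's 'wbinfo -r' list."""
    gid = group_gid(group, run)
    return bool(gid) and gid in run(["wbinfo", "-r", user]).split()


def answer(line: str, run: Runner = run_wbinfo) -> str:
    """The single-word reply Squid expects for one request line."""
    try:
        user, group = parse_request(line)
    except ValueError:
        return "ERR"
    return "OK" if is_member(user, group, run) else "ERR"


def serve(lines: Iterable[str], out=sys.stdout, run: Runner = run_wbinfo) -> None:
    """Main loop: answer every line and flush at once, because Squid waits for
    each reply before it sends the next request."""
    for line in lines:
        out.write(answer(line, run) + "\n")
        out.flush()


# Constructed stand-in for wbinfo so the helper can be exercised offline:
# alice is in "SEC Restricted Users" (constructed GID 10042), bob is not.
CONSTRUCTED_SID = "S-1-5-21-1-2-3-1107"


def constructed_wbinfo(argv: List[str]) -> str:
    flag, arg = argv[1], argv[2]
    if flag == "-n":
        return f"{CONSTRUCTED_SID} SID_DOM_GROUP (2)\n" if arg == "mydomain\\SEC Restricted Users" else ""
    if flag == "-Y":
        return "10042\n" if arg == CONSTRUCTED_SID else ""
    if flag == "-r":
        return "10001\n10042\n" if arg == "mydomain\\alice" else "10001\n"
    return ""


if __name__ == "__main__":
    serve(sys.stdin)   # run under Squid: real wbinfo, requests on stdin
```

Running it under Squid means listing it in external_acl_type exactly as the Perl script is; feeding it "mydomain\alice mydomain\SEC Restricted Users" with the constructed runner answers OK, while an unknown group or a user outside the group answers ERR. The unbuffered flush and the one-reply-per-line discipline are the two points a hand-written helper most often gets wrong.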
Join the Domain
Run the following commands in order. You will be prompted for the MyAdministrator password from time to time.
# kinit MyAdministrator@MYDOMAIN
# net ads join -U MyAdministrator -S MyAuthServer.MyDomain
# net ads keytab create -U MyAdministrator
# net ads keytab add HTTP -U MyAdministrator
Start the Services
You need to start Samba, WinbindD and Squid to use the authentication mechanism.
Testing
The following command would test the raw AD authentication via Kerberos:
# /usr/bin/ntlm_auth --domain=mydomain --username=AnyUser
The following tests whether WinbindD is available:
# wbinfo -p
The following will return a complete list of users visible on the AD:
# wbinfo -u
The following will return a complete list of groups visible on the AD:
# wbinfo -g
The following will test the group auth script. It is interactive and you must use [CTRL]+C to exit.
# /usr/lib/squid/wbinfo_group_H.pl
At the prompt enter:
mydomain\AnyUser mydomain\SEC Restricted Users
Finishing up and some notes
Simply point your browser's proxy settings to your Squid server and give it a go. If you follow these instructions the proxy will be on port 8080. You should not even be prompted for a username and password!
Following the squid logs will show you that each request generates a denied and allowed entry. This is an unfortunate side effect of the NTLM mechanism. A request has to be made before the authentication is requested.
Ensure that you set the services to start at boot.
Slap yourself on the back and go and have a coffee!
Thanks for the great page. The instructions were great. I got everything to run, except squid. When I try to run squid, I receive the following error:
2009/01/28 11:37:05| Ready to serve requests.
2009/01/28 11:37:05| helperStatefulHandleRead: unexpected read from ntlmauthenticator #3, 28 bytes 'NT_STATUS_OK: Success (0x0)
'
2009/01/28 11:37:05| StatefulHandleRead: no callback data registered
2009/01/28 11:37:05| helperStatefulHandleRead: unexpected read from ntlmauthenticator #1, 28 bytes 'NT_STATUS_OK: Success (0x0)
'
2009/01/28 11:37:05| StatefulHandleRead: no callback data registered
2009/01/28 11:37:05| helperStatefulHandleRead: unexpected read from ntlmauthenticator #2, 28 bytes 'NT_STATUS_OK: Success (0x0)
'
2009/01/28 11:37:05| StatefulHandleRead: no callback data registered
2009/01/28 11:37:05| WARNING: ntlmauthenticator #3 (FD 8) exited
2009/01/28 11:37:05| WARNING: ntlmauthenticator #1 (FD 6) exited
2009/01/28 11:37:05| WARNING: ntlmauthenticator #2 (FD 7) exited
2009/01/28 11:37:05| Too few ntlmauthenticator processes are running
FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!
anyone else have this?
Hmm,
I will look into this ASAP.
Can you post your copy of /usr/lib/squid/wbinfo_group_H.pl?
Regards,
H
#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
# 2005-12-26 Guido Serassio
# Add '-d' command line debugging option
#
# 2005-12-24 Guido Serassio
# Fix for wbinfo from Samba 3.0.21
#
# 2004-08-15 Henrik Nordstrom
# Helper protocol changed to URL escaped in Squid-3.0
#
# 2005-06-28 Arno Streuli
# Add multi group check
#
# 2002-07-05 Jerry Murdock
# Initial release
#
# Globals
#
use vars qw/ %opt /;

# Disable output buffering
# $|=1; remmed out by me
$|=1;

sub debug {
    print STDERR "@_\n" if $opt{d};
}

#
# Check if a user belongs to a group
#
sub check {
    local($user, $group) = @_;
    # Resolve the group name to its SID, then the SID to a Unix GID
    $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
    chop $groupSID;
    $groupGID = `wbinfo -Y "$groupSID"`;
    chop $groupGID;
    &debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
    # OK if that GID appears in the list of groups the user belongs to
    return 'OK' if (`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
    return 'ERR';
}

#
# Command line options processing
#
sub init()
{
    use Getopt::Std;
    my $opt_string = 'hd';
    getopts("$opt_string", \%opt) or usage();
    usage() if $opt{h};
}

#
# Message about this program and how to use it
#
sub usage()
{
    print "Usage: wbinfo_group.pl -dh\n";
    print "\t-d enable debugging\n";
    print "\t-h print the help\n";
    exit;
}

init();
print STDERR "Debugging mode ON.\n" if $opt{d};

#
# Main loop
#
while (<STDIN>) {
    chop;
    &debug("Got $_ from squid");
    ($user, @groups) = split(/\s+/);
    $user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
    # Re-join every word after the user name so that a group name
    # containing spaces reaches check() as a single string
    $thegroup = "";
    foreach $group (@groups) {
        if (length($thegroup) == 0) {
            $thegroup = $group;
        } else {
            $thegroup = $thegroup . " " . $group;
        }
    }
    $group = $thegroup;
    $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
    $ans = &check($user, $group);
    &debug("Sending $ans to squid");
    print "$ans\n";
}
I got past the above error, but I am prompted for a username and password. When I try it won't let me in, and gives me a cache access denied error. If after the auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp, I put --diagnostics --username=user --password=password --domain=domain, it will let only this user log on and no one else.
In my cache log I see this:
Could not lookup name myusername mygroupname
Could not convert sid to gid
Could not get groups for user 0
Could not lookup name myusername mygroupname
Could not convert sid to gid
Could not get groups for user 0
Sorry for the delay.
Please see the more recent posting “Squid AD”.
try running:
wbinfo_group_H.pl -d
At the prompt type:
YOURDOMAIN\userid YOURDOMAIN\accessgrp
Replacing:
YOURDOMAIN with the short name of your AD domain
userid with a user login that is in "accessgrp"
accessgrp with a group that contains the users who will be granted access.
[CTRL] C to exit.
Regards,
–H
I'm a regular visitor of your blog. I like your blog due to the quality of your information, hope to see valuable information from you in future, I am much inspired by your blog.
Thanks for the feedback.
Alas this particular entry is semi-abandoned as I haven't the time to update it.
Alas my employer has almost abandoned the open source format. We are using RHEL for our Linux installations but all the Windows networking is now entirely AD and Windows Servers.
Having said that I can't blame them as we really struggled to stabilise Samba.