Debian Squeeze, Squid, Kerberos/LDAP Authentication, Active Directory Integration And Cyfin Reporter

Introduction

This document covers setup of a Squid Proxy which will seamlessly integrate with Active Directory for authentication using Kerberos with LDAP as a backup for users not authenticated via Kerberos. Authorisation is managed by Groups in Active Directory. This is especially useful for Windows 7 clients which no longer support NTLMv2 without changing the local computer policy. It is capable of using white lists and black lists for site access and restrictions.

For this guide the following examples are utilised - you should update any sections with the clients domain, hostnames and IP's where necessary.

• Domain = example.local
• Subnet = 192.168.0.0/24
• Proxy Server: IP = 192.168.0.26, HOSTNAME = squidproxy.example.local
• Windows Server 1: IP = 192.168.0.1, HOSTNAME = domaincontroller1.example.local
• Windows Server 2: IP = 192.168.0.10, HOSTNAME = server2.example.local

A base install of Debian Squeeze is assumed as well as basic Debian administration skills. vi is assumed as the text editor.

Prerequisites

Client Internet Explorer Browsers need to have "Enable Integrated Windows Authentication" ticked in Internet Options :: Advanced settings as well as Proxy Auto detection enabled - google these if not sure. All modern web browsers will support proxy auto detection. Firefox and Chrome also support Windows Authentication.

DNS Configuration

Install dnsutils:

apt-get install dnsutils

On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works. Check that the proxy is using the Windows DNS Server for name resolution and update /etc/resolv.conf accordingly.

vi /etc/resolv.conf

search example.local
nameserver 192.168.0.1
nameserver 192.168.0.10

Ping an internal and external hostname to ensure DNS is operating.

ping domaincontroller1.example.local -c 4 && ping google.com -c 4

Check you can reverse look up the Windows Server and the local proxy ip from the Windows DNS.

dig -x 192.168.0.1
dig -x 192.168.0.26

Warning: If either DNS lookup fails do not proceed until fixed or proxy authentication will fail.

NTP Configuration

Install the ntp package:

apt-get install ntp

Because Kerberos needs to have the time synchronized with Windows Domain Controllers for authentication we configure the proxy to obtain time from the them.

vi /etc/ntp.conf

Locate the following section and update the ntp servers as required. If you have more than one Domain Controller or NTP Server you may add multiple lines.

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server domaincontroller1.example.local
server server2.example.local

Then restart and test NTP.

invoke-rc.d ntp restart
ntpq -p

You should see output that refers to the Domain Controllers and other NTP Servers which are processed in the order that they appear in the conf file.

Configure Kerberos

Install Kerberos packages:

apt-get install krb5-user libkrb53

Just accept the defaults presented to any debconf dialog's presented as we are overwriting them.

Set up Kerberos.

cp /etc/krb5.conf /etc/krb5.conf.default
cat /dev/null > /etc/krb5.conf
vi /etc/krb5.conf

Edit the file replacing the variables (highlighted) with the client's domain and server.

Warning: Depending on your Windows Domain Controllers OS Version un-comment the relevant Windows 200X section and comment out the opposing section.

If you only have 1 Domain Controller remove the additional "kdc" entry from the "[realms]" section.

[libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
;        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
        EXAMPLE.LOCAL = {
                kdc = domaincontroller1.example.local
                kdc = server2.example.local
                admin_server = domaincontroller1.example.local
                default_domain = example.local
        }
[domain_realm]
        .example.local = EXAMPLE.LOCAL
        example.local = EXAMPLE.LOCAL

Install Squid 3

apt-get install squid3 ldap-utils

Note: Squid configuration takes places after msktutil is configured.

Install and run msktutil

Obtain the msktutil package and install it.

cd /var/cache/apt/archives/ wget http://fuhm.net/software/msktutil/releases/msktutil_0.4-2_i386.deb
apt-get install libsasl2-modules-gssapi-mit libsasl2-modules
dpkg -i msktutil_0.4-2_i386.deb
cd

Initiate a kerberos session to the server so msktutil can use it to create our Proxy object in Active directory that will be used for access.

kinit administrator

Enter the domain administrator password.

It should then return without errors. You can see if you successfully obtained a ticket with:

klist

Now we configure the proxy in AD with service principles by running msktutil (update the highlighted values with your network).

Warning: You should not move the object from the OU that you use msktutil to create it in.

msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY \
--upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose

If you are using a Server 2008 domain then add "--enctypes 28" at the end of the command.

msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY \
--upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose --enctypes 28

Set the permissions on the keytab so squid can read it.

chgrp proxy /etc/squid3/PROXY.keytab
chmod g+r /etc/squid3/PROXY.keytab

On the Windows Server reset the Computer Account in AD by right clicking on the SQUIDPROXY Computer and select "Reset Account", then run msktutil as follows to ensure the keytab is updated as expected and that the keytab is being sourced by msktutil from /etc/krb5.conf correctly.

Reboot the proxy first to clear the kerberos tickets generated by kinit command then run the following:

msktutil --auto-update --verbose

If the keytab is not found try adding "-k /etc/squid3/PROXY.keytab" to the command to see if it works and then troubleshoot until resolved or users will not be able to authenticate with Squid.

Add the following to cron so it can automatically updates the computer account in active directory when it expires (typically around 30 days). I pipe it through logger so I can see any errors in syslog if necessary. As stated the msktutil uses the default /etc/krb5.conf file for its paramaters so be aware of that if you decide to make any changes in it.

The SHELL and PATH variables are there to ensure cron runs properly change this if you know what your doing.

crontab -e

SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h  dom mon dow   command
00 4  *   *   *     msktutil --auto-update --verbose | logger -t msktutil

This page is licensed under a Creative Commons License.