Debian Squeeze, Squid, Kerberos/LDAP Authentication, Active Directory Integration And Cyfin Reporter

Want to support HowtoForge? Become a subscriber!
 
Submitted by Jelloir (Contact Author) (Forums) on Wed, 2011-06-15 17:53. :: Debian

Debian Squeeze, Squid, Kerberos/LDAP Authentication, Active Directory Integration And Cyfin Reporter

Introduction

This document covers setup of a Squid Proxy which will seamlessly integrate with Active Directory for authentication using Kerberos with LDAP as a backup for users not authenticated via Kerberos. Authorisation is managed by Groups in Active Directory. This is especially useful for Windows 7 clients which no longer support NTLMv2 without changing the local computer policy. It is capable of using white lists and black lists for site access and restrictions.

For this guide the following examples are utilised - you should update any sections with the clients domain, hostnames and IP's where necessary.

  • Domain = example.local
  • Subnet = 192.168.0.0/24
  • Proxy Server: IP = 192.168.0.26, HOSTNAME = squidproxy.example.local
  • Windows Server 1: IP = 192.168.0.1, HOSTNAME = domaincontroller1.example.local
  • Windows Server 2: IP = 192.168.0.10, HOSTNAME = server2.example.local

A base install of Debian Squeeze is assumed as well as basic Debian administration skills. vi is assumed as the text editor.

 

Prerequisites

Client Internet Explorer Browsers need to have "Enable Integrated Windows Authentication" ticked in Internet Options :: Advanced settings as well as Proxy Auto detection enabled - google these if not sure. All modern web browsers will support proxy auto detection. Firefox and Chrome also support Windows Authentication.

 

DNS Configuration

Install dnsutils:

apt-get install dnsutils

On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works. Check that the proxy is using the Windows DNS Server for name resolution and update /etc/resolv.conf accordingly.

vi /etc/resolv.conf

search example.local
nameserver 192.168.0.1
nameserver 192.168.0.10

Ping an internal and external hostname to ensure DNS is operating.

ping domaincontroller1.example.local -c 4 && ping google.com -c 4

Check you can reverse look up the Windows Server and the local proxy ip from the Windows DNS.

dig -x 192.168.0.1
dig -x 192.168.0.26

Warning: If either DNS lookup fails do not proceed until fixed or proxy authentication will fail.

 

NTP Configuration

Install the ntp package:

apt-get install ntp

Because Kerberos needs to have the time synchronized with Windows Domain Controllers for authentication we configure the proxy to obtain time from the them.

vi /etc/ntp.conf

Locate the following section and update the ntp servers as required. If you have more than one Domain Controller or NTP Server you may add multiple lines.

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server domaincontroller1.example.local
server server2.example.local

Then restart and test NTP.

invoke-rc.d ntp restart
ntpq -p

You should see output that refers to the Domain Controllers and other NTP Servers which are processed in the order that they appear in the conf file.

 

Configure Kerberos

Install Kerberos packages:

apt-get install krb5-user libkrb53

Just accept the defaults presented to any debconf dialog's presented as we are overwriting them.

Set up Kerberos.

cp /etc/krb5.conf /etc/krb5.conf.default
cat /dev/null > /etc/krb5.conf
vi /etc/krb5.conf

Edit the file replacing the variables (highlighted) with the client's domain and server.

Warning: Depending on your Windows Domain Controllers OS Version un-comment the relevant Windows 200X section and comment out the opposing section.

If you only have 1 Domain Controller remove the additional "kdc" entry from the "[realms]" section.

[libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
;        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
        EXAMPLE.LOCAL = {
                kdc = domaincontroller1.example.local
                kdc = server2.example.local
                admin_server = domaincontroller1.example.local
                default_domain = example.local
        }
[domain_realm]
        .example.local = EXAMPLE.LOCAL
        example.local = EXAMPLE.LOCAL

 

Install Squid 3

apt-get install squid3 ldap-utils

Note: Squid configuration takes places after msktutil is configured.

 

Install and run msktutil

Obtain the msktutil package and install it.

cd /var/cache/apt/archives/ wget http://fuhm.net/software/msktutil/releases/msktutil_0.4-2_i386.deb
apt-get install libsasl2-modules-gssapi-mit libsasl2-modules
dpkg -i msktutil_0.4-2_i386.deb
cd

Initiate a kerberos session to the server so msktutil can use it to create our Proxy object in Active directory that will be used for access.

kinit administrator

Enter the domain administrator password.

It should then return without errors. You can see if you successfully obtained a ticket with:

klist

Now we configure the proxy in AD with service principles by running msktutil (update the highlighted values with your network).

Warning: You should not move the object from the OU that you use msktutil to create it in.

msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY \
--upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose

If you are using a Server 2008 domain then add "--enctypes 28" at the end of the command.

msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY \
--upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose --enctypes 28

Set the permissions on the keytab so squid can read it.

chgrp proxy /etc/squid3/PROXY.keytab
chmod g+r /etc/squid3/PROXY.keytab

On the Windows Server reset the Computer Account in AD by right clicking on the SQUIDPROXY Computer and select "Reset Account", then run msktutil as follows to ensure the keytab is updated as expected and that the keytab is being sourced by msktutil from /etc/krb5.conf correctly.

Reboot the proxy first to clear the kerberos tickets generated by kinit command then run the following:

msktutil --auto-update --verbose

If the keytab is not found try adding "-k /etc/squid3/PROXY.keytab" to the command to see if it works and then troubleshoot until resolved or users will not be able to authenticate with Squid.

Add the following to cron so it can automatically updates the computer account in active directory when it expires (typically around 30 days). I pipe it through logger so I can see any errors in syslog if necessary. As stated the msktutil uses the default /etc/krb5.conf file for its paramaters so be aware of that if you decide to make any changes in it.

The SHELL and PATH variables are there to ensure cron runs properly change this if you know what your doing.

crontab -e

SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h  dom mon dow   command
00 4  *   *   *     msktutil --auto-update --verbose | logger -t msktutil

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Marouane (not registered) on Fri, 2014-08-01 12:20.
Hello All,

I have been searching on the net on how to implement Squid, squidGuard with Active Directory but I didn't really find anything that might help. My need is to keep the same reasoning (depending on AD Groups).

I finished the configuration of SquidGuard (Installation, Redirection...etc), but unfortunately the rule I applied on the file squidGuard.conf didn't work at all, I think that the only rules applied are these of squid.conf

I might be completely wrong but I think that it must be a way to implement both squid and squidGuard with Active Directory, so please I will so greatful if you help me out find a solution to my need.

Thank you very much guys, I know that I can count on you ;)

Submitted by Marouane (not registered) on Thu, 2014-07-31 18:14.
Hello,

 First of all, I would like to thank you for your tutorial, it's very instructive. I am still on test stage and it was working perfectly and without any modifications on the Debian server, Clients' browsers keep asking for Login and Password and these requests never end.

 I'm using Debian Squeeze as a Squid Server and Windows Server 2012 as Domain controller, the clients run under Windows XP, 7 and 8 but the only one I made the test on is Windows 7.

 Thank you in advance for your help.

 

Submitted by Andrey (not registered) on Tue, 2012-03-27 13:57.

sometime need change

"CN=COMPUTERS"  ->  "OU=COMPUTERS"

Submitted by Anonymous (not registered) on Fri, 2012-03-09 17:48.

I post here because I can't find how to contribute to your updated guide on Bitbinary.

This is about WPAD.
You mention the DNS method (http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#WPAD_DNS_entries).
I suggest you can also publish WPAD configuration file via DHCP, by defining and using the option number 252.

Example with ISC-DHCP server on Debian:

1 - Edit /etc/dhcp/dhcpd.conf
2 - Define the option 252 with the following:

option my-wpad-server code 252 = text;

3 - Assign the value to the option 252 defined above.

option my-wpad-server "http://squidproxy.example.local/wpad.dat";

Submitted by Jelloir (registered user) on Tue, 2012-01-10 10:36.
I have updated the guide to include some fixes and updates to the documentation.  It can be found at http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
Submitted by Anonymous (not registered) on Wed, 2012-03-28 12:20.

Your guide is much better than this one, but one question.

 When I add users to the 'Internet Users Standard' group, the user is able to surf.

But when I add a group (consisting of users) to the group 'Internet Users Standard', it doesn't work...

Any thoughts ?  Nested groups a problem ?

Submitted by archerjd (registered user) on Wed, 2011-07-27 06:33.

I was actually in the process of documenting this exact process myself.
Almost every step to the detail of using  msktutil, auto-configuration
of the web browser & even the logging!

If I may, I would like to point out the following because I have been
researching this and have a few of these setups in production as well.

  1. When configuring Kerberos, do make use of DNS. DNS resolution does work,
    so in the event that a controller goes offline it will failover to any other in the
    entire network and so users will not be interrupted.
    Yes I did notice that you had added two kdc's but in a larger network that doesn't
    always prove reliable. Been there done that...

  2. When configuring squid at auth_param basic program
    be sure to use the -W option NOT -w and put the password in a file in the
    /etc/squid folder. This is done for security purposes because the commandline
    is actually visible via ps x & that includes the password!

  3. Some servers will need direct access to the internet bypassing the proxy server.
    Adding an IP block with DIRECT access in the wpad.dat file will solve this issue
    for you and save you a lot of headaches in the future. For example the first 15 IP addresses.
    if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.240")) return "DIRECT";

  4. Adding a content filter to the mix will help improve overall network security,
    give you an option to allow untrusted/irresponsible  users to have access to the
    internet to just get their job done.
    Dansguardian is a good filter that requires very little maintenance after properly configured,
    gives you targeted levels of filter groups, and  adds the ability to use a virus scanner
    to the content being download. This has saved my bacon quite a few times.

 

Again Kudos Jelloir and keep up the good work!

Submitted by Anonymous (not registered) on Thu, 2011-07-21 15:45.
Where do users set their passwords? This is a tutorial for users to connect to a domain?
Submitted by Jelloir (registered user) on Thu, 2011-07-28 06:30.
Computers/Users that are part of the domain will not be prompted as authentication occurs in the background.  Non domain users will be prompted to input a username which needs to be a valid account in active directory (this is done via an LDAP query).  we simply create a domain account called webaccess and add it to the Internet Users Group for any visitors etc. that might pop in the office and need net access.
Submitted by AndyRogers (not registered) on Thu, 2011-07-14 19:10.

Great guide, which we are using thanks.

One question though, does anyone who uses Windows 7 have problems with the pass through authentication working changing any local security settings?

 I have followed the guide to the letter, and have it working excellently in Windows Xp.

When we open up IE in Win7 we get prompted for username and password.

 

 

Submitted by Jelloir (registered user) on Thu, 2011-07-28 06:55.
Andy, This means that it's failing over to LDAP auth (I assume if they put their username and password in that it works). Do you notice whether the login prompt appears twice and the second time it works? I did have a handful of Windows 7 machines that I had to Reset Internet Explorer (cleared the cache as well) and this fixed it - must be some sort of hangover in IE that only a reset resolves, Does it work in FF or Chrome?
Submitted by Marouane (not registered) on Fri, 2014-08-01 11:46.

Hello,

I have the same issue. I didn't try what you've already done on Internet Explorer.

I have this problem on Internet Explorer and Google Chrome, but it works perfectly on Firefox (I guess that Google Chrome gets all its parameters from Internet Explorer).

I wonder if there is any other solution to this problem, because since we have too many machines on the network it's going to be a hard work to do...

Thanks

Submitted by anon (not registered) on Thu, 2011-06-23 15:30.
great write up, i could of done with this a month ago.
Submitted by Anonymous (not registered) on Sun, 2011-06-19 22:34.

... you lost me at "Download some random program from the internet" (msktutil).

Anything downloaded and installed manually requires me to manually download and install security updates (best case), or patch and recompile, or even fix source code. And this, of course, requires me to monitor the msktutil website and possibly others for new versions and security advisories. Not worth it.

Interesting, but not usable in a production environment.

Submitted by Jelloir (registered user) on Mon, 2011-06-20 12:12.

If your that concerned about using a package from the software maintainer then you don't have to.  You can always use ktpass.exe from the Windows Server and place it on the proxy instead.  However you miss out on the convenience of updating your keytab automatically and will have to work out another method such as simply disabling expiry of the proxy accounts password in AD.