Comments on Debian Squeeze, Squid, Kerberos/LDAP Authentication, Active Directory Integration And Cyfin Reporter
Debian Squeeze, Squid, Kerberos/LDAP Authentication, Active Directory Integration And Cyfin Reporter This document covers setup of a Squid Proxy which will seamlessly integrate with Active Directory for authentication using Kerberos with LDAP as a backup for users not authenticated via Kerberos. Authorisation is managed by Groups in Active Directory. This is especially useful for Windows 7 clients which no longer support NTLMv2 without changing the local computer policy. It is capable of using white lists and black lists for site access and restrictions.
22 Comment(s)
Comments
great write up, i could of done with this a month ago.
... you lost me at "Download some random program from the internet" (msktutil).
Anything downloaded and installed manually requires me to manually download and install security updates (best case), or patch and recompile, or even fix source code. And this, of course, requires me to monitor the msktutil website and possibly others for new versions and security advisories. Not worth it.
Interesting, but not usable in a production environment.
If your that concerned about using a package from the software maintainer then you don't have to. You can always use ktpass.exe from the Windows Server and place it on the proxy instead. However you miss out on the convenience of updating your keytab automatically and will have to work out another method such as simply disabling expiry of the proxy accounts password in AD.
Great guide, which we are using thanks.
One question though, does anyone who uses Windows 7 have problems with the pass through authentication working changing any local security settings?
I have followed the guide to the letter, and have it working excellently in Windows Xp.
When we open up IE in Win7 we get prompted for username and password.
Andy, This means that it's failing over to LDAP auth (I assume if they put their username and password in that it works). Do you notice whether the login prompt appears twice and the second time it works? I did have a handful of Windows 7 machines that I had to Reset Internet Explorer (cleared the cache as well) and this fixed it - must be some sort of hangover in IE that only a reset resolves, Does it work in FF or Chrome?
I have the same issue. I didn't try what you've already done on Internet Explorer.
I have this problem on Internet Explorer and Google Chrome, but it works perfectly on Firefox (I guess that Google Chrome gets all its parameters from Internet Explorer).
I wonder if there is any other solution to this problem, because since we have too many machines on the network it's going to be a hard work to do...
Thanks
Computers/Users that are part of the domain will not be prompted as authentication occurs in the background. Non domain users will be prompted to input a username which needs to be a valid account in active directory (this is done via an LDAP query). we simply create a domain account called webaccess and add it to the Internet Users Group for any visitors etc. that might pop in the office and need net access.
Where do users set their passwords? This is a tutorial for users to connect to a domain?
I was actually in the process of documenting this exact process myself.
Almost every step to the detail of using msktutil, auto-configuration
of the web browser & even the logging!
If I may, I would like to point out the following because I have been
researching this and have a few of these setups in production as well.
- When configuring Kerberos, do make use of DNS. DNS resolution does work,
so in the event that a controller goes offline it will failover to any other in the
entire network and so users will not be interrupted.
Yes I did notice that you had added two kdc's but in a larger network that doesn't
always prove reliable. Been there done that...
- When configuring squid at auth_param basic program
be sure to use the -W option NOT -w and put the password in a file in the
/etc/squid folder. This is done for security purposes because the commandline
is actually visible via ps x & that includes the password! - Some servers will need direct access to the internet bypassing the proxy server.
Adding an IP block with DIRECT access in the wpad.dat file will solve this issue
for you and save you a lot of headaches in the future. For example the first 15 IP addresses.
if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.240")) return "DIRECT"; - Adding a content filter to the mix will help improve overall network security,
give you an option to allow untrusted/irresponsible users to have access to the
internet to just get their job done.
Dansguardian is a good filter that requires very little maintenance after properly configured,
gives you targeted levels of filter groups, and adds the ability to use a virus scanner
to the content being download. This has saved my bacon quite a few times.
Again Kudos Jelloir and keep up the good work!
I have updated the guide to include some fixes and updates to the documentation. It can be found at http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
Your guide is much better than this one, but one question.
When I add users to the 'Internet Users Standard' group, the user is able to surf.
But when I add a group (consisting of users) to the group 'Internet Users Standard', it doesn't work...
Any thoughts ? Nested groups a problem ?
I post here because I can't find how to contribute to your updated guide on Bitbinary.
This is about WPAD.
You mention the DNS method (http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#WPAD_DNS_entries).
I suggest you can also publish WPAD configuration file via DHCP, by defining and using the option number 252.
Example with ISC-DHCP server on Debian:
1 - Edit /etc/dhcp/dhcpd.conf
2 - Define the option 252 with the following:
option my-wpad-server code 252 = text;
3 - Assign the value to the option 252 defined above.
option my-wpad-server "http://squidproxy.example.local/wpad.dat";
sometime need change
"CN=COMPUTERS" -> "OU=COMPUTERS"
First of all, I would like to thank you for your tutorial, it's very instructive. I am still on test stage and it was working perfectly and without any modifications on the Debian server, Clients' browsers keep asking for Login and Password and these requests never end.
I'm using Debian Squeeze as a Squid Server and Windows Server 2012 as Domain controller, the clients run under Windows XP, 7 and 8 but the only one I made the test on is Windows 7.
Thank you in advance for your help.
I have been searching on the net on how to implement Squid, squidGuard with Active Directory but I didn't really find anything that might help. My need is to keep the same reasoning (depending on AD Groups).
I finished the configuration of SquidGuard (Installation, Redirection...etc), but unfortunately the rule I applied on the file squidGuard.conf didn't work at all, I think that the only rules applied are these of squid.conf
I might be completely wrong but I think that it must be a way to implement both squid and squidGuard with Active Directory, so please I will so greatful if you help me out find a solution to my need.
Thank you very much guys, I know that I can count on you ;)
Hi, excellent tutorial. This was a good guide for me.
This includes SSO ? because every time you open the brower asks password . You could indicate whether to do something else?
Cheers
And Samba ?
Hi,
thanks for this work !!
I create a Group named Webusers and I hope that when I put my user in this group the user can access to internet and when I remove the user, it cannot access to internet.... it's possible with this ?
Sorry for my english
Your helper paths are all wrong, plus none of them work against windows servers
Thanks, helped get me setup. Ran into issues with ntlm auth but it was a privelage problem with the newer ubuntu's. For anyone out there reading and having issues... do this- chown root:winbindd_priv /var/lib/samba/winbindd_privileged/
I am trying to follow this guide and implement it with in my network.
This guide does not work well with debain jessie.
1 ) most of the mentioned paths are not correct
2 )apt-get install krb5-user libkrb53 ( libkrb53 does not exist)
3) when i try to restart squid .
Error:
FATAL: auth_param negotiate program /usr/lib/squid3/squid_kerb_auth: (2) No such file or…. faile
4 ) squid_kerb_auth. file is not present
root@squidproxy:~# ls /usr/lib/squid3/
basic_db_auth basic_pam_auth cert_tool ext_ldap_group_acl helper-mux.pl ntlm_fake_auth url_fake_rewrite.sh
basic_fake_auth basic_pop3_auth digest_file_auth ext_session_acl log_db_daemon ntlm_smb_lm_auth
basic_getpwnam_auth basic_radius_auth digest_ldap_auth ext_sql_session_acl log_file_daemon pinger
basic_ldap_auth basic_sasl_auth diskd ext_time_quota_acl negotiate_kerberos_auth storeid_file_rewrite
basic_ncsa_auth basic_smb_auth ext_file_userip_acl ext_unix_group_acl negotiate_kerberos_auth_test unlinkd
basic_nis_auth basic_smb_auth.sh ext_kerberos_ldap_group_acl ext_wbinfo_group_acl negotiate_wrapper_auth url_fake_rewrite
root@squidproxy:~# ls /usr/lib/squid3/s*
/usr/lib/squid3/storeid_file_rewrite
can you please revise this article and update it again so that it works well with new versions as well.
I believe something is missing in between:-s HTTP -k