Debian Squeeze, Squid, Kerberos/LDAP Authentication, Active Directory Integration And Cyfin Reporter
Introduction
This document covers the setup of a Squid proxy that integrates seamlessly with Active Directory, authenticating users with Kerberos and falling back to LDAP (basic authentication) for users who cannot authenticate via Kerberos. Authorisation is managed by groups in Active Directory. This is especially useful for Windows 7 clients, which by default send only NTLMv2 responses and will not fall back to older NTLM unless the local security policy is changed. Site access can be controlled with white lists and black lists.
For this guide the following examples are utilised - you should update any sections with the clients domain, hostnames and IP's where necessary.
- Domain = example.local
- Subnet = 192.168.0.0/24
- Proxy Server: IP = 192.168.0.26, HOSTNAME = squidproxy.example.local
- Windows Server 1: IP = 192.168.0.1, HOSTNAME = domaincontroller1.example.local
- Windows Server 2: IP = 192.168.0.10, HOSTNAME = server2.example.local
A base install of Debian Squeeze is assumed as well as basic Debian administration skills. vi is assumed as the text editor.
Prerequisites
Client Internet Explorer browsers need "Enable Integrated Windows Authentication" ticked under Internet Options :: Advanced, and proxy auto-detection enabled (search for the exact dialog if unsure). All modern web browsers support proxy auto-detection; Firefox and Chrome also support Windows Authentication.
DNS Configuration
Install dnsutils:
apt-get install dnsutils
On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works. Check that the proxy is using the Windows DNS Server for name resolution and update /etc/resolv.conf accordingly.
vi /etc/resolv.conf
search example.local
nameserver 192.168.0.1
nameserver 192.168.0.10
Ping an internal and external hostname to ensure DNS is operating.
ping domaincontroller1.example.local -c 4 && ping google.com -c 4
Check that you can reverse-lookup the Windows server and the proxy's own IP via the Windows DNS.
dig -x 192.168.0.1
dig -x 192.168.0.26
Warning: If either DNS lookup fails do not proceed until fixed or proxy authentication will fail.
NTP Configuration
Install the ntp package:
apt-get install ntp
Kerberos rejects tickets when the clock differs from the Domain Controllers' by more than its skew tolerance (5 minutes by default), so we configure the proxy to obtain time from them.
vi /etc/ntp.conf
Locate the following section and update the ntp servers as required. If you have more than one Domain Controller or NTP Server you may add multiple lines.
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server domaincontroller1.example.local
server server2.example.local
Then restart and test NTP.
invoke-rc.d ntp restart
ntpq -p
You should see lines for the Domain Controllers and any other NTP servers listed. ntpd does not use them in the order they appear in the conf file; its selection algorithm picks the best source, marking the chosen system peer with "*" and other acceptable candidates with "+". It can take several minutes after a restart before any peer is marked, and Kerberos will not work reliably until one is.
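A practical pre-flight check before going anywhere near Kerberos is whether the proxy's clock is actually within the skew Kerberos tolerates. The following is an added example, not part of the original guide: it parses "ntpq -p" output, picks the peer ntpd has selected as its system peer (the line tagged "*"), and compares its offset against the MIT Kerberos default clock-skew limit of 300 seconds. The ntpq sample embedded below is constructed for the demonstration and is not output captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `ntpq -p` output for the offline demonstration;
# on the proxy itself feed the live output instead (see the usage line below).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*domaincontroll  192.168.0.1      3 u   42   64  377    0.412   -1.234   0.567
+server2.example 192.168.0.1      4 u   40   64  377    0.601    2.345   0.890'

# MIT Kerberos rejects tickets beyond 300 s of skew by default (krb5.conf
# "clockskew"); ntpq reports the offset column in milliseconds.
KRB_MAX_SKEW_MS=300000

# Print the offset (ms) of the peer ntpd has selected as its system peer,
# i.e. the line whose first column starts with '*'. Prints nothing and
# returns 1 when no peer has been selected yet (ntpd still converging).
ntpq_syspeer_offset_ms() {
    awk '$1 ~ /^\*/ { print $9; found = 1 } END { exit (found ? 0 : 1) }'
}

# Return 0 if |offset| <= limit, 1 otherwise. The offset is signed and
# fractional, so compare in awk rather than with shell integer arithmetic.
skew_ok() {
    awk -v off="$1" -v lim="$2" \
        'BEGIN { off = (off < 0) ? -off : off; exit (off <= lim) ? 0 : 1 }'
}

# Reads `ntpq -p` output on stdin. Exit 0 = within tolerance, 1 = too far
# off, 2 = ntpd has not chosen a system peer yet.
check_ntp_skew() {
    off=$(ntpq_syspeer_offset_ms) || {
        echo "no system peer selected (no '*' line); wait for ntpd to sync"
        return 2
    }
    if skew_ok "$off" "$KRB_MAX_SKEW_MS"; then
        echo "clock offset ${off} ms is within Kerberos tolerance"
        return 0
    fi
    echo "clock offset ${off} ms exceeds ${KRB_MAX_SKEW_MS} ms; Kerberos will fail"
    return 1
}

# Demonstration on the constructed sample. On the proxy run:
#   ntpq -p | check_ntp_skew
printf '%s\n' "$SAMPLE_NTPQ" | check_ntp_skew
```

Exit code 2 is deliberately distinct from 1: a freshly restarted ntpd shows no "*" peer for a few minutes, which is a "wait" condition, not a misconfiguration.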
Configure Kerberos
Install Kerberos packages:
apt-get install krb5-user libkrb5-3
Just accept the defaults in any debconf dialogs presented; the generated configuration is replaced in the next step.
Set up Kerberos.
cp /etc/krb5.conf /etc/krb5.conf.default
cat /dev/null > /etc/krb5.conf
vi /etc/krb5.conf
Edit the file, replacing the example realm, domain and server names with the client's own.
Warning: Depending on your Windows Domain Controllers' OS version, un-comment the relevant Windows 200X section and comment out the other. The des-cbc-crc and des-cbc-md5 types are weak and are disabled by default in the MIT Kerberos shipped with Squeeze (1.8) unless allow_weak_crypto = true is set, so on a 2008 domain prefer the AES section; the rc4-hmac entry is what keeps older DCs that do not offer AES working.
If you only have one Domain Controller remove the second "kdc" entry from the "[realms]" section.
[libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid3/PROXY.keytab

; for Windows 2003
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
;        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
        EXAMPLE.LOCAL = {
                kdc = domaincontroller1.example.local
                kdc = server2.example.local
                admin_server = domaincontroller1.example.local
                default_domain = example.local
        }

[domain_realm]
        .example.local = EXAMPLE.LOCAL
        example.local = EXAMPLE.LOCAL
Install Squid 3
apt-get install squid3 ldap-utils
Note: Squid configuration takes place after msktutil is configured.
Install and run msktutil
Obtain the msktutil package and install it. The 0.4-2 i386 build is used here; if the proxy is 64-bit (check with dpkg --print-architecture), fetch the matching build for your architecture from the same site instead.
cd /var/cache/apt/archives/
wget http://fuhm.net/software/msktutil/releases/msktutil_0.4-2_i386.deb
apt-get install libsasl2-modules-gssapi-mit libsasl2-modules
dpkg -i msktutil_0.4-2_i386.deb
cd
Initiate a Kerberos session as a domain administrator so msktutil can use it to create the proxy's computer object in Active Directory; that object is what holds the keys Squid will authenticate with.
kinit administrator
Enter the domain administrator password.
It should then return without errors. You can see if you successfully obtained a ticket with:
klist
Now we create the proxy's computer account in AD together with its service principals by running msktutil (replace the OU, computer name, hostname and server with your own).
Warning: You should not move the object from the OU that you use msktutil to create it in.
msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY \
--upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose
If you are using a Server 2008 domain add "--enctypes 28" to the end of the command. The value is a bitmask of msktutil's encryption-type bits (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128-CTS-HMAC-SHA1-96, 0x10 AES256-CTS-HMAC-SHA1-96), so 28 enables RC4 plus both AES types and leaves the weak DES types out:
msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY \
--upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose --enctypes 28
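Because --enctypes is a bitmask rather than a list, it is easy to hand msktutil a value that silently enables the DES types or omits AES. The following added helper (editor's example, not part of msktutil or of the original guide) decodes a mask into enctype names, builds a mask from names, and flags any DES bit; the bit values are msktutil's documented ones, while the weak/legacy/strong labels are this editor's classification.

```shell
#!/bin/sh
# msktutil --enctypes bit values (from msktutil's documentation), with an
# editor-assigned strength label: DES is weak and disabled by default in MIT
# Kerberos 1.8 (Debian Squeeze) unless allow_weak_crypto = true is set.
ENCTYPE_TABLE='1 des-cbc-crc weak
2 des-cbc-md5 weak
4 rc4-hmac legacy
8 aes128-cts-hmac-sha1-96 strong
16 aes256-cts-hmac-sha1-96 strong'

# Print the enctype names enabled by a --enctypes mask, one per line.
#   enctypes_decode 28  ->  rc4-hmac, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
enctypes_decode() {
    mask=$1
    printf '%s\n' "$ENCTYPE_TABLE" | while read -r bit name class; do
        if [ $(( mask & bit )) -ne 0 ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Build the mask for a list of enctype names; fails on an unknown name so a
# typo cannot quietly become "no AES".
#   enctypes_encode aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96  ->  24
enctypes_encode() {
    mask=0
    for want in "$@"; do
        bit=$(printf '%s\n' "$ENCTYPE_TABLE" | awk -v n="$want" '$2 == n { print $1 }')
        [ -n "$bit" ] || { echo "unknown enctype: $want" >&2; return 1; }
        mask=$(( mask | bit ))
    done
    printf '%s\n' "$mask"
}

# Return 1 (with a message on stderr) if the mask enables any DES type.
# A keytab whose only usable keys are DES would leave Squid unable to accept
# tickets on a Squeeze proxy, since its krb5 ignores DES by default.
enctypes_warn_weak() {
    mask=$1
    weak=$(printf '%s\n' "$ENCTYPE_TABLE" | while read -r bit name class; do
        if [ "$class" = weak ] && [ $(( mask & bit )) -ne 0 ]; then
            printf '%s ' "$name"
        fi
    done)
    [ -z "$weak" ] || { echo "mask $mask enables weak DES types: $weak" >&2; return 1; }
    return 0
}

# Demonstration: what the guide's "--enctypes 28" actually selects, and the
# mask to use if the domain supports AES and RC4 is not wanted at all.
echo "--enctypes 28 enables:"
enctypes_decode 28
echo "AES-only mask: $(enctypes_encode aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96)"
enctypes_warn_weak 28 && echo "28 enables no DES types"
```

The mask you choose must also agree with the enctype lists in /etc/krb5.conf: if msktutil stores only AES keys but krb5.conf permits only rc4-hmac and DES, the proxy cannot decrypt the service tickets it receives.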
Set the permissions on the keytab so Squid, which runs as the proxy group, can read it. The keytab is as sensitive as the computer account's password: it should end up readable by root and the proxy group only, and never world-readable.
chgrp proxy /etc/squid3/PROXY.keytab
chmod g+r /etc/squid3/PROXY.keytab
On the Windows server reset the computer account in AD (right-click the SQUIDPROXY computer and select "Reset Account"), then run msktutil as follows to ensure the keytab is updated as expected and that msktutil is picking up the keytab path from /etc/krb5.conf.
First discard the tickets obtained with kinit (run kdestroy, or simply reboot the proxy) so that msktutil has to authenticate with the keytab rather than with the leftover administrator ticket, then run:
msktutil --auto-update --verbose
If the keytab is not found try adding "-k /etc/squid3/PROXY.keytab" to the command to see if it works and then troubleshoot until resolved or users will not be able to authenticate with Squid.
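The quickest way to settle "will users be able to authenticate" before Squid is even configured is to test the keytab directly. The following is an added verification script, not part of the original guide or of msktutil: it checks the keytab's mode, confirms the HTTP/ principal is present in "klist -k" output, and obtains a ticket with the keytab via kinit so that a stale key version or a wrong enctype shows up here rather than in Squid's cache.log. It assumes the guide's keytab path and SPN, and the klist output embedded for the offline demonstration is constructed, not captured.

```shell
#!/bin/sh
# Assumed from the guide; adjust for your site.
KEYTAB=/etc/squid3/PROXY.keytab
SPN=HTTP/squidproxy.example.local

# Constructed sample of `klist -k` output for the offline demonstration
# (one line per key, so a principal appears once per enctype).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/squidproxy.example.local@EXAMPLE.LOCAL
   2 HTTP/squidproxy.example.local@EXAMPLE.LOCAL
   2 host/squidproxy.example.local@EXAMPLE.LOCAL
   2 SQUIDPROXY$@EXAMPLE.LOCAL'

# Mode check: Squid runs as the 'proxy' group, so the group read bit must be
# set, and 'other' must have no access at all because the keytab is
# equivalent to the computer account's password (target: root:proxy 640).
keytab_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -???r??---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Reads `klist -k` output on stdin; succeeds if the given SPN appears in the
# principal column (any KVNO, any enctype).
klist_has_spn() {
    awk -v spn="$1" '$2 ~ ("^" spn "@") { found = 1 } END { exit (found ? 0 : 1) }'
}

# Live check: mode, principal present, then a real kinit with the keytab.
# kdestroy afterwards so the service ticket does not linger in root's cache.
verify_keytab() {
    keytab_mode_ok "$KEYTAB" || { echo "bad mode on $KEYTAB (want root:proxy 640)" >&2; return 1; }
    klist -k "$KEYTAB" | klist_has_spn "$SPN" || { echo "$SPN missing from $KEYTAB" >&2; return 1; }
    kinit -k -t "$KEYTAB" "$SPN" || { echo "kinit with $KEYTAB failed; check KVNO/enctypes" >&2; return 1; }
    kdestroy
    echo "$KEYTAB is usable for $SPN"
}

# Offline demonstration on the constructed sample, then the live check when
# the keytab actually exists on this host.
printf '%s\n' "$SAMPLE_KLIST" | klist_has_spn "$SPN" && echo "sample keytab lists $SPN"
if [ -r "$KEYTAB" ]; then verify_keytab; fi
```

If kinit fails after a "Reset Account" on the DC, compare the KVNO shown by "klist -k" with the account's current key version; msktutil --auto-update is what brings the keytab back in step.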
Add the following to cron so it automatically updates the computer account in Active Directory when the password is due for rotation (msktutil's default is 30 days). The output is piped through logger so any errors can be seen in syslog; stderr must be redirected into the pipe as well, otherwise error messages bypass logger. As stated, msktutil reads its parameters from the default /etc/krb5.conf, so be aware of that if you decide to make any changes there.
The SHELL and PATH variables are there to ensure cron runs properly; change them only if you know what you're doing.
crontab -e
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h  dom mon dow   command
00 4 * * * msktutil --auto-update --verbose 2>&1 | logger -t msktutil