Debian Squeeze, Squid, Kerberos/LDAP Authentication, Active Directory Integration And Cyfin Reporter

Introduction

This document covers the setup of a Squid proxy that integrates seamlessly with Active Directory: users are authenticated with Kerberos, with an LDAP lookup as the fallback for users who are not authenticated via Kerberos, and authorisation is managed by groups in Active Directory. This is especially useful for Windows 7 clients, whose default security policy is stricter about NTLM than earlier Windows versions; with Kerberos there is no need to relax the local security policy on each client. Site access can be permitted or restricted with white lists and black lists.

For this guide the following example values are used; update any sections with the client's domain, hostnames and IPs where necessary.

  • Domain = example.local
  • Subnet = 192.168.0.0/24
  • Proxy Server: IP = 192.168.0.26, HOSTNAME = squidproxy.example.local
  • Windows Server 1: IP = 192.168.0.1, HOSTNAME = domaincontroller1.example.local
  • Windows Server 2: IP = 192.168.0.10, HOSTNAME = server2.example.local

A base install of Debian Squeeze is assumed as well as basic Debian administration skills. vi is assumed as the text editor.

 

Prerequisites

Client Internet Explorer browsers need to have "Enable Integrated Windows Authentication" ticked in Internet Options :: Advanced, and proxy auto-detection enabled (search for these settings if unsure). All modern web browsers support proxy auto-detection; Firefox and Chrome also support Windows Authentication.

 

DNS Configuration

Install dnsutils:

apt-get install dnsutils

On the Windows DNS server add an A record for the proxy server's hostname and make sure a matching PTR (reverse DNS) record is also created and resolves. The proxy must use the Windows DNS servers for name resolution, so update /etc/resolv.conf accordingly.

vi /etc/resolv.conf
search example.local
nameserver 192.168.0.1
nameserver 192.168.0.10

Ping an internal and external hostname to ensure DNS is operating.

ping domaincontroller1.example.local -c 4 && ping google.com -c 4

Check you can reverse look up the Windows Server and the local proxy ip from the Windows DNS.

dig -x 192.168.0.1
dig -x 192.168.0.26

Warning: If either DNS lookup fails do not proceed until fixed or proxy authentication will fail.

 

NTP Configuration

Install the ntp package:

apt-get install ntp

Kerberos requires the proxy's clock to be synchronised with the Windows Domain Controllers (tickets are rejected once the clocks differ by more than the default 5-minute clock skew), so we configure the proxy to obtain its time from them.

vi /etc/ntp.conf

Locate the following section and update the ntp servers as required. If you have more than one Domain Controller or NTP Server you may add multiple lines.

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server domaincontroller1.example.local
server server2.example.local

Then restart and test NTP.

invoke-rc.d ntp restart
ntpq -p

You should see the Domain Controllers and any other NTP servers listed. ntpd selects the best source itself (the selected peer is marked with * in the first column) rather than using the servers in the order they appear in the configuration file; allow a few minutes after the restart for a peer to be selected.
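The DNS and NTP checks above are worth scripting so they can be repeated before every Kerberos change. The following is an added example for this guide, not a script from the original page: it uses the guide's example hostnames and addresses, takes MIT Kerberos' default 300-second clock skew as the limit, parses dig +short and ntpq -pn output, and embeds constructed sample ntpq and PTR output (not captured from a real host) so the parsing can be exercised without a domain.

```shell
#!/bin/sh
# Pre-flight checks for the proxy host before touching Kerberos or Squid:
# forward and reverse DNS must agree for the proxy and the DC, and the clock
# must be within Kerberos' default 5-minute clock skew of the DCs.
# Added example for this guide, not a script from the original page; the
# names and addresses are the guide's example values.

PROXY_HOST="squidproxy.example.local"
PROXY_IP="192.168.0.26"
DC_HOST="domaincontroller1.example.local"
DC_IP="192.168.0.1"
MAX_SKEW_MS=300000      # MIT krb5 default clockskew is 300 s

# Normalise a DNS name for comparison: lower-case, drop the trailing dot dig prints.
norm_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# answer_contains EXPECTED "<dig +short output>": succeed if any answer line
# equals EXPECTED (used for both A and PTR answers).
answer_contains() {
    want=$(norm_name "$1")
    printf '%s\n' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -qxF -- "$want"
}

# ntp_selected_offset_ms "<ntpq -pn output>": print the offset in milliseconds
# of the peer ntpd has selected (the line tagged '*'); prints nothing if ntpd
# has not selected a peer yet.
ntp_selected_offset_ms() {
    printf '%s\n' "$1" | awk '/^\*/ { print $9; exit }'
}

# skew_ok OFFSET_MS: succeed if |offset| is below MAX_SKEW_MS. An empty
# offset means there is no synchronised peer, which counts as a failure.
skew_ok() {
    [ -n "$1" ] || return 1
    awk -v o="$1" -v max="$MAX_SKEW_MS" 'BEGIN { if (o < 0) o = -o; exit !(o < max) }'
}

# Constructed sample output (not captured from a real host) so the parsers
# above can be exercised offline.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.0.1     .LOCL.           1 u   34   64  377    0.412   -1.234   0.321
+192.168.0.10    192.168.0.1      2 u   30   64  377    0.501    2.110   0.450'

SAMPLE_PTR='squidproxy.example.local.'

# run_live_checks: query the real DNS and ntpd; returns non-zero on any failure.
run_live_checks() {
    rc=0
    answer_contains "$PROXY_IP" "$(dig +short "$PROXY_HOST")" \
        || { echo "FAIL: A record for $PROXY_HOST is not $PROXY_IP"; rc=1; }
    answer_contains "$PROXY_HOST" "$(dig +short -x "$PROXY_IP")" \
        || { echo "FAIL: PTR for $PROXY_IP is not $PROXY_HOST"; rc=1; }
    answer_contains "$DC_HOST" "$(dig +short -x "$DC_IP")" \
        || { echo "FAIL: PTR for $DC_IP is not $DC_HOST"; rc=1; }
    off=$(ntp_selected_offset_ms "$(ntpq -pn)")
    skew_ok "$off" \
        || { echo "FAIL: no synchronised NTP peer, or offset ${off:-?} ms exceeds ${MAX_SKEW_MS} ms"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: DNS and time are consistent"
    return "$rc"
}

# The live checks only run when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    run_live_checks
fi
```

Run it on the proxy as sh preflight.sh --run; without --run it only defines the functions. The time check deliberately uses the peer ntpd has actually selected (the * line) rather than the servers listed in ntp.conf, because a configured but unreachable Domain Controller would otherwise look fine in the file while the proxy quietly drifts past the skew limit.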

 

Configure Kerberos

Install Kerberos packages:

apt-get install krb5-user

(krb5-user pulls in the Kerberos client library, which on Squeeze is packaged as libkrb5-3; the libkrb53 package name belongs to older releases.)

Just accept the defaults presented by any debconf dialogs, as we are overwriting the configuration anyway.

Set up Kerberos.

cp /etc/krb5.conf /etc/krb5.conf.default
cat /dev/null > /etc/krb5.conf
vi /etc/krb5.conf

Edit the file, replacing the example values with the client's domain and servers.

Warning: Depending on the Windows Domain Controller OS version, uncomment the relevant Windows 200X block and comment out the other. The Windows 2003 block lists only RC4 and single-DES types; single DES is cryptographically broken and is disabled by default from Windows 7 / Server 2008 R2 onwards, so if all Domain Controllers are Server 2008 or newer use the AES block and drop the des-cbc-crc and des-cbc-md5 entries, keeping rc4-hmac only as long as something in the domain still needs it.

If you only have one Domain Controller, remove the second "kdc" entry from the "[realms]" section. Note that default_keytab_name points at the Squid keytab; msktutil (below) relies on this setting to find the keytab without being told its path.

[libdefaults]
        default_realm = EXAMPLE.LOCAL
        dns_lookup_kdc = no
        dns_lookup_realm = no
        ticket_lifetime = 24h
        default_keytab_name = /etc/squid3/PROXY.keytab
; for Windows 2003
        default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES
;        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
        EXAMPLE.LOCAL = {
                kdc = domaincontroller1.example.local
                kdc = server2.example.local
                admin_server = domaincontroller1.example.local
                default_domain = example.local
        }
[domain_realm]
        .example.local = EXAMPLE.LOCAL
        example.local = EXAMPLE.LOCAL

 

Install Squid 3

apt-get install squid3 ldap-utils

Note: Squid is configured after msktutil has been set up.

 

Install and run msktutil

Obtain the msktutil package and install it. Squeeze does not ship msktutil (later Debian releases package it), so this is a binary from the upstream author's site: pick the .deb matching your architecture (dpkg --print-architecture), fetch it over a channel you trust, and remember that apt will not update it for you. This binary ends up holding the proxy's domain credentials, so treat it accordingly.

cd /var/cache/apt/archives/
wget http://fuhm.net/software/msktutil/releases/msktutil_0.4-2_i386.deb
apt-get install libsasl2-modules-gssapi-mit libsasl2-modules
dpkg -i msktutil_0.4-2_i386.deb
cd

Obtain a Kerberos ticket as a domain administrator so msktutil can use it to create the proxy's computer object in Active Directory:

kinit administrator

Enter the domain administrator password.

It should then return without errors. You can see if you successfully obtained a ticket with:

klist

Now create the proxy's computer object and service principal in AD by running msktutil (replace the example values with your own). -b is the container, relative to the domain base DN, in which the object is created; if your computers live in an organisational unit rather than the default Computers container, give that OU (OU=...) instead of CN=COMPUTERS. -s HTTP adds the HTTP service principal (HTTP/squidproxy.example.local) that browsers request tickets for, and -k writes the keytab to the path that krb5.conf expects.

Warning: You should not move the object from the OU in which you let msktutil create it.

msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY \
--upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose

If your Domain Controllers are Server 2008 or newer, add "--enctypes 28" at the end of the command. The number is AD's msDS-SupportedEncryptionTypes bitmask: 4 = RC4-HMAC, 8 = AES128, 16 = AES256, so 28 enables all three and leaves the DES types (1 and 2) switched off.

msktutil -c -b "CN=COMPUTERS" -s HTTP -k /etc/squid3/PROXY.keytab --computer-name SQUIDPROXY \
--upn HTTP/squidproxy.example.local --server domaincontroller1.example.local --verbose --enctypes 28

The keytab is the proxy's long-term Kerberos key: anyone who can read it can impersonate the HTTP/squidproxy service, so make it readable only by root and the group Squid runs as (the Debian squid3 package runs as user proxy), and by nobody else.

chown root:proxy /etc/squid3/PROXY.keytab
chmod 640 /etc/squid3/PROXY.keytab

On the Windows Server reset the computer account in AD by right-clicking the SQUIDPROXY computer object and selecting "Reset Account", then run msktutil as follows to confirm that the keytab is updated as expected and that msktutil finds the keytab through /etc/krb5.conf.

First discard the administrator ticket obtained with kinit (kdestroy; a reboot also clears the /tmp credential cache but is not needed), so that msktutil cannot fall back on the cached administrator credentials, then run:

kdestroy
msktutil --auto-update --verbose

If the keytab is not found, try adding "-k /etc/squid3/PROXY.keytab" to the command to see whether that works, and troubleshoot until it is resolved, or users will not be able to authenticate to Squid.

Add the following to root's crontab so the computer account password in Active Directory is rotated automatically before it expires (msktutil --auto-update renews keys older than 30 days, which matches AD's default machine password age). I pipe it through logger so that any errors show up in syslog. As stated, msktutil takes the keytab location from /etc/krb5.conf, so bear that in mind if you decide to change that file.

The SHELL and PATH variables make sure cron finds the binaries; change them if you know what you're doing.

crontab -e
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h  dom mon dow   command
00 4  *   *   *     msktutil --auto-update --verbose | logger -t msktutil
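Rather than trusting msktutil --verbose alone, the keytab it wrote can be inspected with klist -kte and checked for the intended principal and key types, and the --enctypes bitmask can be decoded to confirm what was requested. This is an added example for this guide, not code from the page or from msktutil; it assumes the bit values of AD's msDS-SupportedEncryptionTypes attribute (1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256) and MIT klist's -kte output format, and embeds a constructed klist listing (not captured from a real keytab) for offline testing.

```shell
#!/bin/sh
# Checks on the msktutil result: decode the --enctypes bitmask and verify that
# the keytab really holds the HTTP/ service principal with the key types you
# intended, plus the KVNO, which must move when the account is reset/rotated.
# Added example for this guide, not code from the page or from msktutil;
# keytab path and principal are the guide's example values.

KEYTAB="/etc/squid3/PROXY.keytab"
SPN="HTTP/squidproxy.example.local@EXAMPLE.LOCAL"

# decode_enctypes N: print the names of the bits set in N, AD's
# msDS-SupportedEncryptionTypes bitmask as passed to msktutil --enctypes.
decode_enctypes() {
    n=$1; out=""
    [ $((n & 1))  -ne 0 ] && out="$out des-cbc-crc"
    [ $((n & 2))  -ne 0 ] && out="$out des-cbc-md5"
    [ $((n & 4))  -ne 0 ] && out="$out rc4-hmac"
    [ $((n & 8))  -ne 0 ] && out="$out aes128-cts-hmac-sha1-96"
    [ $((n & 16)) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    printf '%s\n' "${out# }"
}

# keytab_enctypes PRINCIPAL "<klist -kte output>": one enctype per line for
# every entry matching PRINCIPAL. klist -kte prints
# "KVNO date time principal (enctype)", so the principal is field 4.
keytab_enctypes() {
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p { gsub(/[()]/, "", $5); print $5 }'
}

# keytab_kvno PRINCIPAL "<klist -kte output>": highest key version present
# for PRINCIPAL, 0 if it is absent.
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p && $1 > max { max = $1 } END { print max + 0 }'
}

# keytab_has_aes PRINCIPAL "<klist -kte output>": succeed only if PRINCIPAL is
# present with at least one AES key. Only RC4/DES keys means --enctypes was
# not applied or the DC does not offer AES.
keytab_has_aes() {
    keytab_enctypes "$1" "$2" | grep -q '^aes'
}

# Constructed sample (not captured from a real keytab) in the shape klist -kte
# prints after msktutil ... --enctypes 28.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid3/PROXY.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/15/13 04:00:12 HTTP/squidproxy.example.local@EXAMPLE.LOCAL (arcfour-hmac)
   2 01/15/13 04:00:12 HTTP/squidproxy.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
   2 01/15/13 04:00:12 HTTP/squidproxy.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   2 01/15/13 04:00:12 host/squidproxy.example.local@EXAMPLE.LOCAL (arcfour-hmac)'

# check_live_keytab: inspect the real keytab; run as root or as user proxy.
check_live_keytab() {
    out=$(klist -kte "$KEYTAB") || { echo "FAIL: cannot read $KEYTAB"; return 1; }
    if keytab_has_aes "$SPN" "$out"; then
        echo "OK: $SPN kvno $(keytab_kvno "$SPN" "$out") with AES keys"
    else
        echo "FAIL: $SPN has no AES key in $KEYTAB (types: $(keytab_enctypes "$SPN" "$out" | tr '\n' ' '))"
        return 1
    fi
}

# The live check only runs when invoked as: sh keytab-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_live_keytab
fi
```

Run sh keytab-check.sh --run as root, or as user proxy to confirm the file permissions set above at the same time. After a "Reset Account" followed by msktutil --auto-update the reported KVNO should be higher than before; if it is unchanged, the keytab still holds the old key and Kerberos authentication to Squid will fail.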

Comments

By: anon

Great write-up, I could have done with this a month ago.

By: Anonymous

... you lost me at "Download some random program from the internet" (msktutil).

Anything downloaded and installed manually requires me to manually download and install security updates (best case), or patch and recompile, or even fix source code. And this, of course, requires me to monitor the msktutil website and possibly others for new versions and security advisories. Not worth it.

Interesting, but not usable in a production environment.

By:

If you're that concerned about using a package from the software maintainer then you don't have to. You can always use ktpass.exe on the Windows Server and place it on the proxy instead. However, you miss out on the convenience of updating your keytab automatically and will have to work out another method, such as simply disabling expiry of the proxy account's password in AD.

By: AndyRogers

Great guide, which we are using thanks.

One question though, does anyone who uses Windows 7 have problems with the pass through authentication working changing any local security settings?

I have followed the guide to the letter, and have it working excellently in Windows XP.

When we open up IE in Win7 we get prompted for username and password.

 

 

By:

Andy, this means that it's failing over to LDAP auth (I assume that if they put their username and password in, it works). Do you notice whether the login prompt appears twice and the second time it works? I did have a handful of Windows 7 machines on which I had to reset Internet Explorer (clearing the cache as well) and this fixed it; it must be some sort of hangover in IE that only a reset resolves. Does it work in FF or Chrome?

By: Marouane

Hello,

I have the same issue. I didn't try what you've already done on Internet Explorer.

I have this problem on Internet Explorer and Google Chrome, but it works perfectly on Firefox (I guess that Google Chrome gets all its parameters from Internet Explorer).

I wonder if there is any other solution to this problem, because since we have too many machines on the network it's going to be a hard work to do...

Thanks

By:

Computers/users that are part of the domain will not be prompted, as authentication occurs in the background. Non-domain users will be prompted to input a username, which needs to be a valid account in Active Directory (this is done via an LDAP query). We simply create a domain account called webaccess and add it to the Internet Users group for any visitors etc. that might pop into the office and need net access.

By: Anonymous

Where do users set their passwords? Is this a tutorial for users to connect to a domain?

By:

I was actually in the process of documenting this exact process myself. Almost every step, down to the detail of using msktutil, auto-configuration of the web browser and even the logging!

If I may, I would like to point out the following, because I have been researching this and have a few of these setups in production as well.

  1. When configuring Kerberos, do make use of DNS. DNS resolution does work, so in the event that a controller goes offline it will fail over to any other in the entire network and users will not be interrupted. Yes, I did notice that you had added two KDCs, but in a larger network that doesn't always prove reliable. Been there, done that...

  2. When configuring squid at auth_param basic program, be sure to use the -W option, NOT -w, and put the password in a file in the /etc/squid folder. This is done for security purposes because the command line is actually visible via ps x, and that includes the password!

  3. Some servers will need direct access to the internet, bypassing the proxy server. Adding an IP block with DIRECT access in the wpad.dat file will solve this issue for you and save you a lot of headaches in the future. For example, for the first 15 IP addresses:
    if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.240")) return "DIRECT";

  4. Adding a content filter to the mix will help improve overall network security and gives you an option to allow untrusted/irresponsible users to have access to the internet just to get their job done. Dansguardian is a good filter that requires very little maintenance after it is properly configured, gives you targeted levels of filter groups, and adds the ability to run a virus scanner over the content being downloaded. This has saved my bacon quite a few times.

 

Again Kudos Jelloir and keep up the good work!

By:

I have updated the guide to include some fixes and updates to the documentation.  It can be found at http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy

By: Anonymous

Your guide is much better than this one, but one question.

 When I add users to the 'Internet Users Standard' group, the user is able to surf.

But when I add a group (consisting of users) to the group 'Internet Users Standard', it doesn't work...

Any thoughts ?  Nested groups a problem ?

By: Anonymous

I post here because I can't find how to contribute to your updated guide on Bitbinary. This is about WPAD. You mention the DNS method (http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy#WPAD_DNS_entries). I suggest you can also publish the WPAD configuration file via DHCP, by defining and using option number 252. Example with the ISC DHCP server on Debian:

1 - Edit /etc/dhcp/dhcpd.conf
2 - Define option 252 with the following:
option my-wpad-server code 252 = text;
3 - Assign the value to the option 252 defined above:
option my-wpad-server "http://squidproxy.example.local/wpad.dat";

By: Andrey

Sometimes you need to change

"CN=COMPUTERS"  ->  "OU=COMPUTERS"

By: Marouane

Hello,

First of all, I would like to thank you for your tutorial, it's very instructive. I am still at the test stage and it was working perfectly, and without any modifications on the Debian server the clients' browsers keep asking for login and password, and these requests never end.

I'm using Debian Squeeze as the Squid server and Windows Server 2012 as domain controller; the clients run Windows XP, 7 and 8, but the only one I tested on is Windows 7.

 Thank you in advance for your help.

 

By: Marouane

Hello All,

I have been searching on the net for how to implement Squid and squidGuard with Active Directory, but I didn't really find anything that might help. My need is to keep the same reasoning (depending on AD groups).

I finished the configuration of squidGuard (installation, redirection, etc.), but unfortunately the rule I applied in the file squidGuard.conf didn't work at all; I think that the only rules applied are those of squid.conf.

I might be completely wrong, but I think there must be a way to implement both squid and squidGuard with Active Directory, so I would be so grateful if you could help me find a solution to my need.

Thank you very much guys, I know that I can count on you ;)

By: Mauro

Hi, excellent tutorial. This was a good guide for me.

Does this include SSO? Because every time you open the browser it asks for a password. Could you indicate whether something else needs to be done?

 

Cheers

By: hackenoslo

And Samba ?

By: hackensolo

Hi,

thanks for this work !!

I created a group named Webusers and I hope that when I put my user in this group the user can access the internet, and when I remove the user it cannot access the internet... Is this possible with this?

Sorry for my english

 

By: Noob

Your helper paths are all wrong, plus none of them work against windows servers

By: Stan Glomb

Thanks, this helped get me set up. Ran into issues with NTLM auth, but it was a privilege problem with the newer Ubuntus. For anyone out there reading and having issues, do this: chown root:winbindd_priv /var/lib/samba/winbindd_privileged/

By: Muhammad Asif

I am trying to follow this guide and implement it within my network.

This guide does not work well with Debian Jessie.

1) Most of the mentioned paths are not correct.

2) apt-get install krb5-user libkrb53 (libkrb53 does not exist).

3) When I try to restart squid:

Error:

FATAL: auth_param negotiate program /usr/lib/squid3/squid_kerb_auth: (2) No such file or…. faile

4) The squid_kerb_auth file is not present:

# ls /usr/lib/squid3/
basic_db_auth        basic_pam_auth     cert_tool                    ext_ldap_group_acl    helper-mux.pl                 ntlm_fake_auth        url_fake_rewrite.sh
basic_fake_auth      basic_pop3_auth    digest_file_auth             ext_session_acl       log_db_daemon                 ntlm_smb_lm_auth
basic_getpwnam_auth  basic_radius_auth  digest_ldap_auth             ext_sql_session_acl   log_file_daemon               pinger
basic_ldap_auth      basic_sasl_auth    diskd                        ext_time_quota_acl    negotiate_kerberos_auth       storeid_file_rewrite
basic_ncsa_auth      basic_smb_auth     ext_file_userip_acl          ext_unix_group_acl    negotiate_kerberos_auth_test  unlinkd
basic_nis_auth       basic_smb_auth.sh  ext_kerberos_ldap_group_acl  ext_wbinfo_group_acl  negotiate_wrapper_auth        url_fake_rewrite
# ls /usr/lib/squid3/s*
/usr/lib/squid3/storeid_file_rewrite

Can you please revise this article and update it again so that it works well with new versions as well.

 

 

By: Jeroen Ruijter

I believe something is missing in between:-s HTTP -k