
Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

Contents
Introduction
To Configure
    Squid Server
    Windows Domain Controller
Configuration
    DNS
    NTP
    SQUID Install
    Kerberos Install and Configure
        Install
        Configure
        Test
    Samba Winbind
        Install
        Configure
        More Config with net ads command
    Set Permissions
    Cron Computer Account Password Update
    Basic Authentication Configuration
    Install negotiate_wrapper
    SQUID Configuration
        Authentication Config
        ICAP Config
    User Machines
        Chrome
        Firefox Browser
        Safari (Apple Devices)
    Checking the Squid Log
    And Finally
    References


Who             Date         Change         Version
Mark Dearlove   19 Jul 2012  Initial Draft  1.0


Introduction
The primary motivation for writing this document was to show how Squid can be set up to pass Active
Directory (AD) user names to SurfProtect so that customers can have more granular control over web activity
in their network. The whole process of getting AD information to SurfProtect expects the customer to use our
SurfProtect ICAP service. This needs to be configured within an ICAP-capable client such as the NETASQ U70
appliance or, in this scenario, the Squid proxy. More information about the U70 UTM can be found at http://www.netasq.com/en/firewall-services/u30-u70.php
One disadvantage that should be noted is that Squid can only pass AD usernames and NOT the AD user groups
associated with the person requesting the web page. User groups would be a more natural level at which to apply a
SurfProtect profile. Although this is not a major problem, you will have to decide on the best approach to
authenticating users: one shared login that a group of users can use, or individual usernames for all
users? SurfProtect can apply a blanket profile to users whose names are not recognised or listed against a
particular profile. Then all that is left to deal with are the exceptions to the standard profile rule, where you
would add specific usernames to a profile for their personal requirements.
Please note that my experience of setting this up was taken from several documents on the internet, in which I
found that some of the steps listed worked and others didn't, so what you have here is the parts that did work.
There are links to the websites I used at the end of the document.

The information provided here is as-is with no support or guarantee of suitability.


To Configure
For this magic to work we will need to configure:
DNS
NTP
Kerberos
Squid 3.1.19
Samba Winbind
OPTIONAL (SurfProtect ICAP Service details in Squid)
User computer proxy settings

Squid Server
Before we start installing various packages onto our server, note that I used Ubuntu 12.04 LTS (Precise Pangolin),
which can be obtained from http://gb.releases.ubuntu.com/12.04/

Windows Domain Controller
Our installation has Windows 2008 R2 Standard Edition.

Configuration
DNS
On the Windows DNS server add a new A record for the proxy server's hostname and ensure that a
corresponding PTR (reverse DNS) entry is also created and works.
Check that the proxy is using the Windows DNS server for name resolution:
1. vi /etc/resolvconf/resolv.conf.d/head and add:
domain your.ad.domain.name.here
2. vi /etc/resolvconf/resolv.conf.d/base and add:
search your.ad.domain.name.here
nameserver IP_OF_YOUR_DNS_SERVER
3. resolvconf -u
4. cat /etc/resolv.conf to ensure that the items have been added.
Ping an internal and an external hostname to ensure DNS is operating:
ping wdc.your.ad.domain -c 4 && ping google.com -c 4
Check that you can reverse-lookup the Windows server and the local proxy IP from the Windows DNS:
dig -x IP_OF_YOUR_SQUID_SERVER
dig -x IP_OF_YOUR_WINDOWS_PRIMARY_DOMAIN_CONTROLLER
The ANSWER SECTION should contain the DNS name of your Squid server and of wdc.your.ad.domain respectively.
Important: If either lookup fails do not proceed until it is fixed, or authentication may fail.
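The forward/reverse consistency check above, as an added shell example that is not part of the original document: each hostname must resolve to the expected address and that address must reverse back to the same name, otherwise the script reports the mismatch and exits non-zero (the "do not proceed" condition). The hostnames and 192.0.2.x addresses in the usage line are placeholders.

```shell
#!/bin/sh
# Forward and reverse DNS consistency check for the Squid server and the
# domain controller. Added example, not part of the original document.
# Requires dig (dnsutils on Ubuntu).

# normalise NAME -> strip trailing dot and lowercase, so that
# "SQUIDPROXY-K.your.ad.domain." compares equal to "squidproxy-k.your.ad.domain"
normalise() {
  printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# lookup_a NAME -> first A record for NAME (empty if none)
lookup_a() {
  dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# lookup_ptr IP -> first PTR record for IP, normalised (empty if none)
lookup_ptr() {
  normalise "$(dig +short -x "$1" 2>/dev/null | head -n 1)"
}

# check_pair NAME IP
# Returns 0 only when NAME -> IP and IP -> NAME both hold; otherwise prints
# the mismatch on stderr and returns 1.
check_pair() {
  name=$(normalise "$1")
  ip=$2
  fwd=$(lookup_a "$name")
  rev=$(lookup_ptr "$ip")
  if [ "$fwd" != "$ip" ]; then
    echo "FAIL: $name resolves to '${fwd:-<nothing>}', expected $ip" >&2
    return 1
  fi
  if [ "$rev" != "$name" ]; then
    echo "FAIL: $ip reverses to '${rev:-<nothing>}', expected $name" >&2
    return 1
  fi
  echo "OK: $name <-> $ip"
  return 0
}

# Usage (placeholder names and addresses):
#   sh dnscheck.sh squidproxy-k.your.ad.domain 192.0.2.10 wdc.your.ad.domain 192.0.2.20
# Every NAME IP pair is checked; the script exits 1 at the first mismatch.
while [ "$#" -ge 2 ]; do
  check_pair "$1" "$2" || exit 1
  shift 2
done
```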


NTP
Time needs to be synchronised with the Windows Domain Controllers for authentication to work. Configure the proxy to
obtain time from them and test to ensure it is working as expected.
vi /etc/ntp.conf.d/head and add:
server IP_OF_YOUR_WDC iburst
server ntp1.your.ad.domain iburst

The iburst option allows faster time sync (i.e. 10-15 seconds instead of 5-9 minutes); in our case this difference
comes in handy. After saving the file, issue the following commands to enable the service on boot and start it:
chkconfig ntp on
service ntp start
Check the status of the time sync with the following commands:
ntptrace
ntpdc (then listpeers, monlist, sysinfo or ctlstats at the ntpdc prompt)

SQUID Install
We will only install squid3 at this point and configure it later. Install with:
apt-get install squid3 ldap-utils

Kerberos Install and Configure
Install
apt-get install krb5-user libkrb53 libsasl2-modules-gssapi-mit libsasl2-modules
Configure
vi /etc/krb5.conf
Add/update the file so that the lines below are present:
[libdefaults]
default_realm = YOUR.AD.DOMAIN.IN.CAPITALS
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24h
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
YOUR.AD.DOMAIN.IN.CAPITALS = {
kdc = dc1.your.ad.domain.here
admin_server = dc1.your.ad.domain.here
default_domain = your.ad.domain.here
}


[domain_realm]
.your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS
your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS
Test
Using the command below you can test if the link to the domain controller is working:
kinit some_domain_user
Replace some_domain_user with a valid login name from your AD domain. When prompted, enter the Windows
password for the chosen account. If all is well no response will be shown.
Example error when the password is wrong: kinit: Preauthentication failed while getting initial credentials
To confirm that the authentication has worked, type:
klist
If all is well the result of this command will look something like:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: some_account_name@YOUR.AD.DOMAIN.HERE

Valid starting     Expires            Service principal
19/07/12 16:03:57  20/07/12 02:04:05  krbtgt/YOUR.AD.DOMAIN.HERE@YOUR.AD.DOMAIN.HERE
        renew until 20/07/12 16:03:57

Samba Winbind
Install
apt-get install samba winbind samba-common-bin
Configure
Stop both services with:
service smbd stop
service winbind stop
Edit the Samba config file:
vi /etc/samba/smb.conf
Alter the sections in the file to include:
workgroup = SHORT_AD_DOMAIN_NAME
security = ads
realm = YOUR.AD.DOMAIN.HERE.IN.CAPITALS
password server = DOMAIN_CONTROLLER_IP
netbios name = SQUIDPROXY-K
winbind enum groups = yes


winbind enum users = yes
winbind use default domain = yes
Note that in the example above we have called the Squid proxy server SQUIDPROXY-K; this is the short name used in
Active Directory.
More Config with net ads command
The net ads command allows us to interact with Active Directory. We will now use it to join our machine to the domain.
Issue the following commands to join Active Directory and to validate the join:
net ads join -U Administrator
net rpc join -U Administrator
If you look on your domain controller you should now have a computer account in the Active Directory Users
and Computers admin screen.

Test the Active Directory join:
net ads testjoin -U Administrator
Validate the Kerberos server keytab:
net ads keytab list -U Administrator
Check trusted domains:
net rpc trustdom list -U Administrator
List Active Directory users:
net ads user -U Administrator
List Active Directory groups:
net ads group -U Administrator
Enable winbind on boot and start it:
chkconfig winbind on
service winbind start
Check authentication (the argument is username%password):


wbinfo -a winbind%password
Check AD domain:
wbinfo -D domain
Check trust secrets via RPC:
wbinfo -t
Check user information translation:
wbinfo -i some_ad_username
List AD users:
wbinfo -u
List AD groups:
wbinfo -g
Please note that one set of instructions on the internet used a program called msktutil, which was a pain
from the outset: there was no package to install, AND when a package was found for this version of the
distribution the command always failed to talk to the Active Directory server. I think the net ads
commands achieved the same result.

Set Permissions
Set Permissions so the proxy user account can read /var/run/samba/winbindd_privileged.
gpasswd -a proxy winbindd_priv

Cron Computer Account Password Update
Add a cron job to the /etc/cron.d folder called squidpassword which contains the line below (files in
/etc/cron.d carry a user field after the schedule, here root):
05 4 * * * root net ads changetrustpw -d 1 | logger -t changetrustpw

Basic Authentication Configuration
In order to use basic authentication by way of LDAP we need to create an account with which to access Active
Directory.
In Active Directory create a user called "Squid Proxy" with the logon name squid@your.ad.domain.here.
Ensure the following is true when creating the account:
User must change password at next logon: unticked
User cannot change password: ticked
Password never expires: ticked
Account is disabled: unticked
Create a password file used by Squid for LDAP access and secure the file permissions (substitute
YOURCHOSENACCOUNTPASSWORD below with the password you set when creating the account in Active Directory
above; do not leave spaces inside the quotes, as they would become part of the password):
echo 'YOURCHOSENACCOUNTPASSWORD' > /etc/squid3/ldappass.txt


chmod o-r /etc/squid3/ldappass.txt
chgrp proxy /etc/squid3/ldappass.txt

Install negotiate_wrapper
First install the necessary build tools (on a Debian-based install):
apt-get install build-essential linux-headers-$(uname -r)
Then compile and install using:
cd /usr/local/src/
wget "http://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wrapper1.0.1/negotiate_wrapper-1.0.1.tar.gz"
tar -xvzf negotiate_wrapper-1.0.1.tar.gz
cd negotiate_wrapper-1.0.1/
./configure
make
make install


SQUID Configuration
All that remains is to configure Squid to use the authentication mechanism, apply the appropriate ACLs to control access to the web and (optionally) configure the ICAP integration.
Authentication Config
vi /etc/squid3/squid.conf
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=YOUR_SHORT_AD_DOMAIN_NAME --kerberos /usr/lib/sq$
auth_param negotiate children 10
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=YOUR_SHORT_AD_DOMAIN_NAME
auth_param ntlm children 10
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=YOUR,dc=FULL,dc=AD,dc=DOMAIN,dc=COMPONENTS" -D squid@YOUR_AD_DOMAIN_HERE -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h $
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
### enforce authentication
http_access deny !auth
http_access allow auth
http_access deny all

ICAP Config
icap_service service_req reqmod_precache bypass=0 routing=0 icap://icap.exa-networks.co.uk:1344/surfprotect/request/client,default
adaptation_access service_req allow all
adapted_http_access allow all
icap_client_username_header x-authenticated-user
icap_client_username_encode on
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_persistent_connections off
Now restart squid using:
service squid3 restart


User Machines
The Internet Options (Windows PCs) on the user machines will need to reflect the IP address or DNS name of your
Squid server and the service port.

Also note that Internet Explorer requires the additional option "Enable Integrated Windows Authentication" to be ticked.

Chrome
Chrome uses the system selected proxy so no changes needed.


Firefox Browser

Safari (Apple Devices)
This browser uses the system-defined Web Proxy settings for the current connection you are using on the Mac.
Notice also that I have added my Active Directory credentials so I won't be prompted later.
When using iPad or iPhone devices a similar configuration will be needed to tell the device which proxy to use.


Checking the Squid Log
You can take a look in /var/squid3/access.log (or a similarly named file) to check that the authenticated user is
mentioned in the request lines. For example:
1342694083.704 349 192.0.2.131 TCP_MISS/200 338 GET http://ec.atdmt.com/images/pixel.gif mark_dearlove DIRECT/213.199.149.244 image/gif

And Finally
When using NTLM authentication it is normal to see two simultaneous TCP_DENIED/407 errors. This is due to
the nature of the challenge/response mechanism of NTLM authentication.
If no username appears in the Squid access log, or password dialogue boxes appear, then check
the squid.conf file to ensure that the ACLs are set up properly. Also ensure that winbind is functioning, as
described above. If changes are made to the squid.conf file then Squid needs to be restarted in order for those
modifications to take effect.
If everything is working as planned then ensure that Squid and Samba start automatically upon reboot by
issuing the following:
update-rc.d squid3 defaults
update-rc.d smbd defaults
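The log check from the "Checking the Squid Log" section and the 407 note above, as an added shell example that is not part of the original document: it reads the native access.log format (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy, type) and reports how many requests reached the web with no username, which is the symptom to look for when the ACLs are wrong. The sample log is constructed for the example; the counting functions work on a real /var/log/squid3/access.log as well.

```shell
#!/bin/sh
# Audit a Squid native-format access.log for authentication coverage.
# Added example, not from the original document. Field 4 is code/status,
# field 8 is the authenticated user ("-" when none).

# count_requests LOG -> number of request lines
count_requests() { awk 'NF >= 10 { n++ } END { print n+0 }' "$1"; }

# count_407 LOG -> number of TCP_DENIED/407 challenge lines
count_407() { awk 'NF >= 10 && $4 == "TCP_DENIED/407" { n++ } END { print n+0 }' "$1"; }

# count_unauthenticated LOG -> requests served with no username.
# A 407 with user "-" is the normal NTLM challenge, so those are excluded;
# anything else with "-" means the request bypassed authentication.
count_unauthenticated() {
  awk 'NF >= 10 { split($4, c, "/"); if ($8 == "-" && c[2] != 407) n++ }
       END { print n+0 }' "$1"
}

# authenticated_users LOG -> distinct usernames seen, one per line, sorted
authenticated_users() {
  awk 'NF >= 10 && $8 != "-" { print $8 }' "$1" | sort -u
}

# Constructed sample log (not real traffic): an NTLM handshake (two 407s),
# two authenticated requests and one request that got through with no user.
SAMPLE_LOG="${TMPDIR:-/tmp}/squid_access_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
1342694083.101 0 192.0.2.131 TCP_DENIED/407 3512 GET http://ec.atdmt.com/images/pixel.gif - NONE/- text/html
1342694083.203 0 192.0.2.131 TCP_DENIED/407 3512 GET http://ec.atdmt.com/images/pixel.gif - NONE/- text/html
1342694083.704 349 192.0.2.131 TCP_MISS/200 338 GET http://ec.atdmt.com/images/pixel.gif mark_dearlove DIRECT/213.199.149.244 image/gif
1342694090.112 120 192.0.2.132 TCP_MISS/200 9120 GET http://www.example.com/ jane_doe DIRECT/192.0.2.200 text/html
1342694095.550 80 192.0.2.133 TCP_MISS/200 512 GET http://www.example.com/favicon.ico - DIRECT/192.0.2.200 image/x-icon
EOF

echo "requests:       $(count_requests "$SAMPLE_LOG")"
echo "407 challenges: $(count_407 "$SAMPLE_LOG")"
echo "no username:    $(count_unauthenticated "$SAMPLE_LOG")"
echo "users seen:     $(authenticated_users "$SAMPLE_LOG" | tr '\n' ' ')"
```

Point the functions at the real log (for example `count_unauthenticated /var/log/squid3/access.log`) to check a live proxy; a non-zero "no username" count means some http_access rule lets traffic through before the auth ACL.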

References:
I referred to several web pages to try to untangle how to achieve my aim; some helped, some confused me
more, but I will mention them here as you may get something extra out of them for your scenario.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
http://techmiso.com/1934/howto-install-squid-web-proxy-server-with-active-directory-authentication/
http://www.sghaida.com/squid3-ntlm-antivirus/
