Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access
Contents
Introduction
To Configure
Configuration
  DNS
  NTP
  SQUID Install
  Kerberos Install and Configure
    Install
    Configure
    Test
  Samba Winbind
    Install
    Configure
    More Config with net ads command
  Set Permissions
  Cron Computer Account Password Update
  Basic Authentication Configuration
  Install negotiate_wrapper
  SQUID Configuration
    Authentication Config
    ICAP Config
  User Machines
    Chrome
    Firefox Browser
    Safari (Apple Devices)
  Checking the Squid Log
And Finally
References
Who            Date         Change         Version
Mark Dearlove  19 Jul 2012  Initial Draft  1.0
Introduction
The primary motivation for writing this document was to show how Squid can be set up to pass Active
Directory (AD) user names to SurfProtect so that customers can have more granular control over web activity
in their network. The whole process of getting AD information to SurfProtect expects the customer to use our
SurfProtect ICAP service. This needs to be configured within an ICAP-capable client such as the NETASQ U70
appliance or, in this scenario, the Squid proxy. More information about the U70 UTM can be found here: http://www.netasq.com/en/firewall-services/u30-u70.php
One disadvantage that should be noted is that Squid can only pass AD usernames and NOT the AD user groups
associated with the person requesting the web page. User groups would be a more natural level at which to apply a
SurfProtect profile. Although this is not a major problem, you may find that you have to decide on the best
approach to authenticating users: one login that a whole group of users shares, or individual usernames for all
users? SurfProtect can apply a blanket profile to users whose names are not recognised or listed against a
particular profile. Then all that is left to deal with are the exceptions to the standard profile rule, where you
would add specific usernames to a profile for their personal requirements.
Please note that my experience of setting this up was taken from several documents on the internet, in which I
found that some of the steps listed worked and others didn't, so what you have here are the parts that did work.
There are links to the websites I used at the end of the document.
To Configure
For this magic to work we will need to configure:
DNS
NTP
Kerberos
Squid 3.1.19
Samba Winbind
OPTIONAL (SurfProtect ICAP Service details in Squid)
User computer proxy settings
Squid Server
Before we start installing the various packages onto our server, a note on the base system: I used Ubuntu 12.04 LTS (Precise Pangolin),
which can be obtained from http://gb.releases.ubuntu.com/12.04/
Configuration
DNS
On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a
corresponding PTR (reverse DNS) entry is also created and works.
Check that the proxy is using the Windows DNS Server for name resolution:
1. vi /etc/resolvconf/resolv.conf.d/head and add:
domain your.ad.domain.name.here
2. vi /etc/resolvconf/resolv.conf.d/base and add:
search your.ad.domain.name.here
nameserver IP for your DNS server
3. resolvconf -u
4. cat /etc/resolv.conf to ensure that the items have been added.
Ping an internal and external hostname to ensure DNS is operating.
ping wdc.your.ad.domain -c 4 && ping google.com -c 4
Check you can reverse lookup the Windows Server and the local proxy ip from the Windows DNS.
dig -x IP OF YOUR SQUID SERVER
dig -x IP OF YOUR WINDOWS PRIMARY DOMAIN CONTROLLER
The ANSWER SECTION should contain the DNS name of your Squid server and of wdc.your.ad.domain respectively.
Important: If either
NTP
Time needs to be synchronised with the Windows Domain Controllers for Kerberos authentication to work, so configure the proxy to
obtain time from them and test that it is working as expected.
vi /etc/ntp.conf.d/head and add:
server IP TO YOUR WDC iburst
server ntp1.your.ad.domain iburst
The iburst option allows faster time sync (i.e. 10-15 seconds instead of 5-9 minutes), which in our case
comes in handy. After saving the file, issue the following commands to enable and start the service:
chkconfig ntp on
service ntp start
Check the status of the time sync with the following commands:
ntptrace
ntpdc (then use listpeers, monlist, sysinfo, ctlstats)
SQUID Install
We will only install squid3 at this point and configure it later. Install with:
apt-get install squid3 ldap-utils
[domain_realm]
.your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS
your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS
Test
Using the command below you can test if the link to the domain controller is working:
kinit some_domain_user
Replace some_domain_user with a valid login name from your AD domain.
When prompted, enter the Windows password for the chosen account. If all is well, no response will be
shown.
Example error when the password is wrong:
kinit: Preauthentication failed while getting initial credentials
To confirm that the authentication has worked type:
klist
The result of this command, if all is well, will look something like:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: some_account_name@YOUR.AD.DOMAIN.HERE

Valid starting       Expires              Service principal
19/07/12 16:03:57    20/07/12 02:04:05    krbtgt/YOUR.AD.DOMAIN.HERE@YOUR.AD.DOMAIN.HERE
        renew until 20/07/12 16:03:57
Samba Winbind
Install
apt-get install samba winbind samba-common-bin
Configure
Stop both services with:
service smbd stop
service winbind stop
Edit the Samba Config file:
vi /etc/samba/smb.conf
Alter the sections in the file to include:
workgroup = SHORT AD DOMAIN NAME
security = ads
realm = YOUR.AD.DOMAIN.HERE.IN.CAPITALS
password server = DOMAIN CONTROLLER IP
netbios name = SQUIDPROXY-K
winbind enum groups = yes
Check authentication against the domain (user%password):
wbinfo -a winbind%password
Check the AD domain:
wbinfo -D domain
Check trust secrets via RPC:
wbinfo -t
Check user information translation:
wbinfo -i some_ad_username
List AD users:
wbinfo -u
List AD groups:
wbinfo -g
Please note that one set of instructions on the internet used a program called msktutil, which was a
pain from the outset: there was no package to install, and when a package was found for this version of the
distribution the command always failed to talk to the Active Directory server. I think the net ads
commands achieved the same result.
Set Permissions
Set Permissions so the proxy user account can read /var/run/samba/winbindd_privileged.
gpasswd -a proxy winbindd_priv
Create a password file used by squid for LDAP access and secure the file permissions (substitute the word
"YOURCHOSENACCOUNTPASSWORD" below with the password you set when creating the account in Active
Directory above; the quotes must enclose only the password, with no surrounding spaces).
echo 'YOURCHOSENACCOUNTPASSWORD' > /etc/squid3/ldappass.txt
Install negotiate_wrapper
Install the necessary build tools on a Debian/Ubuntu install:
apt-get install build-essential linux-headers-$(uname -r)
Then compile and install using:
cd /usr/local/src/
wget "http://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wrapper1.0.1/negotiate_wrapper-1.0.1.tar.gz"
tar -xvzf negotiate_wrapper-1.0.1.tar.gz
cd negotiate_wrapper-1.0.1/
./configure
make
make install
SQUID Configuration
All that remains is to configure squid to use the authentication mechanism, apply the appropriate ACLs to control access to the web and (optionally) configure the ICAP integration.
Authentication Config
vi /etc/squid.conf
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp -domain=YOUR_SHORT_AD_DOMAIN_NAME --kerberos /usr/lib/sq$
auth_param negotiate children 10
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=YOUR_SHORT_AD_DOMAIN_NAME
auth_param ntlm children 10
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=YOUR,dc=FULL,dc=AD,dc=DOMAIN,dc=COMPONENTS" -D squid@YOUR_AD_DOMAIN_HERE -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h $
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
### enforce authentication
http_access deny !auth
http_access allow auth
http_access deny all
ICAP Config
icap_service service_req reqmod_precache bypass=0 routing=0 icap://icap.exa-networks.co.uk:1344/surfprotect/request/client,default
adaptation_access service_req allow all
adapted_http_access allow all
icap_client_username_header x-authenticated-user
icap_client_username_encode on
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_service_failure_limit -1
icap_service_revival_delay 30
icap_persistent_connections off
Now restart squid using:
service squid3 restart
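As an added illustration (not part of this document or of Squid's own code), the Python below reconstructs the ICAP REQMOD header block that the settings above make Squid send to the SurfProtect service, with the AD user base64-encoded in X-Authenticated-User and the client address in X-Client-IP, and shows how the service side recovers the name. The service URI is the one configured above; the user, client IP and site are made up.

```python
import base64

# Service URI from the icap_service line above; user, IP and site are made up.
ICAP_URI = "icap://icap.exa-networks.co.uk:1344/surfprotect/request/client"
HTTP_REQ = "GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

def build_reqmod(username, client_ip, http_request, encode=True):
    """Reconstruct the ICAP REQMOD message Squid sends for one client request.
    With the settings above the user travels in X-Authenticated-User (base64
    when icap_client_username_encode is on) and the address in X-Client-IP."""
    user_value = base64.b64encode(username.encode()).decode() if encode else username
    icap_headers = [
        f"REQMOD {ICAP_URI} ICAP/1.0",
        "Host: icap.exa-networks.co.uk",
        f"X-Client-IP: {client_ip}",
        f"X-Authenticated-User: {user_value}",
        # Only the HTTP request headers are encapsulated; there is no body.
        f"Encapsulated: req-hdr=0, null-body={len(http_request.encode())}",
    ]
    return "\r\n".join(icap_headers) + "\r\n\r\n" + http_request

def extract_username(reqmod, encoded=True):
    """What the ICAP service sees: the authenticated user, or None if absent.
    Raises ValueError if the value is not base64 although encoding is expected,
    i.e. proxy and service disagree on icap_client_username_encode."""
    head = reqmod.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-authenticated-user":
            if not encoded:
                return value.strip()
            try:
                return base64.b64decode(value.strip(), validate=True).decode()
            except (ValueError, UnicodeDecodeError) as exc:
                raise ValueError("X-Authenticated-User is not base64: "
                                 "check icap_client_username_encode") from exc
    return None

def bare_username(user):
    """Strip a Kerberos realm (user@REALM) or NTLM domain (DOMAIN\\user), the
    forms typically produced by the Kerberos and NTLM helpers, for profile matching."""
    if "\\" in user:
        user = user.split("\\", 1)[1]
    return user.split("@", 1)[0]
```

Comparing the decoded value with the usernames listed against a SurfProtect profile is the quickest way to see whether the realm or domain prefix needs stripping on the profile side.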
User Machines
The Internet Options (Windows PCs) on the user machines will need to reflect the IP address or DNS name of your squid
server and the service port.
Also note that Internet Explorer requires this additional option: Enable Integrated Windows Authentication.
Chrome
Chrome uses the system selected proxy so no changes needed.
Firefox Browser
Notice also that I have added my Active Directory credentials so I won't be prompted later.
When using iPad or iPhone devices similar configuration will be needed to tell the device which proxy to use.
And Finally
When using NTLM authentication it is normal to see two TCP_DENIED/407 entries in quick succession. This is due to
the nature of the challenge/response mechanism of NTLM authentication.
If no username appears in the squid access log, or password dialogue boxes appear, then check
the squid.conf file to ensure that the ACLs are set up properly. Also ensure that winbind is functioning, as
described above. If changes are made to the squid.conf file then squid needs to be restarted in order for those
modifications to take effect.
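To check the access log for the symptoms just described, here is an added Python example (not from the original document) that reads Squid's native-format access.log lines and gives a per-client verdict: a 407 pair followed by a served request is treated as the normal handshake, a client that only ever receives 407s is flagged, and a request served with username "-" is flagged as the ACLs not enforcing authentication. The log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed access.log lines in Squid's default native format
# (time elapsed client action/code size method url user hierarchy/peer type).
SAMPLE_LOG = """\
1342710237.123      0 10.0.0.25 TCP_DENIED/407 3567 GET http://www.example.com/ - NONE/- text/html
1342710237.130      0 10.0.0.25 TCP_DENIED/407 3685 GET http://www.example.com/ - NONE/- text/html
1342710237.250    120 10.0.0.25 TCP_MISS/200 5120 GET http://www.example.com/ jbloggs@YOUR.AD.DOMAIN.HERE DIRECT/192.0.2.10 text/html
1342710301.010      0 10.0.0.40 TCP_DENIED/407 3567 GET http://www.example.com/ - NONE/- text/html
1342710301.020      0 10.0.0.40 TCP_DENIED/407 3685 GET http://www.example.com/ - NONE/- text/html
1342710355.500     80 10.0.0.60 TCP_MISS/200 4096 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)
OK = "ok"
NO_AUTH = "served without a username: check the proxy_auth ACL and http_access rules"
ONLY_407 = "only 407 challenges, nothing served: check winbind/helpers and browser proxy auth"

def parse_line(line):
    """Split one native-format line into fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_auth(lines):
    """Per-client verdict: a 407 or two before a served request is the normal
    NTLM/Negotiate handshake; 407s with nothing ever served means the client
    never authenticates; a served request with user '-' means no auth enforced."""
    stats = defaultdict(lambda: {"challenges": 0, "served": 0, "anonymous": 0})
    for rec in filter(None, map(parse_line, lines)):  # skip non-matching lines
        s = stats[rec["client"]]
        if rec["code"] == "407":
            s["challenges"] += 1
        else:
            s["served"] += 1
            s["anonymous"] += rec["user"] == "-"   # bool counts as 0/1
    verdicts = {}
    for client, s in stats.items():
        if s["anonymous"]:
            verdicts[client] = NO_AUTH
        elif s["served"] == 0 and s["challenges"]:
            verdicts[client] = ONLY_407
        else:
            verdicts[client] = OK
    return verdicts
```

Run it over the real file with audit_auth(open("/var/log/squid3/access.log")) to see which clients need attention.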
If everything is working as planned then ensure that Squid and SAMBA start automatically upon reboot by
issuing the following:
update-rc.d squid3 defaults
update-rc.d smbd defaults
References:
I referred to several web pages to try to untangle how to achieve my aim; some helped, some confused me
more, but I will mention them here as you may get something extra out of them for your scenario.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
http://techmiso.com/1934/howto-install-squid-web-proxy-server-with-active-directory-authentication/
http://www.sghaida.com/squid3-ntlm-antivirus/