SQUID Proxy Server Integration with Windows 2008 R2 Active Directory server for User Authentication on RHEL / CENTOS 6.x

Learn | Teach Open Source Technologies

SQUID Proxy Server Integration with Windows 2008 R2 Active Directory server for User Authentication on RHEL / CENTOS 6.x

Software used:

Windows Server 2008 SP2 32-bit
CentOS 6.5 (Final)  i386
samba 3.5.10-114
samba-winbind 3.5.10-114
krb5-server 1.9-22
krb5-workstation 1.9-22
ntp 4.2.4p8-2

Ok, let’s start.
After initial installation of CentOS 6.5 minimal we got pure Linux box with no additional packages. So we have to install some:

yum install samba samba-winbind krb5-server krb5-workstation ntp

e have to have samba with winbind plugin in order to “talk” with AD like Windows machines do. Winbind plugin allows querying AD structure like “is thit user member of that group?”. The Kerberos server and workstation packages are needed to establish secure, trusted connection with AD. The last package “ntp” is used for time sync between our squid server and DC (domain controller).
After successful installation let’s begin with configuration.

The main configuration file of samba is smb.conf, which is located by default in /etc/samba directory. I wrote it from scratch.

realm = TEST.LOCALDOMAIN
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
workgroup = TEST
password server = test-srv.test.localdomain

winbind separator = \ The first parameter “realm” defines Kerberos realm which will be used. “security=ADS” parameter tell us that samba will authenticate users with DC (domain controller) and that our machine will be member of AD domain. “idmap” parameter is a range which will be used for allocating UNIX IDs for AD users and groups. “workgroup” is a NETBIOS name of our AD domain. “password server” is a GLOBAL CATALOG in AD. “winbind separator” is a sign which divides username with domain name like DOMAIN\User.

Next file is /etc/ntp.conf. By default we got 3 server options there:
– 0.centos.pool.ntp.org
– 1.centos.pool.ntp.org
– 2.centos.pool.ntp.org
We have to change those 3 entries with only one: test-srv.test.localdomain. After that:
Code:ntpdate test-srv.test.localdomain

 

/etc/init.d/ntpd start Next step is to configure Kerberos service. File

vi   /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.LOCALDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
TEST.LOCALDOMAIN = {
kdc = test-srv.test.localdomain:88
admin_server = test-srv.test.localdomain:749 }
[domain_realm]
.test.localdomain = TEST.LOCALDOMAIN
test.localdomain = TEST.LOCALDOMAIN

 

“logging” section defines type of logging: syslog or file. “libdefaults” section is used when describing default Kerberos realm, if we want to set AD servers static or rely on DNS. “realms” section determine our Kerberos realm. “domain_realm” maps AD domains to Kerberos realms.

The file /var/kerberos/krb5kdc/kdc.conf:
Code:[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
TEST.LOCALDOMAIN= {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
} “

 

kdcdefaults” section sets ports where Kerberos is running. Here we got default TCP port 88. “realms” describes Kerberos realms for access control.

Now we have to initialize Kerberos and join our Linux box to Active Directory:

Code:kinit [email protected]
kdb5_util create -s
net ads join -U “[email protected]” -S test-srv.test.localdomain
/etc/init.d/smb start
/etc/init.d/winbind start
/etc/init.d/krb5kdc start

 

“kdb5_util create -s”command creates Kerberos database along with “stash” file (admin_keytab in kdc.conf). “Stash” file is responsible for allowing access to database for Kerberos daemons. “net ads join” joins Linux box to AD.

wbinfo -u
wbinfo -g

 

should give us info aout users and groups in Active Directory.

Lesson 2. Configure squid to use samba and winbind when authorizing access to web pages.

So it’s time to configure Squid to use our connection to AD.

First install Squid:

yum install squid

Next, edit /etc/squid/squid.conf file:

auth_param ntlm program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth –helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

visible_hostname squid.test.localhost

acl testproxy proxy_auth -i TEST\administrator
acl site_example_com dstdomain .example.com
http_access allow testproxy site_example_com

http_access deny all

http_port 3128

hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
All the auth_param directoves are important for squid to work with AD. external_acl_type defines nt_group, Active Directory group if we want to use AD groups in our ACLs.

Defining AD group ACL:

acl accounting external nt_group TEST\accounting

Definig AD user ACL:

acl administrator proxy_auth -i TEST\administrator

Then you can use these ACLs entries in defining accessess like:

http_access allow testproxy site_example_com

Last step is to set proper permissions:

chmod 750 /var/lib/samba/winbindd_privileged/
chown root:squid /var/lib/samba/winbindd_privilege

if you have any query please  email at: [email protected]