odrakir.com

Recently I needed to integrate a Squid Proxy server in an Active Directory environment. The main objective was to grant / deny access to the Internet by user / group validation, using single sign on.

The solution might not be the most elegant, but it’s a working one. You’ll need to install the Kerberos, Samba, Squid and NTP packages.

In this solution will be allowing all users in the InternetOn AD group to have access automatically. Any users outside this group will be denied access. Computers outside the AD trying to use the proxy will be prompt for username and password. This is a simple way of keeping access restricted to certain groups without an unnecessary amount of fuss, whether you’re managing the office computers at http://www.partycasino.com/ or building a school network.

krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = YOURDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
YOURDOMAIN = {
kdc = yourpdc
admin_server = yourpdc
default_domain = YOURDOMAIN
kpasswd_server = yourpdc
}

[domain_realm]
.yourdomain = yourdomain

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

#####################################################

smb.conf

[global]
workgroup = YOURDOMAIN
server string = SQUIDPROXY (or any other name you want)
security = ADS
auth methods = winbind
encrypt passwords = yes
idmap uid = 70001-90000
winbind enum users = yes
winbind gid = 70001-90000
winbind enum groups = yes
client use spnego = yes
winbind separator = \\
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = yourpdcIP
realm = YOURDOMAIN
dns proxy = no

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /usr/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

#####################################################

squid.conf

http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
access_log /var/log/squid/access.log squid
emulate_httpd_log on

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl
acl interneton external ADS InternetOn

acl blocksites url_regex "/etc/squid/squid-block.acl"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 # https, snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # waisacl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl AuthorizedUsers proxy_auth REQUIRED

http_access deny blocksites
http_access allow interneton
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid

#####################################################

Start samba, winbind and squid by this order.

Synchronize your squid server with the AD

ntpdate yourprimarydomaincontroller

Initialise Kerberos

kinit administrator@YOURDOMAIN

Test Kerberos connection

klist

Join Squid Server to AD

net ads join -S yourpdc -U administrator

Validate Trust

wbinfo -t

Validate if the wbinfo_group.pl script is working

echo "youralloweduser InternetOn" | /usr/lib/squid/wbinfo_group.pl -d
(it returns OK or ERR if the user is in the InternetOn group or not)

You might have some problems with the winbindd_privileged directory. If that’s the case:

cd /var/cache/samba
chgrp squid winbindd_privileged
chmod 750 winbindd_privileged

The problem with this setup is that when you change the InternetOn members, Samba / Winbind aren’t aware of the change until the cache clears, so I made a small script you can run in cron or manually.

clearcache.sh

#!/bin/bash
/etc/init.d/smb stop
/etc/init.d/winbind stop
rm -f /var/cache/samba/*.tdb
/etc/init.d/smb start
/etc/init.d/winbind start
/etc/init.d/squid reload

Test this at your own risk. 🙂