Integrating Squid with Active Directory
Recently I needed to integrate a Squid Proxy server in an Active Directory environment. The main objective was to grant / deny access to the Internet by user / group validation, using single sign on.
The solution might not be the most elegant, but it’s a working one. You’ll need to install the Kerberos, Samba, Squid and NTP packages.
In this solution will be allowing all users in the InternetOn AD group to have access automatically. Any users outside this group will be denied access. Computers outside the AD trying to use the proxy will be prompt for username and password. This is a simple way of keeping access restricted to certain groups without an unnecessary amount of fuss, whether you’re managing the office computers at http://www.partycasino.com/ or building a school network.
krb5.conf
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log
[libdefaults] default_realm = YOURDOMAIN dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes
[realms] YOURDOMAIN = { kdc = yourpdc admin_server = yourpdc default_domain = YOURDOMAIN kpasswd_server = yourpdc }
[domain_realm] .yourdomain = yourdomain
[kdc] profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
#####################################################
smb.conf
[global] workgroup = YOURDOMAIN server string = SQUIDPROXY (or any other name you want) security = ADS auth methods = winbind encrypt passwords = yes idmap uid = 70001-90000 winbind enum users = yes winbind gid = 70001-90000 winbind enum groups = yes client use spnego = yes winbind separator = \\ load printers = yes cups options = raw log file = /var/log/samba/%m.log max log size = 50 password server = yourpdcIP realm = YOURDOMAIN dns proxy = no
[homes] comment = Home Directories browseable = no writable = yes [printers] comment = All Printers path = /usr/spool/samba browseable = no guest ok = no writable = no printable = yes
#####################################################
squid.conf
http_port 8080 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY hosts_file /etc/hosts refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 access_log /var/log/squid/access.log squid emulate_httpd_log on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5 auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours
external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl acl interneton external ADS InternetOn acl blocksites url_regex "/etc/squid/squid-block.acl" acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 # https, snews acl SSL_ports port 873 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # waisacl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
http_access deny blocksites http_access allow interneton http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all http_reply_access allow all icp_access allow all coredump_dir /var/spool/squid
#####################################################
Start samba, winbind and squid by this order.
Synchronize your squid server with the AD
ntpdate yourprimarydomaincontroller
Initialise Kerberos
kinit administrator@YOURDOMAIN
Test Kerberos connection
klist
Join Squid Server to AD
net ads join -S yourpdc -U administrator
Validate Trust
wbinfo -t
Validate if the wbinfo_group.pl script is working
echo "youralloweduser InternetOn" | /usr/lib/squid/wbinfo_group.pl -d (it returns OK or ERR if the user is in the InternetOn group or not)
You might have some problems with the winbindd_privileged directory. If that’s the case:
cd /var/cache/samba chgrp squid winbindd_privileged chmod 750 winbindd_privileged
The problem with this setup is that when you change the InternetOn members, Samba / Winbind aren’t aware of the change until the cache clears, so I made a small script you can run in cron or manually.
clearcache.sh
#!/bin/bash /etc/init.d/smb stop /etc/init.d/winbind stop rm -f /var/cache/samba/*.tdb /etc/init.d/smb start /etc/init.d/winbind start /etc/init.d/squid reload
Test this at your own risk. 🙂
Aren’t there a couple of files missing there? Such as /var/kerberos/krb5kdc/kdc.conf ? 🙂
Perhaphs… let me check the production server tomorrow and I’ll get back to you on this 😉
Hi, thanks for the great tutorial but it’s missing something on the wbinfo_group.pl test
echo “youralloweduser InternetOn” | /usr/lib/squidwbinfo_group.pl -d
the right command it ‘s
echo “YOURDOMAIN+youralloweduser YOURDOMAIN+yourallowedgroup” | /usr/lib/squid/wbinfo_group.pl -d
Best regards