{"id":926,"date":"2009-11-19T16:01:31","date_gmt":"2009-11-19T15:01:31","guid":{"rendered":"http:\/\/www.odrakir.com\/blog\/?p=926"},"modified":"2011-08-05T19:07:20","modified_gmt":"2011-08-05T18:07:20","slug":"integrating-squid-with-active-directory","status":"publish","type":"post","link":"https:\/\/www.odrakir.com\/blog\/2009\/11\/19\/integrating-squid-with-active-directory\/","title":{"rendered":"Integrating Squid with Active Directory"},"content":{"rendered":"<p>Recently I needed to integrate a Squid Proxy server in an Active Directory environment. The main objective was to grant \/ deny access to the Internet by user \/ group validation, using single sign on.<\/p>\n<p>The solution might not be the most elegant, but it&#8217;s a working one. You&#8217;ll need to install the Kerberos, Samba, Squid and NTP packages.<\/p>\n<p>In this solution we will be allowing all users in the <strong>InternetOn<\/strong> AD group to have access automatically. Any users outside this group will be denied access. Computers outside the AD trying to use the proxy will be prompted for a username and password. This is a simple way of keeping access restricted to certain groups without an unnecessary amount of fuss, whether you&#8217;re managing the office computers at <a href=\"http:\/\/www.partycasino.com\/\">http:\/\/www.partycasino.com\/<\/a> or building a school network. 
<\/p>\n<p><strong>krb5.conf<\/strong><\/p>\n<pre>[logging]\r\ndefault = FILE:\/var\/log\/krb5libs.log\r\nkdc = FILE:\/var\/log\/krb5kdc.log\r\nadmin_server = FILE:\/var\/log\/kadmind.log<\/pre>\n<pre>[libdefaults]\r\ndefault_realm = YOURDOMAIN\r\ndns_lookup_realm = false\r\ndns_lookup_kdc = false\r\nticket_lifetime = 24h\r\nforwardable = yes<\/pre>\n<pre>[realms]\r\nYOURDOMAIN = {\r\nkdc = yourpdc\r\nadmin_server = yourpdc\r\ndefault_domain = YOURDOMAIN\r\nkpasswd_server = yourpdc\r\n}<\/pre>\n<pre>[domain_realm]\r\n.yourdomain = yourdomain<\/pre>\n<pre>[kdc]\r\nprofile = \/var\/kerberos\/krb5kdc\/kdc.conf<\/pre>\n<pre>[appdefaults]\r\npam = {\r\ndebug = false\r\nticket_lifetime = 36000\r\nrenew_lifetime = 36000\r\nforwardable = true\r\nkrb4_convert = false\r\n}<\/pre>\n<p>#####################################################<\/p>\n<p><strong>smb.conf<\/strong><\/p>\n<pre>[global]\r\nworkgroup = YOURDOMAIN\r\nserver string = SQUIDPROXY (or any other name you want)\r\nsecurity = ADS\r\nauth methods = winbind\r\nencrypt passwords = yes\r\nidmap uid = 70001-90000\r\nwinbind enum users = yes\r\nwinbind gid = 70001-90000\r\nwinbind enum groups = yes\r\nclient use spnego = yes\r\nwinbind separator = \\\\\r\nload printers = yes\r\ncups options = raw\r\nlog file = \/var\/log\/samba\/%m.log\r\nmax log size = 50\r\npassword server = yourpdcIP\r\nrealm = YOURDOMAIN\r\ndns proxy = no<\/pre>\n<pre>[homes]\r\ncomment = Home Directories\r\nbrowseable = no\r\nwritable = yes\r\n\r\n[printers]\r\ncomment = All Printers\r\npath = \/usr\/spool\/samba\r\nbrowseable = no\r\nguest ok = no\r\nwritable = no\r\nprintable = yes<\/pre>\n<p>#####################################################<\/p>\n<p><strong>squid.conf<\/strong><\/p>\n<pre>http_port 8080\r\nhierarchy_stoplist cgi-bin ?\r\nacl QUERY urlpath_regex cgi-bin \\?\r\nno_cache deny QUERY\r\nhosts_file \/etc\/hosts\r\nrefresh_pattern ^ftp: 1440 20% 10080\r\nrefresh_pattern ^gopher: 1440 0% 1440\r\nrefresh_pattern . 
0 20% 4320\r\naccess_log \/var\/log\/squid\/access.log squid\r\nemulate_httpd_log on<\/pre>\n<pre><strong>auth_param ntlm program \/usr\/bin\/ntlm_auth --helper-protocol=squid-2.5-ntlmssp<\/strong>\r\nauth_param ntlm children 5\r\n<strong>auth_param basic program \/usr\/bin\/ntlm_auth --helper-protocol=squid-2.5-basic<\/strong>\r\nauth_param basic children 5\r\nauth_param basic realm Squid proxy-caching web server\r\nauth_param basic credentialsttl 2 hours<\/pre>\n<pre><strong>external_acl_type ADS %LOGIN \/usr\/lib\/squid\/wbinfo_group.pl<\/strong>\r\n<strong>acl interneton external ADS InternetOn<\/strong>\r\n\r\nacl blocksites url_regex \"\/etc\/squid\/squid-block.acl\"\r\nacl all src 0.0.0.0\/0.0.0.0\r\nacl manager proto cache_object\r\nacl localhost src 127.0.0.1\/255.255.255.255\r\nacl to_localhost dst 127.0.0.0\/8\r\nacl SSL_ports port 443 563 # https, snews\r\nacl SSL_ports port 873 # rsync\r\nacl Safe_ports port 80 # http\r\nacl Safe_ports port 21 # ftp\r\nacl Safe_ports port 443 563 # https, snews\r\nacl Safe_ports port 70 # gopher\r\nacl Safe_ports port 210 # wais\r\nacl Safe_ports port 280 # http-mgmt\r\nacl Safe_ports port 488 # gss-http\r\nacl Safe_ports port 591 # filemaker\r\nacl Safe_ports port 777 # multiling http\r\nacl Safe_ports port 631 # cups\r\nacl Safe_ports port 873 # rsync\r\nacl Safe_ports port 901 # SWAT\r\nacl purge method PURGE\r\nacl CONNECT method CONNECT<\/pre>\n<pre><strong>acl AuthorizedUsers proxy_auth REQUIRED<\/strong><\/pre>\n<pre>http_access deny blocksites\r\n<strong>http_access allow interneton<\/strong>\r\nhttp_access allow manager localhost\r\nhttp_access deny manager\r\nhttp_access allow purge localhost\r\nhttp_access deny purge\r\nhttp_access deny !Safe_ports\r\nhttp_access deny CONNECT !SSL_ports\r\nhttp_access allow localhost\r\nhttp_access deny all\r\nhttp_reply_access allow all\r\nicp_access allow all\r\ncoredump_dir \/var\/spool\/squid<\/pre>\n<p>Note that <strong>http_access allow interneton<\/strong> is evaluated before the <strong>deny !Safe_ports<\/strong> and <strong>deny CONNECT !SSL_ports<\/strong> lines, so members of InternetOn are not subject to those port restrictions; if you want the port restrictions to apply to everyone, move the allow line below those two deny lines.<\/p>\n<p>#####################################################<\/p>\n<p><strong>Start samba, winbind and squid in this order.<\/strong><\/p>\n<p><strong>Synchronize your Squid server&#8217;s clock with the AD<\/strong><\/p>\n<pre>ntpdate yourprimarydomaincontroller<\/pre>\n<p><strong>Initialise Kerberos<\/strong><\/p>\n<pre>kinit administrator@YOURDOMAIN<\/pre>\n<p><strong>Test Kerberos connection<\/strong><\/p>\n<pre>klist<\/pre>\n<p><strong>Join Squid Server to AD<\/strong><\/p>\n<pre>net ads join -S yourpdc -U administrator<\/pre>\n<p><strong>Validate Trust<\/strong><\/p>\n<pre>wbinfo -t<\/pre>\n<p><strong>Validate that the wbinfo_group.pl script is working<\/strong><\/p>\n<pre>echo \"youralloweduser InternetOn\" | \/usr\/lib\/squid\/wbinfo_group.pl -d\r\n(it returns OK if the user is in the InternetOn group, ERR if not)<\/pre>\n<p><strong>You might have some problems with the winbindd_privileged directory. If that&#8217;s the case:<\/strong><\/p>\n<pre>cd \/var\/cache\/samba\r\nchgrp squid winbindd_privileged\r\nchmod 750 winbindd_privileged<\/pre>\n<p><strong>The problem with this setup is that when you change the InternetOn members, Samba \/ Winbind aren&#8217;t aware of the change until the cache clears, so I made a small script you can run in cron or manually.<\/strong><\/p>\n<p><strong>clearcache.sh<\/strong><\/p>\n<pre>#!\/bin\/bash\r\n\/etc\/init.d\/smb stop\r\n\/etc\/init.d\/winbind stop\r\nrm -f \/var\/cache\/samba\/*.tdb\r\n\/etc\/init.d\/smb start\r\n\/etc\/init.d\/winbind start\r\n\/etc\/init.d\/squid reload<\/pre>\n<p>Test this at your own risk. \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I needed to integrate a Squid Proxy server in an Active Directory environment. The main objective was to grant \/ deny access to the Internet by user \/ group validation, using single sign on. The solution might not be the most elegant, but it&#8217;s a working one. 
You&#8217;ll need to install the Kerberos, Samba, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[3,10,4],"tags":[],"class_list":["post-926","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking","category-windows"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/posts\/926","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/comments?post=926"}],"version-history":[{"count":5,"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/posts\/926\/revisions"}],"predecessor-version":[{"id":1230,"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/posts\/926\/revisions\/1230"}],"wp:attachment":[{"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/media?parent=926"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/categories?post=926"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.odrakir.com\/blog\/wp-json\/wp\/v2\/tags?post=926"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{
rel}","templated":true}]}}