Squid on AD

First off, we need to join our server to Active Directory. The Red Hat Samba packages that ship with CentOS provide all the features we need.

Step 1: Configure and Test Kerberos
Find out the Fully Qualified Domain Name (FQDN) of the Primary Domain Controller (PDC) for the Windows network.
Assuming the PDC is bigserver.domain.net, edit /etc/krb5.conf as follows:
PLEASE NOTE: The capitalization of the sections below is VERY important (the realm name is upper case, host names are lower case).

[libdefaults]
    default_realm = DOMAIN.NET
[realms]
    DOMAIN.NET = {
        kdc = bigserver.domain.net
    }
# The section is named [domain_realm] (singular); it maps host names in
# domain.net to the Kerberos realm.
[domain_realm]
    .domain.net = DOMAIN.NET
    domain.net = DOMAIN.NET

Test the Kerberos part of the authentication with the following command:

# kinit Administrator@DOMAIN.NET
Password for Administrator@DOMAIN.NET

The following tool from Microsoft, run on a Windows workstation already joined to the domain, can help you get the right Kerberos details:
Windows 2000 Resource Kit Tool: Kerbtray.exe

Step 2: Configure /etc/hosts
Edit /etc/hosts so you can rule out DNS issues for bigserver.domain.net:

192.168.10.5 bigserver.domain.net bigserver

Step 3: Configure Samba
Edit the Global section of /etc/samba/smb.conf to contain the following:

# Global parameters
[global]
workgroup = BIGSERVER
realm = DOMAIN.NET
preferred master = no
server string = Samba file and print server
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000

Run testparm to check your Samba configuration for syntax errors.
Now join your server to the AD Domain:

# net ads join -U Administrator
Administrator's password:
Joined 'SAMBA1' to realm 'DOMAIN.NET'

Step 4: Enable and Test Winbind
Edit /etc/nsswitch.conf and change the appropriate lines to look like the following:

passwd: compat winbind
group: compat winbind
shadow: compat

Restart Samba with /etc/init.d/samba restart (on CentOS the init scripts are named smb and winbind; winbindd must be restarted as well).
Test winbind with the following commands:

# wbinfo -u
BIGSERVER+Administrator
BIGSERVER+Guest
BIGSERVER+cschroder
BIGSERVER+mhall
# wbinfo -g
BIGSERVER+Domain Computers
BIGSERVER+Domain Admins
BIGSERVER+Domain Guests
BIGSERVER+Domain Users
# getent passwd
BIGSERVER+cschroder:x:1000:1000:,,,:/home/BIGSERVER/cschroder:/bin/bash

If winbind is not working and local authentication is still active, the entries will not have the BIGSERVER+ prefix. Run

net ads info

to display the AD server information and confirm the join is still valid.

Step 5: Test the Squid helpers
Test the Squid NTLM authentication helper before you touch Squid. The paths below assume ntlm_auth lives in /usr/local/bin; the CentOS Samba RPM installs it as /usr/bin/ntlm_auth, so adjust the path to match your system.

# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
BIGSERVER+myuser mypasswd
OK

Step 6: Configure and Test Squid
Add the following to squid.conf to enable both the winbind basic and NTLM authenticators. Internet Explorer will use NTLM; everything else falls back to basic:

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports the NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Change auth_param basic realm to something meaningful for the client, e.g. PCB Proxy server.
Add the following acl entries to require authentication:

acl AuthorizedUsers proxy_auth REQUIRED
..
# allow only requests that carry valid domain credentials
http_access allow AuthorizedUsers

Point your test machine at the proxy server and you should be authenticating against the domain.
You can now go on and configure any further acls for the server.
AD group ACLs
Example
Say I had a domain group called "directors":

[root@localhost ~]# getent group | grep directors
POSTMANPAT+directors:*:10012:POSTMANPAT+michael

Add to /etc/squid/squid.conf

external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl protocol=2.5
# ACLs
acl directors external nt_group directors
http_access allow directors

Be sure to change permissions on /var/cache/samba/winbindd_privileged so the squid user can reach the privileged winbind pipe that the group helper uses:

chgrp squid /var/cache/samba/winbindd_privileged
chmod g+rx /var/cache/samba/winbindd_privileged

Winbind
They use AD for authenticating with Squid.
They wanted to know why this user could browse,
so we checked what groups the user belongs to:

[root@nsaproxy etc]# wbinfo -r recpdca
10089
10091
10002
10452
10333
10222
10417
10449

(which on its own is useless, since these are only numeric GIDs)

[root@nsaproxy etc]# for x in $(wbinfo -r recpdca) ; do SID=$(wbinfo -G $x) ; NAME=$(wbinfo -s $SID) ; echo $NAME ; done
ITPD+Internet User 2
ITPD+Virusfree 2
ITPD+Domain Users 2
ITPD+internetuser 2
ITPD+Protection Services Induction (R) 2
ITPD+Security Properties 2
ITPD+MAILUSER 4
BUILTIN+Users 4

Explanation

for x in $(wbinfo -r recpdca)

    This gets all the group IDs for that user.

do SID=$(wbinfo -G $x)

    Based on the GID we generate a SID.

NAME=$(wbinfo -s $SID)

    Based on the SID we generate a group name.

echo $NAME ; done

    Echo what we just discovered.
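As an added example that is not part of the original post, the loop above packaged as a script with quoting that survives group names containing spaces, plus a membership check that answers the same question the nt_group external ACL in the AD group ACLs section asks. It assumes wbinfo is on PATH and that smb.conf sets winbind separator = + as configured above.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes wbinfo is on PATH and
# that smb.conf sets "winbind separator = +", as in the configuration above.

# Print the AD group names a winbind user belongs to, one per line
# (e.g. "ITPD+Domain Users"), using the same wbinfo -r / -G / -s chain
# as the one-liner above, but with quoting that survives spaces in names.
ad_groups_for_user() {
    wbinfo -r "$1" | while read -r gid; do
        # -G maps a numeric GID to a SID; skip GIDs winbind cannot map
        sid=$(wbinfo -G "$gid") || continue
        [ -n "$sid" ] || continue
        # -s prints "NAME TYPE" (type 2 = domain group, 4 = local alias);
        # drop the trailing type number and keep the name, spaces included
        wbinfo -s "$sid" | sed 's/ [0-9]*$//'
    done
}

# Exit 0 if the user is in the named group, else 1. The DOMAIN+ prefix is
# stripped before comparing, which is how the "directors" external ACL
# above matches a bare group name against winbind's output.
user_in_ad_group() {
    ad_groups_for_user "$1" | sed 's/^[^+]*+//' | grep -qxF -- "$2"
}

# Usage: sh ad_groups.sh USER          -> list the user's groups
#        sh ad_groups.sh USER GROUP    -> exit 0/1 for membership
if [ $# -eq 1 ]; then
    ad_groups_for_user "$1"
elif [ $# -eq 2 ]; then
    if user_in_ad_group "$1" "$2"; then
        echo "$1 is a member of $2"
    else
        echo "$1 is NOT a member of $2"
        exit 1
    fi
fi
```

Run it as the squid user to see exactly what the group ACL would see, since winbind lookups through the privileged pipe depend on the permissions set above.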