Squid AD Authentication
Transparent Active Directory user identification and group policies enabled within Squid.
Requirements
Platform: CentOS 5.2
Package: Squid 2.6.STABLE6
Package: Samba 3.0.28
Package: Samba Common 3.0.28
Package: Samba Client 3.0.28
Package: pam_smb 1.1.7
Package: krb5-devel 1.6.1
Package: pam_krb5 2.2.14
Package: krb5-libs 1.6.1
Package: krb5-workstation 1.6.1
Package: httpd 2.2.3
Package: mod_auth_kerb 5.1
A full list of 640 packages can be made available.
The system hardware should be scaled to your needs but a single 2.8GHz CPU with 512MB of RAM and 20GB HDD will suffice to run most small installations.
Introduction
Over the years I have been looking into various technologies for integrating the user authentication on the open-source Squid server with a Windows or LDAP based directory. Squid is a well respected web cache solution that is available from Squid Cache.
I have now been able to implement a solution that provides:
1. User Credential verification against MS AD
2. Group Access Policies based on Groups in AD
3. Transparent Single Sign On
I used a large number of How To's on the Web to facilitate this. I will publish a list when I can. It is assumed that the reader has enough Linux knowledge to install the system from simple instructions and some experience as an administrator of Squid.
Throughout this document:
· MYDOMAIN: the AD domain, written in upper case where it is used as the Kerberos realm and in lower case (mydomain) where it is used as the DNS domain
· MYSHORTDOMAIN: the short (NetBIOS) name of the AD domain
· MyAdminServer: the AD administration / password server (a domain controller)
· MyAdministrator: the AD user with Domain Administrator privileges, used for the domain join and keytab creation
· MyServer: the NetBIOS and host name of the Squid server itself
· SEC Restricted Users: members of this AD group have restricted web access
Commands to be run from the command line as root are shown prefixed with #. File contents follow the instruction naming the file to edit.
Basic Installation
Install CentOS 5.2 from DVD/CDs/Network per your normal mechanism. I would recommend no GUI (KDE, Gnome, X).
Install as a Server. Select packages as applicable ensuring that you have, Squid, HTTPD and the development kits (Dev Libs, Dev Tools, Legacy Soft Dev etc.). How much you strip down is your decision, it simply bulks out the installation.
Once First Boot is complete, log in and turn off SELinux and the firewall for the initial build. If you wish to add them back later then please read up carefully first: the proxy itself only needs TCP port 8080 open to its clients, and SELinux can be run in permissive mode while you check /var/log/audit/audit.log for denials before switching it to enforcing.
# system-config-securitylevel
Configurations
Configuring Kerberos
Edit the "/etc/krb5.conf" file. Below is an example of the configuration required. The realm name (MYDOMAIN) must be in upper case; the DNS domain (mydomain) is in lower case:
[libdefaults]
    ticket_lifetime = 600
    default_realm = MYDOMAIN

[realms]
    MYDOMAIN = {
        kdc = MyAdminServer.MYDOMAIN
        admin_server = MyAdminServer.MYDOMAIN
        default_domain = mydomain
    }

[domain_realm]
    .mydomain = MYDOMAIN
    mydomain = MYDOMAIN

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
Check the realm configuration before going any further: kinit AnyUser@MYDOMAIN followed by klist should show a ticket-granting ticket issued by the KDC named above.
The legacy Kerberos 4 realm map, /etc/krb.realms, is not needed by Kerberos 5 when [domain_realm] is set as above. If you create it anyway, each line maps a DNS domain to a realm, and the realm must be in upper case:
# echo ".mydomain MYDOMAIN" > /etc/krb.realms
Configure Samba
Edit the "/etc/samba/smb.conf" file. Below is an example of the configuration required. The password server is the AD server called MyAdminServer above, and the realm is given once, in upper case:
[global]
    workgroup = MYSHORTDOMAIN
    netbios name = MyServer
    realm = MYDOMAIN
    server string = Linux Samba Server
    security = ads
    encrypt passwords = Yes
    password server = MyAdminServer.MYDOMAIN
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = False
    local master = No
    domain master = False
    os level = 1
    dns proxy = No
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    use kerberos keytab = yes
Run testparm after editing to check the file for syntax errors. The two winbind enum settings are what make wbinfo -u and wbinfo -g (used in the Testing section) list the whole directory; they are expensive on a large domain and can be set to no once testing is done.
Configuring Squid
Edit the "/etc/squid/squid.conf" file. Below is an example of the configuration required:
http_port 8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl PURGE method PURGE
acl localhost src 127.0.0.1
http_access allow PURGE localhost
http_access deny PURGE
access_log /var/log/squid/access.log squid
log_fqdn on
debug_options ALL,1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group_H.pl
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 444 563 1494 2598
acl Safe_ports port 80 1494 2598
acl Safe_ports port 21
acl Safe_ports port 443 444 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488 8000
acl Safe_ports port 591
acl Safe_ports port 777 631
acl CONNECT method CONNECT
acl Bannedlist url_regex virtuagirl rotten\.com hotpornhouse
acl Utility url_regex \.samspade\.org
acl Others url_regex \.harlekwin\.co\.uk
acl msad proxy_auth REQUIRED
acl restrictedusers external nt_group SEC\ Restricted\ Users
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny Bannedlist
http_access deny !msad
http_access deny Utility restrictedusers
http_access allow Others restrictedusers
http_access allow msad
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
A few points about this file. The debug level is left at ALL,1 for normal running; raise it to ALL,9 only while troubleshooting, since at that level cache.log grows very quickly and records request headers, including the authentication headers. The auth_param basic lines only take effect if an auth_param basic program helper is also configured (ntlm_auth supports --helper-protocol=squid-2.5-basic); without one, a browser that cannot do NTLM will simply be denied, and with one, remember that basic authentication sends the password in clear text to the proxy. The external ACL helper is started with children=5 rather than concurrency=5: the Perl script below reads the first field of every line as the user name, and the concurrent protocol prefixes each line with a channel ID that the script does not parse. The ACL name is Bannedlist in both the acl and the http_access line, since the two must match exactly.
Note that this is an example. Squid evaluates the http_access lines in order and the first line whose ACLs all match decides the request, so the housekeeping rules (manager, unsafe ports, CONNECT to non-SSL ports) come first, the authentication check next, and a final deny all catches anything that slipped through; nothing may follow allow all or deny all, because it would never be reached. The deny !msad line is what makes Squid challenge a browser that has not yet authenticated, and what keeps out credentials that winbindd rejected. The list provides the following functionality:
· A list of URLs banned to all
· A list of URLs banned to a particular group
· A list of URLs allowed to a particular group
· Access to all other URLs for every authenticated user
The backslashes before the spaces in "SEC\ Restricted\ Users" are required so that the whole name is passed to the authentication script as one argument.
The Perl script shipped with Squid to provision group access is not very sophisticated, but it does the job. The only issue is if, as is likely, your AD group names contain spaces: the stock script splits its input on whitespace and treats each word as a separate group, so it needs to be finessed slightly.
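The effect of the http_access order can be seen without a running proxy. The following is an added example, not code from the original post or from Squid: a small first-match evaluator for http_access lists that models Squid 2.6's documented behaviour (first matching rule decides; a proxy_auth or %LOGIN ACL reached without credentials stops the walk with a 407; credentials rejected by the helper simply do not match and the walk continues; a denial whose last ACL was proxy_auth is sent as a 407). It runs the post's original order and the corrected order against constructed requests. The ACL names are the ones from squid.conf above; the requests and the assumed group membership are made up for the demonstration.

```python
import re

# Added example, not from the original post: a first-match evaluator for
# Squid http_access lists, used to compare the post's rule order with a
# corrected one.  Model (Squid 2.6 as documented): rules are tried top to
# bottom and the first rule whose ACLs all match decides; a proxy_auth ACL
# or a %LOGIN external ACL reached with no credentials aborts with a 407;
# credentials the helper rejected do not match, so the walk continues; a
# denial whose last evaluated ACL was proxy_auth is sent as 407 not 403.

SAFE = {80, 21, 443, 444, 563, 70, 210, 280, 488, 8000, 591, 777, 631, 1494, 2598}
SSL = {443, 444, 563, 1494, 2598}
PROXY_AUTH = {"msad"}


class Challenge(Exception):
    """Reached a login-dependent ACL with no credentials: reply 407."""


def login(req):
    if req.get("user") is None:
        raise Challenge()
    return req.get("auth_ok", False)


# ACL name -> predicate over a request dict, mirroring the acl lines in squid.conf
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r["url"].startswith("cache_object://"),
    "Safe_ports": lambda r: r["port"] in SAFE or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] in SSL,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "Bannedlist": lambda r: re.search(r"virtuagirl|rotten\.com|hotpornhouse", r["url"]) is not None,
    "Utility": lambda r: re.search(r"\.samspade\.org", r["url"]) is not None,
    "Others": lambda r: re.search(r"\.harlekwin\.co\.uk", r["url"]) is not None,
    "msad": login,
    # external ACL with %LOGIN: Squid insists on credentials before asking the helper
    "restrictedusers": lambda r: login(r) and "SEC Restricted Users" in r.get("groups", ()),
}


def parse_rules(text):
    """'http_access allow|deny acl [!acl ...]' lines -> [(action, [(name, negated), ...])]."""
    rules = []
    for line in text.strip().splitlines():
        _, action, *terms = line.split()
        rules.append((action, [(t.lstrip("!"), t.startswith("!")) for t in terms]))
    return rules


def http_access(rules, req):
    """Return 'allow', 'deny' or '407' for one request."""
    last = None
    answer = None
    for action, terms in rules:
        matched = True
        for name, negated in terms:
            last = name
            try:
                hit = ACLS[name](req)
            except Challenge:
                return "407"
            if hit == negated:        # this ACL does not satisfy the rule
                matched = False
                break
        if matched:
            answer = action
            break
    if answer is None:                # nothing matched: opposite of the last rule
        answer = "deny" if rules[-1][0] == "allow" else "allow"
    return "407" if answer == "deny" and last in PROXY_AUTH else answer


# The post's order (PURGE lines left out) beside a corrected order
ORIGINAL = """
http_access deny Bannedlist
http_access deny Utility restrictedusers
http_access allow Others restrictedusers
http_access allow msad
http_access allow all
http_access deny manager
http_access deny !Safe_ports
"""
FIXED = """
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny Bannedlist
http_access deny !msad
http_access deny Utility restrictedusers
http_access allow Others restrictedusers
http_access allow msad
http_access deny all
"""


def compare(req):
    """(answer under the post's order, answer under the corrected order)."""
    return http_access(parse_rules(ORIGINAL), req), http_access(parse_rules(FIXED), req)


# Constructed requests (hypothetical users and hosts)
SMTP_RELAY = {"user": "mydomain\\anyuser", "auth_ok": True, "method": "CONNECT",
              "url": "mail.example.com:25", "port": 25}
BAD_PASSWORD = {"user": "mydomain\\anyuser", "auth_ok": False, "method": "GET",
                "url": "http://www.example.com/", "port": 80}
NO_CREDS = {"user": None, "method": "GET", "url": "http://www.example.com/", "port": 80}
RESTRICTED = {"user": "mydomain\\tempuser", "auth_ok": True, "groups": ("SEC Restricted Users",),
              "method": "GET", "url": "http://www.samspade.org/", "port": 80}

if __name__ == "__main__":
    for label, req in [("CONNECT to port 25, authenticated", SMTP_RELAY),
                       ("rejected credentials", BAD_PASSWORD),
                       ("no credentials", NO_CREDS),
                       ("restricted user to samspade", RESTRICTED)]:
        original, fixed = compare(req)
        print(f"{label}: original={original} fixed={fixed}")
```

Two results stand out. An authenticated user may CONNECT to port 25 through the original order (allow msad is reached before deny !Safe_ports), which turns the proxy into a mail relay; the corrected order denies it. Credentials that winbindd rejected fall through allow msad to allow all in the original order and are served anonymously; the corrected order's deny !msad turns that into a fresh 407 challenge.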
# cp /usr/lib/squid/wbinfo_group.pl /usr/lib/squid/wbinfo_group_H.pl
# chmod 755 /usr/lib/squid/wbinfo_group_H.pl
Edit the new file. The example below will allow groups with spaces:
#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Harlekwin
#
# Version history:
# 2008-12-10 Harlekwin
# Add Space Encapsulation in group names
#
# 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
# Add '-d' command line debugging option
#
# 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
# Fix for wbinfo from Samba 3.0.21
#
# 2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
# Helper protocol changed to URL escaped in Squid-3.0
#
# 2005-06-28 Arno Streuli <astreuli@gmail.com>
# Add multi group check
#
# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
# Initial release
#
# Globals
#
use strict;
use Getopt::Std;
our %opt;

# Disable output buffering so every answer reaches Squid immediately
$| = 1;

sub debug {
    print STDERR "@_\n" if $opt{d};
}

#
# Check if a user belongs to a group.  $user and $group are placed on the
# wbinfo command line through \Q...\E (quotemeta), so names containing
# spaces, quotes or backslashes cannot break out of the shell command.
#
sub check {
    my ($user, $group) = @_;
    my $groupSID = `wbinfo -n \Q$group\E | cut -d" " -f1`;
    chomp $groupSID;
    my $groupGID = `wbinfo -Y \Q$groupSID\E`;
    chomp $groupGID;
    debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
    # A group that does not resolve to a numeric GID must never match
    return 'ERR' unless $groupGID =~ /^\d+$/;
    return 'OK' if (`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
    return 'ERR';
}

#
# Command line options processing
#
sub init {
    my $opt_string = 'hd';
    getopts($opt_string, \%opt) or usage();
    usage() if $opt{h};
}

#
# Message about this program and how to use it
#
sub usage {
    print "Usage: wbinfo_group.pl -dh\n";
    print "\t-d enable debugging\n";
    print "\t-h print the help\n";
    exit;
}

init();
print STDERR "Debugging mode ON.\n" if $opt{d};

#
# Main loop: Squid sends one line per lookup, "user group...", with %XX
# escapes for characters such as spaces.  The reply is OK or ERR.
#
while (<STDIN>) {
    chomp;
    debug("Got $_ from squid");
    my ($user, @groups) = split(/\s+/);
    $user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("C", hex($1))/eg;
    # Re-join every remaining word: a group name containing spaces arrives
    # as several whitespace-separated fields, and is tested as one group
    my $group = join(" ", @groups);
    $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("C", hex($1))/eg;
    my $ans = check($user, $group);
    debug("Sending $ans to squid");
    print "$ans\n";
}
Join the Domain
Run the following commands in order. You will be prompted for the MyAdministrator password from time to time. Domain Administrator rights are more than the join needs: any account allowed to create computer objects in the target OU will do.
# kinit MyAdministrator@MYDOMAIN
# net ads join -U MyAdministrator -S MyAdminServer.MYDOMAIN
# net ads keytab create -U MyAdministrator
# net ads keytab add HTTP -U MyAdministrator
Check the result with net ads testjoin, then run kdestroy so that the administrator's ticket does not remain in the root credential cache on the proxy. The HTTP principal is only needed if you also use mod_auth_kerb with Apache; Squid's NTLM helper does not use it.
Start the Services
You need to start Samba, winbindd and Squid to use the authentication mechanism, and set them to start at boot. On CentOS 5:
# service smb start
# service winbind start
# squid -k parse
# service squid start
# chkconfig smb on
# chkconfig winbind on
# chkconfig squid on
The ntlm_auth helper runs as the squid user and talks to winbindd through its privileged pipe, so that user needs access to the winbindd_privileged directory under Samba's lock directory (typically /var/cache/samba on CentOS 5; smbd -b | grep LOCKDIR shows the path). Samba creates it owned by root with mode 750; give it to the squid group (chgrp squid, leaving the mode at 750), or every NTLM authentication will fail.
Testing
The following command tests raw AD authentication through winbindd. This is the NTLM path that Squid will use (not Kerberos); it prompts for the user's password and prints NT_STATUS_OK: Success (0x0) when the credentials are accepted:
# /usr/bin/ntlm_auth --domain=mydomain --username=AnyUser
The following tests whether winbindd is available:
# wbinfo -p
The following will return a complete list of users visible on the AD:
# wbinfo -u
The following will return a complete list of groups visible on the AD:
# wbinfo -g
The following will test the group auth script. It is interactive and you must use [CTRL]+C to exit. For each line you type it answers OK or ERR on a line of its own; run it with -d to see the SID and GID lookups on stderr.
# /usr/lib/squid/wbinfo_group_H.pl
At the prompt enter:
mydomain\AnyUser mydomain\SEC Restricted Users
Finishing up and some notes
Simply point your browser's proxy settings to your Squid server and give it a go. If you follow these instructions the proxy will be on port 8080. You should not even be prompted for a username and password: the browser answers the NTLM challenge with the credentials of the logged-on Windows user.
Following the Squid access log will show you that each request generates a denied entry (TCP_DENIED/407, with no user name) and then an allowed entry carrying the AD user name. This is a side effect of the NTLM mechanism: a request has to be made before the authentication challenge is sent, and NTLM authenticates each new TCP connection, so requests that reuse a connection are not challenged again. An allowed entry with no user name at all, on the other hand, means a request was served without authentication, and the http_access rules need looking at.
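The log check just described can be scripted. The following is an added example, not part of the original post: it parses Squid's native access.log format (the access_log ... squid line in the configuration above), counts 407 challenges per client and served requests per user, and lists any request that was served with no user name. The log lines are constructed for the example and the host names in them are made up.

```python
import re
from collections import Counter

# Added example, not from the original post: audit a Squid native-format
# access.log for the pattern the post describes (a TCP_DENIED/407 challenge
# followed by the same request carrying the AD user name in the 8th column)
# and for the one thing that must never appear: a request served with no
# user name at all.  SAMPLE_LOG is constructed; the hosts are hypothetical.

SAMPLE_LOG = """\
1229000001.101    3 192.168.1.10 TCP_DENIED/407 1934 GET http://www.example.com/ - NONE/- text/html
1229000001.250  312 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/ mydomain\\anyuser DIRECT/93.184.216.34 text/html
1229000002.010    2 192.168.1.10 TCP_DENIED/407 1934 GET http://www.example.com/style.css - NONE/- text/html
1229000002.300   88 192.168.1.10 TCP_HIT/200 910 GET http://www.example.com/style.css mydomain\\anyuser NONE/- text/css
1229000005.000  120 192.168.1.23 TCP_MISS/200 4096 GET http://www.example.org/ - DIRECT/93.184.216.34 text/html
1229000006.000   40 192.168.1.23 TCP_DENIED/403 1700 GET http://www.samspade.org/ mydomain\\tempuser NONE/- text/html
"""

# Native format: time elapsed client result/status bytes method URL user peer/host type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<result>\w+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse(line):
    """One native-format line -> dict of fields, or None if it does not parse."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def audit(lines):
    """Count challenges per client and served requests per user; collect
    every request that was served (not TCP_DENIED) without a user name."""
    report = {"challenges": Counter(), "served": Counter(), "anonymous": []}
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse(raw.rstrip("\n"))
        if rec is None:
            continue
        if rec["status"] == "407":
            report["challenges"][rec["client"]] += 1
        elif rec["result"] != "TCP_DENIED":
            if rec["user"] == "-":
                report["anonymous"].append((rec["client"], rec["url"]))
            else:
                report["served"][rec["user"]] += 1
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_LOG.splitlines())
    print("407 challenges per client:", dict(r["challenges"]))
    print("served requests per user:", dict(r["served"]))
    for client, url in r["anonymous"]:
        print(f"SERVED WITHOUT AUTHENTICATION: {client} {url}")
```

Run it against the real file with audit(open("/var/log/squid/access.log")). The ratio of challenges to served requests varies with how many connections the browsers open and is nothing to worry about; a non-empty anonymous list is, because it means the http_access list let a request through without credentials.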
Ensure that you set the services to start at boot.
Slap yourself on the back and go and have a coffee!