Squid with Kerberos and LDAP authentication in Active Directory (quick start)

Squid with Kerberos and LDAP authentication in Active Directory (quick start)

Problem

Make users authenticate on Squid proxy
- Using Kerberos (single sing-on)
- Fall back to LDAP if Kerberos fails (plain text)

Prerequisites

Active Directory on Windows Server 2003 R2 SP2
Ubuntu Server 10.04 LTS + Squid 3.0 + Kerberos 5

Solution

Here is our example environment

Parameter name	Value
AD_SQUID_USER	squid
AD_SQUID_PASSWORD	squid_password
PROXY_FULL_DNS_NAME	proxy.company.ru
DOMAIN_CONTROLLER	dc.company.lan
REALM	COMPANY.LAN
SQUID_DN	cn=squid,ou=users_special,dc=company,dc=lan
BASE_DN	ou=users,dc=company,dc=lan

Let's configure

Ubuntu: install Squid and Kerberos
```
sudo apt-get install squid3 krb5-user
```
Ubuntu: replace /etc/krb5.conf with the following config
```
[libdefaults]
        default_realm = COMPANY.LAN
```
Windows: create user “squid” in Active Directory
Windows: create keytab and map it to the user “squid” with password “squid_password” using ktpass (you can find ktpass in Windows Server 2003 Service Pack 1 Support Tools)
```
ktpass -princ HTTP/proxy.company.ru@COMPANY.LAN -mapuser squid -pass squid_password -ptype KRB5_NT_PRINCIPAL -out HTTP.keytab
```
Ubuntu: move just created HTTP.keytab to /etc/squid3/HTTP.keytab
Ubuntu: put the password to a separate file (it's going to be used for binding in LDAP)
```
echo "squid_password" | sudo tee /etc/squid3/LDAP.pass
```

Ubuntu: fix permissions for security reasons

sudo chown proxy:proxy /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
sudo chmod 400 /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass

Ubuntu: point Squid to the keytab file

echo "export KRB5_KTNAME=/etc/squid3/HTTP.keytab" | sudo tee /etc/default/squid3

Ubuntu: add authentication parameters to the squid.conf

Create /etc/squid3/suid.auth.conf with the following text

# Enable Kerberos authentication first
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.company.ru@COMPANY.LAN
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Fallback to LDAP if Kerberos fails
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "ou=users,dc=company,dc=lan" -f sAMAccountName=%s -h dc.company.lan -D "cn=squid,ou=users_special,dc=company,dc=lan" -W /etc/squid3/LDAP.pass
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Force authentication requirement
acl auth proxy_auth REQUIRED
http_access allow auth

Patch /etc/squid3/squid.conf

--- squid.conf.orig	2011-02-18 22:43:47.000000000 +0300
+++ squid.conf	2011-11-23 20:36:10.348219178 +0400
@@ -646,6 +646,9 @@
 #http_access allow localnet
 http_access allow localhost
 
+# Include Kerberos and LDAP configuration
+include /etc/squid3/squid.auth.conf
+
 # And finally deny all other access to this proxy
 http_access deny all

Ubuntu: restart squid
```
sudo /etc/init.d/squid3 restart
```

Troubleshooting

You can check if your keytab works

kinit -V -kt /etc/squid3/HTTP.keytab HTTP/proxy.company.ru@COMPANY.LAN

Some notes

Kerberos needs DNS to be configured properly (in that case you don't even need to configure /etc/krb5.conf)
DNS needs to have a host DNS-records (A-record and reverse-record) for the proxy server (proxy.company.ru is in our example)
To use Kerberos in Ubuntu you just need to install “krb5-user” and run “kinit username@COMPANY.LAN”
Internet Explorer doesn't fall back to LDAP authentication if Kerberos fails. So if you can't use Kerberos (for example when PC isn't joined to the domain) you need to uncheck “Enable Integrated Windows Authentication” in Internet Options → Advanced → Security or use alternative browser.
You need to use proxy by full DNS-name (proxy.company.ru is in our example) or by CNAME to this DNS-name to make Kerberos works. Overwise only LDAP plain text authentication will work.

squid, kerberos, ldap, proxy, ubuntu