Table of Contents
Squid with Kerberos and LDAP authentication in Active Directory (quick start)
Problem
- Make users authenticate on Squid proxy
- Using Kerberos (single sign-on)
- Fall back to LDAP if Kerberos fails (plain-text credentials)
Prerequisites
- Active Directory on Windows Server 2003 R2 SP2
- Ubuntu Server 10.04 LTS + Squid 3.0 + Kerberos 5
Solution
Here is our example environment:

| Parameter name | Value |
|---|---|
| AD_SQUID_USER | squid |
| AD_SQUID_PASSWORD | squid_password |
| PROXY_FULL_DNS_NAME | proxy.company.ru |
| DOMAIN_CONTROLLER | dc.company.lan |
| REALM | COMPANY.LAN |
| SQUID_DN | cn=squid,ou=users_special,dc=company,dc=lan |
| BASE_DN | ou=users,dc=company,dc=lan |
Let's configure
- Ubuntu: install Squid and Kerberos
sudo apt-get install squid3 krb5-user
- Ubuntu: replace /etc/krb5.conf with the following config
[libdefaults]
    default_realm = COMPANY.LAN
- Windows: create user “squid” in Active Directory
- Windows: create keytab and map it to the user “squid” with password “squid_password” using ktpass (you can find ktpass in Windows Server 2003 Service Pack 1 Support Tools)
ktpass -princ HTTP/proxy.company.ru@COMPANY.LAN -mapuser squid -pass squid_password -ptype KRB5_NT_PRINCIPAL -out HTTP.keytab
- Ubuntu: move the just-created HTTP.keytab to /etc/squid3/HTTP.keytab
- Ubuntu: put the password into a separate file (it will be used for the LDAP bind)
echo "squid_password" | sudo tee /etc/squid3/LDAP.pass
- Ubuntu: fix permissions for security reasons
sudo chown proxy:proxy /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
sudo chmod 400 /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass
- Ubuntu: point Squid to the keytab file
echo "export KRB5_KTNAME=/etc/squid3/HTTP.keytab" | sudo tee /etc/default/squid3
- Ubuntu: add authentication parameters to the squid.conf
- Create /etc/squid3/squid.auth.conf with the following text
# Enable Kerberos authentication first
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.company.ru@COMPANY.LAN
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Fallback to LDAP if Kerberos fails
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "ou=users,dc=company,dc=lan" -f sAMAccountName=%s -h dc.company.lan -D "cn=squid,ou=users_special,dc=company,dc=lan" -W /etc/squid3/LDAP.pass
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Force authentication requirement
acl auth proxy_auth REQUIRED
http_access allow auth
- Patch /etc/squid3/squid.conf
--- squid.conf.orig 2011-02-18 22:43:47.000000000 +0300 +++ squid.conf 2011-11-23 20:36:10.348219178 +0400 @@ -646,6 +646,9 @@ #http_access allow localnet http_access allow localhost +# Include Kerberos and LDAP configuration +include /etc/squid3/squid.auth.conf + # And finally deny all other access to this proxy http_access deny all
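Review bot: the include lands between `http_access allow localhost` and `http_access deny all`, which is the order the included rules need: `acl auth proxy_auth REQUIRED` and `http_access allow auth` only take effect when Squid evaluates them before the final `http_access deny all`. Two things worth recording in the `+# Include Kerberos and LDAP configuration` comment: the path `/etc/squid3/squid.auth.conf` must match the file created in the previous step exactly, otherwise the authentication rules are never loaded; and requests from localhost still bypass authentication because `http_access allow localhost` precedes the include.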
- Ubuntu: restart squid
sudo /etc/init.d/squid3 restart
Troubleshooting
- You can check that the keytab works by obtaining a ticket with it
kinit -V -kt /etc/squid3/HTTP.keytab HTTP/proxy.company.ru@COMPANY.LAN
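The keytab, file-permission and DNS requirements of this setup can be checked in one go. The script below is an added example, not part of the original page or of Squid; it assumes the example environment (proxy.company.ru, COMPANY.LAN, the /etc/squid3 paths, the proxy user) and a Linux host with GNU stat and glibc getent.

```sh
#!/bin/sh
# Pre-flight checks for the Squid + Kerberos + LDAP setup on this page.
# Added example, not part of the original page; paths and names follow the
# example environment (proxy.company.ru, COMPANY.LAN, /etc/squid3/...).

# Keytab and LDAP bind password must be mode 400 and owned by the Squid user
# (proxy on Ubuntu). Returns 0 only if both hold. Uses GNU stat (Linux).
secret_file_ok() {
    f=$1; uid=$(id -u "$2" 2>/dev/null) || return 1
    [ -f "$f" ] || return 1
    [ "$(stat -c '%a' "$f")" = "400" ] && [ "$(stat -c '%u' "$f")" = "$uid" ]
}

# Reads "klist -kt" output on stdin; succeeds if the principal that
# squid_kerb_auth is started with (-s ...) is present in the keytab.
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Prints the principal from "auth_param negotiate program ... -s <principal>".
negotiate_principal() {
    sed -n 's/^auth_param negotiate program .*-s[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Forward (A) and reverse (PTR) lookups of the proxy name must agree, as the
# notes on this page require. Needs a resolver; uses getent from glibc.
proxy_dns_ok() {
    ip=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || return 1
    getent hosts "$ip" | awk -v n="$1" '{ for (i = 2; i <= NF; i++) if ($i == n) ok = 1 } END { exit !ok }'
}

# Runs all checks against the live host; invoke as "sh preflight.sh --check".
preflight() {
    rc=0
    for f in /etc/squid3/HTTP.keytab /etc/squid3/LDAP.pass; do
        secret_file_ok "$f" proxy || { echo "FAIL: $f must be mode 400, owner proxy"; rc=1; }
    done
    princ=$(negotiate_principal /etc/squid3/squid.auth.conf)
    klist -kt /etc/squid3/HTTP.keytab | keytab_has_principal "$princ" \
        || { echo "FAIL: $princ is not in /etc/squid3/HTTP.keytab"; rc=1; }
    host=${princ#HTTP/}; host=${host%@*}
    proxy_dns_ok "$host" || { echo "FAIL: A/PTR records for $host do not match"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: keytab, permissions and DNS look consistent"
    return $rc
}
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it as the Squid host's root user so the keytab and password file can be read; a FAIL line names the step above that needs revisiting.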
Some notes
- Kerberos needs DNS to be configured properly (when it is, you don't even need to configure /etc/krb5.conf)
- DNS needs to have host records (an A record and a matching reverse PTR record) for the proxy server (proxy.company.ru in our example)
- To use Kerberos on Ubuntu you just need to install “krb5-user” and run “kinit username@COMPANY.LAN”
- Internet Explorer doesn't fall back to LDAP authentication if Kerberos fails. So if you can't use Kerberos (for example when the PC isn't joined to the domain) you need to uncheck “Enable Integrated Windows Authentication” in Internet Options → Advanced → Security or use an alternative browser.
- You need to address the proxy by its full DNS name (proxy.company.ru in our example) or by a CNAME to this DNS name to make Kerberos work. Otherwise only LDAP plain-text authentication will work.