Friday, 8 February 2008

Squid proxy server with AD authorization

Step-by-step guide:

1. AD installation
  1.1. Install AD and DNS
  1.2. Change AD mode to native 2003
  1.3. Add necessary groups and users

2. Samba installation and configuration
  2.1. Configure name resolution
    2.1.1. /etc/hosts

Configure /etc/hosts

Even if your DNS servers are perfect in every way, it is a good idea to add important servers to your local /etc/hosts file. It speeds up lookups and provides a fallback in case the DNS servers go down:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 pluto.msk.ancor.ru pluto localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
172.17.0.20 shrimps.herring.intra shrimps
172.17.0.1 server2003.herring.intra server2003


    2.1.2. /etc/resolv.conf

shrimps:/etc/samba # cat /etc/resolv.conf
search herring.intra
nameserver 172.17.0.10


  2.2. Kerberos installation and configuration

    2.2.1. Important note

Once you have Kerberos installed on your CentOS machine, there are a few critical things you need to check:

1. The time on your Win2003 AD server and your CentOS machine must match. The default Kerberos setting allows for a 5-minute discrepancy. I recommend setting them as close as possible to allow for drift over time. This is ABSOLUTELY CRITICAL! If the clocks don't match, it won't work. This also applies to any other machine in your AD domain you want to authenticate to from your CentOS machine using Kerberos.

2. Any user account in the Win2003 AD domain you are going to use for authentication using Kerberos must have had its password changed at least once since it was created. If the password has never been changed since the account was created, THIS WON'T WORK! On the accounts I used, I just changed the passwords, then changed them right back to their originals.


    2.2.2. Install ntpd

1. yum install ntp
2. chkconfig ntpd on
3. Edit /etc/ntp.conf: remove all lines of the form "server 0.redhat.pool.ntp.org", "server 1.redhat.pool.ntp.org", "server 2.redhat.pool.ntp.org", etc., and add a single line:

server server2003.herring.intra

Of course, use the public NTP pool that is appropriate for your country/locale.

    2.2.3. Install Kerberos

yum install krb5-libs
yum install krb5-workstation
yum install krb5-server

    2.2.4. Configure Kerberos

/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HERRING.INTRA
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 HERRING.INTRA = {
  kdc = server2003.herring.intra:88
  admin_server = server2003.herring.intra:749
  default_domain = herring.intra
 }

[domain_realm]
 .herring.intra = HERRING.INTRA
 herring.intra = HERRING.INTRA

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

      2.2.5. Kerberos testing

kinit username@REALM

where username is the name of an account in your AD domain. It should prompt you for a password; enter that user's AD domain password. Note that you must enter the realm name in uppercase letters.

If it executes without error, run klist to see your Kerberos ticket.

  2.3. Samba configuration /etc/samba/smb.conf

shrimps:/etc/samba # cat /etc/samba/smb.conf
workgroup = HERRING
security = ads
realm = HERRING.INTRA
password server = server2003.herring.intra
#===========================
auth methods = winbind
winbind separator = /
encrypt passwords = yes
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
idmap uid = 10000-20000
idmap gid = 10000-20000
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 172.17.0.10
dns proxy = no



    2.3.1. Tests on client side

smbclient -L /server2003 -k
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

        Sharename       Type      Comment
        ---------       ----      -------
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin
        SYSVOL          Disk      Logon server share
        NETLOGON        Disk      Logon server share
OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------


      2.3.2. Check that winbind is ready

wbinfo -t    Verify the connection (trust secret) to the domain
wbinfo -u    List all users in AD
wbinfo -g    List all groups in AD

        2.3.3. Hints

Write down the Domain/Username separator (winbind separator = /).
Switch off default domain additions: winbind use default domain = no

3. Squid installation and configuration

Authentication helper: ntlm_auth

  3.1. How to get an AD group SID (unfortunately I can't use just the group name; I'll check later)

wbinfo -n "HERRING/internet"
S-1-5-21-2676649608-1390561597-1820524224-1106 Domain Group (2)

Copy the SID and insert it into squid.conf.
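The SID-to-helper step above, as an added example that is not from the original post: it parses one line of wbinfo -n output (the sample is constructed from the post's own result; wbinfo is not executed), checks that the object really is a domain group, and builds the two auth_param lines for squid.conf. The SID is the stable choice because it survives a group rename, which the group-name form does not.

```python
import re

# Added example, not from the original post: parse one line of
# `wbinfo -n "DOMAIN/group"` output and build the ntlm_auth helper lines
# for squid.conf. The sample below is constructed from the post's own
# wbinfo result; wbinfo itself is not executed here.
SAMPLE_WBINFO_OUTPUT = (
    "S-1-5-21-2676649608-1390561597-1820524224-1106 Domain Group (2)\n"
)

# Domain SID layout: S-1-5-21-<3 sub-authorities>-<RID>; the RID is captured.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d{1,10}){3}-(\d{1,10})$")


def parse_wbinfo_name(output):
    """Return (sid, sid_type) from a line such as the one above.

    Raises ValueError when the object is not a domain group: a SID outside
    the S-1-5-21 domain range (e.g. a BUILTIN group) or a non-group object
    would not restrict access to the intended AD group.
    """
    parts = output.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("unexpected wbinfo output: %r" % output)
    sid, sid_type = parts
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError("not a domain SID: %r" % sid)
    if not sid_type.startswith("Domain Group"):
        raise ValueError("not a domain group: %r" % sid_type)
    return sid, sid_type


def helper_lines(sid, helper="/usr/bin/ntlm_auth"):
    """Build the ntlm and basic auth_param lines restricting access to `sid`."""
    flag = "--require-membership-of=" + sid
    return [
        "auth_param ntlm program %s --helper-protocol=squid-2.5-ntlmssp %s"
        % (helper, flag),
        "auth_param basic program %s --helper-protocol=squid-2.5-basic %s"
        % (helper, flag),
    ]


if __name__ == "__main__":
    group_sid, _ = parse_wbinfo_name(SAMPLE_WBINFO_OUTPUT)
    print("\n".join(helper_lines(group_sid)))
```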


    3.2. Squid AD domain authorization

squid.conf:

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

auth_param ntlm program ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour

#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --require-membership-of='HERRING/internet'
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --debug-level=10 --require-membership-of='HERRING/internet'
# REM: for stable work I use SID instead of group name
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --require-membership-of=S-1-5-21-2676649608-1390561597-1820524224-1106
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --debug-level=10 --require-membership-of=S-1-5-21-2676649608-1390561597-1820524224-1106

# The following settings for test only
cache_peer 192.168.7.198 parent 3128 0 no-query
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_reply_access allow all
icp_access allow all
coredump_dir /var/cache/squid
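An added example, not from the original post, of how Squid evaluates the http_access lines above: the first line whose ACLs all match decides, and if nothing matches the result is the opposite of the last line. The test config declares Safe_ports, SSL_ports and CONNECT but only uses "authenticated", so the model compares that single rule with the conventional ordering that denies unsafe ports first; the requests are constructed.

```python
# Added example, not from the original post: a small model of how Squid 2.x
# evaluates http_access lines, used to compare the post's single rule with the
# conventional ordering that actually enforces the Safe_ports, SSL_ports and
# CONNECT ACLs the post declares but never references. Requests are constructed.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

# Each ACL is a predicate over a request dict; a leading "!" in a rule negates it.
ACLS = {
    "all": lambda r: True,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "authenticated": lambda r: r["authenticated"],
}


def http_access(rules, request):
    """Decide "allow" or "deny" for request under a list of (action, [acl, ...]).

    Squid semantics: the first line whose ACLs all match decides; if no line
    matches, the result is the opposite of the last line's action.
    """
    for action, acl_names in rules:
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The post's rule set: one line, so unauthenticated requests fall to the
# implicit default (deny), but any port is reachable once authenticated.
POST_RULES = [("allow", ["authenticated"])]

# Conventional ordering: reject unsafe ports before the authenticated allow.
HARDENED_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["authenticated"]),
    ("deny", ["all"]),
]


def compare(method, port, authenticated):
    """Return (post_decision, hardened_decision) for one constructed request."""
    req = {"method": method, "port": port, "authenticated": authenticated}
    return http_access(POST_RULES, req), http_access(HARDENED_RULES, req)


if __name__ == "__main__":
    for case in [("GET", 80, True), ("GET", 80, False), ("CONNECT", 443, True),
                 ("CONNECT", 25, True)]:
        print(case, compare(*case))
```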
