I would normally log on and install ssh and vim to make life a little easier:
# apt-get install ssh vim

Samba
We will need to install samba, winbind and the Kerberos client to get authentication working with Active Directory:
# apt-get install samba winbind krb5-user
If the Samba server configuration asks you for a "Workgroup/Domain name" you can use the short name you specified for the domain when you created it, but as we will replace this file shortly it doesn't actually matter what you put.
Now run the re-configuration for krb5-config:
# dpkg-reconfigure krb5-config
Answer the prompts as follows:
Default Kerberos version 5 realm: <FQDN for your AD domain in caps>
Add the Kerberos server names for your domain: yes
Kerberos servers for your realm: <FQDN of your primary domain controller>
Administrative server for your Kerberos realm: <FQDN of your primary domain controller>
We can test that Kerberos is working by running the kinit command. The format of the command is:
kinit <username>@<FQDN for your AD domain in caps>
So, for example, if the FQDN of our domain is test.local and we are using the administrator account we would type:
kinit administrator@TEST.LOCAL
The realm is case-sensitive and must be given in upper case. If all is well it will ask for the password for the above account; if it accepts the password it simply returns you to the prompt (klist will then show the ticket), and if something is amiss it reports an error. This is also a check that the clock on this machine is within a few minutes of the domain controller's, because Kerberos rejects requests with a large clock skew.
Move the /etc/samba/smb.conf file somewhere safe:
# mv /etc/samba/smb.conf /etc/samba/smb.old.conf
Create a new /etc/samba/smb.conf containing the following:
[global]
netbios name = <this machine name>
workgroup = <short name for your domain>
password server = <FQDN for your domain controller>
realm = <FQDN for your domain in caps>
security = ads
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = yes
The realm must match the Kerberos realm configured above. security = ads makes Samba authenticate against Active Directory using Kerberos. The winbind uid/gid lines are the local UID/GID range that domain users and groups are mapped into (newer Samba releases spell these as idmap config ranges; running testparm will warn you about deprecated parameter names). winbind separator = + means a domain user is written as DOMAIN+user, which is the form the ntlm_auth arguments below use.
Restart the samba services:
# /etc/init.d/samba restart ; /etc/init.d/winbind restart
Join the Active Directory domain with:
# net ads join -U administrator
Any account that is allowed to join computers to the domain will do; you will be prompted for its password. If you receive a "DNS update failed" error the join itself has still succeeded, but you should manually add an A record for this server on the DNS server for the domain.
Restart the samba services again:
# /etc/init.d/samba restart ; /etc/init.d/winbind restart
Check that the following commands return success:
# wbinfo -t
Verifies the machine trust account secret with the domain controller (it should report that checking the trust secret succeeded).
# wbinfo -u
Lists the domain users winbind can see.
# wbinfo -g
Lists the domain groups.
Note that getent will not show domain accounts until winbind is also added to /etc/nsswitch.conf; that is not required for the Squid setup below, because ntlm_auth talks to winbind directly.
Squid
Install the squid packages:
# apt-get install squid
Copy the squid.conf somewhere safe:
# cp /etc/squid/squid.conf /etc/squid/squid.conf.old
Edit /etc/squid/squid.conf and uncomment (remove the hash from) the following line:
#http_access allow localnet
Assuming you are using an RFC1918 address range on your network (the default localnet ACL covers the RFC1918 ranges) this will allow you to use the proxy. Save the file and restart squid with:
# /etc/init.d/squid restart
Log in to a domain-joined Windows box as a domain user (ideally one you will put in the internet access group chosen in the next step, so you can reuse the same box for the authenticated test later). Set the browser to use squid as its proxy server (squid listens on port 3128 by default) and see if you can get to the internet. If not, concentrate on getting squid working as a simple proxy before you add authentication into the mix.
You will need to choose or create a security group within your Active Directory domain that decides which users can authenticate with squid. I have chosen the group named inetaccess (a single word, so we don't have to deal with spaces in the group name) and added as members all the users I want to give internet access to.
Edit squid.conf with the following changes.
Add the following auth_param section:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=<short name of the domain>+inetaccess
auth_param ntlm children 5
If you want basic authentication as well (very insecure, because the browser sends the username and password in the clear on every request, but handy as a fallback for clients that cannot do NTLM) then you will also need the following auth_param section:
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=<short name of the domain>+inetaccess
auth_param basic children 3
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours
The --require-membership-of argument makes the helper reject anyone who authenticates but is not in the group, so membership of inetaccess, not just a valid domain account, controls access. You can exercise the helper on its own before involving squid: running ntlm_auth with --username=<user> and the same --require-membership-of argument prompts for the password and reports NT_STATUS_OK: Success when the user authenticates and is in the group, which separates Samba/winbind problems from squid problems.
To stop your client IP addresses leaking out of the proxy (squid otherwise adds an X-Forwarded-For header carrying the client's address to every outbound request), set forwarded_for to off:
forwarded_for off
Add the following after the existing acl entries:
acl users proxy_auth REQUIRED
Comment out (add a hash to the front of) the line we uncommented before, otherwise any machine on the local network is still let through without authenticating:
#http_access allow localnet
Add the following after the other http_access lines, but BEFORE http_access deny all (squid evaluates http_access rules in order and stops at the first match, so a rule placed after deny all is never reached):
http_access allow users
Restart squid:
# /etc/init.d/squid restart
Using the same domain-joined Windows box, logged on as the domain user you confirmed things were working with earlier (who must be a member of the group), check that you still have access. Then log on as a domain user who is not in the group and check that you are refused; if that user gets through, authentication is not actually being enforced.
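As an added example that is not part of the original post, the following shell script audits a squid.conf for the ordering mistakes that silently defeat the setup above: the proxy_auth ACL missing, http_access allow users placed after deny all, or http_access allow localnet still active ahead of the auth rule so that LAN clients are never challenged. It assumes the ACL names used in this post (users and localnet); the two sample configs it writes when run without arguments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit the http_access ordering in
# a squid.conf against the intended end state of the tutorial. Assumes the ACL
# names "users" (proxy_auth) and "localnet" used in the post.

# Print FAIL/WARN findings; return 0 only when authentication is enforced.
check_squid_auth_order() {
    awk '
    { sub("#.*", "") }                        # drop comments; awk re-splits $1..$n
    $1 == "acl" && $2 == "users" && $3 == "proxy_auth" && $4 == "REQUIRED" { have_acl = 1 }
    $1 == "http_access" { n++ }               # position of each active http_access rule
    $1 == "http_access" && $2 == "allow" && $3 == "users"    && !allow_users { allow_users = n }
    $1 == "http_access" && $2 == "deny"  && $3 == "all"      && !deny_all    { deny_all = n }
    $1 == "http_access" && $2 == "allow" && $3 == "localnet" { allow_localnet = n }
    END {
        rc = 0
        if (!have_acl)    { print "FAIL: acl users proxy_auth REQUIRED is missing"; rc = 1 }
        if (!allow_users) { print "FAIL: no active http_access allow users"; rc = 1 }
        if (!deny_all)    { print "FAIL: no active http_access deny all"; rc = 1 }
        if (allow_users && deny_all && allow_users > deny_all) {
            print "FAIL: allow users comes after deny all, so it is never reached"; rc = 1
        }
        if (allow_localnet && (!allow_users || allow_localnet < allow_users)) {
            print "FAIL: http_access allow localnet is active before the auth rule: LAN clients bypass authentication"; rc = 1
        } else if (allow_localnet) {
            print "WARN: http_access allow localnet is still active (the post comments it out)"
        }
        if (rc == 0) print "OK: proxy_auth is enforced before deny all"
        exit rc
    }' "$1"
}

# Constructed samples: "before" is a broken config (allow localnet still
# active, allow users after deny all), "after" is the final authenticated state.
write_samples() {
    cat >"$1" <<'EOF'
acl localnet src 10.0.0.0/8
acl users proxy_auth REQUIRED
http_access allow localnet
http_access deny all
http_access allow users
EOF
    cat >"$2" <<'EOF'
acl localnet src 10.0.0.0/8
acl users proxy_auth REQUIRED
#http_access allow localnet
http_access allow users
http_access deny all
EOF
}

if [ $# -gt 0 ]; then
    # usage: sh check_squid_auth.sh /etc/squid/squid.conf
    check_squid_auth_order "$1"
    exit $?
fi

# No argument: demonstrate on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp/before.conf" "$tmp/after.conf"
echo "== before.conf"; check_squid_auth_order "$tmp/before.conf"
echo "== after.conf";  check_squid_auth_order "$tmp/after.conf"
rm -rf "$tmp"
```

The check only looks at the three directives the post touches; it does not replace squid -k parse, which validates the syntax of the whole file, but it catches the one mistake squid will not complain about: a configuration that parses cleanly and still lets unauthenticated LAN clients through.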
Trouble shooting
If you are not sure why squid is not letting you through, change debug_options in squid.conf to:
debug_options ALL,1 33,8
Try the proxy again and then look through /var/log/squid/cache.log for clues as to what is going on (section 33 is squid's client-side code; section 29 covers the authentication helpers if you need more detail on the handshake itself). Turn the level back down afterwards, as level 8 is very verbose. If cache.log shows the ntlm_auth helper complaining that it cannot access the winbindd_privileged pipe, the user squid runs as (proxy on Debian) must be added to the winbindd_priv group, and winbind and squid restarted.
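As an added example that is not from the original post, here is a small shell triage of squid's access.log for authentication problems: a client that only ever receives TCP_DENIED/407 challenges has not completed the NTLM or basic handshake at all (the symptom of the LAN Manager policy gotcha below, or of a helper that cannot reach winbind), whereas a client that is challenged and then served has authenticated. The log lines it parses are constructed samples in squid's native access.log format; the client addresses and user name are made up.

```shell
#!/bin/sh
# Added example, not from the original post: summarise authentication outcomes
# per client from a squid access.log in native format, whose fields are
#   time elapsed client code/status bytes method URL user hierarchy/peer type
# Clients that only ever receive 407 never completed the NTLM/basic handshake.

auth_summary() {
    awk '
    {
        ip = $3
        split($4, s, "/"); status = s[2]        # e.g. TCP_DENIED/407 -> 407
        seen[ip] = 1
        if (status == 407) {
            chal[ip]++                          # challenge: no or rejected credentials
        } else {
            ok[ip]++                            # any non-407 reply passed the auth check
            if ($8 != "-") user[ip] = $8        # squid logs the authenticated user in field 8
        }
    }
    END {
        for (ip in seen) {
            if (ok[ip] > 0)
                verdict = "authenticated as " (user[ip] != "" ? user[ip] : "(user not logged)")
            else
                verdict = "never authenticates (only 407 challenges)"
            printf "%s challenges=%d served=%d %s\n", ip, chal[ip], ok[ip], verdict
        }
    }' "$1" | sort
}

# Constructed sample log: .20 completes the two-step NTLM exchange (two 407s,
# then a 200 with a user name); .21 loops on challenges and never gets through.
write_sample_log() {
    cat >"$1" <<'EOF'
1303129401.123     12 192.168.1.20 TCP_DENIED/407 3856 GET http://www.example.com/ - HIER_NONE/- text/html
1303129401.255     14 192.168.1.20 TCP_DENIED/407 3856 GET http://www.example.com/ - HIER_NONE/- text/html
1303129401.612    231 192.168.1.20 TCP_MISS/200 12044 GET http://www.example.com/ jsmith HIER_DIRECT/203.0.113.10 text/html
1303129402.001     11 192.168.1.21 TCP_DENIED/407 3856 GET http://www.example.com/ - HIER_NONE/- text/html
1303129402.130     12 192.168.1.21 TCP_DENIED/407 3856 GET http://www.example.com/ - HIER_NONE/- text/html
1303129402.260     12 192.168.1.21 TCP_DENIED/407 3856 GET http://www.example.com/ - HIER_NONE/- text/html
EOF
}

if [ $# -gt 0 ]; then
    # usage: sh squid_auth_triage.sh /var/log/squid/access.log
    auth_summary "$1"
    exit $?
fi

# No argument: demonstrate on the constructed sample.
tmp=$(mktemp -d)
write_sample_log "$tmp/access.log"
auth_summary "$tmp/access.log"
rm -rf "$tmp"
```

A healthy NTLM client shows a couple of challenges followed by served requests; a machine stuck on challenges with no served requests is the one to look at in cache.log with the debug level raised, or to check against the LAN Manager policy in the Gotchas below.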
Gotchas:
Windows machines on the Vista or Windows 7 code base (which includes Windows Server 2008 and 2008 R2) ship with a local policy that makes them send only NTLMv2 responses, and the NTLM handshake with squid can fail as a result. In the Local Security Policy console go to Local Policies -> Security Options -> "Network security: LAN Manager authentication level", set it to "Send LM & NTLM - Use NTLMv2 session security if negotiated" and reboot. Bear in mind that this is a downgrade: it allows the client to answer with LM and NTLMv1 responses, which are far weaker than NTLMv2, to every server it talks to and not just the proxy. Try the less permissive "Send NTLM response only" first, and before lowering the policy at all confirm on the Samba side (with the ntlm_auth helper and the winbind logs) that the NTLMv2 responses are really what is being rejected.
You can set this by group policy if you have a lot of machines to change; if you find that the setting is not taking effect, or reverts, a group policy is probably changing it back.