[squid-users] Informal HOWTO - transparent authentication and optional outbound web filtering using Samba 3.0.13, Squid 2.5.STABLE7, SmartFilter 4.01, RedHat 9.0 in a Win2003 AD domain

From: Greg Scott <GregScott@dont-contact.us>
Date: Tue, 5 Apr 2005 07:35:07 -0500

Thanks to everyone for all the help getting this done. As promised,
here are the detailed notes I put together. These step by step
instructions should work starting with a raw RedHat Linux 9.0 system.

- Greg Scott
  GregScott@InfraSupportEtc.com

These are step by step instructions for how to install and configure the
Squid
proxy server with transparent authentication for users in a Microsoft AD
domain,
optionally using SmartFilter from Secure Computing to support outbound
web filtering.

This was tested in two Windows 2003 AD domains, one with SmartFilter,
the other
without SmartFilter.

These instructions use the following versions of these packages:

RedHat Linux 9.0 with various kernels from kernel.org
MIT Kerberos 1.4 built from source
Samba 3.0.13 built from source
Squid 2.5.STABLE7 built from sourc
SmartFilter 4.01 from Secure Computing (optional)

Note that it may be easier to do all this starting with fc3 or fc4 as a
base. However,
as of this writing (April 5, 2005) SmartFilter only supports RH 9.0 and
does not yet
support any of the Fedora Core releases.

************************************************************************
*******************
First, install and test Squid without any authentication:

See the notes in Chapter 4 of the Smartfilter 4.01 Installation Guide
PDF file
for the recommended way to build Squid.

For Squid-specific documentation, see this URL:
http://squid-docs.sourceforge.net/latest/html/x354.html (This may be
obsolete)

cd /usr/local
mkdir squid
mkdir squid/src

Put a copy of squid-2.5.STABLE7.tar.gz into /usr/local/squid/src
cp squid-2.5.STABLE7.tar.bz2 /usr/local/squid/src

Now extract and build it.

cd /usr/local/squid/src
bunzip2 squid-2.5.STABLE7.tar.bz2
tar -xvf squid-2.5.STABLE7.tar

cd /usr/local/squid/src/squid-2.5.STABLE7
./configure --enable-async-io --prefix=/usr/local/squid

(Note that the --enable-async-io is not in the Smartfilter
documentation.)

(lots of output)

make all
make install

(lots more output and a few minutes)

Create a user and group called squid, make it the owner of all squid
stuff
/usr/sbin/useradd squid
cd /usr/local
chown -R squid squid
chgrp -R squid squid

Now edit the squid.conf file

********* From the Squid documentation but not Smartfilter

/usr/local/squid/etc/squid.conf common parameters:
    http_port leave as default
    cache_mgr email settings
    cache_effective_user squid
    cache_effective_group squid
    ftp_user Leave alone for now
    visible_hostname Set this to the IP hostname

Search for "INSERT YOUR OWN RULE" and put in an appropriate ACL entry
for the internal network, like this:

# Exampe rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks

acl greg_network src 10.10.10.0/24 127.0.0.1/32
http_access allow greg_network

# And finally deny all other access to this proxy
http_access deny all

To Run Squid in a transparent mode, enable the following directives in
Squid.conf.
(See http://squid.visolve.com/white_papers/trans_caching.htm)

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

***************** Now from SmartFilter documentation
Make sure of these parameters:

cache_mem 8MB
cache_dir /usr/local/squid/cache 100 16 256

Change http_access deny all to http_access allow all. (May not need
this!)

Uncomment the cache_effective_user "username" statement and change
"username to "squid" to match the user/group created above.

Uncomment the "cache_effective_group" statement and use "squid" as the
group name.

************ More settings
Squid won't start unless you set this setting:
visible_hostname host.domain

Now run squid for the first time

/usr/local/squid/sbin/squid -z (To create swap directories)
/usr/local/squid/sbin/squid -N -d 1 (To run for the first time at the
                                     terminal window.)
   -N means No daemon mode
   -d 1 means debug level 1

(Note that Squid 2.5.n uses sbin instead of bin for the squid
executable.)

Squid will be running in a terminal window.

Startup another terminal window and do this:
        telnet localhost 3128
        get http://www.infrasupportetc.com HTTP/1.0 (Press "Enter"
twice)

HTML should come back from that website.

If any errors come back, shut down Squid, like this:
/usr/local/squid/sbin/squid -k shutdown

Fix the errors and repeat. The problem is likely a parameter in
squid.conf.

Startup squid for production like this: /usr/local/squid/sbin/squid

Shutdown squid like this:
/usr/local/squid/sbin/squid -k shutdown

************************************************************************
****************
Now that Squid works, integrate the optional SmartFilter plugin for
outbound web filtering

Download the SmartFilter binary and save a copy in /home/gregs or
someplace convenient.

cd /usr/local/squid/src
cp /home/gregs/sf401_redhat_squid.bin ./
chmod 700 sf401_redhat_squid.bin
./sf401_redhat_squid.bin

See sf401install_guide.pdf for detailed installation instructions.

After running the install program, rebuild squid, like this:
cd /usr/local/squid/src/squid-2.5.STABLE7
./configure --enable-smartfilter
make clean
make all
make install

Also add the following lines to squid.conf:

smartfilter_state on
smartfilter_config /usr/local/squid/etc/config.txt

For LDAP support, see the SmartFilter Installation Guide. Add these
additional lines to squid.conf (Note, no line continuation characters):
smartfilter_userinfo_program /usr/local/squid/libexec/sf_userinfo -f
/usr/local/squid/etc/config.txt
smartfilter_userinfo_children 5

Now start squid like this:
/usr/local/squid/sbin/squid

Also, be sure to start the sfagent program, like this:
/usr/local/squid/etc/sfagent

You need this program running so the Admin Server can communicate with
it.
This is not documented in any of the SmartFilter documentation.

Put the reference to these programs in rc.local or other convenient
startup location.

Now install the SmartFilter admin server and console on a Windows
System. Register the
appropriate serial number on the Secure Computing website and set up
regular control list
downloads. See the SmartFilter Installation Guide for details.

************************************************************************
****************
Now the fun part. Time to integrate Samba and set up AD authentication

For Squid authentication with an Active Directory domain, we need Samba,
set
up with Kerberos.

Redhat Linux 9.0 ships with Kerberos version 5, revision 1.2.7-10.
Unfortunately,
we need at least rev 1.3 to work with Windows 2003. See this URL for a
discussion:
http://lists.samba.org/archive/samba/2004-July/090137.html

The fc3 RPM directory has krb5 rev 1.3 RPMs. Unfortunately, several
dozen
components in RedHat 9.0 depend on the 1.2.7 RPMs installed, especially
the Kerberos libraries. So the krb5 rev 1.3 RPMs are worthless in this
case.

We need to build a copy of Kerberos from source and put it in an
alternate
directory. Then we'll build a copy of Samba using this Kerberos build.

We get the latest and greatest Kerberos from MIT.

For the MIT Kerberos download, see:
http://web.mit.edu/kerberos/www/

FOr release notes, see:
http://web.mit.edu/kerberos/www/krb5-1.4/README-1.4.txt

FOr the Installation Guide see:
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4/doc/krb5-install.html#
Building%20Kerberos%20V5

Download and save a copy of krb5-1.4-signed.tar from the MIT Kerberos
website.

Put a copy of the download into /usr/src
cp krb5-1.4-signed.tar /usr/src

Do this to unpack the download.
cd /usr/src
tar -xvf krb5-1.4-signed.tar

This extracts these two files:
krb5-1.4.tar.gz - the actual software
krb5-1.4.tar.gz.asc - a signature

Now do this to unpack the Kerberos software:
tar -xvzf krb5-1.4.tar.gz

Now build it. By default, Kerberos will install the package's files
rooted
at `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. (Pasted
from
the Installation Guide). We will need this later on when we build
Samba.

cd /usr/src/krb5-1.4
cd src
./configure
make
make install

Some notes:

Make sure /etc/hosts has the FQDN of this system in place, similar to
below:

[root@squidtest src]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 squidtest.infrasupportetc.com
localhost.localdomain localhost
10.10.10.2 squidtest.infrasupportetc.com

Test the build like this:

cd /usr/src/krb5-1.4/src
make check

Fix any problems it calls out and keep running until it finishes
cleanly.

************************************************************************
***************************
Now to build Samba from source to take advantage of the newest Kerberos

Download samba-3.0.13.tar.gz from here:
http://us4.samba.org/samba/

Put the saveset in the source directory:
cp samba-3.0.13.tar.gz /usr/src

Unpack it
cd /usr/src
tar -xvzf samba-3.0.13.tar.gz

Now build it with the Kerberos flavor installed earlier
cd /usr/src/samba-3.0.13/source
./configure --with-ads --with-krb5=/usr/local
make
make install

************************************************************************
**************************
Configure Samba to work with Kerberos

Set up smb.conf and krb5.conf.
(The paths are /usr/local/samba/lib/smb.conf and /etc/krb5.conf.)

(Extracted from the email Chris Cinnamo from Secure Computing sent.)

Edit /usr/local/samba/lib/smb.conf
----------------------------------

smb.conf

realm = <YOUR DOMAIN> ex. support.com
workgroup = <DOMAIN> ex. support
security = ADS
encrypt passwords = yes
password server = 192.168.100.12

# idmap uid and idmap gid are aliases for
# winbind uid and winbid gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

[test]
comment = Samba functionality test directory
path = /home/ryan/
read only = no
browsable = yes
writable = yes
guest ok = yes
valid users = @SUPPORT\"Domain Users"

------------------------------------

/etc/krb5.conf should look like this:
(Note that Kerberos uses realms named the same as the AD domain name.
BUt --IMPORTANT-- the realm name must be in all UPPER CASE. So
infrasupportetc.com becomes INFRASUPPORTETC.COM)

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = INFRASUPPORTETC.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 INFRASUPPORTETC.COM = {
  kdc = 10.10.10.100:88
  admin_server = 10.10.10.100:749
  default_domain = INFRASUPPORTETC.COM
 }

[domain_realm]
 .infrasupportetc.com = INFRASUPPORTETC.COM
 infrasupportetc.com = INFRASUPPORTETC.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Add following entries in nssswitch.conf:

  passwd: files winbind
  group: files winbind

Samba uses a daemon called winbindd that handles the authentication
between Windows and Linux.
When a Windows system tries to look at a share on the Samba server, it
passes credentials.
The Samba server needs to know where to look to validate the
credentials. The above entries
tell the Samba server to first check the local passwd file and if not
there, then have Winbindd
look back in the Windows AD. It turns out, there is more to the story.
In order for the Samba
server to have a clue how to tell winbindd what to do, we need to put
some Samba libraries in
the right place. As of 4/3/2005, the documentation in the
Samba-HOWTO-Collection is wrong.
Use this script provided by Doug VanLeuven to set up the libraries:

#!/bin/sh

# Save this script in /home/gregs or someplace convenient.
# cd /usr/src/samba-3.0.13/source and run this script from there.

echo "Copying nsswitch modules to system library"

CWD=`pwd`

cd /lib
rm -f libnss_winbind.so libnss_winbind.so.1 libnss_winbind.so.2
rm -f libnss_wins.so libnss_wins.so.1 libnss_wins.so.2
cd /usr/lib
rm -f libnss_winbind.so libnss_wins.so

cd $CWD
cp -f nsswitch/libnss_winbind.so /lib
cp -f nsswitch/libnss_wins.so /lib

cd /lib
ln -sf libnss_winbind.so libnss_winbind.so.1
ln -sf libnss_winbind.so libnss_winbind.so.2
ln -sf libnss_wins.so libnss_wins.so.1
ln -sf libnss_wins.so libnss_wins.so.2

cd /usr/lib
ln -sf ../../lib/libnss_winbind.so libnss_winbind.so
ln -sf ../../lib/libnss_wins.so libnss_wins.so

/sbin/ldconfig

Here is Doug's explanation for this script:

> I made this script to update the library after each samba build. Run
it from the samba
> source directory. Should be more robust about the source dir, but I'm
the only one who
> uses it. Remove the libnss_wins.so lines if you don't use it.
Probably don't need
> the .1 links, but I was shotgunning in the beginning and never went
back. The version
> number X is 1 for glibc 2.0 and 2 for glibc 2.1. I have some old
stuff.

We need a place for log files. The smb.conf template points here:
mkdir /var/log/samba

(Also look in the already existing directory, /usr/local/samba/var for
logfiles.)

Since we are building from source, we need a script to fire up the
daemons, like this:

#!/bin/sh
/usr/local/samba/sbin/nmbd
/usr/local/samba/sbin/smbd
/usr/local/samba/sbin/winbindd

Save this script someplace convenient, perhaps /firewall-scripts.

Now join this system to the Win2003 domain. Here is an extract:

[root@infra-fw gregs]# /usr/local/samba/bin/net ads join -S 10.10.10.100
-U administrator
administrator's password:
Using short domain name -- INFRASUPPORTETC
Joined 'SQUIDTEST' to realm 'INFRASUPPORTETC.COM'

Here are a few useful commands for testing:

kinit username@DOMAIN.SUFFIX Use Kerberos to get a ticket (prompts
for password)
klist -e Lists cached kerberos tickets

/usr/local/samba/bin/wbinfo -t Check the trust relationship
/usr/local/samba/bin/wbinfo -g Enumerate groups in the AD domain
/usr/local/samba/bin/wbinfo -u Enumerate users in the AD domain

/usr/local/samba/bin/testparm Checks the syntax for smb.conf
/usr/local/samba/bin/testparm -sv Shows all the Samba parameters,
                                        including default options.

The following examples will be useful later. Squid will use this Samba
program as an
authentication helper.

[root@squidtest etc]# /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
infrasupportetc\username badpassword
ERR
infrasupportetc\username goodpassword
OK

The following also returns output, but testing from the keyboard has no
value:

/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

You can also test the authentication helper like this:

/usr/bin/ntlm_auth --username=[username]

[root@Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
[root@Stylmark-fw etc]#
[root@Stylmark-fw etc]#
[root@Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
password:
NT_STATUS_OK: Success (0x0)

************************************************************************
***************************
Now rebuild Squid
(The following modified from the explanation from Secure Computing Tech
Support)

cd /usr/local/squid/src/squid-2.5.STABLE7
./configure \
        --enable-smartfilter \
        --enable-async-io \
        --enable-linux-netfilter \
        --enable-underscores \
        --prefix=/usr/local/squid \
        --enable-auth="ntlm,basic" \
        --enable-external-acl-helpers="wbinfo_group" \
        --enable-delay-pools \
        --with-samba-sources=/usr/src/samba-3.0.13

Note that the wbinfo_group switch doesn't seem to be important. These
switches:
# --enable-external-acl-helpers="winbind_group" \
# --enable-ntlm-auth-helpers="winbind" \
# --enable-basic-auth-helpers="winbind" \

cause the "make all" command below to blow up.

For Samba 3.n, Squid will use the authentication helpers with Samba. No
need to build any Squid
authentication helpers. In fact, the squid FAQ says it won't work with
Samba 3.0 and tests with
the above configure switches prove that. See:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#winbind

Finish rebuilding squid like this:

make clean
make all
make install

Edit /usr/local/squid/etc/squid.conf and search for this string:

        TAG: auth_param

Skip down through the explanatory comments and put in the following
changes in this order:

auth_param ntlm program /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Note that the template squid.conf file has several references to
auth_param basic above the
auth_param ntlm lines. Comment these out, so that the above lines are
what are really in
squid.conf. I ran into nasty problems when I forgot to comment out some
auth_param basic
lines above the auth_param ntlm lines.

Here is an explanation from Henrik Nordstrom for why squid.conf needs
these lines in this order:

> You need both sections to support all browsers. Not all browsers
support NTLM.
>
> You need them in specific order (ntlm first) because MSIE is broken
and always selects the
> first advertised authentication scheme even if the standard clearly
says it should select
> the strongest authentication scheme.

Now search for:
        TAG: http_access

Find "INSERT YOUR OWN RULE(S) HERE" and put in this acl entry

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

Comment out any acls providing access to anyone in the local network.
The above ACL forces
people to authenticate.

Be sure this section ends with a line that looks like this:

        http_access deny all

Save your edits.

Change group ownership for the Samba winbindd files:
chgrp squid /usr/local/samba/var/locks/winbindd_privileged -R

change file ownership on squid files:
cd /usr/local/squid
chown squid.squid * -R

Create cache dirs and then start squid:
su squid

/usr/local/squid/sbin/squid -z

killall -name squid -9

/usr/local/squid/sbin/squid

-----------------------------------

from a pc logged into AD you should now be able to point IE to your
squid proxy
and NOT be prompted for username and password

-----------------------------------
Received on Tue Apr 05 2005 - 06:35:12 MDT

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:03 MDT