[squid-users] Squid 3.0 and Active Directory

Hi everyone,

I’m writing to you because I have a problem with squid 3.0.STABLE13. I have
installed squid on a Linux Centos 5.2 and I have Active Directory configured
on a Windows 2003Server. I would like allow the access to internet to the
users who are member of the “InternetAccess” group and deny the access for
others.
In order to achieve this I have configured Kerberos, samba, pam and winbind
then I joined my squid server on the domain. In the squid configuration I
have chosen to use the NTLM authentication.

I have 3 users for my test:

Admin (who is member of InternetAccess)
User1 (who is a domain account but not member of InternetAccess)
User2 (who is a local account of my pc-client)

The authentication work well because admin can go on internet after he is
logon on windows. When user2 try to go on internet a authentication is
required with an authentication window.
The problem appear with user1 who is supposed to don’t have an access to
internet, but after logon on windows he can go through.

This is my configuration :

======================================================================================
Squid.conf
======================================================================================

# proxy_port
http_port 3128

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apachee
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#Connexion
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic realm Squid Proxy

auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
--require-membership-of="mydomainname+InternetAccess"
auth_param basic children 5
auth_param basic realm Squid Proxy

#ACL
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl xptest src 10.100.30.0/255.255.255.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#Allow or deny rules. The order is important
#http_access allow manager localhost

http_access allow password
http_access allow xptest
http_access deny localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

coredump_dir /var/spool/squid

======================================================================================
krb5.conf
=======================================================================================

 [root_at_bblw093 etc]# vim /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY_DOMAIN_NAME
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MY_DOMAIN_NAME = {
  kdc = MY_DOMAIN_SERVER_IP:88
  admin_server = MY_DOMAIN_SERVER_IP_ADDRESS:749
  default_domain = MY_DOMAIN_NAME
  kdc = MY_DOMAIN_SERVER_IP_ADDRESS }

[domain_realm]
 . MY_DOMAIN_NAME = MY_DOMAIN_NAME
MY_DOMAIN_NAME = MY_DOMAIN_NAME

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

======================================================================================
smb.conf
======================================================================================
 [global]

security = ads
#netbios name = CENTOS
realm = MY_DOMAIN_NAME
password server = MY_DOMAIN_SERVER
workgroup = MY_NETBIOS_DOMAIN_NAME
idmap uid = 500-10000000
idmap gid = 500-10000000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
domain master = no

nsswitch.conf
======================================================================================
passwd: compat winbind files
shadow: compat winbind files
group: compat winbind files

passwd: compat winbind files
shadow: compat winbind files
group: compat winbind files
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus

======================================================================================
etc/pam.d/system-auth
======================================================================================

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth sufficient /lib/security/$ISA/pam_smb_auth.so use_first_pass
nolocal
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account sufficient /lib/security/$ISA/pam_krb5.so
account sufficient /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
======================================================================================

I don’t know where is the mistake, could you help me please?

Regards,

-- 
View this message in context: http://www.nabble.com/Squid-3.0-and-Active-Directory-tp22180799p22180799.html
Sent from the Squid - Users mailing list archive at Nabble.com.