Howto: Single Sign On with Squid Proxy and Active Directory
Post by: tom on December 12th, 2007 | Filed under: Memento, Security | Tags: active directory, authentication, kerberos, single sign on, squid, username
Tested on: openSUSE 10.2, Squid 2.6 <-> Windows Server 2003
Goal: User authentication should be possible without an “extra login” on the squid proxy.

Here we go …
- First of all, disable nscd (name service cache daemon)!
- Install winbind, the samba client and the kerberos tools
In this test environment, the Domain is “D1COMP”; the realm is “D1COMP.LAN”
- Edit /etc/krb5.conf
[libdefaults]
default_realm = D1COMP.LAN
clockskew = 300
[realms]
D1COMP.LAN = {
kdc = 172.31.7.27 ## One of your Domain Controllers
default_domain = d1comp.lan
admin_server = 172.31.7.27
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.d1comp.lan = D1COMP.LAN
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
}
- Obtain a Kerberos ticket
# kinit Administrator@D1COMP.LAN
Password for Administrator@D1COMP.LAN:
#
- Check the Kerberos ticket
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@D1COMP.LAN
--------
Valid starting Expires Service principal
12/12/07 16:16:01 12/13/07 02:16:45 krbtgt/D1COMP.LAN@D1COMP.LAN
renew until 12/13/07 16:16:01
--------
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
- Adjust /etc/samba/smb.conf
[global]
workgroup = D1COMP
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = D1COMP.LAN
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
- Join the Active Directory
# net join -S d1comp -UAdministrator%Password
Using short domain name -- D1COMP
Joined 'SERVER' to realm 'D1COMP.LAN'
# /etc/init.d/winbind start
Starting Samba WINBIND daemon ... done
- Basic Check:
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -g
D1COMP\domain guests
D1COMP\domain users
D1COMP\...
- Check NTLM authentication support:
# wbinfo -a d1comp\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
ntlm_auth requires access to the privileged winbind pipe in order to function properly.
- Enable this by changing the group of the winbindd_privileged directory to the group you run Squid as (the cache_effective_group setting in squid.conf):
# chgrp squid /var/lib/samba/winbindd_privileged
- Edit squid.conf to enable both the winbind basic and NTLM authenticators. IE will use NTLM; everything else falls back to basic:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
##
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds
##
## acl entries to require authentication:
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
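A post-install check for the two Squid-facing steps above (the group change on winbindd_privileged and the basic/NTLM helper configuration), added here as an example; it is not part of the original post. It assumes GNU stat, the paths used in this howto (/var/lib/samba/winbindd_privileged, /usr/bin/ntlm_auth) and a Squid group named squid; the function names and the TEST_USER/TEST_PASS variables are this example's own. The helper round-trip speaks the squid-2.5-basic helper protocol, which is the same exchange Squid performs with the helper: one "username password" line in, a reply starting with OK or ERR out. The NTLM helper is not exercised here because NTLMSSP is a multi-step challenge/response that the browser drives.

```shell
#!/bin/sh
# Post-install checks for the winbind + ntlm_auth + Squid setup.
# Example code written for this howto, not from the original post.
# Assumed paths and names (override via environment):
PRIV_DIR="${PRIV_DIR:-/var/lib/samba/winbindd_privileged}"
SQUID_GROUP="${SQUID_GROUP:-squid}"   # must match cache_effective_group in squid.conf
BASIC_HELPER="${BASIC_HELPER:-/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic}"

# Return 0 when DIR is group-owned by GROUP and carries no "other" permission
# bits at all. ntlm_auth needs to reach the privileged pipe, so the Squid
# group must get in, but every other local account should stay locked out:
# the fix is chgrp (as in the howto) plus mode 750, never chmod 777.
# Uses GNU stat (-c %G / %a), so Linux is assumed.
check_privileged_dir() {
    dir=$1; group=$2
    [ -d "$dir" ] || return 1
    [ "$(stat -c %G "$dir")" = "$group" ] || return 1
    mode=$(stat -c %a "$dir")
    other=$(printf '%s' "$mode" | tail -c 1)   # last octal digit = "other"
    [ "$other" -eq 0 ] || return 1
}

# Speak the squid-2.5-basic helper protocol to HELPER: write one
# "username password" line, read one reply line, succeed only on "OK".
# The helper receives the password in clear text, which is exactly why
# basic is the fallback and NTLM the preferred path for IE in the howto.
basic_helper_check() {
    helper=$1; user=$2; pass=$3
    reply=$(printf '%s %s\n' "$user" "$pass" | $helper 2>/dev/null | head -n 1)
    case "$reply" in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

main() {
    rc=0
    if check_privileged_dir "$PRIV_DIR" "$SQUID_GROUP"; then
        echo "ok   $PRIV_DIR is group $SQUID_GROUP and closed to others"
    else
        echo "FAIL $PRIV_DIR: run 'chgrp $SQUID_GROUP $PRIV_DIR; chmod 750 $PRIV_DIR'"
        rc=1
    fi
    # Optional live round-trip through the helper with a test account
    # (TEST_USER is given as DOMAIN\user, the same form wbinfo -a expects).
    if [ -n "${TEST_USER:-}" ]; then
        if basic_helper_check "$BASIC_HELPER" "$TEST_USER" "${TEST_PASS:-}"; then
            echo "ok   basic helper accepted $TEST_USER"
        else
            echo "FAIL basic helper rejected $TEST_USER (is winbind running? try wbinfo -a)"
            rc=1
        fi
    fi
    return $rc
}

# The live checks only run when invoked as:  sh sso_check.sh check
case "${1:-}" in check) main ;; esac
```

Run it on the proxy as `sh sso_check.sh check`; add `TEST_USER='D1COMP\user' TEST_PASS=...` in the environment to also exercise the helper with a test account. A non-zero exit means one of the two steps above is still missing.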
This howto is no guarantee to get it working, but is more of a reminder for me :/
Special thanks to Adrian Chadd and the wiki @ squid-cache.org!
June 26th, 2008 at 1:30 pm
Surely you’d rather be using /usr/lib/squid/ntlm_auth rather than /usr/bin/ntlm_auth?
June 26th, 2008 at 11:30 pm
I used openSUSE 10.2 in this test environment and installed squid & co. out of the box ( -> I did _not_ install anything from source).
There, I didn’t have ntlm_auth @ /usr/lib/squid/ but at /usr/bin/ …
Thanks for the advice, anyway -> What distribution do you use?
June 27th, 2008 at 3:28 pm
Debian Etch, and thanks for the guide, clearly sorted my problems out!
June 28th, 2008 at 12:07 pm
Well I seem to have both lib/squid/ntlm_auth and usr/bin/ntlm-auth, either should work correctly?