Tested on: openSUSE 10.2, Squid 2.6 <-> Windows Server 2003
Goal: users should be authenticated to the Squid proxy without an “extra login” prompt (single sign-on against the Windows domain).
Here we go …
- First of all, disable nscd (name service cache daemon)!
- Install winbind, the Samba client and the Kerberos tools
In this test environment, the domain is “D1COMP” and the realm is “D1COMP.LAN”.
- Edit /etc/krb5.conf
[libdefaults]
default_realm = D1COMP.LAN
clockskew = 300
[realms]
D1COMP.LAN = {
kdc = 172.31.7.27 ## One of your Domain Controllers
default_domain = d1comp.lan
admin_server = 172.31.7.27
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.d1comp.lan = D1COMP.LAN
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
}
- obtain Kerberos ticket
# kinit Administrator@D1COMP.LAN
Password for Administrator@D1COMP.LAN:
#
- check Kerberos ticket
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@D1COMP.LAN
--------
Valid starting Expires Service principal
12/12/07 16:16:01 12/13/07 02:16:45 krbtgt/D1COMP.LAN@D1COMP.LAN
renew until 12/13/07 16:16:01
--------
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
- Adjust /etc/samba/smb.conf
[global]
workgroup = D1COMP
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = D1COMP.LAN
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
winbind refresh tickets = yes
- Join the Active Directory
# net join -S d1comp -UAdministrator%Password
Using short domain name -- D1COMP
Joined 'SERVER' to realm 'D1COMP.LAN'
# /etc/init.d/winbind start
Starting Samba WINBIND daemon ... done
- Basic Check:
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -g
D1COMP\domain guests
D1COMP\domain users
D1COMP\...
- Check that NTLM authentication through winbind works:
# wbinfo -a d1comp\\user%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
ntlm_auth requires access to the privileged winbind pipe in order to function properly.
- Enable this by changing the group of the winbindd_privileged directory to the group you run Squid as (the cache_effective_group setting in squid.conf):
chgrp squid /var/lib/samba/winbindd_privileged
- Edit squid.conf to enable both the winbind NTLM and basic authenticators. Internet Explorer will use NTLM; everything else falls back to basic:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
##
# Credentials past their TTL are removed from memory
authenticate_ttl 0 seconds
##
## acl entries to require authentication:
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
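As an added example (not part of the original howto), the following POSIX shell script packages the checks behind the steps above into functions: it compares the Kerberos realm in krb5.conf with the realm and security setting in smb.conf, verifies that the winbindd_privileged directory is group-owned by Squid's cache_effective_group, and speaks the squid-2.5-basic helper protocol to the configured helper over stdin, which is also why running ntlm_auth by hand with nothing on stdin appears to do nothing. The config contents, the realm values, the temporary directory and the stand-in ntlm_auth script it creates are all constructed for the demo; on a real box you would point the functions at the live files (assumed paths: /etc/krb5.conf, /etc/samba/smb.conf, /etc/squid/squid.conf, /var/lib/samba/winbindd_privileged and /usr/bin/ntlm_auth).

```shell
#!/bin/sh
# Preflight checks for the Squid + winbind single sign-on setup. Added
# example, not part of the original howto: the sample config files, the
# realm values and the fake helper built below are constructed for the demo.

# Value of "KEY = VALUE" in an ini-style file (krb5.conf, smb.conf);
# first match wins, surrounding whitespace stripped.
conf_value() {                      # conf_value FILE KEY
    awk -v key="$2" -F= '
        $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
        }' "$1"
}

# squid.conf uses "KEY VALUE" without "=": value of a simple directive.
squid_value() {                     # squid_value FILE KEY
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Path of the helper program configured for an auth scheme (ntlm or basic).
squid_helper() {                    # squid_helper FILE SCHEME
    awk -v s="$2" '$1 == "auth_param" && $2 == s && $3 == "program" { print $4; exit }' "$1"
}

# Check 1: Kerberos default_realm, Samba realm and security = ADS must agree,
# otherwise the join and the winbind lookups talk to different realms.
check_realms() {                    # check_realms KRB5CONF SMBCONF
    krb=$(conf_value "$1" default_realm)
    smb=$(conf_value "$2" realm)
    sec=$(conf_value "$2" security | tr '[:lower:]' '[:upper:]')
    [ -n "$krb" ] && [ "$krb" = "$smb" ] && [ "$sec" = "ADS" ]
}

# Check 2: the privileged winbind pipe directory must be group-owned by the
# group Squid runs as, or ntlm_auth cannot open the pipe and the helpers
# exit as soon as Squid starts them ("helpers are crashing too rapidly").
check_pipe_group() {                # check_pipe_group DIR SQUIDCONF
    want=$(squid_value "$2" cache_effective_group)
    have=$(ls -ld "$1" | awk '{ print $4 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Check 3: drive the helper the way Squid does. In squid-2.5-basic mode the
# helper reads "user password" lines on stdin and answers OK or ERR; with no
# stdin it simply blocks, which looks like "nothing happens".
probe_basic_helper() {              # probe_basic_helper HELPER USER PASSWORD
    [ -x "$1" ] || { echo "helper $1 is not executable"; return 1; }
    reply=$(printf '%s %s\n' "$2" "$3" | "$1" --helper-protocol=squid-2.5-basic | head -n 1)
    echo "$reply"
    [ "${reply%% *}" = "OK" ]
}

# Throwaway environment: constructed configs plus a stand-in ntlm_auth that
# accepts exactly one constructed user/password pair.
make_demo_env() {
    d=$(mktemp -d)
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
default_realm = D1COMP.LAN
[realms]
D1COMP.LAN = {
kdc = 172.31.7.27
}
EOF
    cat > "$d/smb.conf" <<'EOF'
[global]
workgroup = D1COMP
realm = D1COMP.LAN
security = ADS
EOF
    # cache_effective_group is set to our own group so the pipe check can
    # pass without root; on a real box it is the group Squid runs as.
    printf 'cache_effective_group %s\nauth_param basic program %s/ntlm_auth --helper-protocol=squid-2.5-basic\n' \
        "$(id -gn)" "$d" > "$d/squid.conf"
    mkdir "$d/winbindd_privileged"
    cat > "$d/ntlm_auth" <<'EOF'
#!/bin/sh
# Stand-in for ntlm_auth: one "user password" line in, OK or ERR out.
read -r user pass
if [ "$user" = "user" ] && [ "$pass" = "password" ]; then echo OK; else echo ERR; fi
EOF
    chmod +x "$d/ntlm_auth"
    echo "$d"
}

DEMO=$(make_demo_env)
HELPER=$(squid_helper "$DEMO/squid.conf" basic)
check_realms "$DEMO/krb5.conf" "$DEMO/smb.conf" && echo "realms agree" || echo "realm mismatch"
check_pipe_group "$DEMO/winbindd_privileged" "$DEMO/squid.conf" && echo "pipe group ok" || echo "pipe group wrong"
if probe_basic_helper "$HELPER" user password; then echo "helper accepted"; else echo "helper rejected"; fi
if probe_basic_helper "$HELPER" user wrong; then echo "helper accepted"; else echo "helper rejected"; fi
```

Against a real installation, replace the demo paths with the live files and run the three checks before touching Squid; a failing probe_basic_helper with a correct domain password usually means the pipe group or the helper path is wrong rather than the credentials.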
This howto is no guarantee that it will work for you; it is more of a reminder for me :/
Special thanks to Adrian Chadd and the wiki @ squid-cache.org!
Surely you’d rather be using /usr/lib/squid/ntlm_auth rather than /usr/bin/ntlm_auth?
I used openSUSE 10.2 in this test environment and installed squid & co. out of the box ( -> I did _not_ install anything from source).
There, I didn’t have ntlm_auth @ /usr/lib/squid/ but at /usr/bin/ …
Thanks for the advice, anyway -> What distribution do you use?
Debian Etch, and thanks for the guide, clearly sorted my problems out!
Well I seem to have both lib/squid/ntlm_auth and usr/bin/ntlm-auth, either should work correctly?
I configure krb5.conf, smb.conf, squid.conf, join AD, wbinfo -t and -a are OK but it is not possible to start squid: error in cache.log: WARNING: basicauthenticator exited
Too few basicauthenticator processes are running
FATAL: The basicauthenticator helpers are crashing too rapidly
when I tried to run /usr/bin/ntlm_auth nothing happens, no OK, no errors (I think this is ntlm_auth from samba)
environment: SAMBA 3.0.10, squid-2.6.STABLE16
Strange.. Which OS?
When I run /usr/bin/ntlm_auth -V i.e. it shows
Version 3.0.23d-..
Nicol – that can happen if it can’t execute the authenticator. Check for the correct path and spelling of the binary and check the permissions.
I’d also like to add that single sign-on does not work with Vista out of the box. You might want to read this page as well:
http://www.mail-archive.com/squid-users@squid-cache.org/msg58454.html