ubuntu:squid:authenticate_using_active_directory

Differences

This shows you the differences between two versions of the page.

ubuntu:squid:authenticate_using_active_directory [2019/12/10 00:59] – created peter
ubuntu:squid:authenticate_using_active_directory [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Ubuntu - Squid - Authenticate using Active Directory ====== ====== Ubuntu - Squid - Authenticate using Active Directory ======
  
-Introduction+===== Introduction =====
  
-This wiki page covers setup of a Squid proxy which will seamlessly integrate with Active Directory using Kerberos, NTLM and basic authentication for clients not authenticated via Kerberos or NTLM.+Setup of a Squid proxy which will seamlessly integrate with Active Directory using Kerberos, NTLM and basic authentication for clients not authenticated via Kerberos or NTLM.
  
-    /!\ This configuration example appears to have been written for an Ubuntu installation and incompletely munged for someones idea of general useFile paths and account user/group names will depend on your operatig system+If you are running Debian or would like more verbose instructions including access groups this [[http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy|link]] may be of interest.
  
-If you are running Debian or would like more verbose instructions including access groups this link may be of interest.+----
  
-Example Environment+===== Example Environment =====
  
 the following examples are utilised, you should update any configuration examples with your clients domain, hostnames, IP's etc. where necessary. the following examples are utilised, you should update any configuration examples with your clients domain, hostnames, IP's etc. where necessary.
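Review bot: the removed caveat line ("This configuration example appears to have been written for an Ubuntu installation ... File paths and account user/group names will depend on your operating system") is the only place the page warns that `/etc/squid3`, the `proxy` group and the package names are distribution specific, and the new text drops it without a replacement; suggest keeping a one-line note to that effect under the new Introduction heading. The rewritten opening sentence ("Setup of a Squid proxy which will seamlessly integrate ...") is a fragment; "This page covers setup of a Squid proxy ..." reads as a sentence. In the unchanged context line, "the following examples are utilised" starts lowercase and "IP's" should be "IPs".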
Line 29: Line 29:
         HOSTNAME = dc2.example.local          HOSTNAME = dc2.example.local 
  
-Prerequisites+---- 
 + 
 +===== Prerequisites =====
  
 Client Windows Computers need to have Enable Integrated Windows Authentication ticked in Internet Options ⇒ Advanced settings. Client Windows Computers need to have Enable Integrated Windows Authentication ticked in Internet Options ⇒ Advanced settings.
  
-DNS Configuration+----
  
-On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works. Check that the proxy is using the Windows DNS Server for name resolution and update /etc/resolv.conf accordingly.+===== DNS Configuration ===== 
 + 
 +On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works.  Check that the proxy is using the Windows DNS Server for name resolution and update /etc/resolv.conf accordingly.
  
 Edit the file according to your network. Edit the file according to your network.
  
 +<file bash /etc/resolv.conf>
 domain example.local domain example.local
 search example.local search example.local
 nameserver 192.168.0.1 nameserver 192.168.0.1
 nameserver 192.168.0.2 nameserver 192.168.0.2
 +</file>
  
 Ping a internal and external hostname to ensure DNS is operating. Ping a internal and external hostname to ensure DNS is operating.
  
 +<code bash>
 ping dc1.example.local -c 4 && ping google.com -c 4 ping dc1.example.local -c 4 && ping google.com -c 4
 +</code>
  
 Check you can reverse lookup the Windows Server and the local proxy ip from the Windows DNS. Check you can reverse lookup the Windows Server and the local proxy ip from the Windows DNS.
  
 +<code bash>
 dig -x 192.168.0.1 dig -x 192.168.0.1
  
 dig -x 192.168.0.10 dig -x 192.168.0.10
 +</code>
  
 The ANSWER SECTION should contain the the DNS name of dc1.example.local and squidproxy.example.local. The ANSWER SECTION should contain the the DNS name of dc1.example.local and squidproxy.example.local.
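Review bot: `<file bash /etc/resolv.conf>` tags a resolver configuration as bash, which only affects highlighting but misleads the reader about the file type; `<file - /etc/resolv.conf>` (the dash disables highlighting) is the cleaner choice, and the same applies to the other config files wrapped in this change. The context lines still carry "Ping a internal" ("an internal") and "the the DNS name".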
Line 58: Line 68:
 Important: If either lookup fails do not proceed until fixed or authentication may fail. Important: If either lookup fails do not proceed until fixed or authentication may fail.
  
-NTP Configuration+---- 
 + 
 +===== NTP Configuration ===== 
 + 
 +Time needs to be synchronized with Windows Domain Controllers for authentication, configure the proxy to obtain time from them and test to ensure they are working as expected.
  
-Time needs to be syncronised with Windows Domain Controllers for authentication, configure the proxy to obtain time from them and test to ensure they are working as expected.+----
  
-Install and Configure Kerberos+===== Install and Configure Kerberos =====
  
 Install Kerberos packages - on Debian these are krb5-user libkrb53 Install Kerberos packages - on Debian these are krb5-user libkrb53
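Review bot: the NTP section gains a heading but still no configuration or check, unlike the DNS section above where every instruction got a `<code bash>` block; "test to ensure they are working as expected" gives the reader nothing to run. Since the page itself says time must be synchronized with the domain controllers for authentication to work, suggest showing the NTP server setting and the verification command in the same code-block style so a skew problem is caught before the Kerberos steps.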
Line 68: Line 82:
 Edit the file /etc/krb5.conf replacing the variables with the your domain and servers. Edit the file /etc/krb5.conf replacing the variables with the your domain and servers.
  
 +<WRAP warning>
 Important: If you only have 1 Domain Controller remove the additional kdc entry from the [realms] section, or add any additional DC's. Important: If you only have 1 Domain Controller remove the additional kdc entry from the [realms] section, or add any additional DC's.
 +</WRAP>
  
 Depending on your Domain Controller's OS Version uncomment the relevant Windows 200X section and comment out the opposing section. Depending on your Domain Controller's OS Version uncomment the relevant Windows 200X section and comment out the opposing section.
  
 +<file bash /etc/krb5.conf>
 [libdefaults] [libdefaults]
     default_realm = EXAMPLE.LOCAL     default_realm = EXAMPLE.LOCAL
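Review bot: `<file bash /etc/krb5.conf>` labels an INI-style Kerberos configuration as bash; `<file ini /etc/krb5.conf>` or `<file - /etc/krb5.conf>` highlights correctly. The context line "replacing the variables with the your domain and servers" still has the stray "the".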
Line 100: Line 117:
     .example.local = EXAMPLE.LOCAL     .example.local = EXAMPLE.LOCAL
     example.local = EXAMPLE.LOCAL     example.local = EXAMPLE.LOCAL
 +</file>
  
 +<WRAP important>
 Important notice: One should use "Windows 2008 with AES" if available. This is not just important for security reasons, but you might also experience problems when using the DNS name of the squid server instead of the IP address. Important notice: One should use "Windows 2008 with AES" if available. This is not just important for security reasons, but you might also experience problems when using the DNS name of the squid server instead of the IP address.
 +</WRAP>
  
 Example error messages regarding this issue may look like this: Example error messages regarding this issue may look like this:
  
 +<code>
 ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.' ERROR: Negotiate Authentication validating user. Error returned 'BH gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information.'
 +</code>
  
-Install Squid 3+---- 
 + 
 +===== Install Squid 3 =====
  
 We install squid 3 now as we need the squid3 directories available. Squid configuration takes places after authentication is configured. On Debian install the squid3 ldap-utils packages. We install squid 3 now as we need the squid3 directories available. Squid configuration takes places after authentication is configured. On Debian install the squid3 ldap-utils packages.
  
-Authentication+---- 
 + 
 +===== Authentication =====
  
 The Proxy uses 4 methods to authenticate clients, Negotiate/Kerberos, Negotiate/NTLM, NTLM and basic authentication. Markus Moellers negotiate_wrapper is used for the 2 Negotiate methods. The Proxy uses 4 methods to authenticate clients, Negotiate/Kerberos, Negotiate/NTLM, NTLM and basic authentication. Markus Moellers negotiate_wrapper is used for the 2 Negotiate methods.
  
-Kerberos+---- 
 + 
 +==== Kerberos ====
  
 Kerberos utilises msktutil an Active Directory keytab manager (I presume the name is abbreviated for "Microsoft Keytab Utility"). We need to install some packages that msktutil requires. On Debian install libsasl2-modules-gssapi-mit libsasl2-modules Kerberos utilises msktutil an Active Directory keytab manager (I presume the name is abbreviated for "Microsoft Keytab Utility"). We need to install some packages that msktutil requires. On Debian install libsasl2-modules-gssapi-mit libsasl2-modules
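Review bot: "Markus Moellers negotiate_wrapper" in the context line should be "Markus Moeller's negotiate_wrapper" (possessive). Inside the new `<WRAP important>` box the leading "Important notice:" now duplicates the box's own styling and could be dropped; wrapping the example error line in a bare `<code>` is right, since it is program output rather than a command.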
Line 123: Line 151:
 Initiate a kerberos session to the server with administrator permissions to add objects to AD, update the username where necessary. msktutil will use it to create our kerberos computer object in Active directory. Initiate a kerberos session to the server with administrator permissions to add objects to AD, update the username where necessary. msktutil will use it to create our kerberos computer object in Active directory.
  
 +<code bash>
 kinit administrator kinit administrator
 +</code>
  
 It should return without errors. You can see if you succesfully obtained a ticket with: It should return without errors. You can see if you succesfully obtained a ticket with:
  
 +<code bash>
 klist klist
 +</code>
  
 Now we configure the proxy's kerberos computer account and service principle by running msktutil (remember to update the values with yours). Now we configure the proxy's kerberos computer account and service principle by running msktutil (remember to update the values with yours).
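Review bot: "service principle" in the last context line should be "service principal" (the Kerberos term, matching the `-s HTTP/...` service principal name used in the next hunk); "succesfully" should be "successfully", and "kerberos" / "Active directory" are capitalized inconsistently across these lines.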
Line 139: Line 171:
 Execute the msktutil command as follows: Execute the msktutil command as follows:
  
 +<code bash>
 msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.example.local -k /etc/squid3/PROXY.keytab \ msktutil -c -b "CN=COMPUTERS" -s HTTP/squidproxy.example.local -k /etc/squid3/PROXY.keytab \
 --computer-name SQUIDPROXY-K --upn HTTP/squidproxy.example.local --server dc1.example.local --verbose --computer-name SQUIDPROXY-K --upn HTTP/squidproxy.example.local --server dc1.example.local --verbose
 +</code>
  
 Important: If you are using a Server 2008 domain then add --enctypes 28 at the end of the command Important: If you are using a Server 2008 domain then add --enctypes 28 at the end of the command
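Review bot: the `--enctypes 28` instruction for Server 2008 domains is left in prose after the code block, where it is easy to miss, and the value is never explained; suggest a second `<code bash>` block showing the full command with the option appended, and a cross-reference to the earlier "Windows 2008 with AES" notice so the krb5.conf section and the keytab encryption types are chosen together. A sentence reminding that `/etc/squid3` must already exist for `-k /etc/squid3/PROXY.keytab` (the reason Squid was installed first, as the page says) would also help.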
Line 148: Line 182:
 Set the permissions on the keytab so squid can read it. Set the permissions on the keytab so squid can read it.
  
 +<code bash>
 chgrp proxy /etc/squid3/PROXY.keytab chgrp proxy /etc/squid3/PROXY.keytab
 chmod g+r /etc/squid3/PROXY.keytab chmod g+r /etc/squid3/PROXY.keytab
 +</code>
  
 Destroy the administrator credentials used to create the account. Destroy the administrator credentials used to create the account.
  
 +<code bash>
 kdestroy kdestroy
 +</code>
  
 On the Windows Server reset the Computer Account in AD by right clicking on the SQUIDPROXY-K Computer object and select "Reset Account", then run msktutil as follows to ensure the keytab is updated as expected and that the keytab is being sourced by msktutil from /etc/krb5.conf correctly. This is not completely necessary but is useful to ensure msktutil works as expected. Then run the following: On the Windows Server reset the Computer Account in AD by right clicking on the SQUIDPROXY-K Computer object and select "Reset Account", then run msktutil as follows to ensure the keytab is updated as expected and that the keytab is being sourced by msktutil from /etc/krb5.conf correctly. This is not completely necessary but is useful to ensure msktutil works as expected. Then run the following:
  
 +<code bash>
 msktutil --auto-update --verbose --computer-name squidproxy-k msktutil --auto-update --verbose --computer-name squidproxy-k
 +</code>
  
 Note: Even though the account was added in capital letters, the --auto-update in msktutil requires the --computer-name to be lower case. Note: Even though the account was added in capital letters, the --auto-update in msktutil requires the --computer-name to be lower case.
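Review bot: `chgrp proxy` followed by `chmod g+r` only adds group read and never removes other-read, so if msktutil wrote the keytab under a permissive umask it stays readable by every local account; the keytab holds the proxy's service key, so suggest `chmod 640 /etc/squid3/PROXY.keytab` (owner root, group proxy) after the chgrp so the stated intent, "so squid can read it", also excludes everyone else.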
Line 165: Line 205:
 Add the following to cron so it can automatically updates the computer account in active directory when it expires (typically 30 days). Pipe it through logger so I can see any errors in syslog if necessary. As stated msktutil uses the default /etc/krb5.conf file for its paramaters so be aware of that if you decide to make any changes in it. Add the following to cron so it can automatically updates the computer account in active directory when it expires (typically 30 days). Pipe it through logger so I can see any errors in syslog if necessary. As stated msktutil uses the default /etc/krb5.conf file for its paramaters so be aware of that if you decide to make any changes in it.
  
 +<code bash>
 00 4  *         msktutil --auto-update --verbose --computer-name squidproxy-k | logger -t msktutil 00 4  *         msktutil --auto-update --verbose --computer-name squidproxy-k | logger -t msktutil
 +</code>
  
 Edit squid3's init script to export the KRB5_KTNAME variable so squid knows where to find the kerberos keytab. Edit squid3's init script to export the KRB5_KTNAME variable so squid knows where to find the kerberos keytab.
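Review bot: the crontab line in the new code block is missing time fields: `00 4  *         msktutil ...` has only minute, hour and day-of-month, so cron would read `msktutil` as the month field and reject the entry. A daily 04:00 run is `00 4 * * * msktutil --auto-update --verbose --computer-name squidproxy-k | logger -t msktutil`; if the line goes into `/etc/cron.d` rather than root's crontab it also needs the user field. In the context line, "automatically updates" should be "automatically update" and "paramaters" should be "parameters".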
Line 173: Line 215:
 Add the following configuration to /etc/default/squid3 Add the following configuration to /etc/default/squid3
  
 +<code bash>
 KRB5_KTNAME=/etc/squid3/PROXY.keytab KRB5_KTNAME=/etc/squid3/PROXY.keytab
 export KRB5_KTNAME export KRB5_KTNAME
 +</code>
  
-NTLM+---- 
 + 
 +===== NTLM =====
  
 Install Samba and Winbind. On Debian install samba winbind samba-common-bin Install Samba and Winbind. On Debian install samba winbind samba-common-bin
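Review bot: `===== NTLM =====` is a level-3 heading, but NTLM is one of the four methods listed under `===== Authentication =====`, and its sibling was given `==== Kerberos ====` (level 4) earlier in this same change; use `==== NTLM ====` so the two methods nest the same way. The `/etc/default/squid3` snippet matches the instruction that precedes it, but the line before that says "Edit squid3's init script" while the page actually edits the defaults file; "defaults file" would be more accurate.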
Line 182: Line 228:
 Stop the samba and winbind daemons and edit /etc/samba/smb.conf Stop the samba and winbind daemons and edit /etc/samba/smb.conf
  
 +<file bash /etc/samba.smb.conf>
 workgroup = EXAMPLE workgroup = EXAMPLE
 security = ads security = ads
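Review bot: the new file block is tagged `<file bash /etc/samba.smb.conf>`, but the path in the sentence above is `/etc/samba/smb.conf`; the dot should be a slash, otherwise the filename shown to readers is wrong. As with the other configuration files in this change, `bash` is not the right highlighter for smb.conf (`ini` would be).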
Line 191: Line 238:
 winbind enum users = yes winbind enum users = yes
 winbind enum groups = yes winbind enum groups = yes
 +</file>
  
 Now join the proxy to the domain. Now join the proxy to the domain.
Line 291: Line 339:
  
 https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
 +
 +http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy
  
ubuntu/squid/authenticate_using_active_directory.1575939543.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
