This should use basicmsntmultidomainauth instead. Pretty sure it also is missing a bunch of Perl dependencies. When you take a package written for Squid 3.3.x and use it for Squid 3.5.x, things break.
Squid is complicated. No sugarcoating here. It took us weeks to research and test it. It is very customizable, and once it's installed and en route, it's truly a thing of beauty.
In this how-to, I assume you have a fresh install of Debian with apache2 present and a default user called 'proxy'. This how-to comes as is, and if it saves someone a few grey hairs, then mission accomplished!
27 Steps total
Step 1: Installing dependencies for squid
sudo apt-get install samba krb5-user libpam-krb5 ntpdate winbind
Step 2: Synchronise the date between Debian and AD
sudo ntpdate name_of_your_AD
Step 3: Configure Kerberos by editing /etc/krb5.conf
[libdefaults]
default_realm = YOUR.DOMAIN
ticket_lifetime = 24h
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
YOUR.DOMAIN = {
kdc = AD.your.domain:88
admin_server = AD.your.domain:749
default_domain = YOUR.DOMAIN
}
[domain_realm]
.your.domain = YOUR.DOMAIN
your.domain = YOUR.DOMAIN
Note that the DES encryption types listed here are disabled by default in current Kerberos libraries and Windows domains; FRUX's comment below gives the rc4/aes enctype list that works with Windows 2008 R2 and later.
Step 4: Test Kerberos by generating a ticket
SQUID:~# sudo kinit administrateur
Password for administrateur@YOUR.DOMAIN:
If all went well you should get a response like this:
SQUID:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrateur@YOUR.DOMAIN
Valid starting     Expires            Service principal
01/18/11 17:49:33  01/19/11 03:49:36  krbtgt/YOUR.DOMAIN@YOUR.DOMAIN
        renew until 01/19/11 17:49:33
Step 5: Configure samba by editing /etc/samba/smb.conf
[global]
netbios name = SQUID
security = ADS
realm = YOUR.DOMAIN
password server = AD.YOUR.DOMAIN
workgroup = yourdomainname
encrypt passwords = yes
idmap uid = 10000-40000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
# stop the client from becoming domain master
domain master = no
local master = no
preferred master = no
os level = 17
domain logons = no
client ntlmv2 auth = yes
Step 6: Restart samba and winbind
/etc/init.d/samba restart
/etc/init.d/winbind restart
Step 7: Join your domain
sudo net ads join -S YOURAD.YOUR.DOMAIN -U administrator
At this point, I ran into an error saying that the DNS can't be updated. Don't waste time searching: it's a problem of rights on the /var/run/samba/winbindd_privileged directory.
Use vi to edit /etc/init.d/winbind and change line 33 to
chgrp proxy $PIDDIR/winbindd_privileged/ || return 1
and add a line afterwards
chown root $PIDDIR/winbindd_privileged/ || return 1
Next, restart winbind and all should be set.
Step 8: Install Squid3
apt-get install squid3
Step 9: Delete and recreate /etc/squid3/squid.conf with the following lines:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm YOURAD.YOUR.DOMAIN
#auth_param basic credentialsttl 2 hours
#### Access Control list definitions ###################
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl DHCP src 192.168.2.0/24 # your ip addresses
acl password proxy_auth REQUIRED
#acl YOUR_DOMAIN_NAME srcdomain your.domain
############## Authorization list #################
# The deny rules come first: http_access is evaluated top to bottom and the
# first match wins, so an "allow" placed above them would let an authenticated
# user reach any port.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
#http_access allow YOUR_DOMAIN_NAME
#http_access deny !YOUR_DOMAIN_NAME
http_access allow password
# lan-proxy and lan-test are not defined as acls above; define them before
# enabling these lines or squid refuses to start ("Bungled squid.conf").
#http_access allow lan-proxy
#http_access allow lan-test
http_access allow DHCP
#http_access allow password YOUR_DOMAIN_NAME
#http_access allow !YOUR_DOMAIN_NAME
#http_access allow DHCP
#http_access deny !password
http_access deny all
icp_access deny all
############# Proxy Port ################
http_port 8080
####### DON'T cache the following URLs ###
hierarchy_stoplist cgi-bin ?
############ Where to find the log files #########
access_log /var/log/squid3/access.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
log_mime_hdrs on
append_domain .your.domain
########### Cache directory ####################
coredump_dir /var/spool/squid3
#cache_dir ufs /var/spool/squid 200 16 256
cache_effective_user proxy
cache_effective_group proxy
cache_mgr you@your_email
store_avg_object_size 5 GB
cachemgr_passwd cachemgr all
cache_mem 2048 MB
maximum_object_size_in_memory 128 KB
maximum_object_size 16384 KB
###### Don't cache these pages ############
acl DYNAMIC_CONTENT urlpath_regex cgi-bin .cgi .pl .php3 .asp .php
# "no_cache deny" is the pre-3.x spelling of this directive; 3.x uses "cache deny"
cache deny DYNAMIC_CONTENT
########## Use SquidGuard as a redirection programme ###
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_children 5
# redirect_program is the old name for url_rewrite_program; do not set both
#redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
Step 10: Change rights attributes
chown -R proxy:root /var/log/squid
chown -R proxy:root /var/run/samba/winbindd_privileged
/etc/init.d/squid3 restart
Step 11: Test if Squid authenticates using NTLM
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
Next, type a domain user's name followed by their password, separated by a space:
user password
You will get a reply 'ok' if all is well, otherwise 'err'.
Step 12: Modify /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Step 13: Modify the following files:
/etc/pam.d/common-account:
account sufficient pam_winbind.so
account sufficient pam_unix.so
/etc/pam.d/common-auth:
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required pam_deny.so
/etc/pam.d/common-session:
session required pam_unix.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
/etc/pam.d/common-password:
password required pam_unix.so nullok obscure md5
Step 14: Modify line 33 of /etc/init.d/winbind
chgrp proxy $PIDDIR/winbindd_privileged/ || return 1
Step 15: Create /home/squid/kerb.sh and add the following;
#! /bin/sh
# Renews the proxy host's Kerberos ticket; kinit reads the password from stdin.
# This file holds a domain password, so it must not be world-readable.
echo 'domainpassword' | kinit administrator
Step 16: Make the script executable;
chmod +x kerb.sh
Step 17: Add the following lines to the crontab with the "crontab -e" command;
1 0 * * * /usr/sbin/ntpdate YOUR_AD
@reboot /usr/sbin/ntpdate YOUR_AD
0 7 * * * /home/squid/kerb.sh
@reboot /home/squid/kerb.sh
Step 18: Now we come to squidGuard and the Berkeley DB. First, let's install some dependencies
apt-get install bison flex gcc make ldap-utils libldap2-dev
Step 19: Download and install Berkeley DB and squidGuard
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz
wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz
tar zxvf db-xxxxxxx.tar.gz
cd db-xxxxxxx
cd build_unix
../dist/configure
make
make install
cd ../..   # back to the directory holding the downloads
tar -xvf squidGuard-1.4.tar.gz
cd squidGuard-1.4
./configure --with-squiduser=proxy --with-ldap=yes --with-db=/usr/local/BerkeleyDB.4.6/
make
make install
Step 20: Create a script to keep the blacklists up to date: "vim /home/squid/script/blacklist.sh"
#! /bin/sh
cd /usr/local/squidGuard/db || exit 1
if wget ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
then
rm -rf blacklists
tar -xvf blacklists.tar.gz
rm -rf blacklists.tar.gz
else
echo 'URL non-accessible'
exit 1
fi
The FTP server specified here is the University of Toulouse, France. They keep these lists up to date. If, however, there is an institution closer to you, feel free to modify it.
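As an added example that is not part of the original how-to (nor anything published by the Toulouse mirror), this is a hardened version of the Step 20 script: it verifies the downloaded archive before deleting anything, rejects an archive whose members would land outside the blacklists directory, and swaps the new lists in with a rename so a failed fetch never leaves squidGuard without lists. The mirror URL and directory are the how-to's; run it from cron with the extra argument 'update'.

```shell
#!/bin/sh
# Added example, not from the original how-to: a safer body for
# /home/squid/script/blacklist.sh. The how-to's script deletes the old
# "blacklists" directory before it knows whether the download is a valid
# archive, so a failed or truncated fetch leaves squidGuard with no lists.
# Here the archive is verified first and swapped in with a rename, so the
# old lists stay in place until the new ones are ready. Paths and the
# mirror URL follow the how-to; DB_DIR and LIST_URL can be overridden.

DB_DIR=${DB_DIR:-/usr/local/squidGuard/db}
LIST_URL=${LIST_URL:-ftp://ftp.univ-tlse1.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz}

# verify_archive ARCHIVE: returns 0 only if ARCHIVE is a readable gzip tarball
# whose members all live under a top-level "blacklists/" directory, with no
# absolute path or ".." component (a tarball from a mirror we do not control
# must not be able to write outside DB_DIR).
verify_archive() {
    members=$(tar -tzf "$1" 2>/dev/null) || return 1
    [ -n "$members" ] || return 1
    printf '%s\n' "$members" | while IFS= read -r m; do
        case $m in
            blacklists|blacklists/*) ;;     # expected layout
            *) exit 1 ;;                    # anything else: reject
        esac
        case $m in
            /*|../*|*/../*|*/..) exit 1 ;;  # path traversal: reject
        esac
    done
}

# install_blacklists ARCHIVE DBDIR: extracts a verified archive into a staging
# directory inside DBDIR, then replaces DBDIR/blacklists with it. Returns 1
# and leaves the existing lists untouched if the archive is rejected.
install_blacklists() {
    archive=$1 dbdir=$2
    verify_archive "$archive" || { echo "rejected archive: $archive" >&2; return 1; }
    stage=$(mktemp -d "$dbdir/.blacklists.XXXXXX") || return 1
    if ! tar -xzf "$archive" -C "$stage"; then
        rm -rf "$stage"
        return 1
    fi
    rm -rf "$dbdir/blacklists.old"
    if [ -d "$dbdir/blacklists" ]; then
        mv "$dbdir/blacklists" "$dbdir/blacklists.old"
    fi
    mv "$stage/blacklists" "$dbdir/blacklists" && rmdir "$stage"
}

# update_blacklists: fetch to a temp file, install, clean up. Returns non-zero
# (so cron mails the output) when the lists were not replaced.
update_blacklists() {
    tmp=$(mktemp) || return 1
    if wget -q -O "$tmp" "$LIST_URL" && install_blacklists "$tmp" "$DB_DIR"; then
        rm -f "$tmp"
        return 0
    fi
    echo 'blacklist download or verification failed; keeping existing lists' >&2
    rm -f "$tmp"
    return 1
}

# Run only when invoked as "blacklist.sh update" (e.g. from cron).
case ${1:-} in update) update_blacklists ;; esac
```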
Step 21: Add this script to your crontab
0 0 1,15 * * /home/squid/script/blacklist.sh
Step 22: Now we need a script that redirects users to a page that explains why they have been blocked.
sudo -s
cd /usr/src/
wget http://pixxlisation.net/public/images/informatique/SQUID_SQUIDGUARD/squidguard-simple.zip
unzip squidguard-simple.zip
mv squidGuard-simple.cgi /usr/lib/cgi-bin/
cd /usr/lib/cgi-bin/
chown www-data:www-data squidGuard-simple.cgi
chmod +x squidGuard-simple.cgi
Step 23: Edit the script to suit your needs (add your company's logo, for example)
Copy your logo to /var/www/logo.jpg
Change line 84 of squidGuard-simple.cgi to:
print '
Step 24: Move and modify your squidGuard.conf to /usr/local/squidGuard/squidGuard.conf
This file is to each his own. Just make sure you have the LDAP settings correctly configured;
# LDAP authentication configuration
ldapbinddn cn=administrator, ou=Tec, ou=Informatique, ou=MER - Merignac, ou=Utilisateurs, dc=your, dc=domain
ldapbindpass password
Also, when adding a group, use this LDAP syntax to get your group info from AD;
ldapusersearch ldap://ip_of_AD:3268/dc=exemple,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Groupname%2cOU=Location1%2cOU=Location%2cOU=Users%2cDC=exemple%2cDC=com))
DO NOT USE SPACES!! Use %20 to represent a space.
Step 25: Now we want to install Webmin and Sarg to create reports based on log files. First, add the following lines to /etc/apt/sources.list;
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
Step 26: Now do the following
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update
apt-get install webmin
apt-get install sarg
Step 27: Now you can connect on https://ip_of_squid:10000
Under "Servers" click on Squid Report Generator. Next go to 'Report options'. You can view internet usage by user, for example, depending on laws and company policy. Configure those as is useful to you. Next, go to 'Log Source and Report Destination', and make sure the path to your access.log is /var/log/squid3/access.log
It's possible that I muddled some steps up. So if 'it doesn't work', it's more than likely because of that. Another way to see whether Kerberos is connecting with AD is to type 'wbinfo -g'. This will show all your groups in AD. Good luck to all of you ;-)
A few troubleshooting tips;
If ever you see 'could not obtain winbind separator!' after you ran '/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic', it's probably due to a privilege problem on the /var/log/squid3/cache.log file. So run 'chmod 777 -R /var/run/samba/winbindd_privileged' to rectify this issue.
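The winbindd_privileged permission problem comes up in Step 7, Step 10, Step 14 and the tip above. As an added example (not part of the original how-to), this script checks the directory the narrow way: owned by root, group 'proxy', mode 0750, and the helper's user a member of that group, which is all ntlm_auth needs. A 'chmod 777 -R' grants the privileged winbind pipe to every local account, and this check flags it as a mismatch. The path and user name are the how-to's; GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example (not from the how-to): a check for the winbindd_privileged
# pipe directory that squid's ntlm_auth helper must reach. The how-to fixes
# this with chown/chgrp in /etc/init.d/winbind and the troubleshooting tip
# with "chmod 777 -R", which opens the privileged pipe to every local user.
# What ntlm_auth actually needs is to run as a user that is in the
# directory's group, with the directory 0750 and owned by root. Defaults
# below follow the how-to (user "proxy"); all paths are assumptions.

PRIV_DIR=${PRIV_DIR:-/var/run/samba/winbindd_privileged}

# check_priv_dir DIR OWNER GROUP MODE USER
# Prints one line per mismatch and returns 1 if DIR is not OWNER:GROUP with
# octal MODE, or USER is not a member of GROUP. Returns 0 when all is well.
check_priv_dir() {
    dir=$1 want_owner=$2 want_group=$3 want_mode=$4 user=$5
    rc=0
    [ -d "$dir" ] || { echo "$dir: missing (is winbind running?)"; return 1; }
    # GNU stat: owner name, group name, octal permission bits
    set -- $(stat -c '%U %G %a' "$dir")
    [ "$1" = "$want_owner" ] || { echo "$dir: owner is $1, want $want_owner"; rc=1; }
    [ "$2" = "$want_group" ] || { echo "$dir: group is $2, want $want_group"; rc=1; }
    [ "$3" = "$want_mode" ]  || { echo "$dir: mode is $3, want $want_mode"; rc=1; }
    # the helper runs as USER, so USER must be in the directory's group
    case " $(id -Gn "$user" 2>/dev/null) " in
        *" $want_group "*) ;;
        *) echo "$user is not in group $want_group"; rc=1 ;;
    esac
    return $rc
}

# fix_priv_dir DIR GROUP: apply the narrow fix (needs root). Same effect as
# the how-to's edit of /etc/init.d/winbind, without 777.
fix_priv_dir() {
    chown root:"$2" "$1" && chmod 0750 "$1"
}

case ${1:-} in
    check) check_priv_dir "$PRIV_DIR" root proxy 750 proxy ;;
    fix)   fix_priv_dir "$PRIV_DIR" proxy ;;
esac
```

Run it as 'sh winbind-check.sh check' after every winbind restart; a non-zero exit with the printed mismatches is what to look for before touching squid.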
Published: Feb 17, 2011 · Last Updated: Feb 09, 2012
15 Comments
- Matt Collins, Feb 17, 2011 at 09:30am: Thanks, that's a brilliant how-to!
- Tihomir Vlahovski, Feb 17, 2011 at 02:18pm: I can say only one big WOW!!!!! Tomorrow I will give it a try. Thanks
- Bryan Doe, Feb 17, 2011 at 03:34pm: Nice work! I'll have to try this with my Squid machine sometime.
- Chunky Monkey, Feb 25, 2011 at 03:05am: Thank you gents. If you have tried it and got stuck, don't worry. Re-read this tuto as I have made some modifications. I reinstalled my squid and came across some issues that weren't mentioned and modified this how-to accordingly.
- Kenny432, Apr 6, 2011 at 04:53am: hey thx for your tutorial, I've made a translation and some modifications in French, you can find it here: https://kennyvoice.no-ip.org/mediawiki/index.php/Tuto:SquidActiveDirectory
- jdeslaur, Apr 6, 2011 at 03:57pm: FYI if you are getting BH NT_STATUS_ACCESS_DENIED or "Login for user xxx]@[ITSA-XP] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly", change line 35 of /etc/init.d/winbind to:
chown root:proxy $PIDDIR/winbindd_privileged/ || return 1
- Chunky Monkey, Apr 11, 2011 at 02:35am: @Kenny432 Thanks! I saw your tuto and honestly, very well played, sir!! On the other hand, I think you forgot the Berkeley DB part, because if we go to configure our squidGuard and the DB isn't there... Otherwise, perfect!!
- FRUX, Aug 10, 2012 at 02:21am: For use with Windows 2008 R2 put in /etc/krb5.conf:
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
- Steve Wray, Oct 13, 2012 at 10:40am: I haven't been able to make this work with a transparent proxy. Apparently browsers won't allow this. See: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy, 'Why can't I use authentication together with interception proxying?' I have to ask; what is the point in doing this without a transparent proxy? All a user has to do is not use the proxy. I guess you could push the proxy through GPO but there are surely ways around this (I'm guessing that people can use stand-alone browsers which don't respect the proxy set by GPO in Internet Settings). All I can think of is this: egress filter outgoing web traffic on the firewall. Allow only outgoing web traffic from the proxy.
- justinjacob, Nov 13, 2013 at 12:03pm: I think you must initialize squidGuard using the command: squidGuard -C all -P -b
- chetan-simplewall, Jan 20, 2014 at 11:10am: Thanks for the nicely written step-by-step post, awesome job !!!
- Jamesloker, Jan 29, 2014 at 03:38pm: Hi, having an issue with:
FATAL: Bungled squid.conf line 38: http_access allow lan-proxy
Squid Cache (Version 3.1.20): Terminated abnormally.
CPU Usage: 0.016 seconds = 0.012 user + 0.004 sys
Maximum Resident Size: 15024 KB
Page faults with physical i/o: 0
failed!
- Nick3869, Feb 24, 2014 at 03:39pm: Hi, I've just set this up and the install seemed to go ok; however, when I put the proxy details into a web browser, it comes back with 'could not connect to proxy server'. I tried to telnet to the proxy server (by IP & NetBIOS name) on port 3128 and it can't open a connection. It seems like the port isn't opening. I've tried changing the port and that doesn't work either... any ideas??
- brunobarbosa3, Jul 9, 2014 at 03:50pm: Hi, I had the same error as Jamesloker. Did someone manage to solve it? Thx
- miesteralwin, Jun 25, 2015 at 07:35am: Hello, thanks for this tutorial. Saved me some time configuring my squid + squidGuard server. The day I completed the project, the proxy server was logging everything and blocking restricted sites. The next day, it suddenly stopped. I tried to check if something was changed and there was none. Here is the error:
2015/06/25 15:29:02 kid1| Starting new helpers
2015/06/25 15:29:02 kid1| helperOpenServers: Starting 1/50 'squidGuard.conf' processes
2015/06/25 15:29:02 kid1| ERROR: URL rewrite helper returned invalid result code. Wrong helper? {result=Unknown}
2015/06/25 15:29:02 kid1| ipcCreate: /usr/lib/squidguard/squidGuard.conf: (13) Permission denied
2015/06/25 15:29:02 kid1| WARNING: redirector #Hlpr0 exited
2015/06/25 15:29:02 kid1| Too few redirector processes are running (need 1/50)
Permission denied? Tried chown proxy:root -r for /usr/lib/squidguard -- no go. Another interesting error is: ERROR: URL rewrite helper returned invalid result code. Wrong helper? {result=Unknown}. I have no idea where that error comes from and what caused it. Can someone shed some light on me? Thanks.