Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

Transcription

1 Configuring Squid Proxy, Active Directory Authentication and SurfProtect ICAP Access

2 Contents Introduction 3 To Configure 4 Squid Server... 4 Windows Domain Controller... 4 Configuration 4 DNS... 4 NTP... 5 SQUID Install... 5 Kerberos Install and Configure... 5 Install... 5 Configure... 5 Test... 6 Samba Winbind... 6 Install... 6 Configure... 6 More Config with net ads command... 7 Set Permissions... 8 Cron Computer Account Password Update... 8 Basic Authentication Configuration... 8 Install negotiate_wrapper... 9 SQUID Configuration Authentication Config ICAP Config User Machines Chrome Firefox Browser Safari (Apple Devices) Checking the Squid Log And Finally References: ~ 1 ~

3 Who Date Change Version Mark Dearlove 19 Jul 2012 Initial Draft 1.0 ~ 2 ~

4 Introduction The primary motivation for writing this document was to show how Squid can be setup to pass Active Directory (AD) user names to SurfProtect so that customers can have more granular control over web activity in their network. The whole process of getting AD information to SurfProtect expects the customer to use our SurfProtect ICAP service. This needs to be configured within an ICAP capable client like the NETASQ U70 appliance or in this scenario Squid proxy. More information about the U70 UTM can be found here - One disadvantage that should be noted is that Squid can only pass AD usernames and NOT AD user groups associated with the person requesting the webpage. User groups would be a more natural level to apply a SurfProtect profile. Although this is not a major problem, you may find that you have to tackle the best approach to authentication of users one login that one group of users can use or individual usernames for all users? SurfProtect can apply a blanket profile to users whose names are not recognised or listed against a particular profile. Then all that is left to deal with are the exceptions to the standard profile rule where you would actually add specific usernames to a profile for their personal requirements. Please note that my experience of setting this up was taken from several documents on the internet in which I found some of the steps listed worked and others didn t, so what you have here is the parts that did work. There are links to the websites I used at the end of the document. The information provided here is as-is with no support or guarantee of suitability. ~ 3 ~

5 To Configure For this magic to work we will need to configure: DNS NTP Kerberos Squid Samba Winbind OPTIONAL (SurfProtect ICAP Service details in Squid) User computer proxy settings Squid Server Before we start installing various packages onto our server, I used Ubuntu LTS (Precise Pangolin), which can be obtained from Windows Domain Controller Our installation has Windows 2008 R2 Standard Edition Configuration DNS On the Windows DNS server add a new A record entry for the proxy server's hostname and ensure a corresponding PTR (reverse DNS) entry is also created and works. Check that the proxy is using the Windows DNS Server for name resolution: 1. vi /etc/resolvconf/resolv.conf.d/head add domain your.ad.domain.name.here 2. vi /etc/resolvconf/resolv.conf.d/base add search your.ad.domain.name.here nameserver IP for your DNS server 3. resolvconf u 4. cat /etc/resolv.conf to ensure that the items have been added. Ping an internal and external hostname to ensure DNS is operating. ping wdc.your.ad.domain -c 4 && ping google.com -c 4 Check you can reverse lookup the Windows Server and the local proxy ip from the Windows DNS. dig -x IP OF YOUR SQUID SERVER dig -x IP OF YOUR WINDOWS PRIMARY DOMAIN CONTROLLER The ANSWER SECTION should contain the DNS name of wdc.your.ad.domain and of wdc.your.ad.domain Important: If either lookup fails do not proceed until fixed or authentication may fail. ~ 4 ~

6 NTP Time needs to be synchronised with Windows Domain Controllers for authentication, configure the proxy to obtain time from them and test to ensure they are working as expected. vi /etc/ntp.conf.d/head add server IP TO YOUR WDC iburst server ntp1.your.ad.domain iburst iburst option will allow faster time sync ( i.e seconds instead of 5-9 minutes) in our case this difference comes in handy. After saving the file issue the following command to check the config and restart the service: chkconfig ntp on service ntp start Check the status of the time sync with the following commands: ntptrace, ntpdc (listpeers, monlist, sysinfo,ctlstats) SQUID Install We will only install squid3 at this point and configure it later. Install with: apt-get install squid3 ldap-utils Kerberos Install and Configure Install apt-get install krb5-user libkrb53 libsasl2-modules-gssapi-mit libsasl2-modules Configure vi /etc/krb5.conf Add/update the file so the lines below are present [libdefaults] default_realm = YOUR.AD.DOMAIN.IN.CAPITALS dns_lookup_kdc = no dns_lookup_realm = no ticket_lifetime = 24h ; for Windows 2008 with AES default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 [realms] YOUR.AD.DOMAIN.IN.CAPITALS = { } kdc = dc1.your.ad.domain.here admin_server = dc1.your.ad.domain.here default_domain = your.ad.domain.here ~ 5 ~

7 [domain_realm].your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS your.ad.domain.here = YOUR.AD.DOMAIN.IN.CAPITALS Test Using the command below you can test If the link to the domain controller is working: Kinit some_domain_user Replace some_domain_user with a valid login name from your AD Domain When prompted enter the Windows password for the chosen account. If all is well no response will be shown. Example Error when password is wrong kinit: Preauthentication failed while getting initial credentials To confirm that the authentication has worked type: klist The result of this command if all is well will look something like: Ticket cache: FILE:/tmp/krb5cc_0 Default principal: some_account_name@your.ad.domain.here Valid starting Expires Service principal 19/07/12 16:03:57 20/07/12 02:04:05 krbtgt/your.ad.domain.here@your.ad.domain.here renew until 20/07/12 16:03:57 Samba Winbind Install apt-get install samba winbind samba-common-bin Configure Stop both services with: service smbd stop service winbindstop Edit the Samba Config file: vi /etc/samba/smb.conf Alter the sections in the file to include: workgroup = YOUR.AD.DOMAIN SHORT NAME HERE security = ads realm = YOUR.AD.DOMAIN.HERE.IN.CAPITAL password server = DOMAIN CONTROLLER IP workgroup = SHORT AD DOMAIN NAME netbios name = SQUIDPROXY-K winbind enum groups = yes ~ 6 ~

8 winbind enum users = yes winbind use default domain = yes Note in the example above we have called the Squid Proxy server SQUIDPROXY-K for the short name used in Active Directory More Config with net ads command The net ads command allows us to interact with Active Directory. We will now use a command to join our machine to the domain Issue the following commands to join Active Directory and to Validate net ads join -U Administrator net rpc join -U Administrator If you look on your Domain controller you should have a Computer Account in your Active Directory Users and Computers admin screen. Test Active directory Join net ads testjoin -U Administrator Validate Kerberos Server Keytab net ads keytab list -U Administrator Check trusted domains net rpc trustdom list -U Administrator List Active Directory Users net ads user -U Administrator List Active Directory Groups net ads group -U Administrator chkconfig winbind on service winbind start Check authentication ~ 7 ~

9 wbinfo -a winbind%password Check AD domain wbinfo -D domain Check Trust Secrets via RPC wbinfo t Check user information translation wbinfo -i some_ad_username List AD Users wbinfo u List AD Groups wbinfo -g Please note that in one set of instructions on the internet there was the use of a program called msktutil which was a pain from the outset no package to install AND when a package was found for this version of distribution the command always failed to talk to the Active Directory server. I think the net ads commands achieved the same result. Set Permissions Set Permissions so the proxy user account can read /var/run/samba/winbindd_privileged. gpasswd -a proxy winbindd_priv Cron Computer Account Password Update Add a cron job to /etc/cron.d folder called squidpassword which contains: 05 4 * * * net ads changetrustpw -d 1 logger -t changetrustpw Basic Authentication Configuration In order to use basic authentication by way of LDAP we need to create an account with which to access Active Directory. In Active Directory create a user called "Squid Proxy" with the logon name squid@your.ad.domain.here. Ensure the following is true when creating the account. User must change password at next logon Unticked User cannot change password Ticked Password never expires Ticked Account is disabled Unticked Create a password file used by squid for ldap access and secure the file permissions (substitute the word "YOURCHOSENACCOUNTPASSWORD" below with your password you set when creating the account in Active Directory above). echo ' YOURCHOSENACCOUNTPASSWORD ' > /etc/squid3/ldappass.txt ~ 8 ~

10 chmod o-r /etc/squid3/ldappass.txt chgrp proxy /etc/squid3/ldappass.txt Install negotiate_wrapper Install negotiate_wrapper. Install the necessary build tools on Debian install : apt-get install build-essential linux-headers-$(uname -r) Then compile and install using: cd /usr/local/src/ wget " /negotiate_wrapper tar.gz" tar -xvzf negotiate_wrapper tar.gz cd negotiate_wrapper-1.0.1/./configure make make install ~ 9 ~

11 SQUID Configuration All that remains is to configure squid to use the authentication mechanism, apply the appropriate ACL s to control access to the web and configure the ICAP integration (OPTIONAL) Authentication Config vi /etc/squid.conf auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp -- domain=your_short_ad_domain_name --kerberos /usr/lib/sq$ auth_param negotiate children 10 auth_param negotiate keep_alive ooff ### pure ntlm authentication auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=your_short_ad_domain_name auth_param ntlm children 10 auth_param ntlm keep_alive off ### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=your,dc=full,dc=ad,dc=domain,dc=components" -D squid@your_ad_domain_here -W /etc/squid3/ldappass.txt -f samaccountname=%s -h $ auth_param basic children 10 auth_param basic realm Internet Proxy auth_param basic credentialsttl 1 minute ### acl for proxy auth and ldap authorizations acl auth proxy_auth REQUIRED ### enforce authentication http_access deny!auth http_access allow auth http_access deny all ~ 10 ~

12 ICAP Config icap_service service_req reqmod_precache bypass=0 routing=0 icap://icap.exa-networks.co.uk:1344/surfprotect/request/client,default adaptation_access service_req allow all adapted_http_access allow all icap_client_username_header x-authenticated-user icap_client_username_encode on icap_enable on icap_send_client_ip on icap_send_client_username on icap_service_failure_limit -1 icap_service_revival_delay 30 icap_persistent_connections off Now restart squid using: service squid3 restart ~ 11 ~

13 User Machines The Internet Options (Windows PC s) on the user machines will need to reflect the IP address of your squid server DNS name and the service port. Also note that Internet Explorer requires this additional option Enable integrated Windows Authentication Chrome Chrome uses the system selected proxy so no changes needed. ~ 12 ~

14 Firefox Browser Safari (Apple Devices) This browser uses the system defined Web Proxy settings for the current connection you are using on the Mac. Notice also that I have added my Active Directory credentials in so I won t be prompted later. When using ipad or iphone devices similar configuration will be needed to tell the device which proxy to use. ~ 13 ~

15 Checking the Squid Log You can take a look in the /var/squid3/access.log or similar name to check that the authenticated user is mentioned in the request lines. So for example: TCP_MISS/ GET mark_dearlove DIRECT/ image/gif And Finally When using NTLM authentication it is normal to see two simultaneous TCP_DENIED/407 errors. This is due to the nature of the challenge/response mechanism of NTLM authentication. In the event that no username appear in the squid access log, or password dialogue boxes appear, then check the squid.conf file to ensure that the ACL s are setup properly. Also ensure that winbind is functioning, as depicted above. If changes are made to the squid.conf file then squid needs to be restarted in order for those modifications to take affect. If everything is working as planned then ensure that Squid and SAMBA start automatically upon reboot by issuing the following: update-rc.d squid3 defaults update-rc.d smbd defaults References: I referred to several webpages to try to untangle how to achieve my aim, some helped some confused me more but I will mention them here as you may get something extra out of them for your scenario ~ 14 ~