#1 ind1ekid (Nottinghamshire)

    Squid and authentication with server 2008 R2

    Afternoon all.

    Pretty simple question really.
    Do any of you have Squid set up to authenticate your users with Active Directory off a 2008/2008 R2 domain controller? Either with NTLM or Kerberos methods.

    Testing with wbinfo -K username%password works fine, the 2k8r2 DC authenticates OK, but with NTLM, i.e. wbinfo -a username%password, it returns errors from the 2k8r2 DC. My problem is I've never successfully set up Kerberos authentication on a Linux box.

    ConfigExamples/Authenticate/Kerberos - Squid Web Proxy Wiki - Squid guide to doing... what I think I want to achieve?

    Any input would be appreciated.
    Thanks

#2 Tyiell
    This is the guide I used - it authenticates users from AD for internet filtering. It is for Debian Etch, but I did it on Ubuntu 10.04 in March with hardly any issues.

    Good luck!!

#3 joe90bass (S Wales)
    Currently going through this pain myself. We authenticate against 2008 and 2008 R2 servers. I have used likewise-open on Ubuntu 10.04. It passes the tests okay and shows up in ADUC. Currently trying to get Internet access working through Squid > Dansguardian and ISA 2006 (which is not on our domain and requires authentication).

    Nowt like a challenge

#4 ind1ekid
    Thanks guys. I've got no issues setting Squid up for NTLM, just that it doesn't seem to work with 2008 R2 like it does with 2003 R2. The issues arise with winbind/samba when you point them at the 2008 R2 DC, in that NTLM authentication doesn't work. I've read all sorts about it being Samba's issue, and that it is fixed with 3.3>, but Samba is a pain in the *(*& to configure and install from source (at least it's proving to be on Ubuntu 8.04; I'll be trying others shortly).

    So.. does anyone have the Kerberos method set up with Squid?

#5 Tyiell
    Hmm, sorry, we haven't made it to 2008 yet, so I can't help you.

    The only issue I had that threw out errors at that point was a permissions issue on Winbind - might be worth checking that /var/run/samba/winbind_privileged has been changed to the "proxy" group and that the group has execute access to it.

#6 ind1ekid
    Think I may have solved this one :: Introducing the Restriction of NTLM Authentication. Basically override the default setting that denies NTLM authentication with the 2008 R2 DC. Seems to work now.

#7 j17sparky
    Quote Originally Posted by ind1ekid View Post
    Think I may have solved this one :: Introducing the Restriction of NTLM Authentication. Basically override the default setting that denies NTLM authentication with the 2008 R2 DC. Seems to work now.
    I'm still having trouble getting NTLM working. I've added the proxy hostname to the "allowed" list in GP but it hasn't made a difference; maybe I've put it in the wrong place. Any chance of you telling us what you did to get it working?

    Cheers

#8 ind1ekid
    Quote Originally Posted by j17sparky View Post
    I'm still having trouble getting NTLM working. I've added the proxy hostname to the "allowed" list in GP but it hasn't made a difference; maybe I've put it in the wrong place. Any chance of you telling us what you did to get it working?

    Cheers
    What OS and Samba versions are you running? The winbind logs will no doubt tell the tale; if you want to post them I can have a look for you.

    **
    And sorry I totally forgot to update this thread.

    The problem all along was that the version of samba/winbind wouldn't talk to Server 2008 R2; I was wrong to blame M$ for this one. I was using Ubuntu at the time I started this thread, and I failed in trying to compile and install the latest version of Samba. So I tried Debian 5.04, to no avail, when I ran into problems again compiling Samba.

    I ended up using Enterprise Samba in the end on Debian, which worked a treat. But I've since switched to CentOS last week because it's better supported on XenServer (which I didn't really want to do, because Debian installs Squid 2.7 by default, which allows for include files, which 2.7< doesn't). So now I'm using 64-bit CentOS 5.4 and the latest versions of Enterprise Samba for RHEL5. I must have installed and reinstalled Linux servers 10 times in the last few weeks to crack this one, but I'm pretty happy with it all now.

    I can confirm that:

    Debian 5 + Enterprise Samba (3.5) + Squid 2.7 will authenticate to AD no probs.
    CentOS 5.4 + Enterprise Samba (3.5) + Squid 2.6 will also work.
    Last edited by ind1ekid; 20th August 2010 at 10:27 AM.


#9 Cools (Bedfordshire)
    from my wiki...


    Install on to TurnKey Linux Core - fast install and small footprint

    TurnKey Linux Virtual Appliance Library | Virtual Appliances for Virtual Machines, Cloud Computing and Bare Metal

    Installing and Configuring Kerberos, Samba, and Winbind on Ubuntu Server 5

    Right, let's go!

    Step 1: Install the Required Packages

    Note: Enter Y when asked if you want to install the additional packages

    apt-get install -y squid krb5-user winbind samba ntpdate ntp dansguardian sarg clamav clamd clamav-fresh

    Set the time zone: type tzselect and set the time for your area

    or

    dpkg-reconfigure tzdata

    Step: Edit the Squid config, /etc/squid/squid.conf

    ## NTLM
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 10
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Domain Proxy Server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    authenticate_cache_garbage_interval 10 seconds

    # Credentials past their TTL are removed from memory
    authenticate_ttl 0 seconds
    acl passwd proxy_auth REQUIRED

    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255 10.0.0.0/8 # You might want to narrow this down to your own IP range
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 # https
    acl SSL_ports port 563 # snews
    acl SSL_ports port 873 # rsync
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    # Admit authenticated users only after the port restrictions above, so an
    # authenticated client cannot CONNECT to arbitrary ports
    http_access allow passwd
    http_access allow localhost
    http_access deny all
    icp_access allow all
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    access_log /var/log/squid/access.log squid
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl apache rep_header Server ^Apache
    broken_vary_encoding allow apache
    extension_methods REPORT MERGE MKACTIVITY CHECKOUT
    hosts_file /etc/hosts
    coredump_dir /var/spool/squid
    visible_hostname proxy

    cache_peer USPIP parent 80 7 no-query # Change USPIP to the IP/domain name of the upstream proxy server you're using, or comment out

    Step 2: Edit the /etc/krb5.conf file

    [logging]

    default = FILE:/var/log/krb5.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log

    [libdefaults]
    default_realm = EDWARDPEAKE.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    kdc_req_checksum_type = 2
    checksum_type = 2
    ccache_type = 1

    [realms]
    EDWARDPEAKE.LOCAL = {
    kdc = darkstar.edwardpeake.local
    admin_server = darkstar.edwardpeake.local
    default_domain = EDWARDPEAKE.LOCAL
    }

    [domain_realm]
    .edwardpeake.local = EDWARDPEAKE.LOCAL
    edwardpeake.local = EDWARDPEAKE.LOCAL


    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }


    Step 3: Edit /etc/samba/smb.conf

    Notes: Change the NETBIOS name parameter to be correct for the server. Make a backup copy of the original file!!!

    1) Make the edits. The configuration shown is the bare minimum and doesn't share anything.

    [global]
    workgroup = EDWARDPEAKE
    netbios name = PROXY_SERVER
    realm = EDWARDPEAKE.LOCAL
    server string = Linux Samba Server
    security = ads
    encrypt passwords = yes
    password server = *
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = False
    local master = No
    domain master = False
    dns proxy = No
    #wins server = 10.100.0.1
    #winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    2) Test the configuration with the testparm command

    Step 4: Edit /etc/nsswitch.conf to look like the example below

    passwd: compat winbind
    group: compat winbind
    shadow: compat

    hosts: files dns
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

    Step 5: Modify the PAM settings

    1) /etc/pam.d/common-account should contain only the following lines

    account sufficient pam_winbind.so
    account required pam_unix.so

    2) /etc/pam.d/common-auth should contain only the following lines

    auth sufficient pam_winbind.so
    auth required pam_unix.so nullok_secure use_first_pass
    #auth requisite pam_unix.so nullok_secure
    auth optional pam_smbpass.so migrate missingok

    3) Modify the /etc/pam.d/common-password file so the max parameter is set to 50, similar to the one shown below

    password required pam_unix.so nullok obscure min=4 max=50 md5

    4) Make sure the /etc/pam.d/common-session file contains the following lines

    session required pam_mkhomedir.so umask=0022 skel=/etc/skel
    session required pam_unix.so

    Step 6: Make a directory to hold domain user home directories

    Note: Use the value you put in the WORKGROUP tag of the /etc/samba/smb.conf file

    mkdir /home/EDWARDPEAKE.LOCAL

    Step 7: Configure hosts and hostname

    Add the IP address and name to the hosts file, /etc/hosts:

    127.0.1.1 Proxy.edwardpeake.local Proxy

    and change the hostname in /etc/hostname:

    proxy.edwardpeake.local

    Step 8: Initialize Kerberos

    kinit Administrator@EDWARDPEAKE.LOCAL

    Enter your Administrator password. Next, check to be sure you got a ticket from the domain controller:

    klist

    Step 9: Restart Samba-related services (or reboot the server)

    Note: The order is important

    /etc/init.d/samba restart && /etc/init.d/winbind restart

    Step 10: Join the system to the domain

    net ads join -U Administrator@EDWARDPEAKE.LOCAL

    Step 11: Test NTLM auth

    /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

    then type

    EDWARDPEAKE.LOCAL+username password

    it should reply with OK

    and that's it, all done!


    If you install sarg for Squid, you can see the amount of data downloaded, the most common sites, the students' most visited sites, and the overall most visited site.
    Last edited by Cools; 20th August 2010 at 04:03 PM.
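One pitfall in a Squid 2.x config of this shape is rule order: if the `http_access allow` line for the proxy_auth ACL sits above `deny !Safe_ports` and `deny CONNECT !SSL_ports`, every authenticated user bypasses the port restrictions. The checker below is an added example, not part of the poster's wiki; it parses `acl` and `http_access` lines from a constructed sample and reports any auth-allow rule evaluated before those two guards.

```python
"""Audit http_access ordering in a Squid 2.x config (added example, not the
original poster's code): port restrictions must come before any rule that
admits authenticated users, or an authenticated client can CONNECT anywhere."""

# Constructed sample: the rule shape under discussion, with the auth allow
# placed before the port restrictions.
POSTED_ORDER = """\
acl passwd proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow passwd
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Same rules with the auth allow moved below the port restrictions.
FIXED_ORDER = POSTED_ORDER.replace("http_access allow passwd\n", "").replace(
    "http_access deny all", "http_access allow passwd\nhttp_access deny all")


def parse_rules(conf):
    """Map ACL name -> ACL type, and list http_access rules in file order."""
    acl_types, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()          # strip comments
        if len(parts) >= 3 and parts[0] == "acl":
            acl_types.setdefault(parts[1], parts[2])
        elif len(parts) >= 2 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acl_types, rules


def audit_access_order(conf):
    """Return findings (an empty list means the ordering is sound)."""
    acl_types, rules = parse_rules(conf)
    guards = {"!Safe_ports": False, "CONNECT !SSL_ports": False}
    findings, auth_seen = [], False
    for n, (action, acls) in enumerate(rules, start=1):
        if action == "deny" and " ".join(acls) in guards:
            guards[" ".join(acls)] = True             # guard is now in effect
        elif action == "allow" and not auth_seen and any(
                acl_types.get(a.lstrip("!")) == "proxy_auth" for a in acls):
            auth_seen = True                          # first auth-based allow
            for guard, seen in guards.items():
                if not seen:
                    findings.append("rule %d 'http_access allow %s' runs before "
                                    "'http_access deny %s'" % (n, " ".join(acls), guard))
    if not auth_seen:
        findings.append("no http_access allow rule uses a proxy_auth ACL")
    return findings
```

Run it over the real /etc/squid/squid.conf by passing the file's contents to audit_access_order; the ACL names are read from the file, so renamed ACLs are still recognised by their proxy_auth type.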

#10 ind1ekid
    Which version of Samba does your method install onto TurnKey? The problems with R2 are that most versions of Samba aren't compatible with R2 for NTLM auth. Ubuntu/CentOS/Debian all install an incompatible version through their package managers, which is why I opted for using Enterprise Samba packages.

#11 Cools
    Sorry, been busy with the new website..

    It uses whatever apt installs.. I have Ubuntu 10.4 running happily with this setup..

    I will have to try with 2008 R2 and test..

    You might have to change some local security policy settings to get R2 to speak to Samba NTLM.

#12 ricki (uk)
    Hi

    Please can someone help?

    I am building a new Dansguardian box with Squid on an Ubuntu 10 box and am trying to get NTLM to work. Please does anyone have any instructions that work? I have got Squid and Dansguardian to work great with identd, and it works a treat, but now I have tried joining it to the domain and attempting to get NTLM to work, I have broken the box twice.

    Please can someone point me in the correct direction. This is the worst bit about Linux. Half the how-to files on the net are great, but then at the bottom, when you have followed the instructions, you get people telling you how it does not work.

    Thanks for all your help.

    Richard

#13 ind1ekid
    You need to get winbind and Samba installed and working, join the server to the domain, then look at the Squid config. That is usually pretty straightforward in Ubuntu; if you follow what Cools suggested above you should be on the right path, and if you run into specific problems, post your troubles and someone may be able to help.

#14 Tyiell
    Quote Originally Posted by ricki View Post
    Hi

    Please can someone help?
    I have my notes typed up for doing this exact thing: if you still need help, pm me an email address and I'll happily forward them on...

#15 ricki
    Hi

    I have managed to get the machine on the domain, and the script off the Dansguardian site to set up the staff and domain admins in the filter groups, and it's cronned and that works great.

    But I cannot get the NTLM bit in Squid to work. Every time I put it in, it breaks it.

    If you have any suggestions I would be grateful.

    Thanks

    Richard
