From LedHed's Wiki
Jump to: navigation, search

Squid can authenticate against a Kerberos KDC using the SQUID_KERB_AUTH helper.
This is particularly useful for Single Sign On authentication against Windows Active Directory.


Windows

Active Directory Account

Create a user account (which will act like a machine/service account) from Active Directory Users and Computers. This account can be created in any OU. The username for this account must match the hostname of the squid proxy server (which we will be setting in the next step). Windows has a few reserved hostnames, "proxy" is one of them. So while using a hostname like proxy.domain.lan seems logical, windows will complain, so its best to avoid it. The "User Login name" should reflect the FQDN of the squid server. In this example we'll use "web-proxy.domain.lan". The pre-Windows 2000 User logon name is limited to 20 characters, so drop the domain.lan parts and use just "web-proxy" for that username.


DNS & Hostname

On the Windows DNS server create a HOST(A) record that points to the squid server. As mentioned above the AD Username must match the squid servers FQDN.


Creating the KeyTabs

Now we need to map the AD user account to a Kerberos service principal. This is done from the command line using ktpass.exe .
KTPASS Usage:

ktpass -princ SERVICE/FQDN@NT-DNS-REALM-NAME -mapuser <UPN> -pass <PASSWORD> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab

Example:

ktpass -princ HTTP/[email protected] -mapuser [email protected] -pass Str0ngP@ssw0rd -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\krb5.keytab

Note: The '-crypto' and '-ptype' vary depending on what version of Windows Server you're running.
Windows 2008 - 2008 R2:

-crypto RC4-HMAC-NT
-ptype KRB5_NT_PRINCIPAL


Windows 2003 SP1 - 2003 R2:

-crypto RC4-HMAC-NT
-ptype KRB5_NT_SRV_HST


Windows 2003:

-crypto DES-CBC-MD5
-ptype KRB5_NT_PRINCIPAL


Windows 2000:

-crypto DES-CBC-MD5


Once the .keytab is created it needs to be transferred to the squid server. WinSCP works well for this, but a thumb drive or CD would also work.

FreeBSD

Setting the Hostname

You'll also need to set the hostname of the squid server to match the DNS record you just created.
On FreeBSD you set the hostname in /etc/rc.conf by setting:

hostname="web-proxy.domain.lan"

You'll also need to change /etc/hosts to match

192.168.99.254           web-proxy.domain.lan  web-proxy


DNS

You'll also need to add the windows DNS server to /etc/resolv.conf

domain      domain.lan
nameserver  192.168.99.1


Setting up Kerberos

You need to configure kerberos to talk to your Windowds AD Domain Controller. This is done by editing /etc/krb5.conf

[libdefaults]
        default_realm = DOMAIN.LAN
        dns_lookup_realm = true
        dns_lookup_kdc = true
        clockskew = 300

[realms]
        DOMAIN.LAN = {
        kdc = DC.DOMAIN.LAN
        default_domain = DOAMIN.LAN
        kpasswd_server = DC.DOMAIN.LAN
        }

[domain_realm]
        .DOMAIN.LAN = DOAMIN.LAN

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

Where DC.DOMAIN.LAN is the FQDN of a Windows Domain Controller.

KeyTab

SQUID_KERB_AUTH looks to /etc/krb5.keytab by default for kerberos keys.
If you only have 1 .keytab then move the transferred file (krb5.keytab) to the /etc directory.
Otherwise you'll need to use ktutil to merge it with your other keytabs.


Testing

Once you've got Kerberos setup and the KeyTab moved to the right place you can begin testing. This can be done with the 'kinit' command.

kinit administrator

This should prompt you for the Windows Administrator password. If entered successfully then you will be returned to the command prompt (other wise you will get an error)
Now check the kerberos tickets.

klist

This should return the kerberos ticket for the Windows Administrator account. If a ticket was created then we can move on to testing the keytab and service principal we created on the Windows server.

kinit -k -t /etc/krb5.keytab HTTP/web-proxy.domain.lan

If everything is working as it should then you should be returned to the command prompt without error.
What the .keytab does is allows the squid server to make queries to the windows server without a human being entering a password. You can now check the ticket with 'klist' again.


Squid

Authentication

Add the follow lines to /usr/local/squid/squid.conf

auth_param negotiate program /usr/local/libexec/squid/squid_kerb_auth -d -s HTTP/web-proxy.domain.lan
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl AUTHENTICATED proxy_auth REQUIRED

http_access allow AUTHENTICATED

Save and reload the squid service:

service squid reload


Testing

The easiest way to test is to snoop /var/log/squid/access.log for usernames. The cache.log will also show the usefull info for troubleshooting purposes.


Web Browser Proxy Settings

When you configure your proxy settings in the web browser, you need to use the FQDN of the squid server. IP Addresses will not work.! Address:

web-proxy.domain.lan

Port:

3128

(3128 is squids default listen port, 8080 is another common port. This can be checked against squid.conf).



References

I couldn't have done this without help from the following sites.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

http://www.grolmsnet.de/kerbtut/
http://msdn.microsoft.com/en-us/library/ms995329
http://technet.microsoft.com/en-us/library/bb742433.aspx

http://serverfault.com/questions/66556/getting-squid-to-authenticate-with-kerberos-and-windows-2008-2003-7-xp
http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/