[squid-users] Arch + Squid 4.7 + Active Directory Auth

info at schroeffu.ch info at schroeffu.ch
Wed May 29 07:23:38 UTC 2019


Hi Hernan Saltiel,

I can tell you my working NTLM auth configuration for Squid 4.6 (it will work for 4.7 too). My documentation is an Ansible playbook I created myself for the needs of our company, so I don't remember where I got all the information for a working configuration from. Whenever I have to re-install one of our 17+ proxies, I just run the playbook once on a provisioned server :#)

IMHO: Kerberos is better than NTLM, because Kerberos is a standard protocol while NTLM is Windows-only. But my config below is, for the moment, also NTLM only. NTLM is easier to set up, while KRB5 takes a little time to understand the keytab file generation things.
About the wrapper in Squid: the names of these wrapper files may have changed and they are sometimes in other places. In my case the NTLM wrapper for Squid 4 is /usr/lib/squid/ext_ldap_group_acl.

About NTLM and [mydomain][user01]@[MYPC] failed due to [Reading winbind reply failed!]: you should test whether NTLM auth with winbind is working on your server before running NTLM auth in Squid, with wbinfo -g or wbinfo -u on the command line, which must give you the users or groups from your AD as an answer (winbind > smb.conf). There is also somewhere a wrapper file to check wbinfo with the Squid wrapper too, but I don't remember which it is.

So below is a working configuration (for me) on an Ubuntu 18.04 server with Squid 4.6 compiled from Debian testing source (with SSL Bump).

- name: Install AD WinBind Authentification Packages
  apt:
    state: present
    name:
      - samba
      - winbind
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True

- name: Upload smb.conf for WinBind
  template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True

################################################################
#/etc/samba/smb.conf
################################################################
#======================= Global Settings =======================

[global]
netbios name = proxy01xx
workgroup = DOM-COMPANY
realm = companydomain.DE
server string =
security = ADS
encrypt passwords = true
log level = 3
log file = /var/log/samba/%m
wins support = no
preferred master = no
domain master = no
local master = no
template shell = /bin/false
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM-COMPANY:backend = rid
idmap config DOM-COMPANY:schema_mode = rfc2307
idmap config DOM-COMPANY:range = 8000-80000
enhanced browsing = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600

password server = 192.168.xx.xx 172.16.x.x 172.16.x.x 172.16.x.x
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
################################################################
- name: Add "winbind" to /etc/nsswitch.conf at the end of passwd line
  replace:
    backup: yes
    dest: /etc/nsswitch.conf
    # The negative lookahead skips lines that already contain "winbind",
    # so re-running the playbook does not append it a second time.
    regexp: '^(group(?!.*\bwinbind\b).*)$'
    replace: '\1 winbind'
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True
  tags: nsswitch

################################################################
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
################################################################
- name: adding existing user "proxy" to group "winbindd_priv", via https://www.linuxquestions.org/questions/linux-server-73/prompts-password-for-squid-using-ntlm-673036/#post4977410
  user:
    name: proxy
    groups: winbindd_priv
    append: yes
  notify: restart squid
  when: activedirectory_winbind_authentification == True

################################################################
#/etc/group 
################################################################
#(...)
winbindd_priv:x:116:proxy
#(...)
#This is the only step I don't have automated yet in my ansible playbook, but it's required once after installing winbind for sure:
#Winbind join the server into the domain: 
net ads join -U administrator
#test if winbind works:
wbinfo -g
wbinfo -u
- name: Upload squid.conf
  template:
    src: "{{ item }}.j2"
    dest: /etc/squid/{{ item }}
    owner: proxy
    group: proxy
    backup: yes
  with_items:
    - squid.conf
  notify: restart squid
  tags: squidconfonly
################################################################
#/etc/squid/squid.conf
#relevant content for NTLM auth
################################################################
######################################################### NTLM #########################################################
# NTLM authentication, caching not necessary, because the connection will be authenticated against the token
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --use-cached-creds --offline-logon
auth_param ntlm realm Proxy-Anmeldung NTLM: Bitte DomaeneBenutzername und Windows-Kennwort eingeben.
auth_param ntlm children 50

#Allow fetch intermediate certs before required authentication (required when SSL Bump + proxy_auth REQUIRED)
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
cache deny all
http_access allow fetched_certificate

######################################################### Allow based on group membership #########################################################
# Authentication required, otherwise Login Pop-Up
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users

# Define external acl
# Trailing backslashes continue the directive on the next line.
# -w puts the bind password on the helper command line (visible in ps); use an AD account with read-only rights here.
external_acl_type ldap_group ipv4 ttl=3600 negative_ttl=1800 children-max=150 children-startup=10 %LOGIN /usr/lib/squid/ext_ldap_group_acl -K -S -R \
  -b "DC=companydomain,DC=de" \
  -D "CN=anLDAPuserwithREADaccess,OU=Sonstige,DC=companydomain,DC=de" \
  -w PASSWORDHERE \
  -f "(&(objectclass=user)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=companydomain,DC=de))" \
  -h 192.168.xx.xx 172.16.xx.xx 172.16.xx.xx 172.16.xx.xx

## Get group "InternetAccess3" from AD/LDAP and use this group in squid.conf as "ldap_InternetAccess3"
acl ldap_InternetAccess3 external ldap_group InternetAccess3

acl FTP_ports port 21
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSH_ports port 22
acl Safe_ports port 21 #FTP
acl Safe_ports port 22 # SSH
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8443 # Plesk
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !SSH_ports !FTP_ports

http_access allow ldap_InternetAccess3 !FTP_ports !SSH_ports !streaming !badfileending

http_access allow localhost manager
http_access deny manager
acl localdom dstdomain .ourcompany.de ourcompanydomain2.com
acl NOCACHE dstdomain ourcompany.de
no_cache allow NOCACHE
http_access allow localhost
http_access deny all
################################################################
Hope it helps. 
Good luck
Schroeffu
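As an added example (not code from this thread, nor from Squid or Samba), here is a minimal Python external ACL helper that could stand where ext_ldap_group_acl stands in the external_acl_type ldap_group ... %LOGIN line above. A constructed in-memory group table replaces the AD/LDAP query, and the user and group names in it are sample values. It shows the request/reply protocol Squid speaks to such a helper (one URL-encoded "login group" line per request, answered with OK or ERR), the domain stripping that the -S flag performs, and why the %v/%a values must be escaped before they are substituted into the -f filter.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper for AD group checks (added example).

Speaks the line protocol Squid uses with ``external_acl_type ... %LOGIN``
when no ``concurrency=`` option is set: one request per line,
``<login> <group>``, fields URL-encoded (Squid's default quote=url),
answered with ``OK`` or ``ERR``. The directory is a constructed in-memory
table standing in for the LDAP query that ext_ldap_group_acl performs.
"""
import sys
from urllib.parse import unquote

# The -f filter template from the squid.conf above (%v = login, %a = group).
FILTER_TEMPLATE = (
    "(&(objectclass=user)(sAMAccountName=%v)"
    "(memberof=CN=%a,CN=Users,DC=companydomain,DC=de))"
)

# Constructed sample directory: login -> set of group CNs the user belongs to.
DIRECTORY = {
    "user01": {"InternetAccess3", "Domain Users"},
    "user02": {"Domain Users"},
}


def ldap_escape(value):
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3).

    Without this, a login such as ``*`` or ``x)(objectclass=*`` would change
    the meaning of the filter instead of being matched literally.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def strip_domain(login):
    """Mimic ext_ldap_group_acl -S: drop a leading DOMAIN\\ or DOMAIN/ part."""
    for sep in ("\\", "/"):
        if sep in login:
            login = login.split(sep, 1)[1]
    return login


def build_filter(login, group):
    """Render the filter template with both substitutions escaped."""
    return (FILTER_TEMPLATE
            .replace("%v", ldap_escape(strip_domain(login)))
            .replace("%a", ldap_escape(group)))


def is_member(login, group):
    """Group lookup against the constructed table (stands in for LDAP)."""
    return group in DIRECTORY.get(strip_domain(login), set())


def handle_line(line):
    """Turn one request line from Squid into the helper's reply."""
    parts = line.split()
    if len(parts) < 2 or parts[0] == "-":   # Squid sends "-" for an empty field
        return "ERR"
    login, group = unquote(parts[0]), unquote(parts[1])
    # Squid copies helper stderr into cache.log; the rendered filter helps debugging.
    sys.stderr.write("ldap_group: filter=%s\n" % build_filter(login, group))
    return "OK" if is_member(login, group) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()   # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

To try it in place of the LDAP helper you would point external_acl_type at the script (external_acl_type ldap_group %LOGIN /path/to/helper.py) and keep the acl ldap_InternetAccess3 external ldap_group InternetAccess3 line unchanged; the helper must answer every line it reads, and flushing after each reply is what keeps Squid from waiting on a blocked helper.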
On 27 May 2019 16:16, "Hernan Saltiel" <hsaltiel at gmail.com> wrote:
Hi all, 
I'm trying to install a brand new Squid 4.7 on an Arch GNU/Linux (Kernel 5.0.7), authorizing its users against Active Directory, based on a Windows 2008 R2 Domain. 
I configured samba4 on the Arch machine, and it looks to be working well. wbinfo commands get executed with correct output.
But when using the Squid, I get all the time messages like: 
2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Starting Squid Cache version 4.7 for x86_64-pc-linux-gnu...
2019/05/27 04:08:12 kid1| Service Name: squid
2019/05/27 04:08:12 kid1| Process ID 7584
2019/05/27 04:08:12 kid1| Process Roles: worker
2019/05/27 04:08:12 kid1| With 1024 file descriptors available
2019/05/27 04:08:12 kid1| Initializing IP Cache...
2019/05/27 04:08:12 kid1| DNS Socket created at [::], FD 7
2019/05/27 04:08:12 kid1| DNS Socket created at 0.0.0.0, FD 10
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from /etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from /etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding nameserver 192.168.32.5 from /etc/resolv.conf
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'negotiate_wrapper' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'negotiate_wrapper' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'ntlm_auth' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'ntlm_auth' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'basic_ldap_auth' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'basic_ldap_auth' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/5 'ext_ldap_group_acl' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'ext_ldap_group_acl' processes needed.
2019/05/27 04:08:12 kid1| Logfile: opening log /var/log/squid/access.log
2019/05/27 04:08:12 kid1| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
2019/05/27 04:08:12 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2019/05/27 04:08:12 kid1| Store logging disabled
2019/05/27 04:08:12 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2019/05/27 04:08:12 kid1| Target number of buckets: 1008
2019/05/27 04:08:12 kid1| Using 8192 Store buckets
2019/05/27 04:08:12 kid1| Max Mem size: 262144 KB
2019/05/27 04:08:12 kid1| Max Swap size: 0 KB
2019/05/27 04:08:12 kid1| Using Least Load store dir selection
2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Finished loading MIME types and icons.
2019/05/27 04:08:12 kid1| HTCP Disabled.
2019/05/27 04:08:12 kid1| Squid plugin modules loaded: 0
2019/05/27 04:08:12 kid1| Adaptation support is off.
2019/05/27 04:08:12 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
2019/05/27 04:08:13 kid1| storeLateRelease: released 0 objects
2019/05/27 04:08:22 kid1| Starting new negotiateauthenticator helpers...
2019/05/27 04:08:22 kid1| helperOpenServers: Starting 1/10 'negotiate_wrapper' processes
negotiate_kerberos_auth.cc(489): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/krb5.keytab
negotiate_kerberos_auth.cc(572): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_7586
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Global]"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got NTLMSSP neg_flags=0xe2088297
Got user=[user01] domain=[mydomain] workstation=[MYPC] len1=24 len2=304
Login for user [mydomain][user01]@[MYPC] failed due to [Reading winbind reply failed!]
GENSEC login failed: NT_STATUS_UNSUCCESSFUL
2019/05/27 04:08:22 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }} 
Some questions I have: 
1) About the message: 
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context. 
Checking the permissions, it has 755, so I really do not understand why it's showing this. Don't know if there is some ownership rule or something like this...
2) About the message: 
Login for user [mydomain][user01]@[MYPC] failed due to [Reading winbind reply failed!] 
I tried debugging Samba, but see no message indicating something here. Any help would be really appreciated. 
3) Is there any example configuration for Squid 4 + Samba 4 + Active Directory? Sorry for this, but I see tons of information about Active Directory for Samba 4 and Squid3, but not much about the configuration I'm trying to have. 
I see several differences, for instance: 
1) Use of "negotiate_wrapper". 
2) Several aspects of files located on /var/lib/squid, where I do not see the equivalence between them and the ones listed for Squid3, and visible on tons of documentation. 
3) Some docs say NTLM is deprecated, some are still showing ntlm_auth on config files. This is why I really need to see if there is any example for this config... 
Thanks a lot in advance for your time and attention, and best regards. 
--HeCSa