Squid proxy authentication – most painless way

Tags: authentication, kerberos, ntlm, proxy, squid

Ok, the title says it all, really.

The end goal is to implement proxy-authentication for end users. Users' systems are mostly (95%) windows-based, the proxy is a Debian Lenny running squid 2.7.

I've investigated possible ways to implement it, first using the ntlm_auth helper that is shipped with squid 2.7 in Lenny, and it fails: some users get authenticated just fine, some don't for some reason. I couldn't find a correlation; I've even inspected the actual SMB packet flow with Wireshark to no avail. It seems completely random. I've tried it on different physical machines / accounts, so that's ruled out.

Then, two possible routes are available, it seems. Using winbind (with samba) and using ldap+kerberos.

I am personally against using Samba because, first, it requires you to jump through certain hoops like joining the domain and so on, and second (and this is the cruncher), I don't need all the functionality offered by Samba; it is simply undesired to have all that functionality, like Windows-like shares and so on, on that machine. If I have to resort to using Samba, I would really like to use only the minimal possible subset of the features, just enough to get Samba's ntlm_auth (with winbind) to authenticate the users. Does anyone have any experience with this kind of setup?

I've read this question (not really a question :P) and I really liked what I've seen: Kerberos seems like a possible solution and the footprint is not that huge. The question is, is it possible to run this on a Windows 2000 domain? And how is the browser support?

Best Answer

I assume you are using an Active Directory server. We have done something similar and the easiest way was to use the ntlm_auth helper like this (part of my squid.conf):

# Samba's ntlm_auth, speaking the squid-2.5 NTLMSSP helper protocol; it hands
# the NTLM exchange to winbindd, so winbind must be running and the domain joined.
# The squid user (proxy on Debian) must be a member of the winbindd_priv group,
# otherwise the helper cannot open winbindd's privileged pipe and every login fails.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# Number of helper processes; each handles one NTLM handshake at a time.
auth_param ntlm children 10
# Keep the connection open between the type-1 and type-3 messages of the handshake.
auth_param ntlm keep_alive on

You will have to install Samba and join your Windows domain. Your smb.conf will have to use these settings:

[global]
# Active Directory (Kerberos) member mode rather than an NT4-style domain.
security = ADS
# Kerberos realm, conventionally the AD DNS domain in upper case.
realm = your-dns-domain
password server = your-active-directory-server
winbind enum groups = yes
winbind enum users = yes
# Local uid/gid range that winbind maps domain accounts into. Samba 3.x calls
# these "idmap uid"/"idmap gid"; the old names were "winbind uid"/"winbind gid".
idmap uid = 10000-20000
idmap gid = 10000-20000
# Present domain users without the DOMAIN\ prefix, so squid sees plain usernames.
winbind use default domain = yes

I believe it was also necessary to alter the /etc/krb5.conf:

[libdefaults]
# Must match the "realm" line in smb.conf (upper case).
default_realm = your-dns-domain

[realms]
your-dns-domain = {
kdc = your-ad-server
}

Then you should be able to join your Windows domain:

# NT4-style RPC join; with security = ADS the usual equivalent is: net ads join -U Administrator
net rpc join -S PDC -U Administrator

In the end you should have a setup that uses single sign-on from Windows. Both Internet Explorer (in case you should seriously use it) and Firefox know how to send the authentication credentials.

For applications that don't know NTLM you may need to add a fallback to basic authentication, too. I haven't tested that, yet.

Links:
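As an added example (not from the original answer, nor from the Squid or Samba projects): a small POSIX shell script that renders the squid.conf auth block with the NTLM scheme first and the basic fallback the answer mentions, checks an existing squid.conf for the ordering mistake that silently turns single sign-on into a password prompt, and runs a post-join winbind smoke test. Assumed and not from the page: the Debian squid user is `proxy`, `ntlm_auth` lives at /usr/bin/ntlm_auth, and the acl is named AuthUsers.

```shell
#!/bin/sh
# Added example; not the original answer's code. Assumptions (not from the page):
# squid runs as user "proxy", ntlm_auth is /usr/bin/ntlm_auth, acl name AuthUsers.

# Print a complete auth block for squid.conf. Squid advertises authentication
# schemes to the browser in the order their auth_param lines appear, so the
# NTLM block goes first (single sign-on for Windows clients) and the basic
# block second, as a fallback for clients that cannot speak NTLM. Both are
# served by ntlm_auth, so the basic fallback still verifies against the domain.
render_squid_auth() {
    cat <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours
acl AuthUsers proxy_auth REQUIRED
http_access allow AuthUsers
http_access deny all
EOF
}

# check_squid_auth FILE: return 0 when FILE declares an NTLM helper, lists it
# before any basic helper, and gates access on proxy_auth; otherwise print the
# reason on stderr and return 1.
check_squid_auth() {
    f=$1
    ntlm_line=$(grep -n '^auth_param ntlm program' "$f" | head -n 1 | cut -d: -f1)
    basic_line=$(grep -n '^auth_param basic program' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$ntlm_line" ]; then
        echo "check_squid_auth: no 'auth_param ntlm program' line" >&2
        return 1
    fi
    if [ -n "$basic_line" ] && [ "$basic_line" -lt "$ntlm_line" ]; then
        echo "check_squid_auth: basic scheme listed before ntlm; browsers will prompt instead of SSO" >&2
        return 1
    fi
    if ! grep -q 'proxy_auth REQUIRED' "$f"; then
        echo "check_squid_auth: no proxy_auth acl, so nothing forces authentication" >&2
        return 1
    fi
    return 0
}

# winbind_smoke_test: run after the domain join. Returns 2 when wbinfo is not
# installed (so the script still works on a box without Samba), 1 when the
# machine trust or the squid user's pipe access is broken, 0 when all is well.
winbind_smoke_test() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed" >&2; return 2; }
    # Verifies the machine account secret against the DC.
    wbinfo -t || return 1
    # Domain user enumeration through winbindd (needs 'winbind enum users = yes').
    wbinfo -u | head -n 3
    # ntlm_auth talks to winbindd over the privileged pipe, which on Debian is
    # root:winbindd_priv 0750; the squid user must be in that group.
    id -nG proxy 2>/dev/null | grep -qw winbindd_priv \
        || { echo "run: adduser proxy winbindd_priv" >&2; return 1; }
    return 0
}

# Usage: ./squid-ntlm-check.sh render  >> /etc/squid/squid.conf
#        ./squid-ntlm-check.sh check   /etc/squid/squid.conf
#        ./squid-ntlm-check.sh smoke
case "${1:-}" in
    render) render_squid_auth ;;
    check)  check_squid_auth "$2" && echo "squid.conf auth block looks sane" ;;
    smoke)  winbind_smoke_test ;;
esac
```

The ordering check matters more than it looks: a squid.conf that lists `auth_param basic` above `auth_param ntlm` is still valid and still authenticates, but every Windows client gets a credentials dialog instead of transparent login, which looks a lot like the "works for some users, not others" symptom.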