[Samba] Informal HOWTO - transparent authentication and optional
outbound web filtering using Samba 3.0.13, Squid 2.5.STABLE7,
SmartFilter 4.01, RedHat 9.0 in a Win2003 AD domain
Greg Scott
GregScott at InfraSupport.com
Tue Apr 5 12:35:07 GMT 2005
Thanks to everyone for all the help getting this done. As promised,
here are the detailed notes I put together. These step by step
instructions should work starting with a raw RedHat Linux 9.0 system.
- Greg Scott
GregScott at InfraSupportEtc.com
These are step by step instructions for how to install and configure the
Squid
proxy server with transparent authentication for users in a Microsoft AD
domain,
optionally using SmartFilter from Secure Computing to support outbound
web filtering.
This was tested in two Windows 2003 AD domains, one with SmartFilter,
the other
without SmartFilter.
These instructions use the following versions of these packages:
RedHat Linux 9.0 with various kernels from kernel.org
MIT Kerberos 1.4 built from source
Samba 3.0.13 built from source
Squid 2.5.STABLE7 built from sourc
SmartFilter 4.01 from Secure Computing (optional)
Note that it may be easier to do all this starting with fc3 or fc4 as a
base. However,
as of this writing (April 5, 2005) SmartFilter only supports RH 9.0 and
does not yet
support any of the Fedora Core releases.
************************************************************************
*******************
First, install and test Squid without any authentication:
See the notes in Chapter 4 of the Smartfilter 4.01 Installation Guide
PDF file
for the recommended way to build Squid.
For Squid-specific documentation, see this URL:
http://squid-docs.sourceforge.net/latest/html/x354.html (This may be
obsolete)
cd /usr/local
mkdir squid
mkdir squid/src
Put a copy of squid-2.5.STABLE7.tar.gz into /usr/local/squid/src
cp squid-2.5.STABLE7.tar.bz2 /usr/local/squid/src
Now extract and build it.
cd /usr/local/squid/src
bunzip2 squid-2.5.STABLE7.tar.bz2
tar -xvf squid-2.5.STABLE7.tar
cd /usr/local/squid/src/squid-2.5.STABLE7
./configure --enable-async-io --prefix=/usr/local/squid
(Note that the --enable-async-io is not in the Smartfilter
documentation.)
(lots of output)
make all
make install
(lots more output and a few minutes)
Create a user and group called squid, make it the owner of all squid
stuff
/usr/sbin/useradd squid
cd /usr/local
chown -R squid squid
chgrp -R squid squid
Now edit the squid.conf file
********* From the Squid documentation but not Smartfilter
/usr/local/squid/etc/squid.conf common parameters:
http_port leave as default
cache_mgr email settings
cache_effective_user squid
cache_effective_group squid
ftp_user Leave alone for now
visible_hostname Set this to the IP hostname
Search for "INSERT YOUR OWN RULE" and put in an appropriate ACL entry
for the internal network, like this:
# Exampe rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
acl greg_network src 10.10.10.0/24 127.0.0.1/32
http_access allow greg_network
# And finally deny all other access to this proxy
http_access deny all
To Run Squid in a transparent mode, enable the following directives in
Squid.conf.
(See http://squid.visolve.com/white_papers/trans_caching.htm)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
***************** Now from SmartFilter documentation
Make sure of these parameters:
cache_mem 8MB
cache_dir /usr/local/squid/cache 100 16 256
Change http_access deny all to http_access allow all. (May not need
this!)
Uncomment the cache_effective_user "username" statement and change
"username to "squid" to match the user/group created above.
Uncomment the "cache_effective_group" statement and use "squid" as the
group name.
************ More settings
Squid won't start unless you set this setting:
visible_hostname host.domain
Now run squid for the first time
/usr/local/squid/sbin/squid -z (To create swap directories)
/usr/local/squid/sbin/squid -N -d 1 (To run for the first time at the
terminal window.)
-N means No daemon mode
-d 1 means debug level 1
(Note that Squid 2.5.n uses sbin instead of bin for the squid
executable.)
Squid will be running in a terminal window.
Startup another terminal window and do this:
telnet localhost 3128
get http://www.infrasupportetc.com HTTP/1.0 (Press "Enter"
twice)
HTML should come back from that website.
If any errors come back, shut down Squid, like this:
/usr/local/squid/sbin/squid -k shutdown
Fix the errors and repeat. The problem is likely a parameter in
squid.conf.
Startup squid for production like this: /usr/local/squid/sbin/squid
Shutdown squid like this:
/usr/local/squid/sbin/squid -k shutdown
************************************************************************
****************
Now that Squid works, integrate the optional SmartFilter plugin for
outbound web filtering
Download the SmartFilter binary and save a copy in /home/gregs or
someplace convenient.
cd /usr/local/squid/src
cp /home/gregs/sf401_redhat_squid.bin ./
chmod 700 sf401_redhat_squid.bin
./sf401_redhat_squid.bin
See sf401install_guide.pdf for detailed installation instructions.
After running the install program, rebuild squid, like this:
cd /usr/local/squid/src/squid-2.5.STABLE7
./configure --enable-smartfilter
make clean
make all
make install
Also add the following lines to squid.conf:
smartfilter_state on
smartfilter_config /usr/local/squid/etc/config.txt
For LDAP support, see the SmartFilter Installation Guide. Add these
additional lines to squid.conf (Note, no line continuation characters):
smartfilter_userinfo_program /usr/local/squid/libexec/sf_userinfo -f
/usr/local/squid/etc/config.txt
smartfilter_userinfo_children 5
Now start squid like this:
/usr/local/squid/sbin/squid
Also, be sure to start the sfagent program, like this:
/usr/local/squid/etc/sfagent
You need this program running so the Admin Server can communicate with
it.
This is not documented in any of the SmartFilter documentation.
Put the reference to these programs in rc.local or other convenient
startup location.
Now install the SmartFilter admin server and console on a Windows
System. Register the
appropriate serial number on the Secure Computing website and set up
regular control list
downloads. See the SmartFilter Installation Guide for details.
************************************************************************
****************
Now the fun part. Time to integrate Samba and set up AD authentication
For Squid authentication with an Active Directory domain, we need Samba,
set
up with Kerberos.
Redhat Linux 9.0 ships with Kerberos version 5, revision 1.2.7-10.
Unfortunately,
we need at least rev 1.3 to work with Windows 2003. See this URL for a
discussion:
http://lists.samba.org/archive/samba/2004-July/090137.html
The fc3 RPM directory has krb5 rev 1.3 RPMs. Unfortunately, several
dozen
components in RedHat 9.0 depend on the 1.2.7 RPMs installed, especially
the Kerberos libraries. So the krb5 rev 1.3 RPMs are worthless in this
case.
We need to build a copy of Kerberos from source and put it in an
alternate
directory. Then we'll build a copy of Samba using this Kerberos build.
We get the latest and greatest Kerberos from MIT.
For the MIT Kerberos download, see:
http://web.mit.edu/kerberos/www/
FOr release notes, see:
http://web.mit.edu/kerberos/www/krb5-1.4/README-1.4.txt
FOr the Installation Guide see:
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4/doc/krb5-install.html#
Building%20Kerberos%20V5
Download and save a copy of krb5-1.4-signed.tar from the MIT Kerberos
website.
Put a copy of the download into /usr/src
cp krb5-1.4-signed.tar /usr/src
Do this to unpack the download.
cd /usr/src
tar -xvf krb5-1.4-signed.tar
This extracts these two files:
krb5-1.4.tar.gz - the actual software
krb5-1.4.tar.gz.asc - a signature
Now do this to unpack the Kerberos software:
tar -xvzf krb5-1.4.tar.gz
Now build it. By default, Kerberos will install the package's files
rooted
at `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. (Pasted
from
the Installation Guide). We will need this later on when we build
Samba.
cd /usr/src/krb5-1.4
cd src
./configure
make
make install
Some notes:
Make sure /etc/hosts has the FQDN of this system in place, similar to
below:
[root at squidtest src]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 squidtest.infrasupportetc.com
localhost.localdomain localhost
10.10.10.2 squidtest.infrasupportetc.com
Test the build like this:
cd /usr/src/krb5-1.4/src
make check
Fix any problems it calls out and keep running until it finishes
cleanly.
************************************************************************
***************************
Now to build Samba from source to take advantage of the newest Kerberos
Download samba-3.0.13.tar.gz from here:
http://us4.samba.org/samba/
Put the saveset in the source directory:
cp samba-3.0.13.tar.gz /usr/src
Unpack it
cd /usr/src
tar -xvzf samba-3.0.13.tar.gz
Now build it with the Kerberos flavor installed earlier
cd /usr/src/samba-3.0.13/source
./configure --with-ads --with-krb5=/usr/local
make
make install
************************************************************************
**************************
Configure Samba to work with Kerberos
Set up smb.conf and krb5.conf.
(The paths are /usr/local/samba/lib/smb.conf and /etc/krb5.conf.)
(Extracted from the email Chris Cinnamo from Secure Computing sent.)
Edit /usr/local/samba/lib/smb.conf
----------------------------------
smb.conf
realm = <YOUR DOMAIN> ex. support.com
workgroup = <DOMAIN> ex. support
security = ADS
encrypt passwords = yes
password server = 192.168.100.12
# idmap uid and idmap gid are aliases for
# winbind uid and winbid gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
[test]
comment = Samba functionality test directory
path = /home/ryan/
read only = no
browsable = yes
writable = yes
guest ok = yes
valid users = @SUPPORT\"Domain Users"
------------------------------------
/etc/krb5.conf should look like this:
(Note that Kerberos uses realms named the same as the AD domain name.
BUt --IMPORTANT-- the realm name must be in all UPPER CASE. So
infrasupportetc.com becomes INFRASUPPORTETC.COM)
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = INFRASUPPORTETC.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
INFRASUPPORTETC.COM = {
kdc = 10.10.10.100:88
admin_server = 10.10.10.100:749
default_domain = INFRASUPPORTETC.COM
}
[domain_realm]
.infrasupportetc.com = INFRASUPPORTETC.COM
infrasupportetc.com = INFRASUPPORTETC.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Add following entries in nssswitch.conf:
passwd: files winbind
group: files winbind
Samba uses a daemon called winbindd that handles the authentication
between Windows and Linux.
When a Windows system tries to look at a share on the Samba server, it
passes credentials.
The Samba server needs to know where to look to validate the
credentials. The above entries
tell the Samba server to first check the local passwd file and if not
there, then have Winbindd
look back in the Windows AD. It turns out, there is more to the story.
In order for the Samba
server to have a clue how to tell winbindd what to do, we need to put
some Samba libraries in
the right place. As of 4/3/2005, the documentation in the
Samba-HOWTO-Collection is wrong.
Use this script provided by Doug VanLeuven to set up the libraries:
#!/bin/sh
# Save this script in /home/gregs or someplace convenient.
# cd /usr/src/samba-3.0.13/source and run this script from there.
echo "Copying nsswitch modules to system library"
CWD=`pwd`
cd /lib
rm -f libnss_winbind.so libnss_winbind.so.1 libnss_winbind.so.2
rm -f libnss_wins.so libnss_wins.so.1 libnss_wins.so.2
cd /usr/lib
rm -f libnss_winbind.so libnss_wins.so
cd $CWD
cp -f nsswitch/libnss_winbind.so /lib
cp -f nsswitch/libnss_wins.so /lib
cd /lib
ln -sf libnss_winbind.so libnss_winbind.so.1
ln -sf libnss_winbind.so libnss_winbind.so.2
ln -sf libnss_wins.so libnss_wins.so.1
ln -sf libnss_wins.so libnss_wins.so.2
cd /usr/lib
ln -sf ../../lib/libnss_winbind.so libnss_winbind.so
ln -sf ../../lib/libnss_wins.so libnss_wins.so
/sbin/ldconfig
Here is Doug's explanation for this script:
> I made this script to update the library after each samba build. Run
it from the samba
> source directory. Should be more robust about the source dir, but I'm
the only one who
> uses it. Remove the libnss_wins.so lines if you don't use it.
Probably don't need
> the .1 links, but I was shotgunning in the beginning and never went
back. The version
> number X is 1 for glibc 2.0 and 2 for glibc 2.1. I have some old
stuff.
We need a place for log files. The smb.conf template points here:
mkdir /var/log/samba
(Also look in the already existing directory, /usr/local/samba/var for
logfiles.)
Since we are building from source, we need a script to fire up the
daemons, like this:
#!/bin/sh
/usr/local/samba/sbin/nmbd
/usr/local/samba/sbin/smbd
/usr/local/samba/sbin/winbindd
Save this script someplace convenient, perhaps /firewall-scripts.
Now join this system to the Win2003 domain. Here is an extract:
[root at infra-fw gregs]# /usr/local/samba/bin/net ads join -S 10.10.10.100
-U administrator
administrator's password:
Using short domain name -- INFRASUPPORTETC
Joined 'SQUIDTEST' to realm 'INFRASUPPORTETC.COM'
Here are a few useful commands for testing:
kinit username at DOMAIN.SUFFIX Use Kerberos to get a ticket (prompts
for password)
klist -e Lists cached kerberos tickets
/usr/local/samba/bin/wbinfo -t Check the trust relationship
/usr/local/samba/bin/wbinfo -g Enumerate groups in the AD domain
/usr/local/samba/bin/wbinfo -u Enumerate users in the AD domain
/usr/local/samba/bin/testparm Checks the syntax for smb.conf
/usr/local/samba/bin/testparm -sv Shows all the Samba parameters,
including default options.
The following examples will be useful later. Squid will use this Samba
program as an
authentication helper.
[root at squidtest etc]# /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
infrasupportetc\username badpassword
ERR
infrasupportetc\username goodpassword
OK
The following also returns output, but testing from the keyboard has no
value:
/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
You can also test the authentication helper like this:
/usr/bin/ntlm_auth --username=[username]
[root at Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
password:
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
[root at Stylmark-fw etc]#
[root at Stylmark-fw etc]#
[root at Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
password:
NT_STATUS_OK: Success (0x0)
************************************************************************
***************************
Now rebuild Squid
(The following modified from the explanation from Secure Computing Tech
Support)
cd /usr/local/squid/src/squid-2.5.STABLE7
./configure \
--enable-smartfilter \
--enable-async-io \
--enable-linux-netfilter \
--enable-underscores \
--prefix=/usr/local/squid \
--enable-auth="ntlm,basic" \
--enable-external-acl-helpers="wbinfo_group" \
--enable-delay-pools \
--with-samba-sources=/usr/src/samba-3.0.13
Note that the wbinfo_group switch doesn't seem to be important. These
switches:
# --enable-external-acl-helpers="winbind_group" \
# --enable-ntlm-auth-helpers="winbind" \
# --enable-basic-auth-helpers="winbind" \
cause the "make all" command below to blow up.
For Samba 3.n, Squid will use the authentication helpers with Samba. No
need to build any Squid
authentication helpers. In fact, the squid FAQ says it won't work with
Samba 3.0 and tests with
the above configure switches prove that. See:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#winbind
Finish rebuilding squid like this:
make clean
make all
make install
Edit /usr/local/squid/etc/squid.conf and search for this string:
TAG: auth_param
Skip down through the explanatory comments and put in the following
changes in this order:
auth_param ntlm program /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Note that the template squid.conf file has several references to
auth_param basic above the
auth_param ntlm lines. Comment these out, so that the above lines are
what are really in
squid.conf. I ran into nasty problems when I forgot to comment out some
auth_param basic
lines above the auth_param ntlm lines.
Here is an explanation from Henrik Nordstrom for why squid.conf needs
these lines in this order:
> You need both sections to support all browsers. Not all browsers
support NTLM.
>
> You need them in specific order (ntlm first) because MSIE is broken
and always selects the
> first advertised authentication scheme even if the standard clearly
says it should select
> the strongest authentication scheme.
Now search for:
TAG: http_access
Find "INSERT YOUR OWN RULE(S) HERE" and put in this acl entry
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
Comment out any acls providing access to anyone in the local network.
The above ACL forces
people to authenticate.
Be sure this section ends with a line that looks like this:
http_access deny all
Save your edits.
Change group ownership for the Samba winbindd files:
chgrp squid /usr/local/samba/var/locks/winbindd_privileged -R
change file ownership on squid files:
cd /usr/local/squid
chown squid.squid * -R
Create cache dirs and then start squid:
su squid
/usr/local/squid/sbin/squid -z
killall -name squid -9
/usr/local/squid/sbin/squid
-----------------------------------
from a pc logged into AD you should now be able to point IE to your
squid proxy
and NOT be prompted for username and password
-----------------------------------
More information about the samba
mailing list