Thanks to everyone for all the help getting this done. As promised, here are the detailed notes I put together. These step by step instructions should work starting with a raw RedHat Linux 9.0 system.

- Greg Scott
GregScott@xxxxxxxxxxxxxxxxxxx

These are step by step instructions for how to install and configure the Squid proxy server with transparent authentication for users in a Microsoft AD domain, optionally using SmartFilter from Secure Computing to support outbound web filtering. This was tested in two Windows 2003 AD domains, one with SmartFilter, the other without SmartFilter.

These instructions use the following versions of these packages:

  RedHat Linux 9.0 with various kernels from kernel.org
  MIT Kerberos 1.4 built from source
  Samba 3.0.13 built from source
  Squid 2.5.STABLE7 built from source
  SmartFilter 4.01 from Secure Computing (optional)

Note that it may be easier to do all this starting with fc3 or fc4 as a base. However, as of this writing (April 5, 2005) SmartFilter only supports RH 9.0 and does not yet support any of the Fedora Core releases.

************************************************************************

First, install and test Squid without any authentication:

See the notes in Chapter 4 of the Smartfilter 4.01 Installation Guide PDF file for the recommended way to build Squid. For Squid-specific documentation, see this URL:
http://squid-docs.sourceforge.net/latest/html/x354.html (This may be obsolete)

  cd /usr/local
  mkdir squid
  mkdir squid/src

Put a copy of squid-2.5.STABLE7.tar.bz2 into /usr/local/squid/src:

  cp squid-2.5.STABLE7.tar.bz2 /usr/local/squid/src

Now extract and build it.

  cd /usr/local/squid/src
  bunzip2 squid-2.5.STABLE7.tar.bz2
  tar -xvf squid-2.5.STABLE7.tar
  cd /usr/local/squid/src/squid-2.5.STABLE7
  ./configure --enable-async-io --prefix=/usr/local/squid

(Note that the --enable-async-io is not in the Smartfilter documentation.)
(lots of output)

  make all
  make install

(lots more output and a few minutes)

Create a user and group called squid, and make it the owner of all squid stuff:

  /usr/sbin/useradd squid
  cd /usr/local
  chown -R squid squid
  chgrp -R squid squid

Now edit the squid.conf file.

********* From the Squid documentation but not Smartfilter

/usr/local/squid/etc/squid.conf common parameters:

  http_port              leave as default
  cache_mgr              email settings
  cache_effective_user   squid
  cache_effective_group  squid
  ftp_user               Leave alone for now
  visible_hostname       Set this to the IP hostname

Search for "INSERT YOUR OWN RULE" and put in an appropriate ACL entry for the internal network, like this:

  # Example rule allowing access from your local networks. Adapt
  # to list your (internal) IP networks from where browsing should
  # be allowed
  #acl our_networks src 192.168.1.0/24 192.168.2.0/24
  #http_access allow our_networks
  acl greg_network src 10.10.10.0/24 127.0.0.1/32
  http_access allow greg_network

  # And finally deny all other access to this proxy
  http_access deny all

To run Squid in transparent mode, enable the following directives in squid.conf. (See http://squid.visolve.com/white_papers/trans_caching.htm)

  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

***************** Now from SmartFilter documentation

Make sure of these parameters:

  cache_mem 8MB
  cache_dir /usr/local/squid/cache 100 16 256

Change http_access deny all to http_access allow all. (May not need this!)

Uncomment the cache_effective_user "username" statement and change "username" to "squid" to match the user/group created above. Uncomment the "cache_effective_group" statement and use "squid" as the group name.

************ More settings

Squid won't start unless you set this setting:

  visible_hostname host.domain

Now run squid for the first time:

  /usr/local/squid/sbin/squid -z          (To create swap directories)
  /usr/local/squid/sbin/squid -N -d 1     (To run for the first time at the terminal window.)
  -N    means No daemon mode
  -d 1  means debug level 1

(Note that Squid 2.5.n uses sbin instead of bin for the squid executable.)

Squid will be running in a terminal window. Start another terminal window and do this:

  telnet localhost 3128
  GET http://www.infrasupportetc.com HTTP/1.0

(Press "Enter" twice.) HTML should come back from that website. If any errors come back, shut down Squid, like this:

  /usr/local/squid/sbin/squid -k shutdown

Fix the errors and repeat. The problem is likely a parameter in squid.conf.

Start squid for production like this:

  /usr/local/squid/sbin/squid

Shut down squid like this:

  /usr/local/squid/sbin/squid -k shutdown

************************************************************************

Now that Squid works, integrate the optional SmartFilter plugin for outbound web filtering.

Download the SmartFilter binary and save a copy in /home/gregs or someplace convenient.

  cd /usr/local/squid/src
  cp /home/gregs/sf401_redhat_squid.bin ./
  chmod 700 sf401_redhat_squid.bin
  ./sf401_redhat_squid.bin

See sf401install_guide.pdf for detailed installation instructions.

After running the install program, rebuild squid, like this:

  cd /usr/local/squid/src/squid-2.5.STABLE7
  ./configure --enable-smartfilter
  make clean
  make all
  make install

Also add the following lines to squid.conf:

  smartfilter_state on
  smartfilter_config /usr/local/squid/etc/config.txt

For LDAP support, see the SmartFilter Installation Guide. Add these additional lines to squid.conf (Note, no line continuation characters):

  smartfilter_userinfo_program /usr/local/squid/libexec/sf_userinfo -f /usr/local/squid/etc/config.txt
  smartfilter_userinfo_children 5

Now start squid like this:

  /usr/local/squid/sbin/squid

Also, be sure to start the sfagent program, like this:

  /usr/local/squid/etc/sfagent

You need this program running so the Admin Server can communicate with it. This is not documented in any of the SmartFilter documentation.
Put the reference to these programs in rc.local or another convenient startup location.

Now install the SmartFilter admin server and console on a Windows system. Register the appropriate serial number on the Secure Computing website and set up regular control list downloads. See the SmartFilter Installation Guide for details.

************************************************************************

Now the fun part. Time to integrate Samba and set up AD authentication.

For Squid authentication with an Active Directory domain, we need Samba, set up with Kerberos. RedHat Linux 9.0 ships with Kerberos version 5, revision 1.2.7-10. Unfortunately, we need at least rev 1.3 to work with Windows 2003. See this URL for a discussion:
http://lists.samba.org/archive/samba/2004-July/090137.html

The fc3 RPM directory has krb5 rev 1.3 RPMs. Unfortunately, several dozen components in RedHat 9.0 depend on the 1.2.7 RPMs installed, especially the Kerberos libraries. So the krb5 rev 1.3 RPMs are worthless in this case. We need to build a copy of Kerberos from source and put it in an alternate directory. Then we'll build a copy of Samba using this Kerberos build.

We get the latest and greatest Kerberos from MIT. For the MIT Kerberos download, see:
http://web.mit.edu/kerberos/www/
For release notes, see:
http://web.mit.edu/kerberos/www/krb5-1.4/README-1.4.txt
For the Installation Guide, see:
http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4/doc/krb5-install.html#Building%20Kerberos%20V5

Download and save a copy of krb5-1.4-signed.tar from the MIT Kerberos website. Put a copy of the download into /usr/src:

  cp krb5-1.4-signed.tar /usr/src

Do this to unpack the download:

  cd /usr/src
  tar -xvf krb5-1.4-signed.tar

This extracts these two files:

  krb5-1.4.tar.gz      - the actual software
  krb5-1.4.tar.gz.asc  - a signature

Before unpacking, check the tarball against that signature with the MIT Kerberos release signing key (gpg --verify krb5-1.4.tar.gz.asc krb5-1.4.tar.gz); this is what the .asc file is shipped for.

Now do this to unpack the Kerberos software:

  tar -xvzf krb5-1.4.tar.gz

Now build it.
By default, Kerberos will install the package's files rooted at `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. (Pasted from the Installation Guide.) We will need this later on when we build Samba.

  cd /usr/src/krb5-1.4
  cd src
  ./configure
  make
  make install

Some notes: Make sure /etc/hosts has the FQDN of this system in place, similar to below:

  [root@squidtest src]# more /etc/hosts
  # Do not remove the following line, or various programs
  # that require network functionality will fail.
  127.0.0.1       squidtest.infrasupportetc.com localhost.localdomain localhost
  10.10.10.2      squidtest.infrasupportetc.com

Test the build like this:

  cd /usr/src/krb5-1.4/src
  make check

Fix any problems it calls out and keep running until it finishes cleanly.

************************************************************************

Now to build Samba from source to take advantage of the newest Kerberos.

Download samba-3.0.13.tar.gz from here:
http://us4.samba.org/samba/

Put the saveset in the source directory:

  cp samba-3.0.13.tar.gz /usr/src

Unpack it:

  cd /usr/src
  tar -xvzf samba-3.0.13.tar.gz

Now build it with the Kerberos flavor installed earlier:

  cd /usr/src/samba-3.0.13/source
  ./configure --with-ads --with-krb5=/usr/local
  make
  make install

************************************************************************

Configure Samba to work with Kerberos

Set up smb.conf and krb5.conf. (The paths are /usr/local/samba/lib/smb.conf and /etc/krb5.conf.) (Extracted from the email Chris Cinnamo from Secure Computing sent.)

Edit /usr/local/samba/lib/smb.conf
----------------------------------
smb.conf

  realm = <YOUR DOMAIN>              ex. support.com
  workgroup = <DOMAIN>               ex. support
  security = ADS
  encrypt passwords = yes
  password server = 192.168.100.12
  # idmap uid and idmap gid are aliases for
  # winbind uid and winbind gid, respectively
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes

  [test]
  comment = Samba functionality test directory
  path = /home/ryan/
  read only = no
  browsable = yes
  writable = yes
  guest ok = yes
  valid users = @SUPPORT\"Domain Users"
------------------------------------

/etc/krb5.conf should look like this:

(Note that Kerberos uses realms named the same as the AD domain name. But --IMPORTANT-- the realm name must be in all UPPER CASE. So infrasupportetc.com becomes INFRASUPPORTETC.COM.)

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   ticket_lifetime = 24000
   default_realm = INFRASUPPORTETC.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false

  [realms]
   INFRASUPPORTETC.COM = {
    kdc = 10.10.10.100:88
    admin_server = 10.10.10.100:749
    default_domain = INFRASUPPORTETC.COM
   }

  [domain_realm]
   .infrasupportetc.com = INFRASUPPORTETC.COM
   infrasupportetc.com = INFRASUPPORTETC.COM

  [kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

  [appdefaults]
   pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
   }

Add the following entries in /etc/nsswitch.conf:

  passwd: files winbind
  group:  files winbind

Samba uses a daemon called winbindd that handles the authentication between Windows and Linux. When a Windows system tries to look at a share on the Samba server, it passes credentials. The Samba server needs to know where to look to validate the credentials. The above entries tell the Samba server to first check the local passwd file and, if the name is not there, have winbindd look it up in the Windows AD.

It turns out there is more to the story. In order for the Samba server to have a clue how to tell winbindd what to do, we need to put some Samba libraries in the right place.
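A lower-case realm name is an easy mistake to make here, and the Kerberos libraries give little hint when it is the cause, so here is a small check script added to these notes (it is not part of Greg's write-up and not from the Samba or MIT Kerberos projects). It parses a krb5.conf laid out like the one above and reports whether default_realm is upper case, has its own block under [realms], and is what the lower-case DNS domain maps to in [domain_realm]. The write_sample_krb5_conf function writes a constructed copy of the file above so the check can be exercised against a correct and a deliberately wrong version; the realm name and addresses are the ones from the example.

```shell
#!/bin/sh
# Added example: sanity-check realm naming in /etc/krb5.conf (not part of the original notes).
# Assumes the layout shown above: [libdefaults], [realms] and [domain_realm] sections with
# "key = value" lines. Section headers are recognised by a leading "[".

# Succeed if $1 contains no lower-case letters.
is_upper_case() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Print the default_realm from the [libdefaults] section of file $1 (empty if absent).
krb5_default_realm() {
    awk 'index($1, "[") == 1 { section = $1; next }
         section == "[libdefaults]" && $1 == "default_realm" && $2 == "=" { print $3; exit }' "$1"
}

# Succeed if realm $2 has its own "REALM = {" block under [realms] in file $1.
krb5_realm_defined() {
    awk -v realm="$2" 'index($1, "[") == 1 { section = $1; next }
         section == "[realms]" && $1 == realm && $2 == "=" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Succeed if [domain_realm] in file $1 maps the lower-case DNS domain to realm $2.
krb5_domain_mapped() {
    awk -v realm="$2" 'index($1, "[") == 1 { section = $1; next }
         section == "[domain_realm]" && $1 == tolower(realm) && $3 == realm { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Run all three checks against krb5.conf $1; one line per check, return 1 on any failure.
check_krb5_conf() {
    conf=$1
    status=0
    realm=$(krb5_default_realm "$conf")
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in [libdefaults]"
        return 1
    fi
    if is_upper_case "$realm"; then
        echo "ok:   default_realm $realm is upper case"
    else
        echo "FAIL: default_realm '$realm' must be the AD domain name in UPPER CASE"
        status=1
    fi
    if krb5_realm_defined "$conf" "$realm"; then
        echo "ok:   [realms] has a block for $realm"
    else
        echo "FAIL: [realms] has no '$realm = {' block (case must match default_realm)"
        status=1
    fi
    if krb5_domain_mapped "$conf" "$realm"; then
        echo "ok:   [domain_realm] maps $(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]') to $realm"
    else
        echo "FAIL: [domain_realm] does not map the DNS domain to $realm"
        status=1
    fi
    return $status
}

# Write a constructed krb5.conf (same shape as the file above) to $1 with default_realm
# set to $2, so the check can be run against a correct and a deliberately wrong copy.
write_sample_krb5_conf() {
    cat > "$1" <<EOF
[libdefaults]
 ticket_lifetime = 24000
 default_realm = $2
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 INFRASUPPORTETC.COM = {
  kdc = 10.10.10.100:88
  admin_server = 10.10.10.100:749
  default_domain = INFRASUPPORTETC.COM
 }

[domain_realm]
 .infrasupportetc.com = INFRASUPPORTETC.COM
 infrasupportetc.com = INFRASUPPORTETC.COM
EOF
}

# Usage: sh check_krb5.sh /etc/krb5.conf   (no argument: only define the functions)
case "${1:-}" in
    "") ;;
    *)  check_krb5_conf "$1" ;;
esac
```

Run it against /etc/krb5.conf after editing; a lower-case default_realm fails the first check, and a mismatch between the [realms] block name and default_realm fails the second, which is the symptom Greg warns about.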
As of 4/3/2005, the documentation in the Samba-HOWTO-Collection is wrong. Use this script provided by Doug VanLeuven to set up the libraries:

  #!/bin/sh
  # Save this script in /home/gregs or someplace convenient.
  # cd /usr/src/samba-3.0.13/source and run this script from there.
  echo "Copying nsswitch modules to system library"
  CWD=`pwd`
  cd /lib
  rm -f libnss_winbind.so libnss_winbind.so.1 libnss_winbind.so.2
  rm -f libnss_wins.so libnss_wins.so.1 libnss_wins.so.2
  cd /usr/lib
  rm -f libnss_winbind.so libnss_wins.so
  cd "$CWD"
  cp -f nsswitch/libnss_winbind.so /lib
  cp -f nsswitch/libnss_wins.so /lib
  cd /lib
  ln -sf libnss_winbind.so libnss_winbind.so.1
  ln -sf libnss_winbind.so libnss_winbind.so.2
  ln -sf libnss_wins.so libnss_wins.so.1
  ln -sf libnss_wins.so libnss_wins.so.2
  cd /usr/lib
  ln -sf ../../lib/libnss_winbind.so libnss_winbind.so
  ln -sf ../../lib/libnss_wins.so libnss_wins.so
  /sbin/ldconfig

Here is Doug's explanation for this script:

> I made this script to update the library after each samba build. Run it from the samba
> source directory. Should be more robust about the source dir, but I'm the only one who
> uses it. Remove the libnss_wins.so lines if you don't use it. Probably don't need
> the .1 links, but I was shotgunning in the beginning and never went back. The version
> number X is 1 for glibc 2.0 and 2 for glibc 2.1. I have some old stuff.

We need a place for log files. The smb.conf template points here:

  mkdir /var/log/samba

(Also look in the already existing directory, /usr/local/samba/var, for logfiles.)

Since we are building from source, we need a script to fire up the daemons, like this:

  #!/bin/sh
  /usr/local/samba/sbin/nmbd
  /usr/local/samba/sbin/smbd
  /usr/local/samba/sbin/winbindd

Save this script someplace convenient, perhaps /firewall-scripts.

Now join this system to the Win2003 domain.
Here is an extract:

  [root@infra-fw gregs]# /usr/local/samba/bin/net ads join -S 10.10.10.100 -U administrator
  administrator's password:
  Using short domain name -- INFRASUPPORTETC
  Joined 'SQUIDTEST' to realm 'INFRASUPPORTETC.COM'

Here are a few useful commands for testing:

  kinit username@xxxxxxxxxxxxx           Use Kerberos to get a ticket (prompts for password)
  klist -e                               Lists cached Kerberos tickets
  /usr/local/samba/bin/wbinfo -t         Check the trust relationship
  /usr/local/samba/bin/wbinfo -g         Enumerate groups in the AD domain
  /usr/local/samba/bin/wbinfo -u         Enumerate users in the AD domain
  /usr/local/samba/bin/testparm          Checks the syntax of smb.conf
  /usr/local/samba/bin/testparm -sv      Shows all the Samba parameters, including default options

The following examples will be useful later. Squid will use this Samba program as an authentication helper. Type a "domain\user password" line and it answers OK or ERR:

  [root@squidtest etc]# /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  infrasupportetc\username badpassword
  ERR
  infrasupportetc\username goodpassword
  OK

The following also returns output, but testing from the keyboard has no value:

  /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

You can also test the authentication helper like this:

  /usr/local/samba/bin/ntlm_auth --username=[username]

  [root@Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
  password:
  NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
  [root@Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
  password:
  NT_STATUS_OK: Success (0x0)

************************************************************************

Now rebuild Squid. (The following is modified from the explanation from Secure Computing Tech Support.)

  cd /usr/local/squid/src/squid-2.5.STABLE7
  ./configure \
    --enable-smartfilter \
    --enable-async-io \
    --enable-linux-netfilter \
    --enable-underscores \
    --prefix=/usr/local/squid \
    --enable-auth="ntlm,basic" \
    --enable-external-acl-helpers="wbinfo_group" \
    --enable-delay-pools \
    --with-samba-sources=/usr/src/samba-3.0.13

Note that the wbinfo_group switch doesn't seem to be important. These switches:

  # --enable-external-acl-helpers="winbind_group" \
  # --enable-ntlm-auth-helpers="winbind" \
  # --enable-basic-auth-helpers="winbind" \

cause the "make all" command below to blow up. For Samba 3.n, Squid will use the authentication helpers that ship with Samba. No need to build any Squid authentication helpers. In fact, the squid FAQ says the Squid winbind helpers won't work with Samba 3.0, and tests with the above configure switches prove that. See:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#winbind

Finish rebuilding squid like this:

  make clean
  make all
  make install

Edit /usr/local/squid/etc/squid.conf and search for this string:

  TAG: auth_param

Skip down through the explanatory comments and put in the following changes in this order:

  auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 30
  auth_param ntlm max_challenge_reuses 0
  auth_param ntlm max_challenge_lifetime 2 minutes
  auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  auth_param basic children 5
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours

Note that the template squid.conf file has several references to auth_param basic above the auth_param ntlm lines. Comment these out, so that the above lines are what are really in squid.conf. I ran into nasty problems when I forgot to comment out some auth_param basic lines above the auth_param ntlm lines.

Here is an explanation from Henrik Nordstrom for why squid.conf needs these lines in this order:

> You need both sections to support all browsers. Not all browsers support NTLM.
>
> You need them in specific order (ntlm first) because MSIE is broken and always selects the
> first advertised authentication scheme even if the standard clearly says it should select
> the strongest authentication scheme.
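The ordering rule Henrik describes is easy to break by leaving one of the template's auth_param basic lines active, which is exactly the mistake described above. Here is a check script added to these notes (it is not Greg's, Henrik's or the Squid project's code) that lists the auth_param lines Squid will actually read, ignoring commented ones, and fails if a basic line precedes the first ntlm line or if either scheme lacks a program line. The write_sample_squid_auth function writes a constructed squid.conf fragment containing the eight lines above so the check can be tried; its optional second argument inserts a leftover template line ahead of the ntlm block to reproduce the problem.

```shell
#!/bin/sh
# Added example: verify auth_param ordering in squid.conf (not part of the original notes).
# Squid ignores lines whose first field starts with "#", so only uncommented auth_param
# lines are considered here.

# Print the scheme (ntlm, basic, ...) of every active auth_param line in file $1, in order.
squid_auth_schemes() {
    awk '$1 == "auth_param" { print $2 }' "$1"
}

# Check file $1: ntlm must be the first advertised scheme, no ntlm line may follow a basic
# line, and both schemes need a "program" line. Prints findings; returns 1 on any failure.
check_auth_param_order() {
    awk '
        $1 != "auth_param" { next }
        { n++ }
        n == 1 && $2 != "ntlm" {
            printf "FAIL: line %d: first advertised scheme is %s; ntlm must come first (MSIE takes the first one offered)\n", NR, $2
            bad = 1
        }
        $2 == "basic" { seen_basic = 1 }
        $2 == "ntlm" && seen_basic {
            printf "FAIL: line %d: auth_param ntlm appears after an auth_param basic line\n", NR
            bad = 1
        }
        $2 == "ntlm"  && $3 == "program" { has_ntlm = 1 }
        $2 == "basic" && $3 == "program" { has_basic = 1 }
        END {
            if (n == 0)                  { print "FAIL: no active auth_param lines"; bad = 1 }
            if (!has_ntlm || !has_basic) { print "FAIL: both ntlm and basic need a program line"; bad = 1 }
            if (!bad) print "ok: ntlm block first, basic block after it, both helpers configured"
            exit bad ? 1 : 0
        }' "$1"
}

# Write a constructed squid.conf fragment to file $1. $2 is an optional extra line placed
# ahead of the ntlm block (e.g. a leftover template line) to reproduce the mistake.
write_sample_squid_auth() {
    cat > "$1" <<EOF
# TAG: auth_param  (commented template text is ignored by Squid)
#auth_param basic program <uncomment and complete this line>
$2
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
EOF
}

# Usage: sh check_auth_order.sh /usr/local/squid/etc/squid.conf   (no argument: define only)
case "${1:-}" in
    "") ;;
    *)  check_auth_param_order "$1" ;;
esac
```

Run it before starting squid each time squid.conf changes; the line numbers it prints point at the stray template lines that need commenting out.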
Now search for:

  TAG: http_access

Find "INSERT YOUR OWN RULE(S) HERE" and put in this acl entry:

  acl AuthorizedUsers proxy_auth REQUIRED
  http_access allow all AuthorizedUsers

Comment out any acls providing access to anyone in the local network. The above ACL forces people to authenticate. Be sure this section ends with a line that looks like this:

  http_access deny all

Save your edits.

Change group ownership for the Samba winbindd files:

  chgrp squid /usr/local/samba/var/locks/winbindd_privileged -R

Change file ownership on squid files:

  cd /usr/local/squid
  chown squid.squid * -R

Create cache dirs and then start squid:

  su squid
  /usr/local/squid/sbin/squid -z
  killall -9 squid
  /usr/local/squid/sbin/squid

-----------------------------------
From a PC logged into AD you should now be able to point IE to your squid proxy and NOT be prompted for username and password.
-----------------------------------
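When the final test fails, it helps to know whether the Squid side (auth_param, the AuthorizedUsers ACL, helper permissions) or the Samba/AD side is at fault. Here is a stand-in basic helper added to these notes (it is not Greg's code and not ntlm_auth) that speaks the exchange shown in the ntlm_auth transcript earlier: Squid writes one "DOMAIN\user password" line per request and expects "OK" or "ERR" back. Its credentials are a constructed test list, the domain prefix is stripped the way the infrasupportetc\username example implies, and it assumes the plain, unescaped line form that transcript shows (a Squid build that %-escapes the two fields would need decoding added). Point auth_param basic program at it only while testing, then put ntlm_auth back.

```shell
#!/bin/sh
# Added example: stand-in for the Squid 2.5 basic authentication helper (not from the
# original notes, not ntlm_auth). Test fixture only, for checking the auth_param basic and
# ACL wiring without AD. Protocol: one "DOMAIN\user password" line per request on stdin,
# one "OK" or "ERR" line on stdout, process stays running between requests.

# Constructed test credentials. A real deployment uses ntlm_auth against winbindd instead.
lookup_password() {
    case "$1" in
        gregs) printf '%s' 'goodpassword' ;;
        ryan)  printf '%s' 'test-only-secret' ;;
        *)     return 1 ;;
    esac
}

# Decide one request line ($1). Prints OK or ERR and returns 0 or 1 to match.
# Assumes the unescaped form shown in the ntlm_auth transcript: "DOMAIN\user password";
# everything after the first space is the password, so passwords may contain spaces.
check_credentials_line() {
    line=$1
    case "$line" in
        *" "*) user=${line%% *}; pass=${line#* } ;;
        *)     echo ERR; return 1 ;;          # no password field at all
    esac
    user=${user##*\\}                         # drop the "DOMAIN\" prefix, if any
    if expected=$(lookup_password "$user") && [ "$pass" = "$expected" ]; then
        echo OK
        return 0
    fi
    echo ERR                                  # unknown user and wrong password answer alike
    return 1
}

# Helper main loop: Squid keeps the process running and feeds one line per authentication.
# A rejected line must not end the loop, or Squid will see the helper die.
run_helper() {
    while IFS= read -r line; do
        check_credentials_line "$line" || :
    done
}

# Usage in squid.conf while testing (hypothetical path):
#   auth_param basic program /firewall-scripts/fake_basic_helper.sh --run
case "${1:-}" in
    --run) run_helper ;;
esac
```

Drive it from the keyboard the same way as ntlm_auth above: run it with --run, type "infrasupportetc\gregs goodpassword", and OK comes back. If a browser authenticates through Squid with this helper but not with ntlm_auth, the problem is on the Samba/AD side (wbinfo -t, the winbindd_privileged group ownership, the krb5.conf realm), not in squid.conf.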