
We need to install a couple of packages first:

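# Install the NTP packages.  The glob is quoted so the shell cannot expand it
# against files in the current directory before yum sees it.
yum -y install 'ntp*'
# Interactive step: comment out the existing "server" lines in /etc/ntp.conf
# and point the daemon at the AD domain controller — Kerberos rejects tickets
# when the proxy's clock drifts too far from the DC's.
vi /etc/ntp.conf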

Find the lines that start with `server`, such as `server 0`, comment them out, then add the line: server  AD-SERVERNAME
Then start the time synchronization now:

# Start ntpd immediately and register it to start at boot.
# (On CentOS 7 these SysV commands are redirected to systemd; `systemctl`
# would be the native equivalent.)
svc=ntpd
service "$svc" start
chkconfig "$svc" on
Install squid and other required software

You can use either samba-winbind or sssd for Active Directory authentication; in this case, I will use samba-winbind:

# Kerberos client tools, Samba/Winbind, authconfig and squid in one transaction.
# NOTE(review): wbinfo and ntlm_auth, used further down, ship in
# samba-winbind-clients on CentOS 7 — confirm it is pulled in as a dependency.
pkgs=(krb5-workstation samba-common samba-winbind authconfig squid)
yum -y install "${pkgs[@]}"
# Register squid to start at boot.
chkconfig squid on
Connect to Active Directory

Suppose your domain name is mycompany.local and the domain admin username is frank. Please note that MYCOMPANY.local and mycompany.local may be treated as different domains because of the upper/lower case.

With authconfig we can easily configure Kerberos, Winbind and sssd (see the authconfig documentation for more about it).

Type the command:

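# Abort early if the site-specific values were not exported beforehand — the
# page never assigns them.  The examples in the messages are the page's own.
: "${ADSERVER:?set to the domain controller FQDN, e.g. DC.MYCOMPANY.local}"
: "${DOMAIN:?set to the Kerberos realm, e.g. MYCOMPANY.local}"
: "${WORKGROUP:?set to the NetBIOS workgroup, e.g. MCC}"
: "${DomainAdmin:?set to the account used to join the domain, e.g. frank}"

# Configure Kerberos + Winbind for AD and join the domain in one shot.
# --passalgo=sha512 replaces the original md5 (and the legacy --enablemd5
# switch): it only governs how *local* /etc/shadow passwords are hashed, so AD
# logins are unaffected, and md5crypt is no longer an acceptable hash.
# --winbindjoin prompts for that account's password rather than taking it on
# the command line, so nothing secret ends up in shell history or `ps`.
# Every expansion is quoted so a value containing spaces cannot split the
# command line.
authconfig --enableshadow --passalgo=sha512 --krb5kdc="$ADSERVER" \
  --krb5realm="$DOMAIN" --smbservers="$ADSERVER" --smbworkgroup="$WORKGROUP" \
  --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm="$DOMAIN" \
  --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
  --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
  --winbindjoin="$DomainAdmin" --disablewins --disablecache --enablelocauthorize --updateall
# Pick up the freshly written smb.conf and make winbind persistent.
service winbind restart
chkconfig winbind on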
  • This configuration is written to the files /etc/krb5.conf and /etc/samba/smb.conf:
     dns_lookup_realm = false
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = MYCOMPANY.local
     default_ccache_name = KEYRING:persistent:%{uid}
    # default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    # default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    # permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    MYCOMPANY.local = {
     kdc = DC.MYCOMPANY.local
  • /etc/samba/smb.conf
    workgroup = MCC
     password server =
     realm = MCC.EDU
     security = ads
     idmap config * : range = 16777216-33554431
     template shell = /bin/false
     kerberos method = secrets only
     winbind use default domain = true
     winbind offline logon = false
     hosts allow = 192.168.10.
  • /etc/nsswitch.conf, configured so the system consults winbind:
    passwd: files winbind
    shadow: files winbind
    group: files winbind
  • /etc/pam.d/system-auth
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required
    auth required delay=2000000
    auth [default=1 ignore=ignore success=ok] uid >= 1000 quiet
    auth [default=1 ignore=ignore success=ok]
    auth sufficient nullok try_first_pass
    auth requisite uid >= 1000 quiet_success
    auth sufficient forward_pass
    auth sufficient use_first_pass
    auth required
    account required broken_shadow
    account sufficient
    account sufficient uid < 36777216 quiet
    account [default=bad success=ok user_unknown=ignore]
    account required

Give squid permissions to use winbind info:
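# Let the squid helpers read winbind's privileged pipe.  -a (append) is
# required: a bare "-G" *replaces* squid's supplementary group list instead of
# adding wbpriv to it.
usermod -a -G wbpriv squid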

Now check your winbind connection using the following commands:

# Sanity-check the domain join by enumerating AD users and groups through
# winbind (long-option spellings of -u and -g).
wbinfo --domain-users
wbinfo --domain-groups

The first lists all the users in AD; the second lists all the groups in AD.

Install negotiate_wrapper


First we need to install negotiate_wrapper: download it, then compile and install it.

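# Build negotiate_wrapper from source.  Everything below writes under
# /usr/local, so run it as root (the page uses sudo only for yum); each cd
# aborts on failure instead of carrying on in the wrong directory.
sudo yum -y install gcc
cd /usr/local/src/ || exit 1
# The download URL was lost from the page; it must be supplied explicitly.
wget -- "${NEGOTIATE_WRAPPER_URL:?set to the negotiate_wrapper-1.0.1.tar.gz download URL}"
# Supply-chain check the page omits: compare the archive with the digest the
# project publishes before building it, e.g.
#   echo "<EXPECTED_SHA256>  negotiate_wrapper-1.0.1.tar.gz" | sha256sum -c -
tar -xvzf negotiate_wrapper-1.0.1.tar.gz
cd negotiate_wrapper-1.0.1/ || exit 1
# The squid.conf further down expects the helper at
# /usr/local/bin/negotiate_wrapper — verify the installed path afterwards.
make install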


Configure Squid

Allow squid through the firewall:

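# Open the proxy port in firewalld.  Two corrections to the single command the
# page gives:
#  * firewalld's predefined "squid" service covers Squid's default port
#    (3128/tcp), while the squid.conf below listens on 8080 (http_port 8080),
#    so that port is opened explicitly — if squid only ever listens on 8080 the
#    service line can be dropped altogether;
#  * --permanent alone only edits the saved rule set; --reload is needed for the
#    running firewall to pick the change up.
sudo firewall-cmd --add-service=squid --permanent
sudo firewall-cmd --add-port=8080/tcp --permanent
sudo firewall-cmd --reload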

There are three kinds of authentication: Negotiate (Kerberos and NTLM) authentication, pure NTLM authentication, and basic authentication via LDAP for clients not authenticated via Kerberos/NTLM:

### negotiate kerberos and ntlm authentication
# negotiate_wrapper dispatches each client token to the Kerberos helper or to
# ntlm_auth depending on what the browser sent, so both kinds of domain client
# work behind one scheme.  -d (wrapper and Kerberos helper) and --diagnostics
# (ntlm_auth) are debugging switches that make the helpers very verbose; keep
# them while testing and drop them once the chain works.  --domain=EXAMPLE is a
# sample value that must match the real NetBIOS domain.  Per the helper's
# documentation, -s GSS_C_NO_NAME accepts any service principal present in the
# keytab.  (squid_kerb_auth is the older name of negotiate_kerberos_auth —
# see the path note under the later listing.)
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/local/bin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

### pure ntlm authentication
# NTLM only — no Kerberos path.  Same --diagnostics caveat as above.
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
# Basic auth delivers the user's password to the proxy in clear text; it is the
# fallback for clients that cannot do Negotiate.  -W reads the LDAP bind
# password from a file, so that file must not be world-readable (root/squid
# only).  NOTE(review): the file lives under /etc/squid3/ here while every
# other path on this page uses /etc/squid — presumably copied from a
# Debian/Ubuntu example; check the path.  The bind DN after -D was mangled by
# the page export ("[email protected]") and is presumably the bind account's UPN.
# %s in the -f filter is replaced with the login name the client submitted;
# the helper is responsible for escaping it as an LDAP filter value, so keep the
# helper current (newer Squid releases ship it as basic_ldap_auth).
auth_param basic program /usr/local/bin/squid_ldap_auth -R -b "dc=example,dc=local" -D [email protected] -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.example.local
auth_param basic children 10
# Realm string shown in the browser's credential prompt.
auth_param basic realm Internet Proxy
# Re-validate cached basic credentials against LDAP after one minute.
auth_param basic credentialsttl 1 minute

Negotiate (Kerberos and NTLM) authentication is the desired one, as it authenticates based on the logged-on user and does not require the user to enter a user name and password.

We want the following rules:

  • domain logged-on users can browse all websites except bad_urls,
  • non-domain logged-on users can only browse whitelist URLs, while bad_urls are also blocked:


# Client networks allowed to use the proxy.  NOTE(review): the IPv4 value of the
# first line was lost when this page was exported (the stock squid.conf lists
# the private IPv4 ranges here); restore it or IPv4 clients never match localnet.
acl localnet src 
acl localnet src fc00::/7       
acl localnet src fe80::/10      
##below here is modified for AD integration##
# whitelist.txt holds case-insensitive regular expressions matched against the
# destination host name.  An unanchored entry also matches any longer name that
# contains it, so anchor each entry — e.g. `(^|\.)mycompany\.local$`
# (constructed example) — or switch to a dstdomain list like bad_url below.
acl whitelist dstdom_regex -i "/etc/squid/whitelist.txt"
acl bad_url dstdomain "/etc/squid/bad-sites.acl"

# http_access rules are evaluated top-down and the first match wins, so the
# position of every rule from here on matters.
# Deny domains listed in /etc/squid/bad-sites.acl before anything can allow them.
http_access deny bad_url
# NOTE(review): this allow carries no src restriction, so any client that can
# reach the proxy port — not only localnet — gets the whitelisted domains
# without authenticating.  `http_access allow localnet whitelist` is the
# tighter form.
http_access allow whitelist

# One Negotiate helper that dispatches each client token to the Kerberos helper
# or to ntlm_auth depending on what the browser sent.  --domain=MCC matches the
# smb.conf workgroup above.  -d and --diagnostics are debugging switches that
# make the helpers very verbose; drop them once the setup works.
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MCC --kerberos /usr/lib64/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
# note the path of the negotiate_wrapper and negotiate_kerberos_auth may be in different location, do some research on them and then verify it.
# NOTE(review): the next two lines tune the *ntlm* scheme, but no ntlm program
# is configured in this file (only negotiate), so they do not affect the helper
# above; presumably `auth_param negotiate children 5` and
# `auth_param negotiate keep_alive on` were intended.
auth_param ntlm children 5
auth_param ntlm keep_alive on
# NOTE(review): the src value of our_networks was also lost in the export.
acl our_networks src
# proxy_auth REQUIRED matches any user who authenticated through whichever
# auth_param schemes are configured (negotiate here); "ntlm" is only the ACL's name.
acl ntlm proxy_auth REQUIRED
# Allow local AD authentication
# NOTE(review): placed here, this allow matches before the Safe_ports and
# CONNECT denies below, so an authenticated user is exempt from those port
# restrictions.  The same rule is repeated near the end of the list, where it
# belongs; delete this first copy.
http_access allow our_networks ntlm
# Per Squid's documentation this only affects the max_user_ip ACL, which this
# file does not use — presumably a harmless carry-over.
authenticate_ip_ttl 1800 seconds
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
## Recommended minimum Access Permission configuration:
## Deny requests to certain unsafe ports

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost

http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
# NOTE(review): this allow matches every localnet client before the
# authenticated rule below is reached, so anyone on the local network gets
# unrestricted (bad_url-filtered only) access without logging on — the
# opposite of the "non-domain users see only the whitelist" rule stated above.
# Remove it (or narrow it to `allow localnet whitelist`) so that the
# our_networks+ntlm rule is what admits domain users.
http_access allow localnet
http_access allow localhost
# Allow local AD authentication
# Correct position for this rule: after the port and manager restrictions.
http_access allow our_networks ntlm
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
# 8080 is used here instead; the firewall step above opens the predefined
# "squid" service, so make sure 8080/tcp is opened as well.

http_port 8080 
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir

coredump_dir /var/spool/squid
## Add any of your own refresh_pattern entries above these.#

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

In /etc/squid, create whitelist.txt and add entries:


Create /etc/squid/bad-sites.acl and add entries:


Reference: Squid in CentOS 7 and its integration with Windows Server 2012R2 Active Directory (mailing-list thread; the address is obfuscated in the source): [email protected]/thread/QI66ZLABJ3ZQBWNNVNZSLRSIF426JXMS/