Kerberos authentication against AD only works if the proxy's clock is in sync with the domain controller (by default a skew of more than 5 minutes is rejected), so we need to install a couple of packages and set up NTP against the DC first:
yum install ntp* -y
vi /etc/ntp.conf
Find the lines starting with server, such as server 0.centos.pool.ntp.org, comment them out, and add the line: server AD-SERVERNAME
Then synchronize the clock right away, start the service and enable it at boot:
ntpdate AD-SERVERNAME
service ntpd start
chkconfig ntpd on
Install squid and other required software
You can use either samba-winbind or sssd for Active Directory authentication; in this case I use samba-winbind:
yum -y install krb5-workstation samba-common samba-winbind authconfig squid
chkconfig squid on
Connect to active directory
Suppose your domain name is mycompany.local and the domain admin username is frank. Note that MYCOMPANY.local and mycompany.local may be treated as different domains because of the upper/lower case (Kerberos realm names are case-sensitive).
With authconfig we can easily configure Kerberos, Winbind and sssd; see the Red Hat documentation for more about authconfig (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-install.html).
Run the following (the --enablemd5/--passalgo=md5 options only affect how local /etc/shadow passwords are hashed; CentOS 7 defaults to sha512, so you can drop them or use --passalgo=sha512 instead). --winbindjoin prompts for the domain admin's password:
ADSERVER=DC.MYCOMPANY.local
DOMAIN=MYCOMPANY.local
WORKGROUP=MYCOMPANY
DomainAdmin=frank
authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=$ADSERVER \
  --krb5realm=$DOMAIN --smbservers=$ADSERVER --smbworkgroup=$WORKGROUP \
  --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN \
  --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
  --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
  --winbindjoin=$DomainAdmin --disablewins --disablecache --enablelocauthorize --updateall
service winbind restart
chkconfig winbind on
These settings are written by authconfig to the following files (note that the smb.conf excerpt below shows the author's own MCC / MCC.EDU names rather than the MYCOMPANY placeholders):
- /etc/krb5.conf
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = MYCOMPANY.local
 default_ccache_name = KEYRING:persistent:%{uid}
# default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
 MYCOMPANY.local = {
  kdc = DC.MYCOMPANY.local
 }
- /etc/samba/smb.conf
 workgroup = MCC
 password server = MCC_DC.MCC.edu
 realm = MCC.EDU
 security = ads
 idmap config * : range = 16777216-33554431
 template shell = /bin/false
 kerberos method = secrets only
 winbind use default domain = true
 winbind offline logon = false
 hosts allow = 192.168.10.
- /etc/nsswitch.conf, so that user and group lookups also consult winbind:
passwd: files winbind
shadow: files winbind
group:  files winbind
- /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 36777216 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
Give squid permission to use winbind: the helpers talk to winbind through a privileged pipe that only members of the wbpriv group may open (-a appends the group instead of replacing the squid user's existing supplementary groups):
usermod -a -G wbpriv squid
Now check the winbind connection with the following commands:
wbinfo -u
wbinfo -g
The first lists all users in AD, the second lists all groups in AD.
Install negotiate_wrapper
First we need to install negotiate_wrapper: download it, then compile and install.
sudo yum install gcc -y
cd /usr/local/src/
wget "http://downloads.sourceforge.net/project/squidkerbauth/negotiate_wrapper/negotiate_wrapper-1.0.1/negotiate_wrapper-1.0.1.tar.gz"
tar -xvzf negotiate_wrapper-1.0.1.tar.gz
cd negotiate_wrapper-1.0.1/
./configure
make
make install
Configure Squid
Open the proxy port in firewalld and reload so that the permanent rule takes effect (the predefined squid service covers 3128/tcp; with http_port 8080 as configured below, open that port instead, e.g. --add-port=8080/tcp):
sudo firewall-cmd --add-service=squid --permanent
sudo firewall-cmd --reload
There are three kinds of authentication: Negotiate (Kerberos and NTLM), pure NTLM, and basic authentication via LDAP for clients that cannot authenticate with Kerberos/NTLM (basic sends the password base64-encoded, i.e. effectively in clear text, with every request, so keep it as a fallback only):
### negotiate kerberos and ntlm authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE --kerberos /usr/local/bin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=EXAMPLE
auth_param ntlm children 10
auth_param ntlm keep_alive off
### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/local/bin/squid_ldap_auth -R -b "dc=example,dc=local" -D [email protected] -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h dc1.example.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
Negotiate (Kerberos and NTLM) is the one we want: it picks the mechanism based on the logged-on user, so the user does not have to enter a username and password.
We want the following rules:
- a domain logged-on user can browse all websites except those in bad_url,
- a non-domain user can browse only whitelisted URLs, and bad_url sites are blocked for them too:
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
## below here is modified for AD integration ##
acl whitelist dstdom_regex -i "/etc/squid/whitelist.txt"
acl bad_url dstdomain "/etc/squid/bad-sites.acl"
# Deny URL configured in bad_url.acl file
http_access deny bad_url
http_access allow whitelist
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MCC --kerberos /usr/lib64/squid/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
# note: negotiate_wrapper and negotiate_kerberos_auth may be installed in other locations; check where they actually are and adjust the paths above.
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl ntlm proxy_auth REQUIRED
# Allow local AD authentication (http_access is first-match: because this allow comes before the Safe_ports/CONNECT denies below, authenticated users are not subject to them)
http_access allow our_networks ntlm
authenticate_ip_ttl 1800 seconds
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
## Recommended minimum Access Permission configuration:
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
http_access allow localnet
http_access allow localhost
# Allow local AD authentication
http_access allow our_networks ntlm
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 8080
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
In /etc/squid create whitelist.txt with these entries (they are unanchored regular expressions for dstdom_regex: \.google\.com also matches any host name that merely contains ".google.com"; append $ if the match should end there):
\.microsoft\.com
\.google\.com
Create /etc/squid/bad-sites.acl with these entries (dstdomain entries without a leading dot match only that exact host, which is why www.bangbrosteenporn.com is listed separately; an entry such as .spankbang.com covers the domain and all its subdomains):
spankbang.com
bangbrosteenporn.com
www.bangbrosteenporn.com
porn8.com
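The http_access rules above are evaluated in order and the first matching line wins, so their order matters: as written, "http_access allow our_networks ntlm" comes before "http_access deny !Safe_ports", so an authenticated domain user can reach ports the recommended-minimum block is meant to close; the whitelist regexes are unanchored; and bad-sites.acl entries without a leading dot do not cover subdomains. The following script is an added example, not part of this page or of Squid: a small Python evaluator that mimics the documented matching semantics of the ACL types used here (src, dstdomain, dstdom_regex, port, proxy_auth, including the 407 challenge when a proxy_auth term is last on a line) and returns the decision for a request under the page's rule order and under a corrected order (port deny first, unconditional "allow localnet" dropped, anchored whitelist regexes, leading-dot bad_url entries). The file-backed ACLs are inlined as literal values, the client addresses, host names and user name are constructed, and compare() and Request are names of this example, not Squid's.

```python
# Added example (not from this page or from Squid): a toy first-match evaluator for the
# Squid ACL types used above, written after their documented semantics, to check offline
# what the http_access ordering actually does.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str                    # client IP address (constructed values in the tests)
    host: str                   # destination host name
    port: int                   # destination port
    user: Optional[str] = None  # None = no valid proxy credentials presented


def parse_config(text):
    """Return (acls, rules): name -> [type, flags, values] and [(action, [(negated, name)])]."""
    acls = {"all": ["src", set(), ["all"]]}  # Squid's built-in 'all' ACL
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "acl":  # repeated 'acl NAME' lines accumulate values
            entry = acls.setdefault(parts[1], [parts[2], set(), []])
            entry[1].update(p for p in parts[3:] if p.startswith("-"))
            entry[2].extend(p.strip('"') for p in parts[3:] if not p.startswith("-"))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], [(n.startswith("!"), n.lstrip("!")) for n in parts[2:]]))
    return acls, rules


def acl_matches(acl, req):
    typ, flags, values = acl
    if typ == "src":
        ip = ipaddress.ip_address(req.src)
        return any(v == "all" or ip in ipaddress.ip_network(v, strict=False) for v in values)
    if typ == "dstdomain":  # ".example.com" = domain and subdomains; "example.com" = that host only
        host = req.host.lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in map(str.lower, values))
    if typ == "dstdom_regex":  # unanchored search, as in Squid
        re_flags = re.IGNORECASE if "-i" in flags else 0
        return any(re.search(v, req.host, re_flags) for v in values)
    if typ == "port":  # single ports or lo-hi ranges
        return any(int(lo) <= req.port <= int(hi or lo) for lo, _, hi in (v.partition("-") for v in values))
    if typ == "proxy_auth":
        return req.user is not None
    raise ValueError(f"unsupported acl type: {typ}")


def decide(config_text, req):
    """First-match evaluation; returns 'allow', 'deny' or 'challenge' (HTTP 407)."""
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        matched = True
        for i, (negated, name) in enumerate(terms):
            acl = acls[name]
            hit = acl_matches(acl, req)
            # A proxy_auth term that is LAST on its line and fails for lack of credentials
            # makes Squid send a 407 challenge instead of moving on to the next line.
            if acl[0] == "proxy_auth" and not hit and not negated and i == len(terms) - 1:
                return "challenge"
            if hit == negated:  # plain term missed, or negated term matched
                matched = False
                break
        if matched:
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"  # opposite of the last line


# Constructed fragments. PAGE_ORDER keeps the rule order used above (file-backed ACLs inlined);
# FIXED_ORDER puts the Safe_ports deny first, drops the unconditional 'allow localnet',
# anchors the whitelist regexes and gives the bad_url entries a leading dot.
PAGE_ORDER = r"""
acl localnet src 192.168.0.0/16
acl whitelist dstdom_regex -i \.microsoft\.com \.google\.com
acl bad_url dstdomain spankbang.com porn8.com
http_access deny bad_url
http_access allow whitelist
acl our_networks src 192.168.0.0/16
acl ntlm proxy_auth REQUIRED
http_access allow our_networks ntlm
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""
FIXED_ORDER = r"""
acl localnet src 192.168.0.0/16
acl whitelist dstdom_regex -i \.microsoft\.com$ \.google\.com$
acl bad_url dstdomain .spankbang.com .porn8.com
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl ntlm proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny bad_url
http_access allow whitelist
http_access allow localnet ntlm
http_access deny all
"""


def compare(req):
    """(decision under the page's order, decision under the corrected order)."""
    return decide(PAGE_ORDER, req), decide(FIXED_ORDER, req)
```

Calling compare(Request("192.168.1.10", "mail.example.com", 25, "MYCOMPANY+frank")) returns ("allow", "deny"): under the page's order an authenticated user gets through to port 25 before the Safe_ports deny is ever consulted. Likewise www.spankbang.com is allowed for a domain user under the page's order (the exact-host entry does not cover the www host) and denied under the corrected one, and a host such as www.google.com.example.net is whitelisted without authentication under the page's order because the unanchored regex matches inside the name. Unauthenticated requests to anything not whitelisted come back as "challenge" in both orders, which is the intended behaviour for non-domain clients.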
References:
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/
Squid in CENTOS 7 and its integration with Windows Server 2012R2 Active Directory
https://lists.fedorahosted.org/archives/list/[email protected]/thread/QI66ZLABJ3ZQBWNNVNZSLRSIF426JXMS/
https://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory#Basic