List: squid-users
Subject: [squid-users] squid and AD configuration guidelines
From: "Paul Mattingly" <Paul.Mattingly () concordelogistics ! com>
Date: 2006-02-27 12:03:45
Message-ID: 78B07F5DC9E7524E92B98C936EF801C401466FD4 () southallex01 ! ad ! concordelogistics ! com

Hi

I have spent the last few months getting Squid to work seamlessly in a Windows 2003 AD environment. Being an MCSE I had very little *NIX knowledge but I had to try Squid out as ISA was not an option.

I would like to share my configuration with others so hopefully I can provide the same help I received. I make no guarantees, this is not a complete how-to, it's just what I did to get things running in my particular environment with the software versions specified. There is much improvement to be made and a great deal for me to learn, but this is working just fine at the moment.

Please please try this in a test environment first. I was dumb enough not to do so and ended up killing a production DC when trying to join the squid machine to the domain. An error in smb.conf over-wrote the DC's computer account in AD! Oops. I just treated the situation as if the DC had an unrecoverable hardware failure. Following an MS article, I removed the DC from AD by hand and rebuilt it under a new name. I felt this was the only way to be sure, and everything is back to normal now! Won't be forgetting that in a hurry; what doesn't kill you (or the network) can only make you stronger! :-P

So here we go : - )

Hardware
‾‾‾‾‾‾‾‾
HP Netserver LC 2000 U3
Pentium III/1000MHz
512MB RAM
1x18GB SCSI drive
2x36GB SCSI drive
I created two RAID0 volumes, one with one disk and one with two disks. This favours performance over fault-tolerance.
Software
‾‾‾‾‾‾‾‾
FreeBSD 6.0-RELEASE http://www.freebsd.org/
Squid 2.5 STABLE12 http://www.squid-cache.org/
Samba 3.0.21a http://www.samba.org/
Windows 2003 SP1 Active Directory environment

Operating System setup
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
FreeBSD was loaded with standard partitions (/ /var /usr and swaps) on the first disk. I created one large partition mounted /disk1 for the cache on the second disk. The OpenLDAP libraries from the ports collection are required to communicate with AD. You can use sysinstall during installation or later to install this. Configure, Packages, Select Media, Net, openldap-client-2.2.27. Next came the user and group accounts to run squid under. These were called proc_squid and grp_squid and created in the normal way as per the handbook. To allow use of the cache manager, Apache 1.3 was installed from /usr/ports/www/apache13/

Samba
‾‾‾‾‾
Samba is required to facilitate transparent NTLM authentication. Only winbind ends up running so it seems overkill to install the whole package. Follow the installation instructions and make sure to add
--with-winbind --with-ads
when you run the configure script. If you get errors that relate to LDAP not being installed you can specify where the libs are like this. I imagine this will vary between OSs, this is what FreeBSD required.
--libdir=/usr/local/lib/
--includedir=/usr/local/include/
You can use the smb.conf at the bottom of this page as a guideline for your own to get Samba running. An excellent FAQ is located at http://www.squid-cache.org/Doc/FAQ/FAQ-23.html which describes testing procedures. The only program I used from Samba was ntlm_auth which in turn relies on winbindd to function. This will authenticate the user transparently and pass the details of the account to Squid via the external helpers setup. Rather more info than you need (!) can be found here http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
There is also an excellent guide regarding Samba and squid here.
http://pserver.samba.org/samba/docs/man/Samba-Guide/DomApps.html
The squid machine has to be joined to the AD domain, and you can do this with the following command
/usr/local/samba/bin/net ads join -U administrator%password
While you are in AD U+C checking the account is OK, you might as well create the account which the LDAP program will use to authenticate. Just a regular user account with no access will do just fine. Use the credentials when constructing the squid_ldap_group command line as detailed below.
There is a section in one of the FAQs about using a cron job to cycle the computer account password every so often. It's not obvious whether this is required or not, I certainly haven't had to do it yet. However, if the authentication should break down unexpectedly, it's one of the first things I will look at!
I encountered various different errors here and a summary follows
BH NT_STATUS_ACCESS_DENIED
[2005/12/14 14:12:09, 0] utils/ntlm_auth.c:winbind_pw_check(439)
Login for user [DOMAIN]\[USER]@[SQUIDTEST] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.]
The permissions on /var/db/samba/winbindd_privileged is not set correctly
The directory I had to check was /usr/local/samba/var/locks/winbindd_privileged/
User: root or cache_effective_user
Group: cache_effective_group
Permissions: u=rwx, g=rx, o=
Then everything was OK.
squidhp# ./ntlm_auth --helper-protocol=squid-2.5-ntlmssp
squid\administrator password
[2006/02/01 10:23:18, 1] utils/ntlm_auth.c:manage_squid_ntlmssp_request(578)
BH
Above is an example of testing the ntlm_auth program. I never got this to work properly by hand, but squid seems happy with it! It's an error that doesn't need fixing.
You will be ready to proceed if you are at the following position
winbindd running (use winbindd -D to invoke)
wbinfo -t returns 'secret is good' or 'checking the trust secret via RPC calls succeeded'
wbinfo -g returns a list of your groups something like
DOMAIN\domain guests
DOMAIN\domain users
DOMAIN\group policy creator owners
etc....
wbinfo -u does the same as above for users

Squid
‾‾‾‾‾
Squid is now ready to be loaded. You must use
--enable-auth="basic,ntlm"
--with-external-acl-helpers="ldap_group"
There was a major problem with getting the ldap group program to compile properly. It couldn't find the ldap libraries even though I tried to specify them in the Makefile. I ended up copying all the files related to ldap so there was a copy in both /usr/include/ and /usr/local/include. This was pretty messy but I did not have another option at the time. The error message
cannot find -lldap
also came up a few times. This was sorted by editing this file
../squid-2.5.STABLE12/helpers/external_acl/ldap_group/Makefile
The variable LDFLAGS must read
LDFLAGS = -g -L/usr/local/lib
Squid should compile with no errors and a squid_ldap_group executable should be created in the external helpers ldap_group directory
It's a good idea to test squid_ldap_group by hand at this point. The manual pages and help switch are useful. Here is the command line extracted from squid.conf
/squid-2.5.STABLE12/helpers/external_acl/ldap_group/squid_ldap_group -b "ou=example_OU,dc=example,dc=domain,dc=com" -f "(&(cn=%a)(member=%v)(objectClass=group))" -F "(|(samAccountName=%s)(cn=%s))" -h DC_hostname.example.domain.com -D username -w password -v3 -S
Entering a username and then a group separated by a space will return either OK or ERR depending on their membership. It appears that the program is more than just a membership lookup routine. Through testing, I discovered that each filter must evaluate to true for OK to be returned. So you can customize them to whatever criteria you like. The example above checks for a group with the user present in it and the fact that the user exists. It also checks the base OU specified and the whole tree beneath it.
All that was left was to take ownership of the appropriate directories, create the cache folders (I created /disk1/squid/var/cache/ ) and start winbindd and squid. I used chmod and chown with -R to recursively set ownership and permissions for the cache directories and the other two squid folders. This may be overkill.
/usr/local/squid/sbin/squid -z will initialise the cache folders
/usr/local/squid/sbin/squid -NCd1 is good for the first time you start as it will send debugging messages straight to the console. Just run ../squid on its own when you are happy for squid to run in the background.
Samba documentation says you need smbd and nmbd but I found that it worked without either of them. I read a few documents that mentioned NSSWITCH and KRB5 configuration files but I never created or modified either of these.
If you see multiple ntlm_auth and squid_ldap_group processes this is normal. 5 processes are spawned by default to ensure all requests are handled efficiently. My server is very very quiet at the moment (0.8% CPU usage on average, 23 users) so I have reduced this to 3 processes for the moment. This is specified in squid.conf under auth_param ntlm children n. I feel that squid performance is crucial and hope to investigate this area further.

Squid ACLS
‾‾‾‾‾‾‾‾‾‾
My setup includes three groups of users. Those with no restriction whatsoever, those who must pass a blacklist and those who must pass a whitelist. You can see how this was implemented from the squid.conf below. The cunning thing about this syntax is that if a user is accidentally joined to more than one of the internet groups in AD, the most restrictive group will apply. There is also system wide blocking for ads and unapproved subnets. Note the line 'acl auth_users proxy_auth REQUIRED' which ensures that any user connecting must undergo authentication. I have left out Basic as the only clients that will be connecting are IE and Firefox. Firefox 1.5 appears to support NTLM now, which is contrary to some articles I have read. There were no pop-ups and it worked transparently just as IE does.

Custom Error Messages
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
I have also created some custom error messages which make troubleshooting a lot easier. Different pages will come up for different errors so the user can immediately relay the problem they are having. This FAQ will help.
http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.24
See below for my ad blocking message. I was trying to replace ads with the minimum of information. Squid will add a footer at the bottom of the page (see the FAQ) but the %s displays just the squid version which reduces the info a fair bit.

Cache Manager
‾‾‾‾‾‾‾‾‾‾‾‾‾
See below for the additional lines in httpd.conf which hosts cachemgr.cgi. This was a very quick install but I managed to limit the number of httpd servers and add a password. squid.conf holds the password under 'cachemgr_passwd password all' and you can edit MinSpareServers and StartServers within httpd.conf. I have these both set at 1 because I can't foresee a tremendous amount of traffic heading that way.

smb.conf
‾‾‾‾‾‾‾‾
[global]
security = ads
password server = DC_hostname.example.domain.com
# must be in CAPS
realm = EXAMPLE.DOMAIN.COM
workgroup = DOMAIN_NETBIOS_NAME
encrypt passwords = yes
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
winbind enum users = yes
winbind enum groups = yes
log file = /var/log/log.%m
winbind separator = \\

squid.conf
‾‾‾‾‾‾‾‾‾‾
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /disk1/squid/var/cache 20000 16 256
debug_options ALL,1 33,2
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 3
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl subnet src "/usr/local/squid/etc/subnet.txt"
deny_info ERR_SUBNET subnet
acl ads url_regex "/usr/local/squid/etc/adurls.txt"
deny_info ERR_ADBLOCK ads
acl ads2 url_regex "/usr/local/squid/etc/adurls2.txt"
deny_info ERR_ADBLOCK ads2
acl badwords url_regex "/usr/local/squid/etc/badwords.txt"
acl company_site_dom dstdomain "/usr/local/squid/etc/companydomains.txt"
acl company_site_url url_regex "/usr/local/squid/etc/companyurls.txt"
external_acl_type ldap_group ttl=0 children=3 %LOGIN ../squid-2.5.STABLE12/helpers/external_acl/ldap_group/squid_ldap_group -b "ou=example_OU,dc=example,dc=domain,dc=com" -f "(&(cn=%a)(member=%v)(objectClass=group))" -F "(|(samAccountName=%s)(cn=%s))" -h DC_hostname.example.domain.com -D username -w password -v3 -S
acl full external ldap_group full_internet_access
acl restricted external ldap_group restricted_internet_access
acl company external ldap_group company_approved_internet_access
acl auth_users proxy_auth REQUIRED
http_access deny ads
http_access deny ads2
http_access deny !subnet
http_access allow company company_site_url
http_access allow company company_site_dom
http_access deny company !company_site_url
http_access deny company !company_site_dom
http_access allow restricted !badwords
http_access deny restricted badwords
http_access allow full
http_access deny !auth_users
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr helpdesk@company.com
cache_effective_user proc_squid
cache_effective_group grp_squid
visible_hostname Squid
cachemgr_passwd password all
coredump_dir /disk1/squid/var/cache

httpd.conf
‾‾‾‾‾‾‾‾‾‾
ScriptAlias /squid/cgi-bin/ /usr/local/squid/libexec/
<Location /squid/cgi-bin/cachemgr.cgi>
order allow,deny
allow from workstation squid_IP
</Location>

Custom error message
‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD><BODY>
Ad blocked by %s

I am very impressed with Squid, it's a worthy rival to its competitors. Hopefully this guide is of some help to you and I welcome any comments and suggestions. As I said before, this is no guaranteed guide, it's just what worked in my environment.

Paul
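As an added illustration, not part of Paul's post and not Squid's own code: a small Python model of Squid's first-match http_access evaluation, run over the http_access lines from the squid.conf above, to show why a user who sits in more than one internet group in AD ends up with the most restrictive one. The group names are the ones from the post; the URLs, subnet and word lists are constructed stand-ins for the text files the config references.

```python
# Model of Squid's first-match http_access evaluation over the rules in the
# post's squid.conf. Constructed sample data stands in for the referenced files.

COMPANY_DOMAINS = {"intranet.company.com"}   # companydomains.txt (constructed)
BADWORDS = ("casino",)                        # badwords.txt (constructed)
AD_PATTERNS = ("/ads/",)                      # adurls.txt (constructed)
ALLOWED_SUBNETS = ("10.1.",)                  # subnet.txt (constructed)

def acl_match(name, req):
    """Evaluate one named ACL against a request dict (user, groups, src, url)."""
    url, groups = req["url"], req["groups"]
    host = url.split("/")[2]
    return {
        "ads": any(p in url for p in AD_PATTERNS),
        "ads2": False,                                   # second ad list left empty
        "subnet": req["src"].startswith(ALLOWED_SUBNETS),
        "company_site_url": host in COMPANY_DOMAINS,
        "company_site_dom": host in COMPANY_DOMAINS,
        "badwords": any(w in url for w in BADWORDS),
        # the three external ldap_group ACLs: membership of the AD groups in the post
        "company": "company_approved_internet_access" in groups,
        "restricted": "restricted_internet_access" in groups,
        "full": "full_internet_access" in groups,
        "auth_users": req.get("user") is not None,       # proxy_auth REQUIRED
        "all": True,
    }[name]

# http_access lines from the post, in order; a leading '!' negates as in squid.conf.
HTTP_ACCESS = [
    ("deny", ["ads"]), ("deny", ["ads2"]), ("deny", ["!subnet"]),
    ("allow", ["company", "company_site_url"]),
    ("allow", ["company", "company_site_dom"]),
    ("deny", ["company", "!company_site_url"]),
    ("deny", ["company", "!company_site_dom"]),
    ("allow", ["restricted", "!badwords"]),
    ("deny", ["restricted", "badwords"]),
    ("allow", ["full"]),
    ("deny", ["!auth_users"]),
    ("deny", ["all"]),
]

def http_access(req):
    """First line whose ACLs all match decides; if none match, Squid applies
    the opposite of the last line's action."""
    for action, acls in HTTP_ACCESS:
        if all(acl_match(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

Because the company and restricted lines come before `allow full`, a user in full plus one of the other groups never reaches the unrestricted rule.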
