UPDATE: This guide originally showed you how to configure Squid to authenticate with PAM. As many people have been searching for ways to authenticate with Kerberos, I have updated this article to reflect the necessary changes.
The upside is that you now get Single Sign On (SSO) as a bonus: domain users logged on to domain-joined Windows machines will not be prompted for credentials when accessing the proxy server, because the browser presents a Kerberos service ticket for the proxy instead.
Before we start: this guide walks you through setting up a Red Hat Enterprise Linux 6.3 server running Squid Cache to authenticate Active Directory 2008 R2 users over Kerberos.
Before proceeding with this article, please make sure you have added your Linux server to the Active Directory domain. You can use the guide here to get up and running quickly.
Now that the prerequisite is completed, let's crack on.
1. Install the necessary packages.
yum install -y squid
2. Set Squid to start on boot
chkconfig squid on
3. Edit /etc/squid/squid.conf and add the below lines to the top of the file.
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE
Note that credentialsttl is a parameter of the basic scheme, which this configuration never enables, so that line is harmless but does nothing here; the Negotiate helper validates a Kerberos ticket on every request. The acl line declares that any successfully authenticated user matches ad_auth; it does not grant access by itself, which is what the next step does.
4. Edit /etc/squid/squid.conf again, to change the rules that allow access to Squid.
Find the section “INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS” and change the lines beneath to reflect the following.
#http_access allow localnet
#http_access allow localhost
http_access allow ad_auth
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
5. Now we need to create a keytab file for the proxy's HTTP service principal in Active Directory. You will need to install msktutil from the EPEL repositories to do this.
[root@proxy01 /]# yum install -y msktutil
[root@proxy01 /]# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
[root@proxy01 /]# msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.example.com -k /etc/squid/squid.keytab --computer-name proxy02 --upn HTTP/proxy02.example.com --server dc01.example.com --enctypes 28
[root@proxy01 /]# chgrp squid /etc/squid/squid.keytab
[root@proxy01 /]# chmod 740 /etc/squid/squid.keytab
The host part of the SPN (-s HTTP/proxy02.example.com) must be the DNS name that clients will enter in their browser proxy settings, because Windows requests a ticket for HTTP/<name as typed>; a ticket cannot be obtained for an IP address or for a name that has no matching SPN. --computer-name is the AD computer account that will hold the SPN, and --enctypes 28 requests RC4-HMAC, AES128 and AES256 keys. The transcript above registers proxy02 from a shell on proxy01; substitute your own proxy's name consistently in all three places. The keytab is the proxy's long-term credential, so keep it readable only by root and the squid group (the execute bit that chmod 740 sets is unnecessary; 640 is sufficient).
6. Update your Squid startup script so that the Kerberos library is pointed at the new keytab (via KRB5_KTNAME) on service startup.
Edit /etc/init.d/squid and find the section that looks as follows
start() {
    probe
    parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
    RETVAL=$?
    .......
and add the two additional lines so it appears as follows
start() {
    KRB5_KTNAME=/etc/squid/squid.keytab
    export KRB5_KTNAME
    probe
    parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
    RETVAL=$?
    .......
Save and exit, then start/restart the service
[root@proxy01 /]# service squid restart
Stopping squid: ................                           [  OK  ]
Starting squid: .                                          [  OK  ]
[root@proxy01 /]#
7. Open port 3128 on your local firewall
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
service iptables save
This rule accepts connections from anywhere; Squid will still refuse to proxy for anyone who does not authenticate, but it is better to limit the rule to your client networks with -s <client subnet> so that the authentication helper is not exposed to the whole network.
8. Configure your browser of choice to point to your Squid server. Please refer to your Browsers documentation on how to do this.
9. Watch the Squid logs whilst you attempt to browse the web
tail -f /var/log/squid/*
When you browse to a URL and everything works, the page loads without any credential prompt. That means your authentication was successful.
10. Verify the output in your logs.
If you have authenticated successfully in your browser, you will see something like the below in your logs: the authenticated principal appears as the user field of each access.log entry. In this situation, I authenticated as the user "wuser1".
==> /var/log/squid/access.log <==
1343654614.470   2902 10.0.2.200 TCP_MISS/200 15355 GET http://www.redhat.com/ wuser1@EXAMPLE.COM DIRECT/2.19.119.214 text/html
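Because the SPN in step 5 must agree with the name clients type into their browsers, the following script (an added example, not part of the original article) checks a keytab listing against that name. It assumes the realm EXAMPLE.COM and the keytab /etc/squid/squid.keytab from the steps above; the SAMPLE_KLIST text is constructed so the script runs offline, and on a real proxy you would replace it with the output of klist -kt /etc/squid/squid.keytab.

```shell
#!/bin/bash
# Added example, not part of the original article: check that the keytab from
# step 5 matches the name clients will use for the proxy. Assumptions: the
# realm is EXAMPLE.COM and the keytab is /etc/squid/squid.keytab. The
# SAMPLE_KLIST text is constructed so the script runs offline; on the proxy,
# replace it with:  klist -kt /etc/squid/squid.keytab

# Windows requests a service ticket for HTTP/<host>, where <host> is the proxy
# name exactly as entered in the browser's proxy settings. Scheme, port and
# path are ignored. An IP address has no SPN registered for it, so never
# configure clients with the proxy's IP.
expected_spn() {
    local host="$1"
    host="${host#http://}"      # drop scheme if the name was given as a URL
    host="${host%%/*}"          # drop any path
    host="${host%%:*}"          # drop the port
    printf 'HTTP/%s\n' "$host"
}

# Does a `klist -kt` listing contain <spn>@<realm>? The principal is the last
# field of each entry line; the header lines never match.
keytab_has_principal() {
    local listing="$1" spn="$2" realm="$3"
    printf '%s\n' "$listing" |
        awk -v p="${spn}@${realm}" '$NF == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Report whether clients configured with <proxy-as-typed> will obtain a ticket
# that this keytab can decrypt. Returns 0 on a match, 1 on a mismatch.
check_proxy_name() {
    local typed="$1" realm="$2" listing="$3" spn
    spn=$(expected_spn "$typed")
    if keytab_has_principal "$listing" "$spn" "$realm"; then
        echo "OK: clients using '$typed' request $spn@$realm, which is in the keytab"
        return 0
    fi
    echo "MISMATCH: clients using '$typed' request $spn@$realm, which is NOT in the keytab;"
    echo "          Windows will fall back to NTLM and Squid will log 'received type 1 NTLM token'"
    return 1
}

# Constructed sample: what klist -kt prints for the keytab created in step 5
# (one line per encryption type requested with --enctypes 28).
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/squid.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/30/12 14:22:01 HTTP/proxy02.example.com@EXAMPLE.COM
   2 07/30/12 14:22:01 HTTP/proxy02.example.com@EXAMPLE.COM
   2 07/30/12 14:22:01 HTTP/proxy02.example.com@EXAMPLE.COM'

# The name registered in step 5 works; the host's own prompt name (proxy01)
# does not, which is exactly the mismatch to avoid.
check_proxy_name "proxy02.example.com:3128" EXAMPLE.COM "$SAMPLE_KLIST" || true
check_proxy_name "proxy01.example.com:3128" EXAMPLE.COM "$SAMPLE_KLIST" || true
```

Run it on the proxy after step 5 with the real listing substituted; a MISMATCH for the name your users actually type means the keytab was generated for the wrong SPN and msktutil needs to be re-run with the correct -s and --upn values.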
Great tutorial,
Is this tutorial applicable to a Windows 2003 domain?
Roland
Hi Roland
This process actually relies on my previous article of joining the base operating system to Active Directory. It is not Squid specific.
That being said, it has been a very very long time since I tried a join with a 2003 domain, however the process has always been the same if I recall correctly.
My previous article is here. https://www.dalemacartney.com/2012/07/06/how-to-quickly-and-easily-add-a-red-hat-enterprise-linux-6-system-to-microsoft-active-directory/
Hope this helps clear things up.
Dale
This procedure will show a login prompt to the users who are not on the domain.
Hi kastro
Yes this is correct. Single Sign On validates the authentication from the domain to which the users and the computers are associated to.
If any user accesses the proxy with a non-domain user account or computer, they will be prompted for a domain username and password.
Dale
Great! Thank you very much for sharing
Hi Dale,
I want to know the capacity needed to use a Squid proxy on Red Hat 6.3 just for authentication with Active Directory on Windows 2008 R2. I will only use the proxy for that, and I need a good configuration for the Red Hat server: how much RAM, disk, etc., to be sure it is fine.
Help will be appreciated 🙂 Sorry for my bad English.
Hi Dale,
Thanks a lot for sharing this great article.
After following all the steps in this article (and the previous one), when I try to use IE 11 with this Squid as proxy server it doesn't work, and I found these lines in cache.log:
2014/05/12 18:16:32 kid1| helperOpenServers: Starting 1/10 ‘negotiate_kerberos_auth’ processes
2014/05/12 18:16:32 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: “received type 1 NTLM token”; }}
2014/05/12 18:16:34 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: “received type 1 NTLM token”; }}
2014/05/12 18:17:37 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: “received type 1 NTLM token”; }}
I’m using squid 3.4.4 with Centos 6.5 x86_64. Instead of squid_kerb_auth this squid version has negotiate_kerberos_auth.
Can you help me on this?
Regards,
Agnelo
Hi, Great work !!
I have to assign Windows Active Directory groups access to certain websites...
so that I don't have to go and make changes in squid.conf every time...
Example: groupyahoo -> members of groupyahoo can access yahoo.com
Step 5. [root@proxy01 /]# msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.example.com -k /etc/squid/squid.keytab --computer-name proxy02 --upn HTTP/proxy02.example.com --server dc01.example.com --enctypes 28
Which server are you indicating as proxy02.example.com
Hi,
I followed the 2 tutorials (joining Linux to the NT domain and this one), but when I configured the browser to point at the IP / port, it always requires authentication and a normal user is not authorized; only a domain admin is accepted. Could you help please!
Hello Dale Macartney,
Thanks for your great writeup. I followed the same on CentOS 6.5 with Active Directory windows Server 2008 R2 Server but I am failing to browse using proxy. It brings error message
“authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned ‘BH received type 1 NTLM token'”
What could be the reason?
Thanks
Hi,
I have a question. In this line:
[root@proxy01 /]# msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.example.com -k /etc/squid/squid.keytab --computer-name proxy02 --upn HTTP/proxy02.example.com --server dc01.example.com --enctypes 28
the proxy02.example.com is a second proxy server?
Dear Dale Macartney,
I got following error
==> /var/log/squid/cache.log <==
2014/11/14 02:44:02| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:44:12| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:45:38| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:45:53| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:46:05| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:46:22| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:46:27| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:46:28| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:46:30| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
2014/11/14 02:46:33| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'
What is the problem. Could you please help me.
Thanks in advanced!
Amazing step by step. There are some dependencies that are not shown here, but with some basic research on the internet I was able to make it work. Thanks for your help!
Great tutorial. I'm running into a couple of issues on CentOS 7, as it uses systemd. Thus, there is no /etc/init.d/squid file, making step 6 a challenge. In addition, I do not have /usr/lib64/squid/squid_kerb_auth on my system (line 1 of Step 3). Not sure if I have to grab that from somewhere or if I missed a package along the line. If you have any suggestions, they would be appreciated. Thanks!
Hello Dale;
Thanks for the simple article.
followed the steps given but getting below error in cache.log
squid_kerb_auth: ERROR: gss_accept_sec_context () failed: Unspecified GSS failure. Minor code may provide more information.
authenticateNegotiateHandlereply: Error validating user via negotiate. Error returned ‘BH gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information.
Your help will be much appreciated.
regards;
Nilesh Gavali.
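Several comments above quote the same two cache.log failures: 'BH received type 1 NTLM token' (the 3.1 and 3.4 wordings differ but carry the same message) and 'gss_accept_sec_context () failed: Unspecified GSS failure'. The script below is an added example, not from the article or any commenter, that classifies cache.log lines into those two cases and prints what to check for each. The L_* sample lines are constructed from the error texts posted in the thread; on a real proxy you would run triage_cache_log with /var/log/squid/cache.log on standard input.

```shell
#!/bin/bash
# Added example, not from the article or its comments: triage cache.log for the
# two Negotiate failures quoted in the thread. The L_* samples below are
# constructed from the messages posted above; on a real proxy run
#   triage_cache_log < /var/log/squid/cache.log
# The Squid 3.1 helper (squid_kerb_auth) and the 3.4 one (negotiate_kerberos_auth)
# word the log line differently, but both contain the substrings matched here.

# Classify one cache.log line. Output is one of:
#   NTLM_FALLBACK  the client sent an NTLM type 1 token, i.e. it had no Kerberos ticket for the proxy
#   GSS_FAILURE    a ticket arrived but gss_accept_sec_context() rejected it (keytab problem)
#   AUTH_OTHER     any other Negotiate validation error
#   OK             not an authentication error
classify_line() {
    case "$1" in
        *'received type 1 NTLM token'*)                 echo NTLM_FALLBACK ;;
        *'gss_accept_sec_context'*)                     echo GSS_FAILURE ;;
        *'Error validating user'*|*'Negotiate Authentication validating user'*)
                                                        echo AUTH_OTHER ;;
        *)                                              echo OK ;;
    esac
}

# Read cache.log on stdin, count each class and print what to check for the
# classes seen. Returns 0 when there were no Negotiate errors, 1 otherwise.
triage_cache_log() {
    local line cls ntlm=0 gss=0 other=0
    while IFS= read -r line; do
        cls=$(classify_line "$line")
        case "$cls" in
            NTLM_FALLBACK) ntlm=$((ntlm + 1)) ;;
            GSS_FAILURE)   gss=$((gss + 1)) ;;
            AUTH_OTHER)    other=$((other + 1)) ;;
        esac
    done
    echo "NTLM fallback: $ntlm   GSS failures: $gss   other Negotiate errors: $other"
    if [ "$ntlm" -gt 0 ]; then
        cat <<'EOF'
NTLM fallback: the browser never obtained a Kerberos ticket for the proxy, so the problem is on
the client side or in the name it uses. Check that
  - the browser's proxy setting is the FQDN in the HTTP/ SPN (step 5), not the proxy's IP address;
  - the user is logged on with a domain account on a domain-joined machine (anything else is prompted);
  - 'klist' on the Windows client shows a ticket for HTTP/<proxy fqdn> after one request.
EOF
    fi
    if [ "$gss" -gt 0 ]; then
        cat <<'EOF'
GSS failure: a Kerberos ticket arrived but Squid could not validate it with its keytab. Check that
  - KRB5_KTNAME is exported to the helper and names the keytab (step 6);
  - the squid user can read the keytab and 'klist -kt' lists HTTP/<proxy fqdn>@REALM in it;
  - the keytab's kvno is current: resetting the computer account password (for example by
    re-running msktutil) increments it, so regenerate the keytab rather than reusing an old copy;
  - the key types in the keytab (--enctypes 28: RC4, AES128, AES256) are supported by the krb5 libraries.
EOF
    fi
    [ $((ntlm + gss + other)) -eq 0 ]
}

# Constructed samples, taken from the error texts in the comments above.
L_NTLM="2014/11/14 02:44:02| authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned 'BH received type 1 NTLM token'"
L_NTLM34='2014/05/12 18:16:32 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: "received type 1 NTLM token"; }}'
L_GSS="squid_kerb_auth: ERROR: gss_accept_sec_context () failed: Unspecified GSS failure. Minor code may provide more information."
L_OK="2014/05/12 18:16:32 kid1| helperOpenServers: Starting 1/10 'negotiate_kerberos_auth' processes"

printf '%s\n' "$L_NTLM" "$L_NTLM34" "$L_GSS" "$L_OK" | triage_cache_log || true
```

The split matters because the two failures point in opposite directions: an NTLM token means the client never got a ticket (so no change on the proxy will fix it until the name or the logon is corrected), whereas a GSS failure means a ticket did arrive and the proxy's keytab or KRB5_KTNAME is what needs attention.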
Hello
I have a domain, dominio.com, on Windows 2012 R2,
and I want to set up a Linux Squid proxy so that domain user groups authenticate against Active Directory.
I would like someone to explain to me how I can use Active Directory users in the Linux proxy.
——————————————————————————
I have a domain on Windows Server 2012 R2 Datacenter and I want a proxy on Linux (Squid) such that the users created in Active Directory appear in, are integrated with and synchronise with Squid.
So that the Windows users are the same as in Linux?
********************************
I have a domain in Windows Server 2012 R2 Datacenter and want a Linux proxy (Squid) such that users created in Active Directory appear in, are integrated with and synchronized with Squid.
Would Windows users then be the same as in Linux?