How to make squid work with NT Domain Authentication, using Users and Groups auth.

Table of Contents:
1. The purpose of the document
2. What we need
3. Configuration
4. Troubleshooting

1. PURPOSE OF THE DOCUMENT

Sometimes we need to make unix and windows services cooperate together ;-(
Ok, when it happens to me I always say "what a shame!" or "what guilty I've made!" or simply I become a blasphemer... :-)

So, in a corporate company scenario, we need to authenticate users with only a few methods, called "single sign on", or we risk making services unusable by lusers... or worse, lusers that groan to our help desks ;)

2. WHAT WE NEED

We need first of all a WORKING SQUID INSTALLATION (real??? :-P ), and a lot of caffeine.
Naturally, this document helps to configure squid, so please don't hammer me with squid problems not related to NT auth.
Samba installed (I suggest the latest version).

3. CONFIGURATION

Ah ok, let's start. We can use three versions of NT domain authenticators:
1) msnt_auth
2) ntlm_auth
3) smb_auth

Now the problem is that the squid 2.5 branch is becoming stable (PRE7 when I'm writing this document) and I don't know what is effectively happening in the code (introduction of winbindd auth etc. etc.), so this document works with 2.4STABLE6.

--- MSNT_AUTH ---

It is able to authenticate only users (not groups), but of many domains; it is powerful and speed improved. This authenticator needs a few things, explained in these simple steps:

1) create $SQUIDPREFIX/etc/msntauth.conf with this content:

#### CUT
server PDC BDC DOMAINNAME
server PDC2 BDC2 OTHERDOMAINNAME
denyusers $SQUIDPREFIX/squid/etc/denyusers
allowusers $SQUIDPREFIX/squid/etc/allowusers
#### CUT - EOF

Naturally substitute $SQUIDPREFIX with the install directory (ex. /usr/local/squid), PDC and BDC with the WINS names of the Primary Domain Controller and Backup Domain Controller, and DOMAINNAME with the name of the domain (real? :-D )

You must put entries in your /etc/hosts:

##### CUT
127.0.0.1 localhost
192.168.5.13 norad.domain norad
192.168.5.1 PDC PDC.DOMAIN.IT
192.168.0.1 BDC BDC.DOMAIN.IT
#### CUT

2) create the $SQUIDPREFIX/squid/etc/denyusers and $SQUIDPREFIX/squid/etc/allowusers files: put the usernames of the users that you want to allow or deny in those files...

3) put the correct configuration in squid.conf:

authenticate_program /home/squid/libexec/squid/msnt_auth
authenticate_children 5
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds

Note that some of these rows are already in the default squid configuration.

4) Put the correct permissions on the configuration files.

5) Test the configuration: type

$SQUIDPREFIX/libexec/squid/msnt_auth

then enter the username and password on one line:

user password

If the auth goes well we receive an OK, ERR if it fails. Running it for a good auth:

$SQUIDPREFIX/libexec/squid/msnt_auth
username password
OK

Running it for a bad auth:

$SQUIDPREFIX/libexec/squid/msnt_auth
username password
ERR

6) write correct ACLs in squid.conf such as:

acl federico proxy_auth username
http_access allow federico

7) start squid and open your browser :-) (tested with all IE versions, also IE6 14June2002 patchlevel)

--- NTLM_AUTH ---

Not yet explained here.

--- SMB_AUTH ---

This authentication is the most powerful. It is able to authenticate Users and Groups of an NT domain. It has some drawbacks, such as:
1) It uses an .sh wrapper for authentication
2) It uses the nmblookup (samba) program to ask for auth.

Use it only if you need to authenticate groups, or you need a PDC-centralized configuration (explained below).

So, let's start:

1) Install samba and squid :-)

2) Configure samba so that the proxy "sees" the domains and domain controllers you need.

3) Configure our NT PDC and BDC:
+ create a file called "proxyauth" in the NETLOGON share of the controllers.
+ put the word "allow" into that file
+ using the Domain Controller, assign read permission on the file to the users and groups you need.
+ if you want to access multiple domains, put the file and permissions on all the domain controllers.

4) Configure Squid:
+ put these lines into squid.conf

authenticate_program /home/squid/libexec/squid/smb_auth -W DOMAINAME
authenticate_children 5
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds

Note that some of these rows are already in the default squid configuration.

5) edit $SQUIDPREFIX/libexec/squid/smb_auth.sh for the correct configuration, such as the SAMBAPREFIX variable

6) Test the configuration: launch

$SQUIDPREFIX/libexec/squid/smb_auth -W DOMAINAME -d

and enter the user name and password; it will show:

user password
Domain name: DOMAINAME
Pass-through authentication: no
Query address options:
Domain controller IP address: IP.ADD.RRE.SS
Domain controller NETBIOS name: PDC
Contents of //PDC/NETLOGON/proxyauth: allow
OK

Naturally if it fails we receive an ERR instead of OK :-)

7) Write correct ACLs in squid.conf such as:

acl federico proxy_auth REQUIRED
http_access allow federico

8) Start SQUID!!!!!

With this configuration we are able to authenticate groups as well, instead of only users (important if we have a lot of users), and we can configure user permissions directly from the NT Domain Controllers, instead of inserting a lot of acls into squid.conf. This is done by modifying the famous "proxyauth" file, giving read access to users or groups.

4. TROUBLESHOOTING

For troubleshooting please read the squid FAQ FIRST!
Check the squid log files.
Check the configuration! Re-check the configuration!
Read the auth programs' READMEs in the squid source directory.
Go to the auth maintainers' pages:
+ http://www.hacom.nl/~richard/software/smb_auth.html
+ http://members.tripod.com/stellarx for msnt_auth
Use strace.

GOOD LUCK!!!!

Copyright, Lombardo Federico 2002
ego_pfe@inwind.it
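A scripted version of the manual helper tests in msnt_auth step 5 and smb_auth step 6 above, added here as an example; it is not part of the original HOWTO and not Squid's own code. It assumes only the helper protocol the HOWTO describes (one "username password" line on stdin, OK or ERR on stdout). The fake_msnt_auth stand-in, the account federico/secret and the denied user guest are constructed values so the script runs without a domain controller; pass the real helper command line instead (with -W for smb_auth) to run the same table of checks against the PDC after every change to msntauth.conf, denyusers/allowusers or proxyauth.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO and not Squid's own code.
# Squid 2.4 basic-auth helpers (msnt_auth, smb_auth) read one line
# "username password" on stdin and answer "OK" or "ERR" on stdout.
# check_auth drives any such helper exactly that way, so the manual tests
# in msnt_auth step 5 and smb_auth step 6 can be scripted and repeated.

# check_auth HELPER USERNAME PASSWORD
# HELPER is the helper command line, e.g. "$SQUIDPREFIX/libexec/squid/msnt_auth"
# or "$SQUIDPREFIX/libexec/squid/smb_auth -W DOMAINAME" (word-split on purpose).
# Returns 0 when the first reply line is OK, 1 on ERR or anything else.
check_auth() {
    helper=$1
    user=$2
    pass=$3
    # One request line; the helper exits when stdin closes, as under Squid.
    reply=$(printf '%s %s\n' "$user" "$pass" | $helper | head -n 1)
    case $reply in
        OK|OK\ *) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed stand-in for msnt_auth so this file runs without a PDC.
# It implements only the helper protocol plus a denyusers-style list;
# a real helper would also verify the password against the domain
# controller. The account and the denied name are constructed values.
fake_msnt_auth() {
    denied=" guest "                 # stands in for the denyusers file
    while read -r user pass; do
        case "$denied" in
            *" $user "*) echo "ERR"; continue ;;
        esac
        if [ "$user" = "federico" ] && [ "$pass" = "secret" ]; then
            echo "OK"
        else
            echo "ERR"
        fi
    done
}

# run_checks HELPER: run a small table of constructed test cases against
# HELPER and report each; returns the number of cases with an unexpected result.
run_checks() {
    helper=$1
    failures=0
    # Constructed cases: "user password expected"
    for case_line in "federico secret OK" "federico wrong ERR" "guest secret ERR"; do
        set -- $case_line
        if check_auth "$helper" "$1" "$2"; then got=OK; else got=ERR; fi
        if [ "$got" = "$3" ]; then
            echo "PASS: $1 -> $got"
        else
            echo "FAIL: $1 -> $got (expected $3)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Stand-alone run against the stand-in; point it at the real helper instead:
#   run_checks "/usr/local/squid/libexec/squid/smb_auth -W DOMAINAME"
run_checks fake_msnt_auth
```

Because check_auth only looks at the first word of the first reply line, it works unchanged with the -d debug output of smb_auth shown in step 6, where the OK/ERR line comes last but the diagnostic lines go to stderr.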