Friday, May 20, 2016

Dale Macartney -- Squid Proxy integration with Active Directory – The quick and simple way

https://www.dalemacartney.com/2012/07/06/squid-proxy-integration-with-active-directory-the-quick-and-simple-way/

UPDATE: This guide originally showed how to configure Squid to authenticate against PAM. Since many people have been searching for ways to authenticate with Kerberos, I have updated the article to reflect the necessary changes.
The upside is that you now get Single Sign-On (SSO) as a bonus: your users will not be prompted for credentials when accessing the proxy server.

So, before we start: this guide walks you through setting up a Red Hat Enterprise Linux 6.3 server running Squid Cache to authenticate Active Directory 2008R2 users.
Before proceeding with this article, please make sure you have joined your Linux server to the Active Directory domain. You can use the guide here to get up and running quickly.

Now that we have the prerequisite completed, let's crack on.
1. Install the necessary packages.
yum install -y squid
2. Set Squid to start on boot
chkconfig squid on
3. Edit /etc/squid/squid.conf and add the below lines to the top of the file.
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
acl ad_auth proxy_auth REQUIRE
4. Edit /etc/squid/squid.conf again, to change the rules that allow access to Squid.
Find the section “INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS” and change the lines beneath to reflect the following.
#http_access allow localnet
#http_access allow localhost
http_access allow ad_auth

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
5. Now we need to create a service principal keytab file from Active Directory. You will need to install msktutil from the EPEL repository to do this. The HTTP/ service principal must match the fully qualified hostname that browsers use to reach the proxy; clients request a ticket for that name, and if it is not in the keytab, Negotiate authentication fails.
[root@proxy01 /]# yum install -y msktutil

[root@proxy01 /]# kinit administrator@EXAMPLE.COM
Password for administrator@EXAMPLE.COM:
[root@proxy01 /]# msktutil -c -b "CN=COMPUTERS" -s HTTP/proxy02.example.com -k /etc/squid/squid.keytab --computer-name proxy02 --upn HTTP/proxy02.example.com --server dc01.example.com --enctypes 28

[root@proxy01 /]# chgrp squid /etc/squid/squid.keytab

[root@proxy01 /]# chmod 740 /etc/squid/squid.keytab

6. Update your Squid startup script to load your new keytab file on service startup.
Edit /etc/init.d/squid and find the section that looks as follows
start() {
probe

parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
RETVAL=$?
.......
and add the two additional lines so that it appears as follows
start() {
KRB5_KTNAME=/etc/squid/squid.keytab
export KRB5_KTNAME
probe

parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
RETVAL=$?
.......
Save and exit, then start/restart the service
[root@proxy01 /]# service squid restart
Stopping squid: ................                           [  OK  ]
Starting squid: .                                          [  OK  ]
[root@proxy01 /]#
7. Open port 3128 on your local firewall
iptables -I INPUT -p tcp --dport 3128 -j ACCEPT
service iptables save
8. Configure your browser of choice to point to your Squid server. Please refer to your browser's documentation on how to do this.
9. Watch the Squid logs whilst you attempt to browse the web
tail -f /var/log/squid/*
When you browse to a URL, if everything works, the page loads normally. This means your authentication was successful.
10. Verify the output in your logs.
If you have authenticated successfully in your browser, you will see something like the below in your logs. In this situation, I authenticated as the user "wuser1".
==> /var/log/squid/access.log <==
1343654614.470   2902 10.0.2.200 TCP_MISS/200 15355 GET http://www.redhat.com/ wuser1@EXAMPLE.COM DIRECT/2.19.119.214 text/html
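As an added check that is not part of the original post: once the proxy is live, it is worth auditing access.log for requests that were served without a Kerberos principal (field 8 is "-") or with a principal from an unexpected realm, since either means a request got through on some rule other than "http_access allow ad_auth". The sample log below is constructed for the example (only the first line comes from the post); the realm name is an assumption.

```shell
#!/bin/sh
# Audit Squid's native access.log format:
#   time elapsed client code/status bytes method URL user hierarchy/peer type
# Field 8 is the authenticated user. With the configuration above, every
# allowed request should carry name@REALM there.

# Read a log on stdin and print "count tag user" per user, where tag is
# OK, UNAUTHENTICATED (user is "-") or FOREIGN_REALM (realm != $1).
audit_access_log() {
    realm="$1"
    awk -v realm="$realm" '
        {
            user = $8
            n = split(user, p, "@")
            if (user == "-")                   tag = "UNAUTHENTICATED"
            else if (n != 2 || p[2] != realm)  tag = "FOREIGN_REALM"
            else                               tag = "OK"
            count[tag " " user]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2,3
}

# Constructed sample log: line 1 is the post's own example, the rest are
# made up to show an unauthenticated hit and a foreign-realm principal.
SAMPLE_LOG='1343654614.470   2902 10.0.2.200 TCP_MISS/200 15355 GET http://www.redhat.com/ wuser1@EXAMPLE.COM DIRECT/2.19.119.214 text/html
1343654620.101    120 10.0.2.200 TCP_HIT/200 4211 GET http://www.redhat.com/favicon.ico wuser1@EXAMPLE.COM NONE/- image/x-icon
1343654631.512    980 10.0.2.201 TCP_MISS/200 9930 GET http://intranet.example.com/ - DIRECT/198.51.100.7 text/html
1343654640.003   1500 10.0.2.202 TCP_MISS/200 2210 GET http://intranet.example.com/x wuser2@OTHER.LOCAL DIRECT/198.51.100.7 text/html'

# Run the audit over the constructed sample against the assumed realm.
audit_sample() {
    printf '%s\n' "$SAMPLE_LOG" | audit_access_log EXAMPLE.COM
}

# Number of requests in the sample that carried no principal at all.
unauthenticated_count() {
    printf '%s\n' "$SAMPLE_LOG" | awk '$8 == "-" { n++ } END { print n + 0 }'
}

audit_sample
```

On a real server, pipe the live file instead: `audit_access_log EXAMPLE.COM < /var/log/squid/access.log`.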