Leveraging Active Directory With Squid Proxy

Many of us work in mixed environments of Windows, Linux, Mac OS, etc... In these cases, our limiting factor is usually what the Microsoft products can handle. One such problem I recently had was filtering Internet content for my Windows users. What I wanted was to be able to provide full Internet access to most of my users, but filter traffic for those who are members of a certain group. The optimal solution for me was to run a single instance of Squid, but allow it to determine which users get full access, and which users get limited access. Read on to find out how this can be accomplished in just about an hour.

The first step in accomplishing this is to have a Linux box with a clean installation of the Squid caching proxy server on it. Most of the information in this article will be somewhat specific to Ubuntu, but you should be able to easily apply these settings to any other Linux distribution.

Once you have a working Linux system, you will need to configure it to integrate with your Windows Active Directory authentication system. This is accomplished using any modern version of Samba with winbind. In your smb.conf file, ensure that you have the following settings:

workgroup = MYDOMAIN
realm = MYDOMAIN.COM
netbios name = SERVERNAME
password server =
security = ads
# security = ads requires the Kerberos realm above. On current Samba
# releases the winbind ID range is set with
#   idmap config * : range = 10000-20000
# in place of the two winbind uid/gid lines below.
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes

Next, configure your Kerberos installation to match your Active Directory settings. Edit the /etc/krb5.conf file to look like the following:

[libdefaults]
	# The realm name must be upper case; it is the DNS domain name in capitals.
	default_realm = MYDOMAIN.COM

	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
	}
	fcc-mit-ticketflags = true

[realms]
	MYDOMAIN.COM = {
		# Add one kdc line per domain controller.
		kdc = domaincontroller.mydomain.com
		admin_server = mydomain.com
		default_domain = mydomain.com
	}

[domain_realm]
	.mydomain.com = MYDOMAIN.COM
	mydomain.com = MYDOMAIN.COM

[login]
	krb4_convert = true
	krb4_get_tickets = false

Once you have these settings in place, we need to authenticate to the domain and join it. You can achieve this with the following set of commands (the kinit step also confirms that the Kerberos configuration above actually reaches a domain controller):

root@linux:~# kinit Administrator@MYDOMAIN.COM
Password for Administrator@MYDOMAIN.COM:
root@linux:~# net ads join -U Administrator
Password for Administrator:

If there is an error, there are 3 likely causes:
1. The time on the Linux system does not match the time on the domain controllers. Kerberos only works when the clocks of every system are within a few minutes of each other (five minutes by default); running NTP against the domain controllers avoids this.
2. The fully qualified domain name of the Linux system does not match DNS for the domain.
3. There is already an existing computer account with the same name in Active Directory. This can be annoying, because deleting the computer from AD is not instantly effective, and you may have to wait up to an hour for AD to synchronize this change.

After successfully joining the domain, restart the samba and winbind daemons.

Next, test that winbind is actually working:

root@linux:~# wbinfo -u

This should output a list of all domain user accounts. If it does not, refer to the winbind troubleshooting section of the Samba documentation.

Now that we know that winbind is working, we can configure Squid to use the winbind authentication information for all users in the domain. The initial step in this is to create a script which will perform the group lookups for Squid.
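The following is an added example of such a lookup script, written for this page and not the author's own script (which the article does not show). It implements the Squid external ACL helper protocol: Squid writes one line per request to the helper's stdin and expects OK or ERR back on stdout. The group name InternetRestricted, the script path, and the squid.conf lines in the header comment are assumptions for illustration; the wbinfo calls are standard winbind commands.

```shell
#!/bin/sh
# ad_group_acl.sh (hypothetical): Squid external ACL helper that answers OK
# when the user named on each input line is a member of the group named on
# that line, and ERR otherwise.
#
# Assumed squid.conf wiring (not from the article):
#   external_acl_type ad_group ttl=300 %LOGIN /usr/local/bin/ad_group_acl.sh
#   acl restricted external ad_group InternetRestricted
#   http_access deny restricted !allowed_sites
# Squid then feeds "<user> <group>" lines to this script.

# Lower-case a name and strip any "DOMAIN\" prefix, so comparisons are
# case-insensitive (as AD group names are) and do not depend on whether
# "winbind use default domain" is set.
canon() {
    printf '%s\n' "$1" | sed 's/^.*\\//' | tr 'A-Z' 'a-z'
}

# Print the group names of a user, one per line, via winbind:
# "wbinfo -n" resolves the account name to a SID, "--user-domgroups" lists
# the SIDs of the user's domain groups, and "wbinfo -s" maps each SID back
# to "DOMAIN\name <type>", from which the trailing type number is dropped.
user_groups() {
    user_sid=$(wbinfo -n "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$user_sid" ] || return 1
    wbinfo --user-domgroups="$user_sid" 2>/dev/null | while read -r gsid; do
        wbinfo -s "$gsid" 2>/dev/null | sed 's/ [0-9]*$//'
    done
}

# in_group GROUP reads group names from stdin (one per line) and succeeds
# when GROUP is among them. Pure text processing, so it can be exercised
# without a domain.
in_group() {
    want=$(canon "$1")
    while read -r g; do
        [ "$(canon "$g")" = "$want" ] && return 0
    done
    return 1
}

# decide USER GROUP prints the answer Squid expects. A user winbind cannot
# resolve has no groups and therefore gets ERR, i.e. is treated as
# restricted rather than silently granted full access.
decide() {
    if user_groups "$1" | in_group "$2"; then
        echo OK
    else
        echo ERR
    fi
}

# Main loop: one request per line, one answer per line, for the lifetime
# of the helper process.
main_loop() {
    while read -r user group; do
        decide "$user" "$group"
    done
}

# Only enter the loop when run as the helper itself, so the functions can
# also be sourced for testing.
case "$0" in
    *ad_group_acl.sh) main_loop ;;
esac
```

A quick manual check once winbind is working is `echo "jsmith InternetRestricted" | ./ad_group_acl.sh`, which should print OK or ERR. Note that ERR is the fail-closed default here: if winbind cannot resolve the user, the user is treated as restricted, which is the safer outcome for a filtering proxy.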
