Configure squid integration domain Identity Authentication

Source: Internet
Author: User
Tags: squid, proxy

I finally have time to test squid's domain identity authentication. Until now I have used iptables to control proxy access by IP address; which method to use depends on each company's internal needs.

First, clarify the requirements: configure squid so that only domain users can use the proxy. Where possible, use integrated Windows authentication, so that a domain user who has already logged on to the computer can use the proxy without entering a password (the client side is transparent), and the account/password prompt appears only when the user is not logged on with a domain account.

A quick web search roughly settles the direction: use Samba and krb5 for account authentication and have squid call them.

1. This article uses a CentOS 5.6 system. First install the required software:

yum install squid samba ntp

NTP is installed to synchronize the clock. Kerberos tolerates only a few minutes of clock skew by default, so if the squid server's time differs too much from the domain controller's, the configuration below will fail with errors.

Synchronize the clock:

ntpdate clock.redhat.com

2. Modify the hosts file and set the host name and its fully qualified name. In this example the domain is test.local.

vi /etc/hosts
127.0.0.1 squid squid.test.local localhost

3. Modify the DNS settings to use the domain controller's DNS server.

vi /etc/resolv.conf
nameserver 192.168.1.100

4. Modify /etc/krb5.conf and fill in your domain information. Note that the realm name (the domain name in uppercase) must be written in uppercase everywhere it appears.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # change to your own realm (uppercase)
 default_realm = TEST.LOCAL
 dns_lookup_realm = false
 # change the original false to true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 # change to your own realm; kdc and admin_server are the domain controller's IP address
 TEST.LOCAL = {
  kdc = 192.168.1.100:88
  admin_server = 192.168.1.100:749
  # change to your own domain name
  default_domain = test.local
 }

[domain_realm]
 # change to your own domain name and realm
 .test.local = TEST.LOCAL
 test.local = TEST.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

After modification, verify with the following command. If you enter the correct password, no error is returned (nothing is displayed); if you enter an incorrect password, an error is returned.

net ads join -U [email protected]

Note: test.local here must also be written in uppercase (TEST.LOCAL); otherwise an error is reported.

5. Modify the Samba configuration file (/etc/samba/smb.conf):

[global]
 workgroup = TEST
 server string = squid
 security = ads
 realm = TEST.LOCAL
 password server = 192.168.1.100
 winbind use default domain = yes
 encrypt passwords = yes
 idmap gid = 10000-20000
 idmap uid = 10000-20000
 os level = 20
 dns proxy = no

6. Join the domain

net ads join -U [email protected]

Then enter the password and check whether the domain join succeeded:

wbinfo -t                              # test the domain trust connection
wbinfo -u                              # list all domain users
wbinfo -g                              # list all domain groups
ntlm_auth --username=administrator     # test that ntlm_auth can verify the password

7. Configure NSS: find the following two lines in /etc/nsswitch.conf and append winbind to each.

passwd: files winbind
group:  files winbind

8. Modify the squid configuration file. To restrict access by group, you also need to create a group named internet on the domain controller and add the relevant users to it.

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=TEST.LOCAL\\internet
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=TEST.LOCAL\\internet
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours
acl NTLMUsers proxy_auth REQUIRED
http_access allow NTLMUsers

TEST.LOCAL appears twice; replace it with your own realm. If you want to use a different group, replace internet with your own group name.

Mind the order of the http_access rules: if a deny rule appears before the allow rule, the authentication rule never takes effect. Put http_access deny all at the end.

In addition, to keep the squid configuration clean and free of warnings, add the following lines:

cache_mgr [email protected]
visible_hostname squid.test.local
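The rule-ordering pitfall above can be checked mechanically. The following Python script is an added example, not part of the original article: it audits the acl/http_access lines of a squid.conf for a deny-all that shadows the authenticated allow rule and for a missing final deny-all. The two config fragments are constructed for illustration and the function name audit_http_access is an assumption.

```python
from typing import List

# Constructed squid.conf fragments (not copied from a real server). The first
# has the ordering the article warns about: "deny all" sits before the
# authenticated allow rule, so no client is ever challenged for credentials.
# The second is the corrected layout with "deny all" as the final rule.
BROKEN_CONF = r"""
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=TEST.LOCAL\\internet
auth_param ntlm children 5
acl NTLMUsers proxy_auth REQUIRED
http_access deny all
http_access allow NTLMUsers
"""

FIXED_CONF = r"""
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=TEST.LOCAL\\internet
auth_param ntlm children 5
acl NTLMUsers proxy_auth REQUIRED
http_access allow NTLMUsers
http_access deny all
"""


def audit_http_access(conf_text: str) -> List[str]:
    """Return findings about acl/http_access ordering; an empty list means OK."""
    auth_acls = set()   # names of acls of type proxy_auth
    rules = []          # (action, [acl names]) in file order
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3 and parts[2] == "proxy_auth":
            auth_acls.add(parts[1])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))

    findings = []
    if not auth_acls:
        findings.append("no 'acl <name> proxy_auth REQUIRED' line: the ntlm_auth helper is never consulted")
    auth_rule = next((i for i, (act, acls) in enumerate(rules)
                      if act == "allow" and auth_acls.intersection(acls)), None)
    deny_all = next((i for i, (act, acls) in enumerate(rules)
                     if act == "deny" and acls == ["all"]), None)
    if auth_rule is None:
        findings.append("no 'http_access allow' rule references a proxy_auth acl")
    elif deny_all is not None and deny_all < auth_rule:
        findings.append("'http_access deny all' precedes the authenticated allow rule and shadows it")
    if not rules or rules[-1] != ("deny", ["all"]):
        # squid applies the opposite of the last rule's action to unmatched requests
        findings.append("last http_access rule is not 'deny all'; unmatched requests get the opposite of the last rule's action")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_http_access(conf) or ["ok"])
```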

Then restart the squid service and set the squid, smb, and winbind services to start automatically at boot.

