Some old windows servers require authentication through the old NTLM protocol; luckily, with help from squid, samba and winbind we can do this under Linux.
Some URLs from which much of this information was gathered are:
In order to authenticate through winbind we will be using it together with samba to connect to a windows domain, so you will need to have a domain and the details for it, or all this will be for naught. I’ll use some fake credentials for this post.
Let’s install all the required packages:
yum install squid krb5-workstation samba-common ntp samba-winbind authconfig
NTP (Network Time Protocol)
Kerberos and winbind can be a little picky about date and time, so it’s a good idea to use NTP on your network. I’ll assume your domain controller (DC) will also be your NTP server, in which case let’s set it up.
Comment out any lines that begin with server and create only one that points to your Active Directory PDC.
# vim /etc/ntp.conf
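The same edit done non-interactively, as an added example that is not part of the original post: every existing server directive is commented out and one line for the DC is appended. The DC name pdc.test.lan is the post’s placeholder, and the file path is a parameter so the change can be tried on a copy of ntp.conf first.

```shell
# Added example (not from the original post). Rewrite an ntp.conf so that the
# only active "server" directive points at the AD domain controller.
point_ntp_at_dc() {
    conf="$1"   # path to ntp.conf, or a copy of it
    dc="$2"     # FQDN of the DC acting as NTP server (placeholder: pdc.test.lan)
    # 1. comment out every existing "server ..." directive ("&" is the matched text)
    sed -i 's/^[[:space:]]*server[[:space:]]/#&/' "$conf"
    # 2. append a single server line for the DC; iburst speeds up the first sync
    printf 'server %s iburst\n' "$dc" >> "$conf"
}

# Count the active (uncommented) server directives; expected to be 1 afterwards.
active_ntp_servers() {
    grep -c '^[[:space:]]*server[[:space:]]' "$1"
}

# Usage on the real file (as root):
#   cp /etc/ntp.conf /etc/ntp.conf.bak
#   point_ntp_at_dc /etc/ntp.conf pdc.test.lan
#   active_ntp_servers /etc/ntp.conf
```

Checking the count afterwards is worth the extra line: Kerberos tickets are rejected when the clock skew exceeds the domain limit, so a stray pool server left active alongside the DC is exactly the kind of mistake that shows up later as an unexplained join or authentication failure.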
Now add it to the default runlevels and start it.
# chkconfig ntpd on
# /etc/init.d/ntpd start
Samba, Winbind and Kerberos
We will then use the authconfig package/command we installed earlier to configure Samba and Winbind and perform the join in one step; this makes things _SO_ much
NOTE: If you don’t have DNS set up then you will need to add the DC to your hosts file, and it is important to use the name by which the DC machine knows itself in AD.
authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=pdc.test.lan \
--krb5realm=TEST.LAN --smbservers=pdc.test.lan --smbworkgroup=TESTLAN \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=TEST.LAN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=administrator --disablewins --disablecache --enablelocauthorize --updateall
NOTE: Replace pdc.test.lan with the FQDN of your DC server, TESTLAN with your domain’s short (workgroup) name, TEST.LAN with the full name of the domain/realm, and make sure you set --winbindjoin to a domain admin account.
If that succeeds, let’s test it:
# wbinfo -u
# wbinfo -g
If you are able to enumerate your Active Directory Groups and Users, everything is working.
Next, let’s test that we can authenticate with winbind (it prompts for the password twice, once for each authentication method):
# wbinfo -a testuser
Enter testuser's password:
plaintext password authentication succeeded
Enter testuser's password:
challenge/response password authentication succeeded
Great, we have been added to the domain, so now we can set up squid for NTLM authentication.
Squid comes with its own NTLM authentication helper (/usr/lib64/squid/ntlm_smb_lm_auth) which uses winbind, but as of Samba 3.x, samba bundles its own helper (ntlm_auth), which is the recommended one to use according to both the squid and samba projects. So the binary we use comes from the samba-winbind package we installed earlier:
Add the following configuration elements to squid.conf to enable NTLM authentication:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl ntlm proxy_auth REQUIRED
http_access allow ntlm
NOTE: The above allows anyone access as long as they authenticate via NTLM; you could use further ACLs to restrict this more.
The ntlm_auth binary has other switches that might be of use, such as restricting users by group membership:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP
Before we are complete there is one more thing we need to do: for squid to be allowed to use winbind, the squid user (which was created when the squid package was installed) needs to be a member of the wbpriv group:
gpasswd -a squid wbpriv
NTLM authentication WILL FAIL if you have “cache_effective_group squid” set; if you do, remove it! It overrides the effective group, so squid is no longer seen as part of the ‘wbpriv’ group, which breaks authentication.
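A small pre-flight script for the two pitfalls above (squid missing from wbpriv, and a cache_effective_group directive overriding that membership), plus a check that the helper named on the auth_param line actually exists. This is an added example, not part of the original post; the config path and the group list are passed in as parameters so a copy of squid.conf can be checked without root, and the ntlm_auth test at the bottom is the helper’s own basic protocol mode rather than anything from the post.

```shell
# Added example (not from the original post): pre-flight checks before
# starting squid with NTLM authentication.

# 0 if the space-separated group list (e.g. output of "id -nG squid") contains wbpriv
in_wbpriv() {
    for g in $1; do
        [ "$g" = "wbpriv" ] && return 0
    done
    return 1
}

# 0 if an active (uncommented) cache_effective_group directive is present
has_effective_group() {
    grep -Eq '^[[:space:]]*cache_effective_group[[:space:]]' "$1"
}

# Print the helper program from the first active "auth_param ntlm program" line.
# Commented lines start with "#", so their first field never equals auth_param.
ntlm_helper_path() {
    awk '$1=="auth_param" && $2=="ntlm" && $3=="program" {print $4; exit}' "$1"
}

# Run all checks against a squid.conf path and a group list; returns 0 when ready.
squid_ntlm_preflight() {
    conf="$1"; grouplist="$2"; rc=0
    if ! in_wbpriv "$grouplist"; then
        echo "FAIL: squid user is not in wbpriv (fix: gpasswd -a squid wbpriv)"; rc=1
    fi
    if has_effective_group "$conf"; then
        echo "FAIL: cache_effective_group is set in $conf; remove it"; rc=1
    fi
    helper=$(ntlm_helper_path "$conf")
    if [ -z "$helper" ]; then
        echo "FAIL: no 'auth_param ntlm program' line in $conf"; rc=1
    elif [ ! -x "$helper" ]; then
        # not fatal here: the helper is only expected on the joined host
        echo "WARN: helper $helper not found or not executable on this host"
    fi
    return $rc
}

# Usage on the real host (as root):
#   squid_ntlm_preflight /etc/squid/squid.conf "$(id -nG squid)"
# The helper itself can then be exercised without squid, using its basic
# protocol mode; it answers OK or ERR on stdout (testuser is the post's fake user):
#   printf 'testuser PASSWORD\n' | /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
```

Running the helper by hand as the squid user (for example with su -s /bin/sh squid) is the quickest way to distinguish a winbind permission problem, which shows up as ERR from the helper, from a squid configuration problem, which does not.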
Add squid to the runlevels and start it:
# chkconfig squid on
# /etc/init.d/squid start
Make sure you open the port in iptables; if squid is listening on 3128 then:
# iptables -I INPUT 1 -p tcp --dport 3128 -j ACCEPT
# /etc/init.d/iptables save
NOTE: The ‘/etc/init.d/iptables save’ command saves the current running ruleset so the new rule is applied again on reboot.
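Once squid is up, the quickest end-to-end check is that an unauthenticated request gets a 407 offering the NTLM scheme. The following is an added example, not part of the original post: the checking function works on captured response headers so it can be exercised on constructed input, and the curl lines show how to capture them from a live proxy (proxy.test.lan:3128 and TESTLAN\testuser are placeholders in the post’s naming scheme).

```shell
# Added example (not from the original post): verify that the proxy demands
# NTLM authentication by inspecting its response headers.

# 0 if the header text is a 407 whose Proxy-Authenticate offers NTLM
ntlm_challenge_ok() {
    headers="$1"
    # status line: "HTTP/1.1 407 Proxy Authentication Required" (CR at end is harmless)
    printf '%s\n' "$headers" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 407 ' || return 1
    # squid may list several schemes; NTLM must be among them
    printf '%s\n' "$headers" | grep -Eiq '^Proxy-Authenticate:[[:space:]]*NTLM' || return 1
    return 0
}

# Capture headers from the live proxy (placeholder host and port):
#   headers=$(curl -sS -D - -o /dev/null -x http://proxy.test.lan:3128 http://example.com/)
#   ntlm_challenge_ok "$headers" && echo "proxy demands NTLM"
# Then an authenticated request; curl prompts for the password and should return 200:
#   curl -sS -o /dev/null -w '%{http_code}\n' --proxy-ntlm -U 'TESTLAN\testuser' \
#        -x http://proxy.test.lan:3128 http://example.com/
```

A 407 that lists only Basic, or a 200 with no challenge at all, means the auth_param and http_access lines above are not in effect; a 407 with NTLM followed by a failed authenticated request points back at the helper and the wbpriv membership rather than at squid’s ACLs.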