Squid With NTLM authentication
Written by Paul Matthews   

NTLM is a silent (transparent) authentication method used by Microsoft Windows. Once Squid has been configured and a machine running Windows NT/2K/XP with Internet Explorer 5+ accesses the proxy, the client's username is picked up behind the scenes; anyone outside the domain who tries to use the proxy has to enter a username in the form mydomain\username.

Name: Squid
HomePage: http://www.squid-cache.org/
Function: proxy caching server for web clients

I'm trying to make my Squid proxy server authenticate against my Windows 2003 domain controller so that people's internet use can be monitored via Squid. For this example my domain will be 'windows.server.int' and my domain controller's machine name will be mc1.

1. Stop both winbind and samba services

/etc/init.d/smb stop
/etc/init.d/winbind stop

2. Edit Kerberos files to have the right configuration

/etc/krb5.conf

 

krb5.conf:
[libdefaults]
default_realm = WINDOWS.SERVER.INT

[realms]
WINDOWS.SERVER.INT = {
kdc = mc1.windows.server.int
default_domain = WINDOWS.SERVER.INT
kpasswd_server = mc1.windows.server.int
admin_server = mc1.windows.server.int
}

[domain_realm]
.windows.server.int = WINDOWS.SERVER.INT


3. Edit Samba files to have the right configuration

/etc/samba/smb.conf

 

smb.conf:
workgroup = server
security = ads
realm = WINDOWS.SERVER.INT
encrypt passwords = yes

username map = /etc/samba/smbusers

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes


4. Now it's time to join the domain

net ads join -U administrator -S mc1

5. Now it's time to start both winbind and samba services

/etc/init.d/smb start
/etc/init.d/winbind start

6. Hopefully all that went well; to test it out, try this command

/usr/bin/wbinfo -g

This should display all the groups in your Active Directory structure.

7. Now it's time to configure Squid: edit squid.conf and add the following lines in the right areas

 

/etc/squid/squid.conf

 

squid.conf:
# (in the ntlm auth area)

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

# (in the basic auth area, used as the fallback for non-NTLM clients)

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# (in the acl area)
acl ntlm proxy_auth REQUIRED

# (in the http_access area)
http_access allow ntlm

 

8. Next remove all other http_access commands

9. Restart the squid server

/etc/init.d/squid restart

and you're ready to go. Try it out by logging on locally and opening IE/Firefox/Opera, then log into the domain and open IE/Firefox/Opera.
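Two checks that cover the steps above, added here as example code rather than anything from the original how-to: check_realms compares the Samba "realm" with the Kerberos "default_realm" (a mismatch, or a lower-case realm, is a common reason "net ads join" fails), and probe_helper speaks the squid-2.5-basic helper protocol to ntlm_auth exactly as Squid does, so the helper can be verified before Squid is restarted. The ntlm_auth command line and the /etc paths are assumed to be the ones shown in this article.

```sh
#!/bin/sh
# Sanity checks for the NTLM/winbind setup described above (added example).
# HELPER defaults to the basic-protocol ntlm_auth line from squid.conf;
# override it to test another helper.
HELPER="${HELPER:-/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic}"

# check_realms KRB5_CONF SMB_CONF -> exit status 0 when the realms agree
# and the Kerberos realm is upper case, as Kerberos expects.
check_realms() {
    krb_realm=$(sed -n '/^[[:space:]]*default_realm[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$1" | head -n 1)
    smb_realm=$(sed -n '/^[[:space:]]*realm[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$2" | head -n 1)
    upper=$(printf '%s' "$krb_realm" | tr '[:lower:]' '[:upper:]')
    [ -n "$krb_realm" ] && [ "$krb_realm" = "$upper" ] && [ "$krb_realm" = "$smb_realm" ]
}

# probe_helper USER PASSWORD -> prints OK or "ERR <reason>", exit status 0 only on OK.
# Squid sends the helper one "user password" line and reads one reply line back.
probe_helper() {
    case "$1$2" in
        *' '*) echo "ERR space in credentials"; return 1 ;;   # helper fields are space-separated
    esac
    # $HELPER is deliberately unquoted so its arguments are split into separate words
    reply=$(printf '%s %s\n' "$1" "$2" | $HELPER 2>/dev/null | head -n 1)
    case "$reply" in
        OK*)  echo "OK"; return 0 ;;
        ERR*) echo "$reply"; return 1 ;;
        *)    echo "ERR no reply from helper"; return 1 ;;
    esac
}

# Stand-alone use: ./check_ntlm.sh USER PASSWORD
if [ "$#" -eq 2 ]; then
    if check_realms /etc/krb5.conf /etc/samba/smb.conf; then
        echo "realms agree"
    else
        echo "realm mismatch between /etc/krb5.conf and /etc/samba/smb.conf"
    fi
    probe_helper "$1" "$2"
fi
```

A domain user should get OK and a wrong password ERR NT_STATUS_LOGON_FAILURE; if every probe returns "ERR no reply from helper", check that winbind is running and that the squid user can read /var/lib/samba/winbindd_privileged.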

External Links:

http://squid.sourceforge.net/ntlm/

http://www.cyberciti.biz/faq/squid-ntlm-authentication-configuration-howto/

Last Updated ( Sunday, 03 June 2007 )