Koozali.org: home of the SME Server

How-to Squid + SARG + Dansguardian + NTLM Authentication.

Offline vassili

How-to Squid + SARG + Dansguardian + NTLM Authentication.
« on: April 05, 2009, 03:39:35 AM »
Hello, I have used SME Server for some time now but never contributed anything so here goes: :lol:

How to make Squid use NTLM authentication to authorise users on the proxy by pulling user names from the WIN2000 - 2003 - 2008 Domain Controller

First Stage
Make SME Server a Domain Member.  To set the SME Server as a Domain Member please follow the excellent how-to at http://wiki.contribs.org/Advanced_Samba

After following the how-to, please confirm that the SME Server was able to pull user names by issuing the command

wbinfo -u

and groups by issuing

wbinfo -g

If both work then you are good to go to the next stage.

Second Stage
Install Dansguardian and SARG  by following the how-tos located at http://wiki.contribs.org/Dansguardian and http://wiki.contribs.org/Sarg. Set sarg to use dansguardian logs and Dansguardian to save logs in squid format. Do not disable the transparent proxy.  Do not enable any authentication methods for squid yet.

Third Stage

Custom templates
Make the directory for housing the custom templates for squid.conf:

mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf/

Go to /etc/e-smith/templates/etc/squid/squid.conf/ and copy the files 20ACL05ProxyAuth and 39http_access00pwdprotect to /etc/e-smith/templates-custom/etc/squid/squid.conf/

In 20ACL05ProxyAuth modify the line

if (defined $squid{RequireAuth} && $squid{RequireAuth} =~ /(ncsa|pam)/);

to

if (defined $squid{RequireAuth} && $squid{RequireAuth} =~ /(ncsa|pam|ntlm)/);

In 39http_access00pwdprotect modify the line

if (defined $squid{RequireAuth} && $squid{RequireAuth} =~ /(ncsa|pam)/);

to

if (defined $squid{RequireAuth} && $squid{RequireAuth} =~ /(ncsa|pam|ntlm)/);

Create a file named 15AuthProgramNTLM and paste the following code:

{
    # Emit the NTLM helper stanza only when the squid RequireAuth property is "ntlm"
    return "" unless ( ($squid{RequireAuth} || "no") eq "ntlm");

    $OUT .= "
auth_param ntlm program /usr/bin/ntlm_auth YOURDOMAIN/YOURDC --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth YOURDOMAIN/YOURDC --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm SME_Server_Proxy
auth_param basic credentialsttl 2 hours
";
}
Do not forget to modify YOURDOMAIN/YOURDC to your domain and to your domain controller

Execute the following commands
Code: [Select]
config setprop squid RequireAuth ntlm
expand-template /etc/squid/squid.conf
sv t /service/squid

Edit the file /etc/dansguardian/dansguardian.conf and uncomment the following line:

authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'

Issue a

signal-event post-upgrade; signal-event reboot
Set your browser manually or via group policy to the IP of your proxy server, as the transparent proxy will not work and will always show an access denied message. Also, do not disable the transparent proxy, as that would enable users to effectively bypass the proxy.

Test the setup. As we can see, the new SARG logs now show domain users instead of hostnames.

Suggestions are welcome and thank you for your attention.  I hope that there are no typos in the how to.
Credits go to the Sme Server developers for their excellent effort (Hi Charlie) and to gzartman because without AdvancedSamba contrib this would not be possible
« Last Edit: April 05, 2009, 04:22:38 AM by vassili »
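The following check script is an added example for the procedure in the post above; it is not part of the original post or of the SME Server contribs. Two things are worth verifying once the templates are expanded: that the auth_param ntlm stanza actually made it into /etc/squid/squid.conf, and that the proxy_auth ACL is enforced before any http_access allow rule that LAN clients could match (an allow rule placed earlier is an authentication bypass, because Squid stops at the first matching rule). The live checks assume Samba's wbinfo and ntlm_auth (the squid-2.5-basic helper protocol reads "user password" lines and answers OK or ERR) and curl on a client; a request through the proxy with no credentials must get a 407 Proxy Authentication Required, which is also why NTLM cannot work in transparent mode, as the browser never learns it is talking to a proxy. The sample squid.conf contents, the EXAMPLE/DC1 domain and the subcommand names are constructed for the example. Note that the basic fallback in the template means a client that does not speak NTLM sends its domain password base64-encoded, so keep that path to trusted networks.

```shell
#!/bin/sh
# check-ntlm-proxy.sh: sanity checks for the Squid + NTLM setup described above.
# Added example, not code from the original post or from the SME Server contribs.
# Assumed tools: Samba's wbinfo and /usr/bin/ntlm_auth on the server, curl on a client.

# --- 1. Static check of the expanded /etc/squid/squid.conf ---------------------
# Passes only if the NTLM helper stanza is present AND the proxy_auth ACL is
# referenced by an http_access rule before any allow rule a LAN client could match.
check_squid_conf() {   # usage: check_squid_conf /etc/squid/squid.conf
    conf="$1"
    grep -q '^auth_param ntlm program .*ntlm_auth .*--helper-protocol=squid-2\.5-ntlmssp' "$conf" || return 1
    # Name of the ACL that demands proxy authentication ("acl NAME proxy_auth REQUIRED")
    aclname=$(awk '$1=="acl" && $3=="proxy_auth" && $4=="REQUIRED" {print $2; exit}' "$conf")
    [ -n "$aclname" ] || return 1
    awk -v acl="$aclname" '
        $1 != "http_access" { next }
        { refs = 0; for (i = 3; i <= NF; i++) if ($i == acl || $i == ("!" acl)) refs = 1 }
        refs { authseen = 1 }
        # an allow rule before the auth rule (other than localhost/manager) bypasses auth
        !refs && !authseen && $2 == "allow" && $3 != "localhost" && $3 != "manager" { exit 1 }
        END { exit authseen ? 0 : 1 }
    ' "$conf"
}

# Constructed sample configs (not real SME output) to exercise the check offline.
write_sample_conf() {   # usage: write_sample_conf good|bypass FILE
    case "$1" in
        good)   rules='http_access deny !password
http_access allow localnet
http_access deny all' ;;
        bypass) rules='http_access allow localnet
http_access deny !password
http_access deny all' ;;
    esac
    cat > "$2" <<EOF
auth_param ntlm program /usr/bin/ntlm_auth EXAMPLE/DC1 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth EXAMPLE/DC1 --helper-protocol=squid-2.5-basic
acl localnet src 192.168.1.0/24
acl password proxy_auth REQUIRED
http_access allow localhost
$rules
EOF
}

# --- 2. Live checks, run on the SME box after the domain join --------------------
check_winbind() {
    wbinfo -t >/dev/null || return 1        # machine trust secret with the DC is valid
    wbinfo -u | grep -q . || return 1       # at least one domain user is visible
}

# Feed "user password" to the basic helper exactly as Squid would; expect "OK".
check_basic_helper() {   # usage: check_basic_helper USER PASSWORD
    reply=$(printf '%s %s\n' "$1" "$2" | /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic)
    [ "$reply" = "OK" ]
}

# --- 3. Client-side checks, run from a workstation that points at the proxy ------
proxy_status() {   # usage: proxy_status HOST:PORT URL ['DOMAIN\user:pass']
    if [ -n "$3" ]; then
        curl -s -o /dev/null -w '%{http_code}' -x "$1" --proxy-ntlm --proxy-user "$3" "$2"
    else
        curl -s -o /dev/null -w '%{http_code}' -x "$1" "$2"
    fi
}

# Without credentials the proxy must challenge (407); with NTLM credentials it must not.
check_proxy_auth() {   # usage: check_proxy_auth HOST:PORT 'DOMAIN\user:pass'
    [ "$(proxy_status "$1" http://example.com/)" = "407" ] || return 1
    [ "$(proxy_status "$1" http://example.com/ "$2")" != "407" ]
}

case "${1:-}" in
    conf)    check_squid_conf "$2" && echo "squid.conf: NTLM auth enforced" ;;
    winbind) check_winbind && echo "winbind: domain users visible" ;;
    helper)  check_basic_helper "$2" "$3" && echo "ntlm_auth: credentials accepted" ;;
    proxy)   check_proxy_auth "$2" "$3" && echo "proxy: 407 without creds, access with NTLM" ;;
esac
```

Run it on the server as "sh check-ntlm-proxy.sh conf /etc/squid/squid.conf" after expand-template, then "helper DOMAIN\user password" once winbind is up, and from a workstation "proxy 192.168.1.1:3128 'DOMAIN\user:password'". The conf check deliberately treats any allow rule placed before the proxy_auth rule as a failure rather than a warning, since that ordering silently turns the authenticated proxy back into an open one.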

Offline David Harper

Re: How-to Squid + SARG + Dansguardian + NTLM Authentication.
« Reply #1 on: April 05, 2009, 03:51:16 AM »
Thanks for the howto, and welcome to the forums.

If you like you can request wiki access from your forum profile, and then add this document to the wiki.

Offline vassili

Re: How-to Squid + SARG + Dansguardian + NTLM Authentication.
« Reply #2 on: April 05, 2009, 03:57:57 AM »
Thanks for the info, I will definitely do that after some work on my wiki editing skills.

Regards

Vassili

Offline stephen noble

Re: How-to Squid + SARG + Dansguardian + NTLM Authentication.
« Reply #3 on: April 07, 2009, 01:17:28 PM »
please open a bug on smeserver-dansguardian and post a patch