Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: vassili on April 05, 2009, 03:39:35 AM
-
Hello, I have used SME Server for some time now but never contributed anything so here goes: :lol:
How to make Squid use NTLM authentication to authorise users on the proxy by pulling user names from the WIN2000 - 2003 - 2008 Domain Controller
First Stage
Make SME Server a Domain Member. To set the SME Server as a Domain Member please follow the excellent how-to at http://wiki.contribs.org/Advanced_Samba
After following the how-to, please confirm that the SME Server was able to pull usernames by issuing the wbinfo -u command and groups by issuing the wbinfo -g command. If it works then you are good to go to the next stage.
Second Stage
Install Dansguardian and SARG by following the how-tos located at http://wiki.contribs.org/Dansguardian and http://wiki.contribs.org/Sarg. Set SARG to use Dansguardian logs and Dansguardian to save logs in squid format. Do not disable the transparent proxy. Do not enable any authentication methods for squid yet.
Third Stage
Custom templates
Make the directory for housing the custom templates for squid.conf:
mkdir -p /etc/e-smith/templates-custom/etc/squid/squid.conf/
Go to /etc/e-smith/templates/etc/squid/squid.conf/ and copy the files 20ACL05ProxyAuth and 39http_access00pwdprotect to /etc/e-smith/templates-custom/etc/squid/squid.conf/
In 20ACL05ProxyAuth modify the line
if (defined $squid{RequireAuth} && $squid{RequireAuth} =~ /(ncsa|pam)/);
to
if (defined $squid{RequireAuth} && $squid{RequireAuth} =~ /(ncsa|pam|ntlm)/);
In 39http_access00pwdprotect modify the line
if (defined $squid{RequireAuth} && $squid{RequireAuth} =~ /(ncsa|pam)/);
to
if (defined $squid{RequireAuth} && $squid{RequireAuth} =~ /(ncsa|pam|ntlm)/);
Create a file named 15AuthProgramNTLM and paste the following code:
{
return "" unless ( ($squid{RequireAuth} || "no") eq "ntlm");
$OUT .= "
auth_param ntlm program /usr/bin/ntlm_auth YOURDOMAIN/YOURDC --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth YOURDOMAIN/YOURDC --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm SME_Server_Proxy
auth_param basic credentialsttl 2 hours
";}
Do not forget to modify YOURDOMAIN/YOURDC to your domain and to your domain controller.
Execute the following commands:
config setprop squid RequireAuth ntlm
expand-template /etc/squid/squid.conf
sv t /service/squid
Edit the file /etc/dansguardian/dansguardian.conf and uncomment the following line:
authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'
Issue a signal-event post-upgrade; signal-event reboot
Set your browser manually or via group policy to the IP of your proxy server, as the transparent proxy will not work and will always show an access denied message. Also do not disable the transparent proxy, as it will enable users to effectively bypass the proxy.
Test the setup. As we can see, the new SARG logs now show domain users instead of hostnames.
Suggestions are welcome and thank you for your attention. I hope that there are no typos in the how-to.
Credits go to the SME Server developers for their excellent effort (Hi Charlie) and to gzartman, because without the AdvancedSamba contrib this would not be possible.
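Added example, not from vassili's post or from the SME Server project: a POSIX shell script that carries out the Third Stage template edits above and checks them before anything is expanded into squid.conf. The ROOT prefix, the function names and the domain/DC values passed in are assumptions made for this example; with ROOT unset it targets the live /etc/e-smith tree.

```shell
#!/bin/sh
# Added example, not part of the original post: automates the "Third Stage"
# template edits for an SME Server / e-smith tree and checks the result.
# ROOT is an assumed prefix (default: the live system) so the same functions
# can be exercised against a scratch copy of the template tree first.
set -eu

tpl_dir()    { echo "${ROOT:-}/etc/e-smith/templates/etc/squid/squid.conf"; }
custom_dir() { echo "${ROOT:-}/etc/e-smith/templates-custom/etc/squid/squid.conf"; }

# Copy the two stock fragments into templates-custom, extending the
# RequireAuth regex so the ACL and http_access fragments also fire for ntlm.
patch_auth_regex() {
    mkdir -p "$(custom_dir)"
    for f in 20ACL05ProxyAuth 39http_access00pwdprotect; do
        sed 's#(ncsa|pam)#(ncsa|pam|ntlm)#' "$(tpl_dir)/$f" > "$(custom_dir)/$f"
        grep -q '(ncsa|pam|ntlm)' "$(custom_dir)/$f" || return 1
    done
}

# Write 15AuthProgramNTLM with the real domain and DC substituted in, so the
# YOURDOMAIN/YOURDC placeholders from the how-to never reach squid.conf.
write_ntlm_fragment() {
    domain="$1"; dc="$2"
    mkdir -p "$(custom_dir)"
    cat > "$(custom_dir)/15AuthProgramNTLM" <<EOF
{
return "" unless ( (\$squid{RequireAuth} || "no") eq "ntlm");
\$OUT .= "
auth_param ntlm program /usr/bin/ntlm_auth $domain/$dc --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth $domain/$dc --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm SME_Server_Proxy
auth_param basic credentialsttl 2 hours
";}
EOF
}

# Fail if a placeholder survived (e.g. the fragment was pasted by hand).
check_no_placeholders() {
    ! grep -q -e YOURDOMAIN -e YOURDC "$(custom_dir)/15AuthProgramNTLM"
}
```

Once all three functions succeed on the live tree, continue with the how-to's own steps: config setprop squid RequireAuth ntlm, expand-template /etc/squid/squid.conf and sv t /service/squid.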
-
Thanks for the howto, and welcome to the forums.
If you like you can request wiki access from your forum profile, and then add this document to the wiki.
-
Thanks for the info, I will definitely do that after some work on my wiki editing skills.
Regards
Vassili
-
please open a bug on smeserver-dansguardian and post a patch