Use squid on ubuntu server 11.10 joined to a domain in order to force NTLM authentication (review ubuntu 11.10)

This installation was made on an ubuntu server 11.10 and is partially based on my previous tutorial.


Install squid:
sudo apt-get install squid

You can already test the installation by configuring your web browser to use your server on port 3128 as the proxy server. You should receive an error web page generated by squid or the requested web page.

In order to request your domain controler, you have to install the following packages:
sudo apt-get install samba krb5-user libpam-krb5 winbind

During the installation, you should be prompted for a default kerberos realm.
Enter your domain name in capital letters : YOURDOMAIN.COM

You can test that all is running fine by typing the following command:
sudo kinit Administrator
You will be prompted for the administrator password.
If all is correctly configured, the command should return no result.

You can also check the credential cache with:
sudo klist

Edit /etc/samba/smb.conf and add or modify the following items:
[global]
workgroup = YOURDOMAIN
realm = YOURDOMAIN.COM
security = ads
winbind use default domain = yes
# only add the next line if your server's name is longer
# than 18 characters and truncate the name to 18 chars
netbios name = mysquidserver
[...]
Please note that workgroup option is not ended with the Top Level Domain (.COM or whatever)

Restart samba and winbind services:
sudo service smbd restart
sudo service winbind restart

Try to join the domain with the following command:
sudo net ads join -U Administrator
sudo net join -U Administrator

You should get a similar result:
Using short domain name -- YOURDOMAIN
Joined 'mysquidserver' to realm 'yourdomain.com'
If you get a warning message about the DNS, you can simply ignore it ;)

You can now test the configuration with the following command that gives you the list of users:
wbinfo -u

In case of any problem, restart samba and winbind before googleing.


Now that your server is joined to your AD domain, we can configure squid.

First, test the ntlm authentication:
sudo /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
Directly after, enter a valid domain user and the corresponding password separated by a space:
username password
The answer should be:
OK
Hit CTRL+D to exit.

Edit the file /etc/squid/squid.conf.
Add or edit the following:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm YOURDOMAIN.COM
auth_param basic credentialsttl 2 hours
acl ntlm proxy_auth REQUIRED
http_access allow ntlm
append_domain .yourdomain.com
cache_effective_group winbindd_priv


Restart squid : sudo service squid restart

Enjoy !

#1 #2 #3 #4 #5 #5

Comments

Post a Comment

Popular posts from this blog

Resolve "Cannot download packages whilst offline" issue in Deja-Dup backup software

If you got the error message "Cannot download packages whilst offline" but your internet connection is active, this is probably because you've managed the network configuration yourself and the network manager is reporting an offline status even if it's not correct. To fix this issue, simply edit the file /etc/NetworkManager/NetworkManager.conf and change the following configuration to be inline with: [ifupdown] managed=true Then restart the Network Manager : sudo service NetworkManager restart #1
Read more

ubuntu 20.04 / netplan / change mac address and static ip

I wasn't able to set together a virtual mac address and a static IP using netplan: either the mac address didn't change, or IP was not set. I finally got the trick using a fake nic definition that matches the new virtual mac address I've set.    network:   renderer: networkd   ethernets:     ens160:       match:         macaddress: 00:0c:29:5a:69:00       macaddress: 00:50:56:0c:de:a6     ens160_2:       match:         macaddress: 00:50:56:0c:de:a6        addresses: [ 139.99.5.72/32 ]       nameservers:         addresses: [ 8.8.8.8 ]       routes:       - to: 0.0.0.0/0         via: 139.99.5.254         on-link: true     ens192:       addresses: [192.168.103.14/24]       #dhcp4: true   version: 2
Read more

wireshark ssh remote connect on linux server

Image
First, install the optional component from Tools  section of Wireshark installer Then, select config gear of the SSH remote capture  from the welcome screen Configure the following information:           Server ip/hostname and port     Remote user name and private rsa key in OpenSSH format (use puttygen > conversions > export openssh key)  (user and password should work too) You shouldn't have to change anything in Capture tab If you get an error linked to Kex algos: Error by extcap pipe:  ** (sshdump.exe:8216): WARNING **: Error creating connection. ** (sshdump.exe:8216): WARNING **: Connection error: kex error : no match for method kex algos: server [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256], client [diffie-hellman-group14-sha1,diffie-hellman-group1-sha1] You have to add the requested al
Read more