NTLM Authentication in Squid

21 01 2010

I spent so much time configuring squid on Debian, but finally I changed to CentOS. It turned out well. OK, let's not waste more lines explaining my feelings.

1. Make sure our CentOS is time-synchronised with the DC.

2. These packages must be installed (check with rpm -qa whether a package is already present, then install the missing ones with yum):

> rpm -qa [package-name]

> yum install krb5-workstation samba authconfig

3. Install Squid

> yum install squid

4. Edit /etc/samba/smb.conf with the authconfig command

# authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=sun.ambient.local \
--krb5realm=AMBIENT.LOCAL --smbservers=sun.ambient.local --smbworkgroup=AMBIENT \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=AMBIENT.LOCAL \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall

**My Domain: AMBIENT.LOCAL

**DC computername: SUN.AMBIENT.LOCAL

**CentOS Web proxy Server’s name: centos

5. Change the security line in the [global] section of /etc/samba/smb.conf

> security = ads

Moreover, refer to the right domain name inside /etc/krb5.conf.

*** You can test the configuration of smb.conf with

> testparm

6. Join centos to DC

> /usr/bin/net join -w AMBIENT -S sun.ambient.local -U Administrator

Then enter the password.

7. Restart the winbind service

> /etc/init.d/winbind restart

8. If the join succeeded, you will be able to traverse AD: list domain users with -u and domain groups with -g

> wbinfo -u

> wbinfo -g

9. Set up and configure Squid. Please see the old post.

10. Add the NTLM authentication settings to squid.conf

# winbind's ntlm_auth helper; only members of the given group are accepted
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=SUN+internetuser
auth_param ntlm children 5
auth_param ntlm keep_alive on

# source networks allowed to use the proxy (the src type is required)
acl myNetwork src 192.168.51.0/24 192.168.52.0/24

# clients must authenticate; both ACLs have to match for the allow to apply
acl ntlm proxy_auth REQUIRED
http_access allow myNetwork ntlm

**internetuser must be written in lowercase.

11. Restart squid

> /etc/init.d/squid restart

12. Now every client that uses the proxy has to be logged in to the DC before it can go online.
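The security-relevant detail in step 10 is that the allow rule names both ACLs: an http_access allow line that lists only the network ACL would let anyone on the LAN through the proxy without ever being asked for credentials, and an acl line without a type (for example a bare network list where src is missing) stops Squid from starting at all. The script below is an added example, not part of the original post or of Squid's own tooling: a small POSIX sh lint to run against squid.conf before the restart in step 11. The two sample configs it writes are constructed here and mirror step 10; the ACL names and the file paths are assumptions, not taken from a live server.

```shell
#!/bin/sh
# Added example, not part of the original post: a lint for the NTLM section of
# squid.conf, meant to run before "/etc/init.d/squid restart".
# The sample configs written by write_good_conf/write_bad_conf are constructed
# here to mirror step 10; ACL names and paths are assumptions.

# check_ntlm_config FILE
# Exit 0 when FILE declares the ntlm helper, defines a proxy_auth REQUIRED acl,
# gives every acl an explicit type, and never allows traffic without that acl.
check_ntlm_config() {
    conf="$1"

    # 1. The helper must be declared, or proxy_auth ACLs can never match.
    grep -Eq '^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]+program[[:space:]]' "$conf" || {
        echo "missing: auth_param ntlm program ..."
        return 1
    }

    # 2. Find the acl that forces authentication (step 10 calls it "ntlm").
    authacl=$(awk '$1 == "acl" && $3 == "proxy_auth" && $4 == "REQUIRED" { print $2; exit }' "$conf")
    [ -n "$authacl" ] || {
        echo "missing: acl <name> proxy_auth REQUIRED"
        return 1
    }

    # 3. An acl whose type field is an address was written without "src";
    #    Squid rejects such a line at startup.
    awk 'BEGIN { bad = 0 }
         $1 == "acl" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ {
             print "acl without a type (did you mean src?): " $0; bad = 1
         }
         END { exit bad }' "$conf" || return 1

    # 4. Every "http_access allow" must name the auth acl; one that does not is
    #    a path through the proxy that never asks for credentials.
    awk -v a="$authacl" 'BEGIN { bad = 0 }
         $1 == "http_access" && $2 == "allow" {
             ok = 0
             for (i = 3; i <= NF; i++) if ($i == a) ok = 1
             if (!ok) { print "allow without " a ": " $0; bad = 1 }
         }
         END { exit bad }' "$conf"
}

# write_good_conf FILE: constructed sample that follows step 10.
write_good_conf() {
    cat > "$1" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=SUN+internetuser
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl myNetwork src 192.168.51.0/24 192.168.52.0/24
acl ntlm proxy_auth REQUIRED
http_access allow myNetwork ntlm
http_access deny all
EOF
}

# write_bad_conf FILE: constructed sample with the two mistakes the lint catches.
write_bad_conf() {
    cat > "$1" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl myNetwork 192.168.51.0/24 192.168.52.0/24
acl ntlm proxy_auth REQUIRED
http_access allow myNetwork
http_access deny all
EOF
}

# Usage: sh squid-ntlm-lint.sh /path/to/squid.conf
if [ -n "${1:-}" ]; then
    check_ntlm_config "$1"
fi
```

Every allow line that does not mention the auth ACL is reported, including ones you may have added on purpose (localhost, a monitoring host); treat each report as something to justify rather than as a hard failure. The check only covers the ntlm helper block; it does not validate the rest of squid.conf, so keep running Squid's own parse check as well.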

Quite long and a little bit complicated, but it is as clear as I can make it.

For more details, please see this
