11 August 2011

Use squid on an Ubuntu server linked with a domain controller in order to force NTLM authentication

(This installation was made on an Ubuntu Server 10.10)

Install squid:
sudo apt-get install squid

You can already test the installation by configuring your web browser to use your server on port 3128 as the proxy server. You should receive either an access-denied error page generated by squid (the shipped configuration only allows a few local networks) or the requested web page.

In order to talk to your Active Directory server, you have to install the following packages:
sudo apt-get install samba krb5-user libpam-krb5 winbind

During the installation, you could be prompted for some information.
Just leave the default values, we will modify the config files later.

Edit /etc/krb5.conf and add or edit the following values (the keys kdc, admin_server and default_domain belong inside the realm stanza, and the two domain-to-realm mappings go in the [domain_realm] section):

[libdefaults]
    default_realm = YOURDOMAIN.COM

[realms]
    YOURDOMAIN.COM = {
        kdc = dc
        admin_server = dc
        default_domain = YOURDOMAIN.COM
    }

[domain_realm]
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM

where yourdomain.com is your AD DNS domain (respect the character casing: Kerberos realm names are case-sensitive and conventionally upper-case) and dc is the DNS name of your domain controller (the fully qualified name, dc.yourdomain.com, is the safest choice).

You can test that everything is running fine by typing the following command:
sudo kinit Administrator
You will be prompted for the Administrator password.
If all is correctly configured, this command prints nothing; klist will then show the ticket-granting ticket you just obtained. If kinit complains about clock skew, synchronise the server's clock with the domain controller first: Kerberos rejects tickets when the two clocks differ by more than five minutes.

Before configuring samba, stop the samba and the winbind service :
sudo service winbind stop
sudo service smbd stop

Edit /etc/samba/smb.conf and add or modify the following items:
workgroup = YOURDOMAIN
security = ads
encrypt passwords = yes
password server = dc.yourdomain.com
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
# only add the following line if your server's hostname is longer than 15 characters (the NetBIOS name limit)
netbios name = mysquidserver

where dc.yourdomain.com is your domain controller.

Restart samba and winbind services:
sudo service smbd start
sudo service winbind start

Try to join the domain with the following command:
sudo net join -U Administrator

You should get the following result:
Using short domain name -- YOURDOMAIN
Joined 'mysquidserver' to realm 'yourdomain.com'

You can now test the configuration: wbinfo -t checks that the machine account secret shared with the domain is valid, and the following command gives you the list of domain users:
wbinfo -u

In case of any problem, restart samba and winbind before googling.

Now that your server is joined to your AD domain, we can configure squid.

First, test the NTLM authentication helper by hand:
sudo /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
Directly after, enter a valid domain user and password on one line, separated by a space:
username password
The helper answers OK when the domain controller accepts the credentials and ERR when it does not. Note that this basic helper receives the password in clear text, which is exactly what squid will hand it when a browser falls back from NTLM to Basic authentication.

Edit the file /etc/squid/squid.conf.
Add or edit the following. Squid evaluates http_access rules top to bottom and stops at the first match, so the allow rule below must appear before the http_access deny all line of the shipped configuration, and that deny all line must stay at the end of the list:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid AD
auth_param basic credentialsttl 2 hours
acl ntlm proxy_auth REQUIRED
http_access allow ntlm
append_domain .yourdomain.com
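The order of these lines relative to the rest of squid.conf matters as much as their content. The checker below is an added example, not part of the original post and not squid's own code; it reads a squid.conf fragment and reports the ordering mistakes that silently break proxy authentication. The two sample configurations embedded in it are constructed here: one is the fragment above placed ahead of a final deny rule, the other is the same lines pasted after the shipped deny all with the two helpers declared in the wrong order.

```python
"""Ordering checks for squid proxy-authentication configuration.

Added example, not from the original post.  It encodes documented squid
behaviour only:
  * http_access rules are evaluated top to bottom, first match wins, so an
    'allow ntlm' placed after 'http_access deny all' never runs;
  * if no rule matches, squid applies the opposite of the LAST rule, so the
    list should end with an explicit 'http_access deny all';
  * clients are offered authentication schemes in the order the auth_param
    lines first appear, so ntlm must be declared before basic to be preferred;
  * every acl name used by http_access must be defined by an acl line
    ('all' is taken as defined because the shipped squid.conf defines it).
"""


def parse_squid_conf(text):
    """Return (directive, args) for each non-empty, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def check_squid_auth_config(text):
    """Return a list of findings; an empty list means the ordering is sound."""
    entries = parse_squid_conf(text)
    findings = []
    acls = {"all"}
    auth_acls = set()
    scheme_order = []
    for directive, args in entries:
        if directive == "acl" and args:
            acls.add(args[0])
            if len(args) > 1 and args[1] == "proxy_auth":
                auth_acls.add(args[0])
        elif directive == "auth_param" and args and args[0] not in scheme_order:
            scheme_order.append(args[0])  # first appearance fixes the offer order

    if ("ntlm" in scheme_order and "basic" in scheme_order
            and scheme_order.index("basic") < scheme_order.index("ntlm")):
        findings.append("auth_param basic is declared before auth_param ntlm: "
                        "clients are offered Basic first")
    if not auth_acls:
        findings.append("no 'acl ... proxy_auth' line: nothing forces authentication")

    rules = [(a[0], a[1:]) for d, a in entries if d == "http_access" and len(a) > 1]
    deny_all_seen = False
    for action, refs in rules:
        for ref in refs:
            if ref.lstrip("!") not in acls:
                findings.append(f"http_access uses undefined acl '{ref.lstrip('!')}'")
        if deny_all_seen:
            findings.append(f"'http_access {action} {' '.join(refs)}' is unreachable: "
                            "it follows 'http_access deny all'")
        if action == "deny" and refs == ["all"]:
            deny_all_seen = True
    if not rules:
        findings.append("no http_access rules at all")
    elif rules[-1] != ("deny", ["all"]):
        findings.append("last http_access rule is not 'deny all': "
                        "unmatched requests get the opposite of the last rule")
    return findings


# Constructed sample: the post's fragment placed ahead of the final deny rule.
GOOD_CONF = """
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid AD
auth_param basic credentialsttl 2 hours
acl all src all
acl ntlm proxy_auth REQUIRED
http_access allow ntlm
http_access deny all
"""

# Constructed sample: the same lines appended after the shipped deny rule,
# with the helpers declared in the wrong order.
BAD_CONF = """
acl all src all
http_access deny all
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl ntlm proxy_auth REQUIRED
http_access allow ntlm
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_squid_auth_config(conf) or ["ok"])
```

Feed it the whole of your /etc/squid/squid.conf rather than just the fragment: the mistakes it looks for only show up in the context of the shipped rules.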

Restart squid: sudo service squid restart

Enjoy !

--- EDIT 10/01/2012
I've tried a fresh install based on the current procedure on an Ubuntu Server 11.10 without success.
I've executed the following command in order to get it working:
chmod -R 777 /var/run/samba/winbindd_privileged
--- END EDIT 10/01/2012
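On Debian and Ubuntu that directory is created by winbind as root:winbindd_priv with mode 0750, so that only members of winbindd_priv can open the privileged pipe that ntlm_auth needs; opening it with chmod 777 lets any local account talk to that pipe. The supported fix is to put the user squid runs as (proxy on Ubuntu) into the group and restart squid: usermod -a -G winbindd_priv proxy. The script below is an added example, not from the original post; it checks that a hardened install looks the way it should. The directory path, the proxy user name and the group name it uses are assumptions about a stock Ubuntu layout.

```python
"""Check that the squid helper user reaches winbind's privileged pipe through
group membership rather than through world permissions.

Added example, not from the original post.  Assumptions (not stated by the
page): Debian/Ubuntu create the directory as root:winbindd_priv mode 0750 and
run squid as user 'proxy'.
"""
import grp
import os
import pwd
import stat

PRIV_DIR = "/var/run/samba/winbindd_privileged"  # assumed default location
PROXY_USER = "proxy"                              # assumed squid user on Ubuntu


def user_gids(user):
    """All group ids of a user: primary group plus supplementary groups."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return gids


def check_priv_dir(path, user, gids=None):
    """Return a list of problems; an empty list means the helper can use the pipe safely.

    Safe means: no permission bits for 'other', group can traverse the
    directory, and the user belongs to the directory's group.  gids may be
    supplied explicitly (used by the tests); otherwise it is looked up via NSS.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist (is winbind running?)"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        problems.append(f"{path} is mode {mode:04o}: world-accessible, expected 0750")
    if not mode & 0o050:
        problems.append(f"{path} gives its group no access (mode {mode:04o})")
    if gids is None:
        try:
            gids = user_gids(user)
        except KeyError:
            return [f"user {user} does not exist on this host"]
    if st.st_gid not in gids:
        try:
            gname = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            gname = str(st.st_gid)
        problems.append(f"{user} is not in group {gname}; run: usermod -a -G {gname} {user}")
    return problems


if __name__ == "__main__":
    for line in check_priv_dir(PRIV_DIR, PROXY_USER) or ["ok"]:
        print(line)
```

Run it as root on the proxy after the domain join; if it reports the usermod line, run that command and restart squid instead of loosening the directory permissions.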
