Set up the working directory:

> mkdir /root/squid
> cd /root/squid

Download squid and samba:

> wget http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE3.tar.gz
> wget http://us2.samba.org/samba/ftp/samba-latest.tar.gz

Unpack squid and samba:

> tar -xvzf squid-2.5.STABLE3.tar.gz
> tar -xvzf samba-latest.tar.gz

Build samba:

> cd samba-2.2.8a/source
> ./configure --with-winbind --with-winbind-auth-challenge
> make
> make install

Configure samba:

> cd /root/squid/samba-2.2.8a/examples/simple
> cp smb.conf /usr/local/samba/lib/
> emacs /usr/local/samba/lib/smb.conf

Add the following lines to the [global] section of the smb.conf file:

    encrypt passwords = true
    workgroup = RELIABLEPENGUIN
    password server = ADTEST
    security = domain
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes

Replace RELIABLEPENGUIN and ADTEST with the name of the domain and PDC to be used for this install. Comment out the [homes] and [printers] sections entirely. Press Ctrl-X Ctrl-C to save and exit emacs.

Join the server to the Windows domain:

> /usr/local/samba/bin/smbpasswd -j RELIABLEPENGUIN -r ADTEST -U Administrator

Start the samba services:

> /usr/local/samba/bin/nmbd
> /usr/local/samba/bin/winbindd

Test and verify proper operation:

> /usr/local/samba/bin/wbinfo -t
Secret is good

If wbinfo returns "Secret is bad" then run the above command to join the domain again.

> /usr/local/samba/bin/wbinfo -a RELIABLEPENGUIN\\Administrator%testing
plaintext password authentication succeeded
challenge/response password authentication succeeded

If you get an error then there is something wrong with the domain membership.

Now build squid:

> cd /root/squid/squid-2.5.STABLE3
> ./configure --enable-auth="ntlm,basic" \
    --enable-basic-auth-helpers="winbind" \
    --enable-ntlm-auth-helpers="winbind" \
    --sysconfdir=/etc/squid \
    --sbindir=/usr/sbin \
    --bindir=/usr/sbin \
    --libexecdir=/usr/lib/squid \
    --datadir=/usr/share/squid \
    --localstatedir=/var/run \
    --mandir=/usr/share/man
> make
> make install

Test the winbind helper. Start it in debug mode, then type a user name and password on one line, separated by a space (the "RELIABLEPENGUIN\Administrator testing" line below); the helper should answer OK:

> /usr/lib/squid/wb_auth -d
/wb_auth[16936](wb_basic_auth.c:168): basic winbindd auth helper build Jun 3 2003, 12:03:17 starting up...
RELIABLEPENGUIN\Administrator testing
/wb_auth[16936](wb_basic_auth.c:129): Got 'RELIABLEPENGUIN\Administrator testing' from squid (length: 37).
/wb_auth[16936](wb_basic_auth.c:55): winbindd result: 1
/wb_auth[16936](wb_basic_auth.c:58): sending 'OK' to squid
OK

Now configure squid to use the helper. Edit /etc/squid/squid.conf and add the following lines:

    pid_filename /var/run/squid.pid
    ....
    cache_dir ufs /var/cache/squid 5000 16 256
    ....
    cache_access_log /var/log/squid/access.log
    ....
    cache_log /var/log/squid/cache.log
    ....
    cache_store_log /var/log/squid/store.log
    ....
    auth_param ntlm program /usr/lib/squid/wb_ntlmauth
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/lib/squid/wb_auth
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    ....
    acl localnetwork src 10.0.0.0/255.0.0.0
    acl password proxy_auth REQUIRED
    ....
    http_access allow password
    http_access allow localnetwork

Do squid cache setup:

> cd /var/cache
> mkdir squid
> chgrp squid squid
> chmod g+w squid
> squid -z

Do squid logs setup:

> cd /var/log
> mkdir squid
> chgrp squid squid
> chmod g+w squid

Set up squid and samba to start on boot:

The stock startup file distributed by Red Hat with squid is sufficient for starting squid. This file is located at /etc/init.d/squid.
If the file does not exist on the target system then copy it from another system or extract it from the Red Hat squid rpm. A custom startup script is required for samba since we're not acting as a file server, just running nmbd and winbind. A suitable file is located at /etc/init.d/samba. Copy this file to the target system.

Now symlink the startup scripts into the rc directories:

> ln -s ../init.d/squid /etc/rc3.d/S25squid
> ln -s ../init.d/samba /etc/rc3.d/S24samba
> ln -s ../init.d/squid /etc/rc3.d/K25squid
> ln -s ../init.d/samba /etc/rc3.d/K24samba

And that does it.
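
Squid evaluates the http_access lines in the squid.conf excerpt above in order, and the first matching line decides. The following is an added example, not part of the original how-to: a simplified Python model of that evaluation (only src and proxy_auth ACLs are modelled) that compares the rules as listed with an assumed tighter rule set. HARDENED_RULES, the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Rules as listed in the squid.conf excerpt above.
PAGE_RULES = """
acl localnetwork src 10.0.0.0/255.0.0.0
acl password proxy_auth REQUIRED
http_access allow password
http_access allow localnetwork
"""

# Assumed tightening (not from the original page): require both ACLs, then deny.
HARDENED_RULES = """
acl all src 0.0.0.0/0.0.0.0
acl localnetwork src 10.0.0.0/255.0.0.0
acl password proxy_auth REQUIRED
http_access allow localnetwork password
http_access deny all
"""

def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            acls[words[1]] = (words[2], words[3])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def decide(conf, src_ip, authenticated):
    """Return 'allow', 'deny' or 'challenge' (HTTP 407) for one request."""
    acls, rules = parse(conf)
    last = "allow"  # with no rules at all, fall through to deny
    for action, names in rules:
        last, matched = action, True
        for name in names:  # ACLs on one line are ANDed, left to right
            kind, value = acls[name.lstrip("!")]
            if kind == "src":
                hit = ipaddress.ip_address(src_ip) in ipaddress.ip_network(value)
            elif kind == "proxy_auth":
                if not authenticated:
                    return "challenge"  # Squid asks the client for credentials
                hit = True
            else:
                raise ValueError("ACL type not modelled: " + kind)
            if hit == name.startswith("!"):
                matched = False
                break
        if matched:
            return action
    return "deny" if last == "allow" else "allow"  # default: opposite of last rule
```

decide(PAGE_RULES, "203.0.113.5", True) returns "allow" because the first rule never tests the source address, while the same request against HARDENED_RULES returns "deny".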