Configuring Squid for NTLM with Winbind Authentication on CentOS 5

By Joseph L. Casale

Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.

This Configuration Example illustrates a simplified method to set up Squid on CentOS 5 (or any RHEL 5 flavor) using built-in configuration tools while enabling only the services needed for authentication to be carried out by Winbind.

Contents
1. Prerequisites
   1. Network Time Protocol (NTP)
   2. Samba and Winbind
   3. Squid
2. Configure Kerberos
3. Configuring Squid
4. Notes

Prerequisites

Network Time Protocol (NTP)

In order for Kerberos to function, proper time synchronization between your Active Directory PDC Emulator and this server must be maintained.

Check if the ntp client is installed:

    # rpm -qa ntp

If this query returns nothing, install it:

    # yum install ntp

Now edit /etc/ntp.conf, comment out any lines that begin with "server", and create only one that points to your Active Directory PDC Emulator. Then set the daemon to start automatically at boot and start it:

    # vi /etc/ntp.conf
    server pdce.example.local
    # chkconfig ntpd on
    # service ntpd start

Samba and Winbind

The Samba configuration file /etc/samba/smb.conf and the Squid authentication helper /usr/bin/ntlm_auth are provided by the samba-common package.

Check if the software is installed:

    # rpm -qa | egrep -i '(krb5-workstation|samba-common|authconfig)'
    authconfig-5.3.21-5.el5
    krb5-workstation-1.6.1-25.el5_2.1
    samba-common-3.0.28-1.el5_2.1

If not, install it with yum:

    # yum install authconfig krb5-workstation samba-common

Squid

Squid is available in the Base repo. Check if it's installed:

    # rpm -qa squid

If this query returns nothing, install it and/or set it to start at boot:

    # yum install squid
    # chkconfig squid on

Configure Kerberos

To enable Active Directory Group and User enumeration by the helper, we join the CentOS server to Active Directory. You can use authconfig to configure Samba and Winbind and perform the join in one step. Replace ads.example.local with the FQDN of your Active Directory server, EXAMPLE with the NetBIOS name of your domain, and EXAMPLE.LOCAL with the full name of your domain.

    # authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=ads.example.local \
        --krb5realm=EXAMPLE.LOCAL --smbservers=ads.example.local --smbworkgroup=EXAMPLE \
        --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=EXAMPLE.LOCAL \
        --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
        --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
        --winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall
    [/usr/bin/net join -w EXAMPLE -S ads.example.local -U Administrator]
    Administrator's password:
    Using short domain name -- EXAMPLE
    Joined 'SERVER' to realm 'EXAMPLE.LOCAL'

    Shutting down Winbind services:                            [FAILED]
    Starting Winbind services:                                 [  OK  ]

If Winbind wasn't running before this it can't shut down, but authconfig will start it and enable it to start at boot.

The default permissions for /var/cache/samba/winbindd_privileged in RHEL/CentOS 5.4 were 750 root:squid (which worked by default) but are now 750 root:wbpriv in 5.5, which doesn't allow the user Squid runs under to access the socket. Make sure squid.conf does not have a cache_effective_group defined, and add wbpriv as a supplementary group to the user Squid runs under:

    # usermod -a -G wbpriv squid

You can test Active Directory Group and User enumeration by viewing the output of wbinfo:

    # wbinfo -u
    # wbinfo -g

If you are able to enumerate your Active Directory Groups and Users, everything is working.

Configuring Squid

I created an Active Directory Group to control who gets access to the proxy. Check the man pages for ntlm_auth for options.

Edit your /etc/squid/squid.conf to enable the helper and adjust our_networks accordingly:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP
    auth_param ntlm children 5
    auth_param ntlm keep_alive on

    acl our_networks 192.168.0.0/24 192.168.1.0/24

    acl ntlm proxy_auth REQUIRED
    http_access allow our_networks ntlm

This is not a complete set of parameters for Squid to function, but it is what is required for the authentication portion.

Notes

Current versions of Firefox are capable of NTLM authentication, so you need not enable basic. You need not install the full Samba package, nor have smbd and nmbd running, for authentication to take place.
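The winbindd_privileged permission change described above (750 root:wbpriv since 5.5) is the usual reason the ntlm_auth helper silently fails after an upgrade. The following check script is an added example, not part of the original wiki page; the paths and the function names are my own, and the defaults assume the squid user and socket directory named in the text.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the user Squid runs as
# can reach the winbind privileged socket. Two things must hold, as the text above
# explains: the Squid user is a member of the group owning winbindd_privileged,
# and squid.conf does not set cache_effective_group (which makes Squid run with
# that single group instead of the effective user's supplementary groups).

# Return 0 if CONF (arg 1) contains an active, uncommented cache_effective_group line.
conf_has_effective_group() {
    grep -Eq '^[[:space:]]*cache_effective_group[[:space:]]' "$1"
}

# Print the group owner of a directory (ls rather than the GNU-only "stat -c").
socket_dir_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Return 0 if USER (arg 1) has GROUP (arg 2) among its primary or supplementary groups.
user_in_group() {
    groups=$(id -Gn "$1" 2>/dev/null) || return 1
    for g in $groups; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Combine the checks: print a diagnosis and return 0 only if the socket is reachable.
check_winbind_access() {
    conf=$1; dir=$2; user=$3; rc=0
    if conf_has_effective_group "$conf"; then
        echo "FAIL: $conf sets cache_effective_group; remove it so $user keeps its supplementary groups"
        rc=1
    fi
    grp=$(socket_dir_group "$dir")
    if [ -n "$grp" ] && user_in_group "$user" "$grp"; then
        echo "OK: $user is in group $grp, which owns $dir"
    else
        echo "FAIL: $user is not in group '$grp' owning $dir; fix with: usermod -a -G $grp $user"
        rc=1
    fi
    return $rc
}

# On the proxy itself, run with the page's paths:
#   sh winbind_check.sh /etc/squid/squid.conf /var/cache/samba/winbindd_privileged squid
if [ $# -eq 3 ]; then
    check_winbind_access "$1" "$2" "$3"
fi
```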

CategoryConfigExample

ConfigExamples/Authenticate/NtlmCentOS5 (last edited 2010-06-18 20:18:37 by JosephCasale)

Contents are their respective authors, licensed under the Creative Commons Attribution Sharealike 2.5 License.

Note: edit MYGROUP in the file /etc/samba/smb.conf.