NtlmCentOS5
squid-cache wiki
Prerequisites
Network Time Protocol (NTP)
In order for Kerberos to function, the clock on this server must stay synchronised with your
Active Directory PDC Emulator (Kerberos rejects tickets whose timestamps are too far out;
Active Directory allows five minutes of skew by default). Check whether the ntp client is
installed:
# rpm -qa ntp
Edit /etc/ntp.conf, comment out every line that begins with server, and add a single one that
points to your Active Directory PDC Emulator:
# vi /etc/ntp.conf
server pdce.example.local
Then set the daemon to start automatically at boot and start it:
# chkconfig ntpd on
# service ntpd start
Squid
Squid is available in the Base repo, check if it's installed:
# rpm -qa squid
Configure Kerberos
To enable Active Directory Group and User enumeration by the helper, we join the CentOS
server to Active Directory. You can use authconfig to configure Samba and Winbind and perform
the join in one step (the join itself is done over Kerberos, which is why the time
synchronisation above matters). While applying the update, authconfig restarts Winbind, so
expect output like:
[FAILED]
[ OK ]
If Winbind wasn't running before this, the shutdown step fails, but authconfig then starts it
and enables it to start at boot.
The default permissions for /var/cache/samba/winbindd_privileged in RHEL/CentOS 5.4 were
750 root:squid, which worked by default, but are 750 root:wbpriv in 5.5, which does not
allow the user Squid runs under to reach the privileged winbindd socket. Make sure squid.conf
does not define cache_effective_group, and add wbpriv as a supplementary group to the user
Squid runs under:
# usermod -a -G wbpriv squid
Restart Squid afterwards so that it, and the helpers it spawns, pick up the new group
membership.
You can test Active Directory Group and User enumeration by viewing the output of wbinfo:
# wbinfo -u
# wbinfo -g
If both commands list your Active Directory Users and Groups, the join and Winbind are working.
Configuring Squid
An Active Directory Group controls who gets access to the proxy: the helper's
--require-membership-of option rejects any authenticated user who is not a member. Check the
man page for ntlm_auth for the other options.
Edit your /etc/squid/squid.conf to enable the helper and adjust our_networks accordingly. The
auth_param ntlm program line must be a single line in squid.conf, and the separator between
domain and group (EXAMPLE+ADGROUP) must match the winbind separator that authconfig wrote to
smb.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/24 192.168.1.0/24
acl ntlm proxy_auth REQUIRED
http_access allow our_networks ntlm
Note the src type on the our_networks acl; an acl line without a type is invalid. The allow
rule requires both a source address inside our_networks and a successful authentication, so a
client outside those networks is denied even with valid credentials. This is not an inclusive
set of parameters for Squid to function, but it is what is required for the authentication
portion.
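The checks below are an added example for this page, not code from the squid-cache wiki or from the Samba or Squid projects. They verify, offline and without root, the three conditions the page says must hold before ntlm_auth works under Squid: a single NTP server line naming the PDC Emulator, the Squid user able to reach winbindd_privileged, and a squid.conf without cache_effective_group but with the NTLM helper and a proxy_auth acl. The host name pdce.example.local, the wbpriv group and the squid user are taken from the page's own examples; the files that demo() creates in a temporary directory are constructed input, so on a live host you would point the functions at /etc/ntp.conf, /etc/squid/squid.conf and the real stat and id output instead.

```shell
#!/bin/sh
# Added example for this page; not from the squid-cache wiki or the Samba/Squid projects.
# Offline checks for what the page says must be true before ntlm_auth works under Squid.
# Host names, the wbpriv group and the paths used in demo() are assumptions taken from
# the page's examples.

# 1. /etc/ntp.conf: exactly one active "server" line, and it names the PDC emulator.
#    $1 = path to ntp.conf, $2 = expected PDC emulator host name.
check_ntp_conf() {
    active=$(awk '/^[ \t]*server[ \t]/ { print $2 }' "$1")
    [ "$active" = "$2" ]    # empty (no server) or multi-line (several) both fail
}

# 2. winbindd_privileged must be reachable by the squid user: the group needs r-x on the
#    directory and squid must belong to the owning group (root:squid on 5.4, root:wbpriv
#    on 5.5). Inputs are what these commands print on the host, so nothing needs root:
#      stat -c '%a %G' /var/cache/samba/winbindd_privileged   -> e.g. "750 wbpriv"
#      id -Gn squid                                           -> e.g. "squid wbpriv"
#    $1 = octal mode, $2 = owning group, $3 = squid's group list.
check_winbind_dir() {
    mode=$1 owner_group=$2 squid_groups=$3
    rest=${mode%?}                        # drop the "other" digit of e.g. 750
    group_bits=${rest#"${rest%?}"}        # the last remaining digit is the group digit
    case $group_bits in
        5|7) ;;                           # r-x or rwx for the group
        *)   return 1 ;;
    esac
    for g in $squid_groups; do
        [ "$g" = "$owner_group" ] && return 0
    done
    return 1
}

# 3. squid.conf: no cache_effective_group (the page says to leave it unset so the wbpriv
#    supplementary group is kept), ntlm_auth in squid-2.5-ntlmssp mode, and an acl that
#    actually requires authentication. $1 = path to squid.conf.
check_squid_conf() {
    conf=$1
    ! grep -Eq '^[[:space:]]*cache_effective_group' "$conf" || return 1
    grep -Eq '^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]+program[[:space:]]+[^[:space:]]*ntlm_auth[[:space:]].*--helper-protocol=squid-2\.5-ntlmssp' "$conf" || return 1
    grep -Eq '^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+proxy_auth[[:space:]]+REQUIRED' "$conf"
}

# Demo on constructed files: the 5.5 default (squid not in wbpriv) next to the fixed state.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#server 0.centos.pool.ntp.org\nserver pdce.example.local\n' > "$tmp/ntp.conf"
    cat > "$tmp/squid.conf" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/24 192.168.1.0/24
acl ntlm proxy_auth REQUIRED
http_access allow our_networks ntlm
EOF
    check_ntp_conf "$tmp/ntp.conf" pdce.example.local && echo "ntp.conf: ok"
    check_winbind_dir 750 wbpriv "squid" || echo "winbind dir: squid not in wbpriv (5.5 default), run: usermod -a -G wbpriv squid"
    check_winbind_dir 750 wbpriv "squid wbpriv" && echo "winbind dir: ok once squid is in wbpriv"
    check_squid_conf "$tmp/squid.conf" && echo "squid.conf: ok"
    rm -rf "$tmp"
}
demo
```

The functions only inspect text you feed them, so they can be run on a workstation against copies of the files from the proxy; the group check deliberately takes the stat and id output as arguments rather than calling them, since the directory is not readable by an unprivileged user on the proxy itself.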
Notes
Current versions of Firefox are capable of NTLM authentication, so you need not enable basic
authentication. If you do add a basic scheme for clients that cannot do NTLM, remember that it
sends the user's password to the proxy in clear text.
You need not install the full Samba package, nor have smbd and nmbd running, for
authentication to take place; winbindd and the ntlm_auth helper are enough.
CategoryConfigExample