On Tue, 2006-03-07 at 17:27 +0000, Gary Mansell wrote:
> I need to set up a Web/FTP proxy server for our site of 700 or so Windows
> users. Most of the client machines will be Windows boxes and so I will
> need to authenticate the users (transparently) against our Windows NT4
> PDC.
>
> From what I have read, I will need to configure winbindd, samba and
> squid but I could not find a definitive guide for what I would guess is
> a fairly common procedure.

Well, it turns out it isn't quite as simple as you might think. It requires a number of bits working together and configured just so. I have this working and in use right now by a few clients, except they are authenticating against a Samba PDC instead of an NT 4 PDC. In theory, though, it should be similar.

I do not believe that NTLM auth will work with a transparent proxy, but this solution will allow the Windows stations to transparently perform NTLM auth with IE or recent Firefoxes.

Unfortunately, I don't have any type of write-up or How-To at this time, though I wouldn't be opposed to putting one together if there is interest and I can find the time.

Basically, here are the pieces you need to look at:

0) If you are using SELinux in enforcing mode I would suggest, at least temporarily, switching it to Permissive mode, or make sure you watch your SELinux access denied messages very carefully. If the SELinux labeling isn't just right you can have problems which might cause it to not work in mysterious ways. The standard policy will work, but just ensure the labeling is correct and watch the logs.

1) Install Samba on your proxy server, even if you aren't serving files. You need to set up winbindd and Samba to the point where you get these results:

    # ntlm_auth --username=VALIDUSER
    password:
    NT_STATUS_OK: Success (0x0)

If it just returns to the command prompt without doing anything then you are probably hitting an SELinux problem.

You will need to join your Samba system to your domain for this to work. See the 'net' command. You will need something like 'net rpc join' and then, to test, 'net rpc testjoin'.

I think you can run winbind in 'netlogon proxy only mode' and this will work (no idmap parameters needed in smb.conf). I am running that way, but I don't know if the PDC being on NT4 will matter or not.

2) Set up Squid to use NTLM authentication. Add the following lines to /etc/squid/squid.conf:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes

(some you might want to eventually adjust to suit, such as "children")

Make sure they come before any auth_param basic lines. Squid will try each authentication method in the order it is listed in the conf file. If basic is first it will never make it to NTLM auth.

Always restart Squid (not just reload the conf) after changing auth_param lines.

3) Make Squid perform an authentication check using Squid ACLs; this will verify that the user is a valid user:

    acl validuser proxy_auth REQUIRED

and then, somewhere before your http_access line which allows them access to the Internet, do:

    http_access allow validuser

This will force Squid to perform an NTLM auth with the browser if it makes it to this http_access rule.

That is the rapid summary :). Fortunately, RHEL 4 comes with everything you need to make this work out of the box.

Note: I've found that it is wise to put ACLs in Squid before any proxy authentication happens to allow automated things that go out on the Internet such as Windows updates, virus updates, etc.

Needless to say, it helps greatly to have more than a passing familiarity with Samba and Squid configurations :)

Also, I've had varied successes and failures with FTP via the proxy depending on the FTP client. But with HTTP it works like a charm.

If you are currently using transparent proxying (not to be confused with transparent authentication) you will probably have to switch to static proxy configuration or using proxy auto-configuration with .pac/wpad.dat files (which is what we use).

> I would also be interested to hear any recommendations for Web
> Spyware/Virus/Ad filtering software that would work in conjunction with
> the Squid server.

We use F-Secure's Internet Gatekeeper for Linux (FSIGK) product. I have been fairly happy with their product and very happy with their technical support. Disclaimer: We were happy enough with it that we became F-Secure resellers.

http://www.f-secure.com/products/fsigkl/

I have FSIGK listening on port 9080 on the Squid proxy machine and then use the following Squid lines:

    # This tells Squid to use FSIGK as its parent cache
    cache_peer localhost parent 9080 0 no-query default
    # This tells Squid to force all accesses via parent caches
    never_direct allow all

You can also add some 'always_direct' lines before the never_direct line to allow certain things through without scanning (such as software updates from "trusted" sources, etc.).

I'm sure you could use something similar to the above lines to hook Squid into any HTTP proxy capable virus scanning product. I think ClamAV http://www.clamav.net/ might have something similar you could set up.

If you have any questions go ahead and ask, I'll try to answer them if I can.

Hope that helps,

Sean

--
Sean E. Millichamp, Enertron LLC, 586-757-1200 x102