Re: How to configure a Squid Proxy server that authorises against an Windows NT4 PDC
- From: "Gary Mansell" <Gary Mansell ricardo com>
- To: <nahant-list redhat com>
- Cc:
- Subject: Re: How to configure a Squid Proxy server that authorises against an Windows NT4 PDC
- Date: Thu, 09 Mar 2006 12:01:58 +0000
I have successfully installed and configured squid and it authenticates against our NT4 PDC OK.
Here are the notes that I made, in case anyone needs to do the same.
Perform minimal configuration of the machine and turn off any un-needed services.
Create a minimal samba configuration file – /etc/samba/smb.conf
[global]
workgroup = shoreham
password server = largo
security = domain
wins server = 172.30.24.1 172.30.24.2
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind separator = +
Populate the hosts file - /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 squidsrv localhost.localdomain localhost
172.30.50.253 dfgsrv
172.30.24.2 largo
172.30.10.6 mailhost
Start Samba:
chkconfig smb on
service smb start
Start winbind:
chkconfig winbind on
service winbind start
Join the NT4 Domain:
net rpc join -S largo -U Administrator
Test the domain join:
net rpc testjoin
Test both NTLM and Basic Authentication:
wbinfo -a <domain>+<username>%<password>
Response should be:
plaintext password authentication succeeded
challenge/response password authentication succeeded
Configure a root cron job to refresh the secret key every day
0 4 * * * net rpc changetrustpw > /dev/null 2>&1
Configure the DNS servers to be correct for the Internet Connection
# /etc/resolv.conf
nameserver 62.6.40.162
nameserver 62.6.40.178
Make the following changes from the defaults in the squid configuration file (/etc/squid/squid.conf):
icp_port 0
cache_mem 64 MB
maximum_object_size 8192 KB
maximum_object_size_in_memory 32 KB
cache_dir ufs /var/spool/squid 10000 32 512
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
acl purge method PURGE
acl validuser proxy_auth REQUIRED
# Obtain regex format list of adservers from: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=squid-dstdom-regex
acl blockads dstdom_regex -i "/etc/squid/adservers.list.regex"
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
http_access deny to_localhost
# Block Adverts
http_access deny blockads
# Allow authenticated users
http_access allow validuser
cache_mgr tct-it ricardo com
visible_hostname squidsrv
Download the adservers list from the following link on the Internet: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=squid-dstdom-regex and save it as /etc/squid/adservers.list.regex
Download the sarg reporting utility from http://dag.wieers.com/packages/sarg and install it
rpm -ivh sarg-1.4.1-5.2.el4.rf.i386.rpm
Turn on the apache webserver
chkconfig httpd on
service httpd start
Create a onetime report by running sarg (daily, weekly and monthly reports will be automatically created)
sarg
View the onetime report by viewing the report on the localhost using a web-browser:
firefox /var/www/sarg/ONE-SHOT/index.html
AntiVirus/Trojan & Spam filtering can be configured using ClamAV if necessary
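Squid evaluates http_access rules top to bottom and stops at the first match, so whether the NTLM/Basic login above is really enforced depends on rule order. The script below is an added example, not part of the original post: it lists every allow rule that names no proxy_auth ACL and shows the final rule, which should be the stock "http_access deny all" because Squid applies the opposite of the last rule when nothing matches. The function names, the "lan" ACL and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit squid.conf http_access rules.

# Print "LINE: rule" for each "http_access allow" rule that names no ACL of
# type proxy_auth, i.e. a rule that can pass a request without a login.
# A negated ACL such as "!validuser" does not count as requiring a login.
unauth_allows() {
    awk '{ sub(/#.*/, ""); $1 = $1 }      # drop comments, normalise spacing
         $1 == "acl" && $3 == "proxy_auth" { auth[$2] = 1 }
         $1 == "http_access" && $2 == "allow" {
             ok = 0
             for (i = 3; i <= NF; i++) if ($i in auth) ok = 1
             if (!ok) print NR ": " $0
         }' "$1"
}

# Print the last http_access rule in the file.
last_rule() {
    awk '{ sub(/#.*/, ""); $1 = $1 }
         $1 == "http_access" { r = $0 }
         END { print r }' "$1"
}

# Constructed sample: the ACLs from the post, the stock "all" and "localhost"
# ACLs, and one deliberately misplaced rule (line 8).
write_sample() {
    cat > "$1" <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl purge method PURGE
acl validuser proxy_auth REQUIRED
acl lan src 172.30.0.0/16
http_access allow purge localhost
http_access deny purge
http_access allow lan        # constructed mistake: matches before the login
http_access allow validuser
http_access deny all
EOF
}

conf=$(mktemp)
write_sample "$conf"
echo "Allow rules that do not require authentication:"
unauth_allows "$conf"
echo "Last rule: $(last_rule "$conf")"
rm -f "$conf"
```

The purge rule on line 6 is reported as well; it is limited to PURGE requests from localhost, so it is a rule to review rather than a fault.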