Winbind NTLM Authentication configuration for squid and apache Source

July 2, 2010 Markdown source

1---
2title: 'Winbind NTLM Authentication configuration for squid and apache'
3date: '2010-07-02'
4published_at: '2010-07-02T13:10:00.008+10:00'
5tags: ['apache', 'ntlm', 'samba', 'squid', 'sysadmin', 'winbind', 'windows']
6author: 'Gavin Jackson'
7excerpt: 'Introduction We want squid and apache (running on SLES 11) to use Microsoft Active Directory NTLM authentication. This means that users who have logged into our windows domain will not have to enter t...'
8updated_at: '2010-07-02T17:13:26.617+10:00'
9legacy_url: 'http://www.gavinj.net/2010/07/winbind-ntlm-authentication.html'
10---
11
12[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvAYzhkQ5_PZKehC3YyL9h73fPvPGQKmBbikPajlCmYuf62-EHV6biyLzSKwbGsETRs9YkCqu5z3_BI-qonJ6swNWsejBFz6Vw0_2MnkelkXCBCvcZCWPUWKrITZlBCz4WmfVgUjlM6ZE/s400/SquarePegRoundHole.jpg)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvAYzhkQ5_PZKehC3YyL9h73fPvPGQKmBbikPajlCmYuf62-EHV6biyLzSKwbGsETRs9YkCqu5z3_BI-qonJ6swNWsejBFz6Vw0_2MnkelkXCBCvcZCWPUWKrITZlBCz4WmfVgUjlM6ZE/s1600/SquarePegRoundHole.jpg)
13
14Introduction We want squid and apache (running on SLES 11) to use Microsoft Active Directory NTLM authentication. This means that users who have logged into our windows domain will not have to enter their user credentials to use these services. Package installation
15
16Install the following packages:
17
18```
19samba
20samba-winbind
21apache2-mod_auth_ntlm_winbind (for apache)
22```
23
24Samba Configuration Samba configuration (/etc/samba/smb.conf):
25
26```
27[global]
28workgroup = LESMILLS
29passdb backend = tdbsam
30security = ADS
31realm = lesmills.net.au
32password server = fs.lesmills.net.au
33encrypt passwords = yes
34winbind separator = \\
35idmap uid = 10000-20000
36idmap gid = 10000-20000
37winbind enum users = yes
38winbind enum groups = yes
39winbind use default domain = yes
40template shell = /bin/false
41template homedir = /home/winnt/%U
42allow trusted domains = no
43```
44
45Next, you need to bind the Linux host to the windows domain:
46
47```
48root#  net ads join -U Administrator%password
49```
50
51Modify /etc/nsswitch add the following line:
52
53```
54passwd: files winbind
55```
56
57Restart winbind and samba and you should be able to run getent passwd (you should see the AD users come back). Before modifying squid and/or apache you can test that ntlm_auth is working by typing:
58
59```
60/usr/bin/ntlm_auth --username gavinj --domain=lesmills.net.au
61
62password:
63NT_STATUS_OK: Success (0x0)
64```
65
66This is a good sign that the system can talk to your AD server. Squid Add the following lines to your /etc/squid/squid.conf:
67
68```
69auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=lesmills.net.au
70auth_param ntlm children 5
71auth_param ntlm keep_alive on
72```
73
74Apache
75
76```
77zypper install pam_smb
78setfacl -m u:wwwrun:rx /var/lib/samba/winbindd_privileged
79a2enmod auth_ntlm_winbind
80rcapache2 restart
81```
82
83Add the following directives to your Directory entry:
84
85```
86AuthName "NTLM Authentication thingy"
87NTLMAuth on
88NTLMAuthHelper "/usr/bin/ntlm_auth --domain=lesmills.net.au --helper-protocol=squid-2.5-ntlmssp"
89NTLMBasicAuthoritative on
90AuthType NTLM
91require valid-user
92```
93
94Note, to check that a user belongs to a specific AD group, you can use the following entry (it took me an hour to figure out the correct DOMAIN\\\GROUP syntax).
95
96```
97AuthName "NTLM Authentication thingy"
98NTLMAuth on
99NTLMAuthHelper "/usr/bin/ntlm_auth --domain=lesmills.net.au --require-membership-of=LESMILLS\\\IT --helper-protocol=squid-2.5-ntlmssp"
100NTLMBasicAuthoritative on
101AuthType NTLM
102require valid-user
103```
104
105Browser Testing This technique works over http under IE8 and Firefox 3.6.3 on Windows 2008 (Terminal Server). This technique does not work over https under IE 8 (get a 500 server error). It does however seem to work fine in Firefox 3.6.3.
106
107To white list ntlm servers in recent versions of Firefox (so that it doesn't ask for a username and password), you need to use about:config and edit the network.automatic-ntlm-auth.trusted-uris option (enter your webserver name). References
108
109- [http://en.wikipedia.org/wiki/NTLM](http://en.wikipedia.org/wiki/NTLM)
110- [http://blog.netnerds.net/2009/10/enable-windows-ntlm-pass-through-authentication-in-linux-based-apache/](http://blog.netnerds.net/2009/10/enable-windows-ntlm-pass-through-authentication-in-linux-based-apache/)
111- [ http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member ](http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member)
112
113
114

---
title: 'Winbind NTLM Authentication configuration for squid and apache'
date: '2010-07-02'
published_at: '2010-07-02T13:10:00.008+10:00'
tags: ['apache', 'ntlm', 'samba', 'squid', 'sysadmin', 'winbind', 'windows']
author: 'Gavin Jackson'
excerpt: 'Introduction We want squid and apache (running on SLES 11) to use Microsoft Active Directory NTLM authentication. This means that users who have logged into our windows domain will not have to enter t...'
updated_at: '2010-07-02T17:13:26.617+10:00'
legacy_url: 'http://www.gavinj.net/2010/07/winbind-ntlm-authentication.html'
---

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvAYzhkQ5_PZKehC3YyL9h73fPvPGQKmBbikPajlCmYuf62-EHV6biyLzSKwbGsETRs9YkCqu5z3_BI-qonJ6swNWsejBFz6Vw0_2MnkelkXCBCvcZCWPUWKrITZlBCz4WmfVgUjlM6ZE/s400/SquarePegRoundHole.jpg)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvAYzhkQ5_PZKehC3YyL9h73fPvPGQKmBbikPajlCmYuf62-EHV6biyLzSKwbGsETRs9YkCqu5z3_BI-qonJ6swNWsejBFz6Vw0_2MnkelkXCBCvcZCWPUWKrITZlBCz4WmfVgUjlM6ZE/s1600/SquarePegRoundHole.jpg)

Introduction We want squid and apache (running on SLES 11) to use Microsoft Active Directory NTLM authentication. This means that users who have logged into our windows domain will not have to enter their user credentials to use these services. Package installation

Install the following packages:

```
samba
samba-winbind
apache2-mod_auth_ntlm_winbind (for apache)
```

Samba Configuration Samba configuration (/etc/samba/smb.conf):

```
[global]
workgroup = LESMILLS
passdb backend = tdbsam
security = ADS
realm = lesmills.net.au
password server = fs.lesmills.net.au
encrypt passwords = yes
winbind separator = \\
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template shell = /bin/false
template homedir = /home/winnt/%U
allow trusted domains = no
```

Next, you need to bind the Linux host to the windows domain:

```
root#  net ads join -U Administrator%password
```

Modify /etc/nsswitch add the following line:

```
passwd: files winbind
```

Restart winbind and samba and you should be able to run getent passwd (you should see the AD users come back). Before modifying squid and/or apache you can test that ntlm_auth is working by typing:

```
/usr/bin/ntlm_auth --username gavinj --domain=lesmills.net.au

password:
NT_STATUS_OK: Success (0x0)
```

This is a good sign that the system can talk to your AD server. Squid Add the following lines to your /etc/squid/squid.conf:

```
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=lesmills.net.au
auth_param ntlm children 5
auth_param ntlm keep_alive on
```

Apache

```
zypper install pam_smb
setfacl -m u:wwwrun:rx /var/lib/samba/winbindd_privileged
a2enmod auth_ntlm_winbind
rcapache2 restart
```

Add the following directives to your Directory entry:

```
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --domain=lesmills.net.au --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
```

Note, to check that a user belongs to a specific AD group, you can use the following entry (it took me an hour to figure out the correct DOMAIN\\\GROUP syntax).

```
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --domain=lesmills.net.au --require-membership-of=LESMILLS\\\IT --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
```

Browser Testing This technique works over http under IE8 and Firefox 3.6.3 on Windows 2008 (Terminal Server). This technique does not work over https under IE 8 (get a 500 server error). It does however seem to work fine in Firefox 3.6.3.

To white list ntlm servers in recent versions of Firefox (so that it doesn't ask for a username and password), you need to use about:config and edit the network.automatic-ntlm-auth.trusted-uris option (enter your webserver name). References

- [http://en.wikipedia.org/wiki/NTLM](http://en.wikipedia.org/wiki/NTLM)
- [http://blog.netnerds.net/2009/10/enable-windows-ntlm-pass-through-authentication-in-linux-based-apache/](http://blog.netnerds.net/2009/10/enable-windows-ntlm-pass-through-authentication-in-linux-based-apache/)
- [ http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member ](http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member)