How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch

 
Submitted by archerjd (Contact Author) (Forums) on Wed, 2008-07-16 18:21. :: Debian | Samba | Security | Storage


This how-to describes how to install and configure Dansguardian with multi-group filtering, Squid with NTLM auth, ipmasq, and dnsmasq to provide a full internet gateway solution for small to medium-sized networks. It requires two NICs in order to perform firewalling and transparent proxying.

Install Debian Etch with the base system only.

 

Configure the base system

This how-to assumes you have the following configured:

eth0 as the external NIC with a static or dynamic IP, and eth1 as the internal NIC with the static address 192.168.1.1/24.

The base system install does not include SSH, so we install it now.

apt-get install ssh openssh-server

Now that SSH is installed you can finish the rest of this how-to from within an SSH session if you wish.

ClamAV in Etch has a bug that makes Dansguardian take a long time to start. We will configure Apt to get a newer version of ClamAV from Debian Backports to avoid this.

Edit /etc/apt/sources.list and add the following lines:

deb http://download.webmin.com/download/repository sarge contrib
deb http://www.backports.org/debian etch-backports main contrib non-free

Adding the following to /etc/apt/preferences tells Apt to get the ClamAV packages only from backports.org.
Note: If a version of ClamAV newer than 0.91.2 that fixes the bug is released for Etch, you may not have to perform this step.

Edit /etc/apt/preferences and enter the following:

Package: clamav
Pin: release a=etch-backports
Pin-Priority: 999

Package: clamav-base
Pin: release a=etch-backports
Pin-Priority: 999

Package: clamav-freshclam
Pin: release a=etch-backports
Pin-Priority: 999

Package: libclamav2
Pin: release a=etch-backports
Pin-Priority: 999
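Apt reads /etc/apt/preferences as records separated by blank lines, so four pin stanzas written back to back are not four pins. The following shell script is an added example (it is not part of the original how-to) that writes the ClamAV records in that format and counts how many usable records a preferences file contains, so a mis-separated file is caught before running apt-get. The package names and release are the ones from the how-to.

```shell
#!/bin/sh
# Added example (not part of the original how-to): emit apt pinning records
# as blank-line separated stanzas and verify a preferences file contains
# the expected number of usable records.

# apt_pin_records RELEASE PRIORITY PACKAGE...
# Print one "Package/Pin/Pin-Priority" record per package, separated by
# exactly one blank line.
apt_pin_records() {
    rel=$1
    prio=$2
    shift 2
    first=1
    for pkg in "$@"; do
        [ "$first" -eq 1 ] || printf '\n'    # blank line between records
        first=0
        printf 'Package: %s\nPin: release a=%s\nPin-Priority: %s\n' "$pkg" "$rel" "$prio"
    done
}

# count_pin_records FILE
# Print the number of records carrying exactly one Package, one Pin and one
# Pin-Priority field. Stanzas that run together without a blank line form a
# single record with duplicate fields and are therefore not counted.
count_pin_records() {
    awk '
        function flush() {
            if (pkg == 1 && pin == 1 && prio == 1) n++
            pkg = 0; pin = 0; prio = 0
        }
        /^[ \t]*$/        { flush(); next }
        /^Package:/       { pkg++ }
        /^Pin:/           { pin++ }
        /^Pin-Priority:/  { prio++ }
        END               { flush(); print n + 0 }
    ' "$1"
}

# Demo: write the four ClamAV records to a temporary file and check them.
demo_pin_file=$(mktemp)
apt_pin_records etch-backports 999 clamav clamav-base clamav-freshclam libclamav2 > "$demo_pin_file"
echo "usable records: $(count_pin_records "$demo_pin_file")"   # 4
rm -f "$demo_pin_file"
```

To use it for real, redirect apt_pin_records into /etc/apt/preferences and run apt-cache policy clamav; the etch-backports version should be listed as the candidate with priority 999.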

Update Apt, install some software, and configure Kerberos...

apt-get update
apt-get install debian-backports-keyring
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate

You will be asked the following questions:

Note: The answers to these questions are case sensitive. You must answer them as in the example below.

Please specify the workgroup you want this server to appear to be in when queried by clients. <-- EXAMPLEDOMAIN

Modify smb.conf to use WINS settings from DHCP? <-- No

Kerberos servers for your realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL

Administrative server for your Kerberos realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL

dpkg-reconfigure krb5-config

You will be asked some more questions:

Default Kerberos version 5 realm: <-- EXAMPLEDOMAIN.LOCAL

Does DNS contain pointers to your realm's Kerberos Servers? <-- Yes

 

Configure resolvconf and dnsmasq

Many internet connections are dynamic, and Kerberos can fail when pppd or DHCP updates the DNS servers. resolvconf, which we installed earlier, helps solve this problem.

Edit /etc/resolvconf/resolv.conf.d/head and add search exampledomain.local on line 3.

dnsmasq is a small DNS forwarder and DHCP server that integrates with resolvconf.

Verify that the right name servers are listed in /var/run/dnsmasq/resolv.conf; edit it to look like the example below.

nameserver <IP of domain controller>
nameserver <IP of primary ISP DNS server>
nameserver <IP of secondary ISP DNS server>

dnsmasq's config file needs to be modified for best performance and security. Edit /etc/dnsmasq.conf and make the necessary changes listed below.

nano -c /etc/dnsmasq.conf

Uncomment lines 14 and 16
Uncomment line 71 and add eth0 to the end of the line.

Currently dnsmasq's DHCP feature is disabled, but if you would like to use it, start at line 100, where the DHCP options begin. There are also some advanced DNS options starting on line 307, such as configuring MX records. Many more options are available but are beyond the scope of this how-to.

 

Set the domain controller as the time server

nano -c /etc/ntp.conf

Comment out lines 19 through 22 of /etc/ntp.conf and insert the following on line 23:

server domaincontroller.exampledomain.local iburst

 

Configure Samba and join the domain

First make a copy of your /etc/samba/smb.conf and then edit it.

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
nano -c /etc/samba/smb.conf

On line 53 enter interfaces = 192.168.1.1/255.255.255.0.
Uncomment line 59.
Uncomment line 91 and change to security = ads.
Uncomment lines 204 and 205.
Add the following lines before line 217:

winbind trusted domains only = yes
realm = EXAMPLEDOMAIN.LOCAL
winbind cache time = 3600
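The dnsmasq, ntp and smb.conf edits above are all given by line number, which only holds for the Etch packages. The following shell script is an added example (not code from the original how-to) that makes the same kind of edits by option name instead, so they can be checked on any version of the files. The option names it uses for the dnsmasq and smb.conf lines (domain-needed, bogus-priv, except-interface, bind interfaces only) are my reading of what the how-to's line numbers point at, not names the how-to gives; check them against your own files. It runs on constructed stand-in files, never on /etc.

```shell
#!/bin/sh
# Added example (not part of the original how-to): apply configuration edits
# by option name rather than by line number. The dnsmasq and smb.conf option
# names used in demo() are assumptions about what the how-to's line numbers
# refer to; the sample file contents are constructed, not Etch's real files.

# set_option FILE KEY VALUE SEP
# Replace the first line whose option name is KEY, whether active or commented
# out with '#' or ';', by "KEY<SEP>VALUE" (just "KEY" when VALUE is empty, for
# dnsmasq-style flags). If KEY is absent the line is appended, so for smb.conf
# only use it on keys that already appear in [global].
set_option() {
    so_file=$1; so_key=$2; so_value=$3; so_sep=$4
    so_tmp=$(mktemp)
    awk -v key="$so_key" -v value="$so_value" -v sep="$so_sep" '
        function newline() { return (value == "") ? key : (key sep value) }
        {
            name = $0
            sub(/^[ \t]*[#;]?[ \t]*/, "", name)   # drop indent and comment marker
            sub(/[ \t]*=.*$/, "", name)          # keep only the option name
            if (!done && name == key) { print newline(); done = 1; next }
            print
        }
        END { if (!done) print newline() }
    ' "$so_file" > "$so_tmp" && mv "$so_tmp" "$so_file"
}

# comment_lines FILE REGEX
# Prefix '#' to every active (not already commented) line matching REGEX.
comment_lines() {
    cl_file=$1; cl_re=$2
    cl_tmp=$(mktemp)
    awk -v re="$cl_re" '
        $0 !~ /^[ \t]*[#;]/ && $0 ~ re { print "#" $0; next }
        { print }
    ' "$cl_file" > "$cl_tmp" && mv "$cl_tmp" "$cl_file"
}

# demo: run the edits on constructed stand-ins for the three files and
# return 0 when every expected line is present.
demo() {
    d=$(mktemp -d)
    printf '#domain-needed\n#bogus-priv\n#except-interface=\n' > "$d/dnsmasq.conf"
    printf 'server 0.debian.pool.ntp.org iburst\nserver 1.debian.pool.ntp.org iburst\n' > "$d/ntp.conf"
    printf '[global]\n;   interfaces = 127.0.0.0/8 eth0\n;   bind interfaces only = true\n#   security = user\n' > "$d/smb.conf"

    # dnsmasq: only forward qualified names, keep private reverse lookups
    # local, and never listen on the external NIC (assumed option names)
    set_option "$d/dnsmasq.conf" domain-needed "" "="
    set_option "$d/dnsmasq.conf" bogus-priv "" "="
    set_option "$d/dnsmasq.conf" except-interface eth0 "="
    # ntp: replace the pool servers with the domain controller
    comment_lines "$d/ntp.conf" '^server '
    printf 'server domaincontroller.exampledomain.local iburst\n' >> "$d/ntp.conf"
    # smb.conf: bind Samba to the internal NIC only and authenticate against AD
    set_option "$d/smb.conf" interfaces '192.168.1.1/255.255.255.0' ' = '
    set_option "$d/smb.conf" 'bind interfaces only' yes ' = '
    set_option "$d/smb.conf" security ads ' = '

    rc=0
    grep -qx 'domain-needed' "$d/dnsmasq.conf" || rc=1
    grep -qx 'except-interface=eth0' "$d/dnsmasq.conf" || rc=1
    grep -qx '#server 0.debian.pool.ntp.org iburst' "$d/ntp.conf" || rc=1
    grep -qx 'server domaincontroller.exampledomain.local iburst' "$d/ntp.conf" || rc=1
    grep -qx 'interfaces = 192.168.1.1/255.255.255.0' "$d/smb.conf" || rc=1
    grep -qx 'bind interfaces only = yes' "$d/smb.conf" || rc=1
    grep -qx 'security = ads' "$d/smb.conf" || rc=1
    rm -rf "$d"
    return $rc
}

demo && echo "all edits applied by option name"
```

The replacement line loses the original indentation, which none of these three files care about; for smb.conf you can still run testparm afterwards to confirm the file parses and that interfaces, bind interfaces only and security = ads are in effect.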

Synchronize the time with the domain controller and restart Samba and winbind.

net time set -S domaincontroller
/etc/init.d/samba restart
/etc/init.d/winbind restart

Now join the domain:

net ads join -U Administrator

If all went well, the following commands should succeed.

wbinfo -t

The output should be "checking the trust secret via RPC calls succeeded".

wbinfo -u

This should list all users in the domain.

wbinfo -g

This should list all of the groups in the domain.


Submitted by Anonymous (not registered) on Tue, 2010-11-16 10:43.

absolute nonsense

etch is now defunct and the line numbers DO NOT align with those in lenny

please update tutorial for lenny debian

Submitted by Jose Perez (not registered) on Sat, 2009-08-08 17:03.

Is it possible that you specify the contents of the lines that need to be changed/uncommented and not just the line numbers?

Great guide otherwise.

Submitted by Robert (not registered) on Tue, 2010-06-08 00:05.

This is a nonsense tutorial

Just writing modify this line number that line number is nonsense

files may change between versions and the tutorial becomes useless.

While copying each modification would make the tutorial usable also with different file versions.

Kind regards

R.

Submitted by muncom, free on... (not registered) on Mon, 2009-06-22 23:25.

Hi, can you make auth from different groups to manage differential bandwidth for each group?

 

thanks in advance
