
How to Install and configure Dansguardian with NTLM auth and multi-group Filtering on Debian Etch

Submitted by archerjd (Contact Author) (Forums) on Mon, 2008-05-05 16:53. :: Debian | Samba | Other


This how-to describes how to install and configure the components, and how to get around some hurdles along the way.

Install Debian Etch with the base system only

The base system install does not include the SSH server, so we will install it now.

apt-get install ssh

Now that SSH is installed you can finish the rest of this how-to from another machine, so you can copy and paste if you like.

Add the following lines to your /etc/apt/sources.list:

deb http://download.webmin.com/download/repository sarge contrib
deb http://www.backports.org/debian etch-backports main contrib non-free

ClamAV in Etch has a bug that makes Dansguardian take a very long time to start.
To avoid it we are going to tell Apt to get a newer version of ClamAV from Debian Backports.

apt-get update
apt-get install debian-backports-keyring

Edit /etc/apt/preferences and enter the following:

Package: clamav
Pin: release a=etch-backports
Pin-Priority: 999

Package: clamav-base
Pin: release a=etch-backports
Pin-Priority: 999

Package: clamav-freshclam
Pin: release a=etch-backports
Pin-Priority: 999

Package: libclamav2
Pin: release a=etch-backports
Pin-Priority: 999

The stanzas in /etc/apt/preferences must be separated by blank lines. With priority 999 they tell Apt to prefer the backports.org versions of these four packages over the ones in Etch.
Note: If a newer version than "0.91.2" of ClamAV that fixes the bug is released for Etch, you may not need this step.

Install some software and configure Kerberos

Run the following:

apt-get update
apt-get install squid dansguardian samba winbind krb5-user -y

During the install you will be asked the following questions:

Please specify the workgroup you want this server to appear to be in when queried by clients. <-- EXAMPLEDOMAIN

Modify smb.conf to use WINS settings from DHCP? <-- No

Note: Kerberos realm names are case-sensitive, so it is imperative that you answer these questions with exactly the upper and lower case letters shown below (the realm in upper case).

Kerberos servers for your realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL

Administrative server for your Kerberos realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL

dpkg-reconfigure krb5-config

And again some more questions.

Default Kerberos version 5 realm: <-- EXAMPLEDOMAIN.LOCAL

Does DNS contain pointers to your realm's Kerberos Servers? <-- Yes

Configure Dansguardian

Edit /etc/dansguardian/dansguardian.conf and comment out line 3 (the "UNCONFIGURED" marker that keeps Dansguardian from starting until the file has been edited).

Now find filterip and set it to 127.0.0.1.
Scroll down to filterport and change 8080 to 3130, so that the relevant settings look like this, then save the file:

# you can limit it to only 1 IP.  Yes only one.
filterip = 127.0.0.1
# the port that DansGuardian listens to.
filterport = 3130
# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1
# the port DansGuardian connects to proxy on
proxyport = 3128

And restart Dansguardian.

/etc/init.d/dansguardian restart

Install and configure Webmin

Webmin makes an administrator's work a bit easier, since it gives you a GUI for most applications that run on Linux, so let's install it now.

apt-get install webmin libcompress-zlib-perl

Run ifconfig and make note of the IP address listed for eth0

ifconfig

Now open a web browser on another machine, go to https://IPRecordedEarlier:10000/ and log on as root. Because this login gives root-level control of the box, restrict who can reach it: under Webmin > Webmin Configuration > IP Access Control allow only your administration hosts.

On the left hand menu goto Webmin > Webmin Configuration > Webmin Modules
Select Third party module from, enter the URL http://internap.dl.sourceforge.net/sourceforge/dgwebminmodule/dg-0.5.10-pr5.wbm and click Install Module.

Refresh the page after the module has been installed

Configure Samba and join the domain.

First make a copy of your /etc/samba/smb.conf and then wipe it out.

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
cat /dev/null >/etc/samba/smb.conf

Now go back to Webmin - Servers - Samba Windows File Sharing and select Unix Networking under Global Configuration.

We don't want Samba listening on all interfaces, so we will restrict it to the internal one.

Under Network interfaces select Use list, enter your internal network IP address and netmask, and click Save.
Note that the resulting interfaces option on its own only tells Samba which addresses to use; smbd and nmbd still bind every interface unless bind interfaces only = yes is also set, so add that line in Edit Config File if you really want them off the external interface.
Click on Windows Networking
Click on the Workgroup radio button to specify EXAMPLEDOMAIN for the workgroup.
Under Security select Active Directory and Master browser? select No and click Save

Click Winbind Options
In Kerberos realm on domain server enter EXAMPLEDOMAIN.LOCAL
In Range of UIDs for Windows users enter 10000-20000
In Trust domain server users? click Yes
In Seconds to cache user details for change to 3600
In Range of GIDs for Windows groups enter 10000-20000 and click Save

Now click Edit Config File. It should look like this:

[global]
	idmap gid = 10000-20000
	socket options = TCP_NODELAY
	idmap uid = 10000-20000
	workgroup = EXAMPLEDOMAIN
	os level = 20
	interfaces = 192.168.0.1/255.255.255.0
	winbind trusted domains only = yes
	realm = EXAMPLEDOMAIN.LOCAL
	security = ads
	preferred master = no
	max log size = 1000
	winbind cache time = 3600

If all looks well, synchronize the clock with the domain controller (Kerberos rejects tickets when the clocks differ by more than five minutes) and then restart Samba and winbind.

net time set -S domaincontroller
/etc/init.d/samba restart
/etc/init.d/winbind restart

Now join the domain. You will be prompted for the password; any account with the right to join computers to the domain can be used in place of Administrator.

net ads join -U Administrator

If all goes well, you should be able to run the following successfully.

wbinfo -t

The output should be checking the trust secret via RPC calls succeeded

wbinfo -u

This should list all users in the domain

wbinfo -g

This should list all of the groups in the domain

Squid's ntlm_auth helper, which runs as the proxy user, needs access to /var/run/samba/winbindd_privileged, a directory winbindd creates owned by root.
We can easily fix the permissions by hand, but they are reset on every reboot,
so Jesse Waters on ubuntuforums.org posted a script that sets them on every system boot.

Create /etc/init.d/winbind-ch.sh and paste the following into it.

#!/bin/sh
# Give Squid's ntlm_auth helper (group "proxy") access to winbindd's
# privileged socket directory. winbindd resets the directory's ownership
# when it starts, so this has to run after winbind at every boot.
#set -x
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged

chmodgrp() {
    chgrp proxy "$WINBINDD_PRIVILEGED" || return 1
    # The helper only needs group read/execute on the directory, which the
    # default mode 0750 already provides; g+w is kept from the original script.
    chmod g+w "$WINBINDD_PRIVILEGED" || return 1
}

case "$1" in
start)
    chmodgrp
    ;;
stop)
    # nothing to undo
    ;;
restart|reload|force-reload)
    echo "Error: argument '$1' not supported" >&2
    exit 3
    ;;
*)
    echo "Usage: $0 start|stop" >&2
    exit 3
    ;;
esac
#EOF

Make the script executable and register it to start right after winbind (sequence 20) in the multi-user runlevels:

chmod +x /etc/init.d/winbind-ch.sh
update-rc.d winbind-ch.sh start 21 2 3 4 5 .
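The check a practitioner wants after a reboot is that the boot script actually did its job before blaming NTLM. The function below is an added example, not part of the article or of Jesse Waters' script: it verifies that a directory has the expected group and that the group can read and traverse it (winbindd creates the directory mode 0750, so changing the group is all the helper needs; the extra g+w the boot script grants is only reported as a warning). The group name "proxy" and the path are assumptions from the Debian layout used above.

```shell
#!/bin/sh
# Added example (not from the HowtoForge article): sanity-check the
# winbindd_privileged directory for Squid's ntlm_auth helper.
# The helper only needs group read/execute on the directory to connect
# to the socket inside it; group write is not required.

# check_priv_dir DIR GROUP
# exit status: 0 ok, 1 directory missing, 2 wrong group, 3 group lacks r-x
check_priv_dir() {
    dir=$1; want=$2
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist (is winbindd running?)"; return 1
    fi
    # ls -ld is POSIX: field 1 is the mode string, field 4 the group name
    set -- $(ls -ld "$dir")
    mode=$1; grp=$4
    if [ "$grp" != "$want" ]; then
        echo "FAIL: $dir is owned by group $grp, expected $want"; return 2
    fi
    # characters 5-7 of the mode string are the group bits; s means setgid+x
    case "$mode" in
        d???r?[xs]*) ;;
        *) echo "FAIL: group $grp cannot read/traverse $dir (mode $mode)"; return 3 ;;
    esac
    case "$mode" in
        d????w*) echo "WARN: $dir is group-writable; ntlm_auth only needs r-x" ;;
    esac
    echo "OK: $dir is $mode, group $grp"
    return 0
}

# On the proxy host (assumes Squid runs as group "proxy", as on Debian):
#   check_priv_dir /var/run/samba/winbindd_privileged proxy
```

Once the directory checks out, test the helper as the proxy user rather than as root, so that the permission fix itself is exercised: `su -s /bin/sh proxy -c 'ntlm_auth --username=someuser'` should print NT_STATUS_OK after prompting for the password.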

Configure the Squid Proxy Server

Make a backup of /etc/squid/squid.conf and delete the comments.

cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/squid/squid.conf.bak >/etc/squid/squid.conf

Now go back to Webmin - Servers - Squid Proxy Server and click on Ports and Networking.
Under Proxy addresses and ports enter 3128 for the port and 127.0.0.1 for the IP address.
Enter another port, 8080, with no address, and click Save. Port 3128 on the loopback is where Dansguardian hands requests to Squid; port 8080 is the one the clients will use.

Windows clients have a problem if you don't offer NTLM before Basic authentication: Internet Explorer picks the first scheme Squid advertises, and if that is Basic it sends the password merely base64-encoded, so we will configure NTLM first.
Click on Authentication Programs.

In NTLM authentication program enter /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
In Number of authentication programs enter 5 and click Save

Go back to Authentication Programs after clicking Save and enter the following...

In Basic authentication program enter /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
In Number of authentication programs enter 5
In Authentication cache time enter 2 hours
In Authentication realm enter Domain Proxy Server or what ever you want and click Save

Click on Access Control and then create a new ACL by selecting External Auth and click Create new ACL
In ACL Name enter ntlm_auth and click Save
Click on the Proxy restrictions tab and click Add proxy restriction
Select the Allow radio button and, under Match ACLs,
Scroll down and select ntlm_auth and click Save
On the far right click the move up arrow for ntlm_auth so the order of your ACLs look like the list below.

Allow 	manager localhost 	
Deny 	manager 	
Allow 	purge localhost 	
Deny 	purge 	
Deny 	!Safe_ports 	
Deny 	CONNECT !SSL_ports 	
Allow 	localhost 	
Allow 	ntlm_auth 	
Deny 	all
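Webmin writes all of the above into /etc/squid/squid.conf, and the things that matter for security (NTLM before Basic, the port denies before the authenticated allow, "deny all" last, the Dansguardian-facing port bound to loopback only, and the forwarded_for setting from the next paragraph) are easy to get out of order with a few misplaced clicks. The script below is an added example, not from the article: it embeds a constructed squid.conf mirroring the Webmin steps (Squid 2.6 directive syntax is assumed) and audits any squid.conf for those five properties.

```shell
#!/bin/sh
# Added example (not from the HowtoForge article): audit a squid.conf for
# the settings the Webmin steps above are meant to produce. Assumes Squid 2.6
# syntax. The sample config below is constructed to mirror those steps.

# write_sample_conf FILE: constructed squid.conf matching the Webmin steps
write_sample_conf() {
    cat >"$1" <<'EOF'
http_port 127.0.0.1:3128
http_port 8080
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Domain Proxy Server
auth_param basic credentialsttl 2 hours
acl ntlm_auth proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow ntlm_auth
http_access deny all
forwarded_for off
EOF
}

# first_line FILE PATTERN: line number (comments and blank lines removed)
# of the first line matching PATTERN, empty if none
first_line() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -n -- "$2" | cut -d: -f1 | head -n1
}

# squid_audit FILE [LOCALPORT]: returns 0 if every check passes, 1 otherwise,
# printing one FAIL line per problem. LOCALPORT is the port Dansguardian
# forwards to (3128 above).
squid_audit() {
    conf=$1; lport=${2:-3128}; rc=0

    # 1. NTLM must be offered before Basic: IE takes the first scheme
    #    Squid advertises, and Basic would send the password base64-encoded.
    ntlm=$(first_line "$conf" '^auth_param ntlm program')
    basic=$(first_line "$conf" '^auth_param basic program')
    if [ -z "$ntlm" ] || [ -z "$basic" ] || [ "$ntlm" -gt "$basic" ]; then
        echo "FAIL: auth_param ntlm must be declared before auth_param basic"; rc=1
    fi

    # 2. The Safe_ports deny must precede the authenticated allow, the
    #    authenticated allow must exist, and "deny all" must be the last rule
    #    (anything after it is dead).
    safe=$(first_line "$conf" '^http_access deny !Safe_ports')
    auth=$(first_line "$conf" '^http_access allow ntlm_auth')
    if [ -z "$auth" ]; then
        echo "FAIL: no 'http_access allow ntlm_auth' rule"; rc=1
    elif [ -z "$safe" ] || [ "$safe" -gt "$auth" ]; then
        echo "FAIL: 'deny !Safe_ports' must come before 'allow ntlm_auth'"; rc=1
    fi
    last=$(grep '^http_access' "$conf" | tail -n1)
    if [ "$last" != "http_access deny all" ]; then
        echo "FAIL: last http_access rule is '$last', expected 'deny all'"; rc=1
    fi

    # 3. Squid must not leak internal client addresses to upstream sites.
    grep -Eq '^forwarded_for[[:space:]]+off' "$conf" || {
        echo "FAIL: forwarded_for is not off"; rc=1; }

    # 4. The port Dansguardian forwards to must be bound to loopback only,
    #    otherwise clients can reach the unfiltered Squid directly.
    grep -Eq "^http_port[[:space:]]+127\.0\.0\.1:$lport\$" "$conf" || {
        echo "FAIL: http_port $lport is not bound to 127.0.0.1"; rc=1; }
    if grep -Eq "^http_port[[:space:]]+$lport\$" "$conf"; then
        echo "FAIL: http_port $lport is also bound on all interfaces"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf passes all checks"
    return "$rc"
}

# Usage on the proxy host:
#   squid_audit /etc/squid/squid.conf 3128
```

Run it after every Webmin save, and again after the Miscellaneous Options change below; a config that passes every check still has to be reloaded by Squid to take effect.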

One final thought. By default Squid adds an X-Forwarded-For header carrying the client's address to outgoing requests.
On an internal network this leaks your internal IP addresses to every web site you visit, so turn it off: go to Squid Proxy Server > Miscellaneous Options,
select No for X-Forwarded-For header? and click Save (this sets forwarded_for off in squid.conf).

OK, now for the final test: reboot, then point your web browser at this machine's IP address and port 8080 as its proxy.
If all goes well and the client machine is joined to the domain, it should log on automatically and connect to the internet.
Keep in mind that Internet Explorer requires you to specify domainname\username in the username dialog if NTLM fails.
If it does not work, check the logs for errors (in Webmin under System > System Logs, or directly in /var/log/squid/cache.log and /var/log/samba/).
Note that with the ports as set up here a client on port 8080 talks to Squid directly; Dansguardian, listening only on 127.0.0.1:3130, is not in that path, so nothing is filtered until Dansguardian is put into the request path (clients sent to it, or the port 8080 listener forwarded through it), which this how-to does not yet cover.


Submitted by propercc (Contact Author) (Forums) on Tue, 2008-05-06 03:35.

I overcame the "Missing file to open at main web-lib-funcs.pl" error by downloading and installing the latest version of the Dansguardian webmin module.

http://sourceforge.net/project/showfiles.php?group_id=51969

-C


Submitted by propercc (Contact Author) (Forums) on Tue, 2008-05-06 02:49.

When saving the Dansguardian config file using webmin (/etc/dansguardian/dansguardian.conf).
I receive an error: Missing file to open at main::../web-lib-funcs.pl line 2004

Any ideas?

-Chris

ProperCC Corporation
Submitted by archerjd (Contact Author) (Forums) on Wed, 2008-05-07 01:32.

Sorry, people. I didn't mean to publish this yet as it's not finished.

But if you will check back with this in a week or so I should have it complete.

Thanks for your comments,

 -Archer