How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch

This how-to describes how to install and configure Dansguardian with multi-group filtering, Squid with NTLM auth, ipmasq, and dnsmasq to provide a full internet gateway solution for small to medium sized networks. This how-to requires two NICs in order to preform firewalling and transparent proxying.

Install Debian Etch with the base system only.


Configure the base system

This how-to assumes you have the following configured:

eth0 with a static or dynamic IP as the external NIC and eth1 with the static address of as the internal NIC

The base system install does not install SSH so we will do that now.

apt-get install ssh openssh-server

Now that SSH is installed you can finish the rest of this how-to
from within an SSH session if you wish.

ClamAV in Etch has a bug in that when you start Dansguardian it takes a long time to load. We are going to set Apt to get a newer version of ClamAV from Debian Backports to avoid this.

Edit and add the following line to your /etc/apt/sources.lst:

deb sarge contrib
deb etch-backports main contrib non-free

Adding the following info in /etc/apt/preferences tells Apt to only get ClamAV from
Note: If a newer version then "0.91.2" of ClamAV comes out for Etch that fixes the bug then you may not have to preform this step.

Edit /etc/apt/preferences and enter the following:

Package: clamav
Pin: release a=etch-backports
Pin-Priority: 999
Package: clamav-base
Pin: release a=etch-backports
Pin-Priority: 999
Package: clamav-freshclam
Pin: release a=etch-backports
Pin-Priority: 999
Package: libclamav2
Pin: release a=etch-backports
Pin-Priority: 999

Update Apt, install some software, and configure Kerberos...

apt-get update
apt-get install debian-backports-keyring
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate

You will be asked the following questions:

Note: The answers to these questions are case sensitive. You must answer them as in the example below.

Please specify the workgroup you want this server to appear to be in when queried by clients. <-- EXAMPLEDOMAIN

Modify smb.conf to use WINS settings from DHCP? <-- No

Kerberos servers for your realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL

Administrative server for your Kerberos realm: <-- domaincontroller.EXAMPLEDOMAIN.LOCAL

dpkg-reconfigure krb5-config

And again some more questions.

Default Kerberos version 5 realm: <-- EXAMPLEDOMAIN.LOCAL

Does DNS contain pointers to your realm's Kerberos Servers? <-- Yes


Configure resolvconf and dnsmasq

Many internet connections are dynamic and because of this it can cause Kerberos to fail when the DNS servers are updated by pppd or dhcp. We installed resolvconf earlier which will help us solve the problem.

Edit  /etc/resolvconf/resolv.conf.d/head and add search exampledomain.local to line 3.

DNSmasq is a small dns forwarder and dhcp server which integrates into resolvconf

We need to verify that we have the right name servers in /var/run/dnsmasq/resolv.conf
Edit it to look like the example below.

nameserver <IP of domain controller>
nameserver <IP of primary ISP DNS server>
nameserver <IP of secondary ISP DNS server>

DNSmasq's config file needs to be modified for best preformance and security. Edit /etc/dnsmasq.conf make the nessisary changes listed below.

nano -c /etc/dnsmasq.conf

Uncomment lines 14 and 16
Uncomment line 71 and add eth0 to the end of the line.

Currently dnsmasq's DHCP feature is disabled but if you would like to use this feature then I would suggest starting at line 100 as the DHCP options start there. There are also some advanced options for DNS starting on line 307, such as configuring MX records and the like. Many more options are available but are beyond the scope of this how-to.


Set the domain controller as the time server

nano -c /etc/ntp.conf

Comment out lines 19 through 22 of /etc/ntp.conf and insert the following on line 23:

server domaincontroller.exampledomain.local iburst


Configure Samba and join the domain

First make a copy of your /etc/samba/smb.conf and then edit it.

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
nano -c /etc/samba/smb.conf

Enter on line 53 interfaces =
Uncomment line 59.
Uncomment line 91 and change to security = ads.
Uncomment lines 204 and 205.
Add the following lines before line 217:

winbind trusted domains only = yes
winbind cache time = 3600

Restart samba, winbind and synchronize the time with the domain controller.

net time set -S domaincontroller
/etc/init.d/samba restart
/etc/init.d/winbind restart

Now join the domain

net ads join -U Administrator

If all went well you should be able to run the following with success.

wbinfo -t

The output should be "checking the trust secret via RPC calls succeeded"

wbinfo -u

This should list all users in the domain.

wbinfo -g

This should list all of the groups in the domain.

Share this page:

4 Comment(s)