Setting up Authentication on a ClarkConnect system
DansGuardian + Squid, authenticating users against the Windows domain
You'll need to install Webmin.
Either use the web-based configuration pages, or ssh in and run:
> apt-get update
> apt-get install webmin
Remember to allow connections to TCP port 10000 for Webmin on the firewall. Open it only from the LAN side: Webmin runs as root, so it should never be reachable from the Internet.
http://yourserver:10000
It's also handy to have the DansGuardian Webmin plugin:
http://surfnet.dl.sourceforge.net/sourceforge/dgwebminmodule/dg-0.5.10pr5.wbm
Install it using the Webmin module manager:
Webmin -> Webmin Configuration -> Webmin Modules (the lego brick) -> Install Module
then point it either at a file uploaded from your machine or at the address above.
Install the LDAP Perl module under Webmin -> System -> LDAP Users and Groups.
It will report a pseudo-error about the module, but don't worry; we don't need that part of the module to work.
In Active Directory Users and Computers, add a computer account for the ClarkConnect box's WINS (NetBIOS) name and allow it to delegate (the "Trust computer for delegation" option on the account).
Then, following http://www.squid-cache.org/Doc/FAQ/FAQ-23.html:
Edit /etc/samba/smb.conf for winbindd functionality. The following entries in the [global] section of smb.conf may be used as a template:
[global]
   workgroup = mydomain
   password server = myPDC
   security = domain
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind use default domain = yes
Join the NT domain as outlined in the winbindd man page for your version of Samba (on ClarkConnect this is the "net join" command used further down).
Start nmbd (required to ensure proper operation).
Start winbindd.
Test basic winbindd functionality with "wbinfo -t":
# wbinfo -t
Secret is good
Test winbindd user authentication (note that the password typed here ends up in the shell history, so use a test account or clear the history afterwards):
# wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)
NOTE: both plaintext and challenge/response should return "succeeded". If no "challenge/response" status is returned then Samba was not built with "--with-winbind-auth-challenge" and cannot support NTLM authentication, which is the method IE will try first.
This gives you Samba connectivity to the domain.
Now to set up Squid.
The file you need to edit is /etc/squid/squid.conf.
Set up the authenticators (Samba 3.x). Add the following to enable both the winbind basic and NTLM authenticators. IE will use NTLM and everything else basic (note the hyphen in --helper-protocol; ntlm_auth does not accept --helperprotocol):
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Note: If your Samba was installed as a binary package, ntlm_auth is probably installed as /usr/bin/ntlm_auth, not /usr/local/bin/ntlm_auth. Adjust the paths above accordingly. Bear in mind that basic authentication sends the domain password base64-encoded, effectively in the clear, across the LAN to the proxy, so it is only acceptable for the non-IE clients that cannot do NTLM.
Change the acl section, as the default allows anybody on the LAN to use the proxy when you really want only authenticated users to.
Add an acl entry that requires authentication:
acl AuthorizedUsers proxy_auth REQUIRED
Put the above line at the top of the acl statements.
The line below goes where the "http_access allow all private1-3" line is, and that line must be commented out. Squid evaluates http_access rules top to bottom and stops at the first match, so an earlier allow for the LAN would let users through without ever being asked to log in:
http_access allow AuthorizedUsers
(The original "http_access allow all AuthorizedUsers" does the same thing: ACLs on one line are ANDed and "all" always matches, so the "all" is just redundant.)
Now test to make sure all the authentication is working, e.g. that you need your username/password to get through and that it's connecting to the domain.
All good?
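The misconfiguration the ACL section warns about, an "allow LAN" rule sitting above the proxy_auth rule, is easy to miss by eye in a long squid.conf. The following script is an added example, not part of the original page or of ClarkConnect, that audits the http_access ordering the way Squid evaluates it: it records every proxy_auth ACL, finds the first http_access allow rule, and reports whether that rule requires authentication and whether a final "http_access deny all" exists. The two embedded configs are constructed samples; the "lan" ACL and its address range stand in for ClarkConnect's private1-3 ACLs, which are not reproduced on this page.

```shell
#!/bin/sh
# Added example (not from the original page or ClarkConnect): audit http_access
# ordering in a squid.conf. Squid stops at the first matching http_access line,
# so an "allow <lan>" above the proxy_auth rule means nobody is ever asked to log in.

# audit_squid_auth < squid.conf
# Exit 0 when the first http_access allow requires a proxy_auth ACL,
# 1 when an earlier allow lets traffic through unauthenticated,
# 2 when there is no allow rule at all or no closing "http_access deny all".
audit_squid_auth() {
    awk '
        # remember every ACL declared with the proxy_auth type
        /^[ \t]*acl[ \t]/ && $3 == "proxy_auth" { authacl[$2] = 1 }
        /^[ \t]*http_access[ \t]+deny[ \t]+all/ { denyall = 1 }
        # only the first allow matters: Squid never gets past it for a matching client
        /^[ \t]*http_access[ \t]+allow/ && !decided {
            decided = 1
            for (i = 3; i <= NF; i++) if ($i in authacl) authed = 1
            if (!authed) print "unauthenticated allow before the auth rule: " $0
        }
        END {
            if (!decided) { print "no http_access allow rule found"; exit 2 }
            if (!authed)  exit 1
            if (!denyall) { print "missing final http_access deny all"; exit 2 }
            print "ok: first allow requires authentication"
        }
    '
}

# Constructed stand-in for the default ClarkConnect squid.conf. "lan" plays the
# role of the page's private1-3 ACLs; the address range is made up.
weak_conf() {
cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.2.0/255.255.255.0
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all lan
http_access allow AuthorizedUsers
http_access deny all
EOF
}

# The same file after the edit the page describes: the LAN allow is commented
# out, so the proxy_auth rule is the first allow Squid reaches.
fixed_conf() {
cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl lan src 192.168.2.0/255.255.255.0
acl AuthorizedUsers proxy_auth REQUIRED
#http_access allow all lan
http_access allow AuthorizedUsers
http_access deny all
EOF
}

weak_conf  | audit_squid_auth || echo "weak config: exit status $?"
fixed_conf | audit_squid_auth
```

On the real box run `audit_squid_auth < /etc/squid/squid.conf` after the edit, then `squid -k parse` to catch syntax errors before restarting the proxy; the audit only looks at rule order, not at whether the ACL types are spelled correctly.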
Let's start by making the logs reflect this.
login as: root
root@192.168.2.245's password:
[root@server sarg]# cd /etc/sarg
[root@server sarg]# nano cc-sarg.conf
Edit the following section, changing user_ip from yes to no so that reports show the authenticated user rather than the client IP address:
# TAG: user_ip yes/no
#      Use Ip Address instead userid in reports.
#      sarg -p
#
user_ip no
Create a report to test, and you're done :D
Now to make sure it all comes back on a full reboot:
go to Webmin -> System -> Bootup and Shutdown,
tick the smb option and save,
and do the same for the winbind daemon, winbindd.
Finally, to make sure the domain join stays in place, set up a cron job to run the net join command once an hour:
[root@gateway ~]# crontab -e
30 * * * * net join -U administrator%MYPASSWORD
Add that line into it; it runs every hour at 30 minutes past.
Be aware of what this costs: the Domain Administrator's password sits in clear text in root's crontab, and every run re-joins (and so resets the machine account password) whether or not anything was wrong. Prefer checking the trust with "wbinfo -t" and re-joining only when that fails, using a dedicated account that has only been delegated the right to join computers rather than administrator.
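The following script is an added example, not from the original page, of what an hourly cron job can do instead of a blind "net join" with the Administrator password on the command line: it tests the trust secret with "wbinfo -t" and only re-joins when that check fails, taking the credentials from a root-only file via net's -A option. The path /etc/samba/join.creds, the log file, and the joinaccount name are assumptions; so is the operational choice of a least-privilege account that has only been delegated the right to add and rejoin workstations.

```shell
#!/bin/sh
# Added example (not from the original page): cron-safe domain re-join. Re-joins
# only when the trust secret is actually broken and never puts a domain password
# on a command line or in the crontab.
#
# Assumptions (not from the page): credentials live in /etc/samba/join.creds, a
# root-only (chmod 600) file in the format read by net's -A option:
#     username = joinaccount
#     password = secret
#     domain   = MYDOMAIN
# where joinaccount is a dedicated account delegated only the right to add and
# rejoin workstations, not a member of Domain Admins.

CREDS=${CREDS:-/etc/samba/join.creds}
LOG=${LOG:-/var/log/rejoin-domain.log}

# trust_ok OUTPUT: interpret what `wbinfo -t` printed. Samba 3 prints
# "Secret is good"; later versions print "... via RPC calls succeeded".
# Returns 0 on a working trust, 1 on anything else (including "wbinfo: not found").
trust_ok() {
    case $1 in
        *"Secret is good"*|*succeeded*) return 0 ;;
        *)                              return 1 ;;
    esac
}

# creds_ok FILE: refuse to use a credentials file that group or others can read.
# The mode string from `ls -l` looks like -rw-------; columns 5-10 are group+other.
creds_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

log() { echo "$(date '+%F %T') $*" >> "$LOG"; }

# check_and_rejoin: the hourly job. 0 = trust fine or repaired, 1 = rejoin
# failed, 2 = refused because the credentials file is missing or too open.
check_and_rejoin() {
    out=$(wbinfo -t 2>&1)
    if trust_ok "$out"; then
        return 0
    fi
    log "trust check failed: $out"
    if ! creds_ok "$CREDS"; then
        log "refusing to rejoin: $CREDS missing or not mode 0600"
        return 2
    fi
    # net reads username/password/domain from the file, so none of them show up in `ps`
    if net join -A "$CREDS" >> "$LOG" 2>&1; then
        log "rejoined domain"
        return 0
    fi
    log "rejoin FAILED"
    return 1
}

case ${1:-} in
    run) check_and_rejoin ;;
esac
```

Save it as /usr/local/sbin/check-domain-join.sh (mode 0700, owned by root) and replace the crontab line with `30 * * * * /usr/local/sbin/check-domain-join.sh run`; the machine account password is then only reset when the trust has genuinely broken, and the log tells you when that happened.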
To test for authentication issues
Fire up PuTTY from \\cwspdc\apps\putty and ssh to the box.
Test basic winbindd functionality with "wbinfo -t":
# wbinfo -t
Secret is good   (this is the correct response)
Test winbindd user authentication:
# wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)
e.g. for us, use the cws account on the cws domain.
If these fail, use
# net join -U administrator
(it prompts for the password). This re-creates the trust relationship between the ClarkConnect box and the PDC; then try the testing commands above again.