DansGuardian and NTLM from Active Directory

Instructions on how to get DansGuardian and Squid to authenticate against a Windows Server 2008 R2 Active Directory, so that different filter groups can be applied to different domain groups. To help with managing the server, Webmin is set up alongside. This assumes you are running with one Ethernet port facing the local network, and that the network has stable DNS servers.

Install Debian

Install Debian from CD1; the normal install mode is fine. Mostly just answer the questions as usual, except when you get to “tasksel”: unmark “Graphical desktop environment” and mark “SSH server”. If it’s just a proxy, you don’t need anything else!

Once you’ve rebooted after installing Debian, log in and use “ifconfig” to find your IP address (unless you entered a static one during install). You can then complete the rest of these instructions over SSH (and copy and paste the commands in!). I also personally prefer to edit the config files over SCP so I get to use a pretty GUI text editor.

Configure network and DNS

Edit the stanza for the primary network interface in /etc/network/interfaces to match the one below, using your own addresses. The DNS nameserver must be your internal AD DNS server, probably your domain controller, and it has to be given as an IP address: the proxy finds the domain controllers through DNS SRV records, so it must not be pointed at an external resolver. The dns-nameservers and dns-search lines are applied by the resolvconf package, which is installed in a later step; until then put the same nameserver and search domain into /etc/resolv.conf by hand. (The 192.0.2.x addresses are placeholders; comments in this file must be on their own lines.)
allow-hotplug eth0
auto eth0
iface eth0 inet static
# replace the three addresses below with your own
address 192.0.2.10
netmask 255.255.255.0
gateway 192.0.2.1
# your AD DNS server, as an IP address, not a name
dns-nameservers 192.0.2.5
dns-search exampledomain.local

Then issue /etc/init.d/networking restart to switch to the new IP settings. Remember that if you do this over SSH the connection will drop and you’ll need to log in again at the new address.

Add Webmin repository

Webmin isn’t included in the standard Debian repository, but never fear, it’s got its own, so we’ll get regular updates.

Add the following to the end of /etc/apt/sources.list:
# webmin repository
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

Now run the following three commands to download and install the GPG key the repository is signed with. The key arrives over plain HTTP, so before trusting it compare the fingerprint that apt-key finger prints against the one published on webmin.com:
cd /root
wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc

Update repositories and upgrade packages

Next we’ll refresh the package lists and then apply any pending updates so the base system starts out patched.
apt-get update
apt-get upgrade

Install our packages!

Now onto the install itself! The following command installs everything we need: Samba, Squid, DansGuardian, Webmin and a few dependencies on the side. It asks for the Debian install CD part way through and, depending on the speed of your internet connection, can take several minutes.
apt-get install dnsmasq webmin squid dansguardian samba winbind krb5-user libcompress-zlib-perl resolvconf ntp ntpdate

It will ask for the workgroup/domain you want the server to be in. Enter the short (NetBIOS) domain name in capitals, like this: EXAMPLEDOMAIN, and not the DNS name, like this: EXAMPLEDOMAIN.LOCAL

Configure Kerberos

Next there is a small bit of configuration to take care of:
dpkg-reconfigure krb5-config
It will ask for:

  • Default Kerberos version 5 realm: EXAMPLEDOMAIN.LOCAL (the realm is always written in capitals)
  • Add locations of default Kerberos servers to /etc/krb5.conf? No (the KDCs are found through the domain’s DNS SRV records, which is why the proxy must use the AD DNS server)

Configure NTP with your domain

Networks run better when all the machines agree on the time, and Kerberos insists on it: by default a ticket request is rejected if the client’s clock is more than five minutes off the domain controller’s. So we’ll change the proxy from getting Network Time Protocol updates from Debian’s servers to using our domain controller.

In /etc/ntp.conf, find this block:
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool:
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

Comment out the four Debian time server entries and add below them:
server domaincontroller.exampledomain.local iburst

Configure Samba

Make a backup copy of /etc/samba/smb.conf before we start to edit it.

Under the section labeled “Authentication” add security = ads below the line which reads # security = user. This tells Samba to authenticate against Active Directory using Kerberos rather than keeping its own password database.

Under the section labeled “Domains” add domain logons = no immediately below the line ; domain logons = yes

Under the “Misc” section, find the following two lines:
; idmap uid = 10000-20000
; idmap gid = 10000-20000

and uncomment them (remove the ‘;’ from the beginning of each line). These give domain users and groups a range of local UIDs and GIDs.

At this point add the following lines, just above the next section marked “Share Definitions”
winbind trusted domains only = yes
winbind cache time = 3600

All done for smb.conf, so save and exit, then run testparm to check that Samba still accepts the file.

Prepare to join the domain

Synchronize the clock with the domain controller, then restart Samba and winbind:
net time set -S domaincontroller
/etc/init.d/winbind stop
/etc/init.d/samba restart
/etc/init.d/winbind start

Join the domain

First reboot: this may not be needed, but it seems to help. Then join the machine to the domain:
kinit Administrator
net ads join -U Administrator

You’ll be asked for the password of the domain user named at the end of each command, once per command. It does not have to be Administrator: any account that is allowed to join computers to the domain will do, and its password is used only for the join; the proxy stores just its own machine account secret. You should get:
root@proxy:~# kinit Administrator
Password for Administrator@EXAMPLEDOMAIN.LOCAL:
root@sbproxy:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLEDOMAIN
Joined 'PROXY' to realm 'exampledomain.local'

Because the join sometimes reports success without actually doing what’s required, the following check is essential:
wbinfo -t
This should give: checking the trust secret for domain EXAMPLEDOMAIN via RPC calls succeeded. If this step fails you can’t proceed; rebooting a few times and starting again from the beginning of ‘Join the domain’ should fix it.

As a final check that domain authentication is working, try these two commands: the first should list all the users in the domain (which does mean it can take some time!), the second all the groups in the domain.
wbinfo -u
wbinfo -g

Configure Squid

Make a backup copy of /etc/squid/squid.conf before we start to edit it.

Below the commented-out block of #auth_param lines (leave them in place in case you want to change something in the future), add these three lines. The ntlm helper speaks NTLMSSP for Internet Explorer and other NTLM-capable clients; the basic helper is the fallback for clients that cannot do NTLM, and it must use the squid-2.5-basic helper protocol, not the ntlmssp one, because the two protocols are not interchangeable:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic realm exampledomain

Bear in mind that basic authentication sends the password Base64-encoded, which is as good as clear text, so it is only acceptable on a trusted LAN.

Then define an ACL that requires proxy authentication and allow it. http_access rules are evaluated top to bottom and the first match wins, so the allow must come after the default port checks; put it before them and an authenticated user could CONNECT to any port through the proxy. The block should end up reading:
acl ntlm_auth proxy_auth REQUIRED

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Allow anyone who has authenticated against the domain
http_access allow ntlm_auth

Comment out this line (shortly after the above code):
http_access allow localhost
DansGuardian forwards every client request to Squid from 127.0.0.1, so leaving it in would let all traffic through without authentication. Make sure the rules still end with the Debian default http_access deny all.

Squid needs access to /var/run/samba/winbindd_privileged. This is easy to fix, but the permissions are reset when we reboot, so Jesse Waters on ubuntuforums.org posted a script that sets them on every system boot. Giving Squid’s group write access to that directory is what lets ntlm_auth, running as Squid’s user, talk to winbind’s privileged socket; don’t widen it to everyone. Create /etc/init.d/winbind-ch.sh and paste the following into it. You need to set its permissions to 755 to allow execution (chmod 755 /etc/init.d/winbind-ch.sh). You can download a copy of this in a file from www.petespcs.co.uk/dangerous/windbind-cd.sh
#!/bin/sh
# winbind-ch.sh: give Squid's group write access to winbind's privileged
# pipe directory at boot (winbind recreates it with default permissions).
# The start/stop handling below is reconstructed from the fragments shown
# on this page.
#set -x
WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged

chmodgrp() {
    chgrp proxy $WINBINDD_PRIVILEGED || return 1
    chmod g+w $WINBINDD_PRIVILEGED || return 1
    return 0
}

case "$1" in
    start)
        chmodgrp || exit 1
        ;;
    stop|restart|reload|force-reload|status)
        # nothing to undo; exit 3 is the LSB code for "unimplemented feature"
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
    *)
        echo "Usage: $0 start|stop" >&2
        exit 3
        ;;
esac

Following this, run update-rc.d winbind-ch.sh start 21 2 3 4 5 . to finish that off; sequence 21 makes it run after winbind has created the directory.
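The checks in ‘Join the domain’ (wbinfo -t, -u and -g), the ntlm_auth helper lines in the Squid section and the winbindd_privileged permissions above are the three places this set-up usually breaks. The script below, an added example rather than anything from the original post, ties them into one health check that can be re-run after every reboot or Samba upgrade. It assumes the Debian defaults used on this page: Squid runs in the proxy group, the pipe directory is /var/run/samba/winbindd_privileged, and ntlm_auth is /usr/bin/ntlm_auth. The parsing and permission functions take their input as arguments so they can be exercised on a machine that is not domain-joined; the live calls are in main and run only when the script is invoked with the argument run.

```sh
#!/bin/sh
# proxy-auth-check.sh: health check for the Squid -> ntlm_auth -> winbind -> AD
# chain built on this page.  Added example, not part of the original post.
#
# Usage (as root, after the domain join):  sh proxy-auth-check.sh run [user]
# Without the 'run' argument only the functions are defined.

WINBINDD_PRIVILEGED=/var/run/samba/winbindd_privileged   # path the page uses
SQUID_GROUP=proxy                                        # Debian's Squid group (assumed)

# trust_output_ok TEXT: 0 if TEXT is a successful 'wbinfo -t' report.
trust_output_ok() {
    printf '%s\n' "$1" | grep -q 'via RPC calls succeeded'
}

# helper_reply_ok REPLY: 0 if a squid-2.5-basic helper reply means the
# credentials were accepted.  ntlm_auth answers one line per credential:
# OK (accepted), ERR (rejected) or BH (helper broken, e.g. winbind unreachable).
helper_reply_ok() {
    case "$1" in
        OK|"OK "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# pipe_perms_ok DIR GROUP: 0 if DIR belongs to GROUP and is group-writable,
# which is what ntlm_auth needs on the winbind pipe directory when Squid runs
# it unprivileged.  The sixth character of the mode string (drwxrwx---) is
# the group write bit.
pipe_perms_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    case "$(stat -c %A "$1")" in
        ?????w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# main [USER]: run the live checks, report each one, exit non-zero on any failure.
main() {
    user=${1:-Administrator}
    rc=0

    out=$(wbinfo -t 2>&1)
    if trust_output_ok "$out"; then echo "ok   trust secret: $out"
    else echo "FAIL trust secret: $out"; rc=1; fi

    if wbinfo -p >/dev/null 2>&1; then echo "ok   winbindd answers 'wbinfo -p'"
    else echo "FAIL winbindd does not answer 'wbinfo -p'"; rc=1; fi

    if pipe_perms_ok "$WINBINDD_PRIVILEGED" "$SQUID_GROUP"; then
        echo "ok   $WINBINDD_PRIVILEGED is writable by group $SQUID_GROUP"
    else
        echo "FAIL $WINBINDD_PRIVILEGED not group-writable by $SQUID_GROUP (winbind-ch.sh not run?)"
        rc=1
    fi

    # Feed one 'user password' line to the basic helper exactly as Squid would.
    # The password is read from the terminal, not taken from argv, so it does
    # not end up in the shell history or in 'ps' output.
    printf 'Password for %s: ' "$user"
    stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; echo
    reply=$(printf '%s %s\n' "$user" "$pass" | ntlm_auth --helper-protocol=squid-2.5-basic 2>&1)
    unset pass
    if helper_reply_ok "$reply"; then echo "ok   basic helper accepted $user"
    else echo "FAIL basic helper: $reply"; rc=1; fi

    # Catch a squid.conf typo before a restart takes the proxy down.
    if squid -k parse >/dev/null 2>&1; then echo "ok   squid.conf parses cleanly"
    else echo "FAIL squid -k parse reported errors"; rc=1; fi

    return $rc
}

case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

Run it as root with sh proxy-auth-check.sh run Administrator once the join has succeeded. Each failing step prints FAIL and the exit status is non-zero if anything failed, so it can also be wired into monitoring.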

Configure Dans Guardian

Make a backup copy of /etc/dansguardian/dansguardian.conf before we start to edit it.

First, a simple edit: comment out (or delete) the line UNCONFIGURED - Please remove this line after configuration. DansGuardian refuses to start while it is present.

Find the line filtergroups = 1 and change it to however many filter groups you feel you need, but be warned that the Webmin module can only handle so many.

Uncomment the following two lines, so that DansGuardian passes both Basic and NTLM credentials through to Squid and can tell which user a request belongs to when assigning it to a filter group:
authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'

That’s all in that file, so close and save.

Make a backup copy of /etc/dansguardian/dansguardianf1.conf, and then make copies for each of your filter groups, so if you have 3 filter groups you’ll need 3 files called dansguardianf1.conf, dansguardianf2.conf and dansguardianf3.conf.

No edits are needed in them; it can all be done easily from Webmin later.

Setup Webmin

Open a web browser to https://yourproxyip:10000/ (accept the warning about Webmin’s self-signed certificate) and log in as root. Go to Webmin > Webmin Configuration > Webmin Modules, select “From ftp or http URL”, paste the link to the DansGuardian module into the dialog box and click Install Module.
You might want to check the SourceForge site for a newer version, see http://sourceforge.net/projects/dgwebminmodule/. To get the address of the module file, go to download the latest version, cancel the download when it is offered, right-click the direct download link and select “Copy link location”.

Because Debian installs programs in slightly different locations from other distributions, a few settings in the DansGuardian Webmin module configuration need changing. Go to Servers > DansGuardian Web Content Filter > Module Config and change “Full path to DG binary” to /usr/sbin/dansguardian. Also remove rc.d/ from “Command to restart DG”, “Command to start DG” and “Command to stop DG”, since Debian keeps its init scripts in /etc/init.d/.

Setup regular blocklist updates

Shalla provides URL and domain blocklists that are free for non-commercial use (including education), and updates them as often as every 24 hours. A simple cron job can download them; all that’s needed is a short shell script. You can download a copy from www.petespcs.co.uk/dangerous/updatebl.sh

To create a cron job in Webmin, go to System > Scheduled Cron Jobs then click on “Create a new scheduled cron job.”. The answers I recommend you enter are:

  • Execute cron job as root
  • Command /path/to/updatebl.sh
  • When to execute Times and dates selected below ..
  • Minutes Selected .. 1
  • Hours Selected .. 0
  • Days All
  • Months All
  • Weekdays Selected .. Monday, Tuesday, Wednesday, Thursday, Friday

Click Create and you’ll be back at the list of cron jobs. The job you’ve just created is at the bottom of the list; open it and click “Run now” to make sure it runs without errors, and to put the blacklists in place to start with.

I recommend these settings because the blacklists are updated at most once every 24 hours. The script runs while no-one is likely to be around, so DansGuardian restarting won’t interrupt anyone, but it only runs on weekdays, so if it goes wrong for whatever reason (a category that used to be included is dropped, for example) you’ll be there before anyone notices, rather than someone coming in on Saturday to find that the proxy isn’t working!

To work with these blacklists you’ll need to modify your /etc/dansguardian/lists/bannedurllist and /etc/dansguardian/lists/bannedsitelist files; otherwise DansGuardian won’t start, because it can’t find the files they reference. Example files are attached, matching the lists Shalla provided in October 2011. For your convenience they contain a descriptive comment on each list, and every list is commented out, so as they stand they block nothing: just uncomment the .Include lines for whatever you want to block. You can find the same files at www.petespcs.co.uk/dangerous/bannedurllist and www.petespcs.co.uk/dangerous/bannedsitelist
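The update script the page links to is not reproduced here, so the script below is an added example of my own, not the author’s updatebl.sh. It is written around the failure mode described above: if a list that a .Include line refers to disappears, DansGuardian will not start. It verifies the download against its checksum, swaps the new tree into place with a rename rather than a slow copy, keeps the previous tree as a .old fallback, and restarts DansGuardian only when every .Include in bannedsitelist and bannedurllist points at an existing file; otherwise it exits non-zero and leaves the running filter alone. Assumptions not taken from the page: the tarball is at http://www.shallalist.de/Downloads/shallalist.tar.gz with an md5sum-format checksum at the same URL plus .md5, it unpacks into a BL/ directory of category subdirectories, and your .Include lines point under /etc/dansguardian/lists/blacklists (adjust BLACKLIST_DIR to match yours).

```sh
#!/bin/sh
# update-blocklists.sh: fetch the Shalla blocklists for DansGuardian, verify
# them, install them in one step and restart DansGuardian only when every
# .Include it references exists.  Added example, not the page's updatebl.sh.
#
# Usage (as root, from cron):  sh update-blocklists.sh run
# Assumptions, not from the page: the URL below, an md5sum-format .md5 file,
# a BL/<category>/{domains,urls} layout in the tarball, and BLACKLIST_DIR as
# the directory the .Include lines point at.

SHALLA_URL=http://www.shallalist.de/Downloads/shallalist.tar.gz
DG_LISTS=/etc/dansguardian/lists
BLACKLIST_DIR=$DG_LISTS/blacklists
WORK=/var/tmp/shalla   # keep on the same filesystem as DG_LISTS so mv is a rename

# verify_md5 DIR NAME: 0 if DIR/NAME matches the checksum in DIR/NAME.md5.
# The .md5 is in md5sum's own "<hash>  <name>" format, so md5sum -c checks it.
verify_md5() {
    (cd "$1" && md5sum -c --status "$2.md5")
}

# includes_ok LISTFILE: 0 if every '.Include<path>' line in LISTFILE names an
# existing file.  A missing file (a category Shalla dropped, a typo) is what
# stops DansGuardian from starting at all.
includes_ok() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        [ -e "$path" ] || { echo "missing list: $path" >&2; rc=1; }
    done <<EOF
$(sed -n 's/^\.Include<\(.*\)>[[:space:]]*$/\1/p' "$1")
EOF
    return $rc
}

# install_lists NEWDIR DEST: rename NEWDIR into place as DEST.  Two renames
# mean DansGuardian never sees a half-extracted tree, and the previous tree
# is kept as DEST.old so a bad update can be rolled back by hand.
install_lists() {
    rm -rf "$2.old"
    if [ -e "$2" ]; then mv "$2" "$2.old" || return 1; fi
    mv "$1" "$2"
}

main() {
    mkdir -p "$WORK" && cd "$WORK" || exit 1
    rm -rf BL
    wget -q -O shallalist.tar.gz "$SHALLA_URL" &&
    wget -q -O shallalist.tar.gz.md5 "$SHALLA_URL.md5" ||
        { echo "download failed; keeping current lists" >&2; exit 1; }
    verify_md5 "$WORK" shallalist.tar.gz ||
        { echo "checksum mismatch; keeping current lists" >&2; exit 1; }
    tar xzf shallalist.tar.gz || exit 1
    chmod -R a+rX BL      # DansGuardian runs unprivileged and must read them
    install_lists "$WORK/BL" "$BLACKLIST_DIR" || exit 1
    for f in "$DG_LISTS/bannedsitelist" "$DG_LISTS/bannedurllist"; do
        includes_ok "$f" || {
            echo "$f references a missing list; NOT restarting DansGuardian" >&2
            echo "previous lists are in $BLACKLIST_DIR.old" >&2
            exit 2
        }
    done
    /etc/init.d/dansguardian restart
}

case "${1:-}" in
    run) main ;;
esac
```

Point the Webmin cron job at this script with the argument run. If it exits with status 2 the new lists are already in place but DansGuardian was not restarted; either uncomment fewer .Include lines or move the .old tree back, then restart by hand.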

This guide is based around advice from HowtoForge: How To Install And Configure Dansguardian With Multi-Group Filtering And Squid With NTLM Auth On Debian Etch

This entry was posted in dansguardian, howto, linux, networking.

10 Responses to DansGuardian and NTLM from Active Directory

  1. MrPaul says:

    Since Ubuntu is based on Debian will this work on Ubuntu?

    • Pete says:

      Yes, most of it will. Some commands will need to be prefixed by ‘sudo’ as they require root level access. The initial install is also different, as Debian uses the text based mode by default, whereas Ubuntu uses the graphical install by default.
      Some details might be different, but this should still be a fairly good guide.

  2. George says:

    Very helpful howto thanks a lot.

  3. pablo says:

    what does .LOCAL mean? should I add to my domain name?
    sorry for the stoopid question

    • Pete says:

      example.local should be replaced by your internal Windows domain name – often these are not publicly registered so the ending .local is used to prevent confusion.
      Often it’s companyname.local or companyinitials.local
      It needs to be correct for your Windows network – using the wrong one will cause problems.

  4. Pingback: Squid on Windows, Dansguardian on Linux will this work?

  5. ThcTLO says:

    Nice howto..
    and …
    You should never use .local or .lan as the TLD for your domain.
    .local and .lan are reserved TLDs for mDNS ( avahi-daemon )

    • Pete says:

      I’d like to see a source for not using .local for your internal domain. However, regardless of the reason, it is a common occurrence that it HAS been used previously. I’m using it to indicate it must match the full internal domain specified, not a shortened form of it.

  6. mercurio2054 says:

    this is the same for 2015 configuration?

    • Pete says:

      2015 configuration of what?

      It’s probably similar, but as I wrote this as part of my job and I have since changed job, I haven’t needed to update my knowledge to the latest versions of the software packages used.
