squid: Add NTLM authentication against Windows Active Directory servers.

2026-04-27 11:13:24 +02:00 · 2014-03-24 01:30:23 +01:00
parent 0ffbb688d3
commit 603248db53
15 changed files with 67 additions and 9 deletions
--- a/config/etc/group
+++ b/config/etc/group
@@ -25,6 +25,7 @@ stunnel:x:51:
 lock:x:54:
 sshd:x:74:
 pcap:x:77:
 wbpriv:x:88:squid
 nobody:x:99:
 users:x:100:
 snort:x:101:
--- a/config/rootfiles/packages/samba
+++ b/config/rootfiles/packages/samba
@@ -219,6 +219,7 @@ var/ipfire/samba/shares
 var/ipfire/samba/smb.conf
 var/ipfire/samba/smb.conf.default
 var/lib/samba
 var/lib/samba/winbindd_privileged
 var/log/samba
 var/nmbd
 etc/rc.d/init.d/samba
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -587,6 +587,7 @@ WARNING: untranslated string: Set time on boot
 WARNING: untranslated string: addons
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -597,6 +597,7 @@ WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: addons
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -654,6 +654,7 @@ WARNING: untranslated string: Number of Countries for the pie chart
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: atm device
 WARNING: untranslated string: bytes
 WARNING: untranslated string: capabilities
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -587,6 +587,7 @@ WARNING: untranslated string: Set time on boot
 WARNING: untranslated string: addons
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -590,6 +590,7 @@ WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: addons
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -653,6 +653,7 @@ WARNING: untranslated string: Number of Countries for the pie chart
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
 WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: bytes
 WARNING: untranslated string: capabilities
 WARNING: untranslated string: default
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -17,6 +17,7 @@
 < administrator password
 < administrator username
 < adsl settings
 < advproxy AUTH method ntlm auth
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -543,6 +544,7 @@
 < administrator password
 < administrator username
 < adsl settings
 < advproxy AUTH method ntlm auth
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -1062,6 +1064,7 @@
 < administrator password
 < administrator username
 < adsl settings
 < advproxy AUTH method ntlm auth
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -1557,6 +1560,7 @@
 < administrator password
 < administrator username
 < adsl settings
 < advproxy AUTH method ntlm auth
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -172,6 +172,8 @@ unless (-e $acl_include) { system("touch $acl_include"); }
 unless (-e $browserdb) { system("touch $browserdb"); }
 unless (-e $mimetypes) { system("touch $mimetypes"); }
 my $HAVE_NTLM_AUTH = (-e "/usr/bin/ntlm_auth");
 open FILE, $browserdb;
@useragentlist = sort { reverse(substr(reverse(substr($a,index($a,',')+1)),index(reverse(substr($a,index($a,','))),',')+1)) cmp reverse(substr(reverse(substr($b,index($b,',')+1)),index(reverse(substr($b,index($b,','))),',')+1))} grep !/(^$)|(^\s*#)/,<FILE>;
 close(FILE);
@@ -860,6 +862,7 @@ $checked{'AUTH_METHOD'}{'ncsa'} = '';
 $checked{'AUTH_METHOD'}{'ident'} = '';
 $checked{'AUTH_METHOD'}{'ldap'} = '';
 $checked{'AUTH_METHOD'}{'ntlm'} = '';
 $checked{'AUTH_METHOD'}{'ntlm-auth'} = '';
 $checked{'AUTH_METHOD'}{'radius'} = '';
 $checked{'AUTH_METHOD'}{$proxysettings{'AUTH_METHOD'}} = "checked='checked'";
@@ -1686,18 +1689,33 @@ print <<END
 END
 ;
-print <<END
+my $auth_columns = 5;
 if ($HAVE_NTLM_AUTH) {
 	$auth_columns++;
 }
 my $auth_column_width = 100 / $auth_columns;
 print <<END;
 <table width='100%'>
 <tr>
-	<td colspan='5'><b>$Lang::tr{'advproxy AUTH method'}</b></td>
+	<td colspan='$auth_columns'><b>$Lang::tr{'advproxy AUTH method'}</b></td>
 </tr>
 <tr>
-	<td width='16%' class='base'><input type='radio' name='AUTH_METHOD' value='none' $checked{'AUTH_METHOD'}{'none'} />$Lang::tr{'advproxy AUTH method none'}</td>
+	<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='none' $checked{'AUTH_METHOD'}{'none'} />$Lang::tr{'advproxy AUTH method none'}</td>
-	<td width='16%' class='base'><input type='radio' name='AUTH_METHOD' value='ncsa' $checked{'AUTH_METHOD'}{'ncsa'} />$Lang::tr{'advproxy AUTH method ncsa'}</td>
+	<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ncsa' $checked{'AUTH_METHOD'}{'ncsa'} />$Lang::tr{'advproxy AUTH method ncsa'}</td>
-	<td width='16%' class='base'><input type='radio' name='AUTH_METHOD' value='ident' $checked{'AUTH_METHOD'}{'ident'} />$Lang::tr{'advproxy AUTH method ident'}</td>
+	<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ident' $checked{'AUTH_METHOD'}{'ident'} />$Lang::tr{'advproxy AUTH method ident'}</td>
-	<td width='16%' class='base'><input type='radio' name='AUTH_METHOD' value='ldap' $checked{'AUTH_METHOD'}{'ldap'} />$Lang::tr{'advproxy AUTH method ldap'}</td>
+	<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ldap' $checked{'AUTH_METHOD'}{'ldap'} />$Lang::tr{'advproxy AUTH method ldap'}</td>
-	<td width='16%' class='base'><input type='radio' name='AUTH_METHOD' value='ntlm' $checked{'AUTH_METHOD'}{'ntlm'} />$Lang::tr{'advproxy AUTH method ntlm'}</td>
+	<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ntlm' $checked{'AUTH_METHOD'}{'ntlm'} />$Lang::tr{'advproxy AUTH method ntlm'}</td>
-	<td width='16%' class='base'><input type='radio' name='AUTH_METHOD' value='radius' $checked{'AUTH_METHOD'}{'radius'} />$Lang::tr{'advproxy AUTH method radius'}</td>
+END
 if ($HAVE_NTLM_AUTH) {
 	print <<END;
 	<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ntlm-auth' $checked{'AUTH_METHOD'}{'ntlm-auth'} />$Lang::tr{'advproxy AUTH method ntlm auth'}</td>
 END
 }
 print <<END
 	<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='radius' $checked{'AUTH_METHOD'}{'radius'} />$Lang::tr{'advproxy AUTH method radius'}</td>
 </tr>
 </table>
 END
@@ -3143,7 +3161,6 @@ END
 	print FILE <<END
 cache_effective_user squid
 cache_effective_group squid
 umask 022
 pid_filename /var/run/squid.pid
@@ -3300,6 +3317,12 @@ END
 			}
 		}
 		if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth')
 		{
 			print FILE "auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp\n";
 			print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n";
 		}
 		if ($proxysettings{'AUTH_METHOD'} eq 'radius')
 		{
 			print FILE "auth_param basic program $authdir/basic_radius_auth -h $proxysettings{'RADIUS_SERVER'} -p $proxysettings{'RADIUS_PORT'} ";
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -115,6 +115,7 @@
 'advproxy AUTH method ncsa' => 'Lokal',
 'advproxy AUTH method none' => 'Keine',
 'advproxy AUTH method ntlm' => 'Windows',
 'advproxy AUTH method ntlm auth' => 'Windows Active Directory',
 'advproxy AUTH method radius' => 'RADIUS',
 'advproxy AUTH no auth' => 'Domains ohne Authentifizierung (eine pro Zeile)',
 'advproxy AUTH number of auth processes' => 'Anzahl der Authentifizierungsprozesse',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -115,6 +115,7 @@
 'advproxy AUTH method ncsa' => 'Local',
 'advproxy AUTH method none' => 'None',
 'advproxy AUTH method ntlm' => 'Windows',
 'advproxy AUTH method ntlm auth' => 'Windows Active Directory',
 'advproxy AUTH method radius' => 'RADIUS',
 'advproxy AUTH no auth' => 'Domains without authentication (one per line)',
 'advproxy AUTH number of auth processes' => 'Number of authentication processes',
--- a/lfs/samba
+++ b/lfs/samba
@@ -82,6 +82,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--libdir=/usr/lib/ \
 		--sysconfdir=/var/ipfire \
 		--localstatedir=/var \
 		--with-lockdir=/var/lib/samba \
 		--with-piddir=/var/run \
 		--with-ads \
 		--with-acl-support \
@@ -115,5 +116,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cat /var/ipfire/samba/global /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf
 	-mkdir -p /var/log/samba
 	install -v -m 644 $(DIR_SRC)/config/backup/includes/samba /var/ipfire/backup/addons/includes/samba
 	-mkdir -p 750 /var/lib/samba/winbindd_privileged
 	chgrp wbpriv /var/lib/samba/winbindd_privileged
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
--- a/src/paks/samba/install.sh
+++ b/src/paks/samba/install.sh
@@ -22,6 +22,14 @@
 ############################################################################
 #
 . /opt/pakfire/lib/functions.sh
 # If the wbpriv group does not exist yet, then create it and put squid
 # into it.
 if ! getent group wbpriv >/dev/null; then
 	groupadd -g 88 wbpriv
 	usermod -a -G wbpriv squid
 fi
 extract_files
 restore_backup ${NAME}
 /usr/local/bin/sambactrl smbstart
--- a/src/paks/samba/update.sh
+++ b/src/paks/samba/update.sh
@@ -23,6 +23,14 @@
 #
 . /opt/pakfire/lib/functions.sh
 ./uninstall.sh
 # If the wbpriv group does not exist yet, then create it and put squid
 # into it.
 if ! getent group wbpriv >/dev/null; then
 	groupadd -g 88 wbpriv
 	usermod -a -G wbpriv squid
 fi
 extract_files
 restore_backup ${NAME}
 echo "passdb backend = smbpasswd" >> /var/ipfire/samba/smb.conf