After switching my network to a more strict proxy server recently, I found that Windows 7 machines were reporting they weren't connected to the internet anymore. While this is partly true, unauthenticated users can no longer just access http, users don't need to get this message.
The probing software is called Microsoft NCSI. What it does, is:
- perform a DNS lookup on www.msftncsi.com, and request http://www.msftncsi.com/ncsi.txt. This file is a plain-text file that contains only the text Microsoft NCSI.
- then do a DNS lookup request for dns.msftncsi.com. The answer should be an A-record resolving to 220.127.116.11. If no answer, or a wrong answer is given, NCSI assumes the internet connection is faulty.
I whitelisted www.msftncsi.com in my proxy to allow outbound http-connections from unauthenticated users to this domain.
Windows 7 network awareness is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info
Step 1. Install ntp and synchronize clocks
We'll be using winbind, kerberos and ntlm to authenticate the user. This requires the clocks of the AD server and the proxy server to be synchronized.
rpm -qa ntp || yum -y install ntp
sed -i "s/^server /#server /g" /etc/ntp.conf
echo "server YOURSERVERNAME" >> /etc/ntp.conf
ntpdate YOURSERVERNAME #synchronize right now
service ntpd start #and keep in sync
chkconfig ntpd on #after reboot as well
Step 2. Install required software
yum install krb5-workstation samba-common authconfig squid
chkconfig squid on
Step 3. Connect to active directory
Please note that MYCOMPANY.local and mycompany.local may be different domains due to the upper/lowercase.
authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=$ADSERVER \
--krb5realm=$DOMAIN --smbservers=$ADSERVER --smbworkgroup=$WORKGROUP \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall
I found some information saying that /var/cache/samba/winbindd_privileged should be chowned 750 to root:squid or that you should add user squid to group wbpriv. Also, squid.conf should not have cache_effective_group defined. However, this part was not relevant on my Centos 5.6. The reason could be that I installed 5.4, then upgraded, i'm not sure. Just leaving it as a note.
Now check your winbind connection using the following commands:
Step 4. Configure squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl ntlm proxy_auth REQUIRED
http_access allow our_networks ntlm
authenticate_ip_ttl 900 seconds
This will allow all valid, logged in users to surf the web. You could also limit which users can surf by adding
to the ntlm_auth command
Start Squid using /sbin/service squid restart and you're good to go.
You may want to check what else I'm writing on Squid. I'm planning to document a lot more in the next few weeks.
Squid active directory authentication on Centos 5.6 is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info