domingo, 7 de octubre de 2012

Internet access through a Micro$ft proxy from a GNU/Linux client

From the serie: Get down to the job

Maybe it never happened to you, but there are some working scenarios where we are behind a Micro$otf Proxy and we still want to keep using out GNU/Linux client box in a normal way. For the unpatient: It's possible but you have to follow some actions and be carefully.

Before we start, I don't want to waste your time, if the one and only thing you want to get is an Internet access with a browser, you don't need to continue reading, all of the browsers in the net as the possibility of connecting to a web proxy. All you need is: Window$ Domain user credentials and the information where proxy is.

In this article we are going to explain how to configure a GNU/Linux box behind a MS-Proxy and be able to do some of this tasks (i.e.):
  • Update system
  • Install distribution packages this system tools
  • Instant Messaging (IM) with a specific client (not browser)


 All the information we have to gather to do a right configuration for the access through the MS-Proxy is:
  • Web proxy for downloading distribution packages for the system.
  • DHCP client in our GNU/Linux box
  • Network information of the proxy server (IP adress, port number)
  • Credentials in Window$ Domain to go through the proxy


 As always, we should plan the task for the execution:
  1. Gather necessary information from the net
  2. Config webproxy in browser for downloading GNU/Linux Debian packages.
  3. Download, installation of the cntlm package  and all its dependences (if are needed)
  4. GNU/Linux box cntlm config to authenticate and access through the proxy
  5. Test deployment

Gather necessary information from the net

What do we need to begin our project?
  • Output proxy information (IP address and port). Note: M$-proxy protocol is not necessary, it's going to be find out by the cntlm.
  • Do we have a windows domain user with go through the proxy grant?

Config webproxy in browser

Second important thing to be care of, are we able to download Debian packages via web?. It's very important because the cntlm and all its dependencies are needed. Let's see how to do that ...

Normally, M$-proxy is open as a webproxy service, that means it's possible to config a browser to use it to go to the Internet. You just have to go to (for Firefox): Menu edit -> Preferences -> Advanced icon -> Network tab -> Settings button -> Manual proxy configuration checkbox


(for the good observers :-)  yes the capture was taken with an Ubuntu box, it's the machine I had on my hands in that moment)

Download, install of the cntlm package

Put you browser to Debian GNU/Linux repository at:, this is the homepage for the package. Be sure to select you architecture and click on it to download.

In my case it's because, you know, I'm using wheezy version with amb64. Be sure to choose the right one.

After downloading, and before install, we have to be sure all cntlm packages dependences are fulfilled. Know do we know these?, Here comes aptitude to save us:

$aptitude show cntlm 

Package: cntlm                           
State: installed
Automatically installed: no
Version: 0.92.3-1
Priority: optional
Section: net
Maintainer: David Watson 
Architecture: amd64
Uncompressed Size: 180 k
Depends: adduser, libc6 (>= 2.10)
Replaces: ntlmaps
Description: Fast NTLM authentication proxy with tunneling
 Cntlm is a fast and efficient NTLM proxy, with support for TCP/IP tunneling, authenticated connection caching, ACLs, proper
 daemon logging and behaviour and much more. It has up to ten times faster responses than similar NTLM proxies, while using
 by orders or magnitude less RAM and CPU. Manual page contains detailed information.

This command shows information about the package been asked for and, of courses its dependencies. Line 'Depends' shows it has two, adduser and libc6. Know you have to confirm these packages are installed:

$dpkg -l 'adduser'
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                      Version           Architecture      Description
ii  adduser                   3.113+nmu3        all               add and remove users and groups 
$ dpkg -l 'libc6'
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                      Version           Architecture      Description
ii  libc6:amd64               2.13-35           amd64             Embedded GNU C Library: Shared libraries

Please, look in man about dpkg command to learn more uses for it. And just a note, all these commands has been executed with a non privileged user (not root).

GNU/Linux box cntlm config to authenticate and access through the proxy

Once you have installed cntlm package is time to config authentication against M$-Proxy. First of any other action: Make a backup of the conf file your are going to modify (this is something not necessary to remember every time but sometimes you, me and everybody forgets). This is what I do:

$ cp /etc/cntlm.conf /etc/cntlm.conf.orig

Now edit the file we just backed up, modify these entries:
  • Username
  • Domain
  • (Comment line) Password
  • proxy
  • NoProxy
If it's possible you should use the highest authentication protocol your proxy serves. How can you know it? good question, read man page ...

... now that you have already read man page for cntlm you should know there is a parameter to query that to MS-Proxy via cntlm executable:
cntlm -I -M

These parameters give us the best (or the highest) security protocol to communicate against the proxy server. Use the hash string that comment give us to authenticate at proxy server. See that example (captured from

$ cntlm -I -M
Config profile  1/11... OK (HTTP code: 200)
Config profile  2/11... OK (HTTP code: 200)
Config profile  3/11... OK (HTTP code: 200)
Config profile  4/11... OK (HTTP code: 200)
Config profile  5/11... OK (HTTP code: 200)
Config profile  6/11... Credentials rejected
Config profile  7/11... Credentials rejected
Config profile  8/11... OK (HTTP code: 200)
Config profile  9/11... OK (HTTP code: 200)
Config profile 10/11... OK (HTTP code: 200)
Config profile 11/11... OK (HTTP code: 200)
----------------------------[ Profile  0 ]------
Auth            NTLMv2
PassNTLMv2      4AC6525378DF8C69CF6B6234532943AC

And modify that parameter in cntlm.conf (see string mark in yelow) in this case my proxy is able to authenticate in NTLMv2.

# Cntlm Authentication Proxy Configuration
# NOTE: all values are parsed literally, do NOT escape spaces,
# do not quote. Use 0600 perms if you use plaintext password.

Username    adrian
Domain        MYDOMAIN
#Password    ******
# NOTE: Use plaintext password only at your own risk
# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
# command sequence to get the right config for your environment.
# See cntlm man page
# Example secure config shown below.
# PassLM          1AD35398BE6565DDB5C4EF70C0593492
# PassNT          77B9081511704EE852F94227CF48A793
### Only for user 'testuser', domain 'corp-uk'
PassNTLMv2      6E2567JFCGHIIIKLL23445CC4ED58D24

# Specify the netbios hostname cntlm will send to the parent
# proxies. Normally the value is auto-guessed.
# Workstation    netbios_hostname

# List of parent proxies to use. More proxies can be defined
# one per line in format <proxy_ip>:<proxy_port>
Proxy        proxyxoc3.micro$

# List addresses you do not want to pass to parent proxies
# * and ? wildcards can be used
NoProxy        localhost, 127.0.0.*, 10.*, 192.168.*, *
# Specify the port cntlm will listen on
# You can bind cntlm to specific interface by specifying
# the appropriate IP address also in format <local_ip>:<local_port>
# Cntlm listens on by default
Listen        3128

# If you wish to use the SOCKS5 proxy feature as well, uncomment
# the following option. It can be used several times
# to have SOCKS5 on more than one port or on different network
# interfaces (specify explicit source address for that).
# WARNING: The service accepts all requests, unless you use
# SOCKS5User and make authentication mandatory. SOCKS5User
# can be used repeatedly for a whole bunch of individual accounts.
#SOCKS5Proxy    8010
#SOCKS5User    dave:password

# Use -M first to detect the best NTLM settings for your proxy.
# Default is to use the only secure hash, NTLMv2, but it is not
# as available as the older stuff.
# This example is the most universal setup known to man, but it
# uses the weakest hash ever. I won't have it's usage on my
# conscience. :) Really, try -M first.
#Auth        LM
#Flags        0x06820000

# Enable to allow access from other computers
#Gateway    yes

# Useful in Gateway mode to allow/restrict certain IPs
# Specifiy individual IPs or subnets one rule per line.
#Deny        0/0

# GFI WebMonitor-handling plugin parameters, disabled by default
#ISAScannerSize     1024
#ISAScannerAgent    Wget/
#ISAScannerAgent    APT-HTTP/
#ISAScannerAgent    Yum/

# Headers which should be replaced if present in the request
#Header        User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

# Tunnels mapping local port to a machine behind the proxy.
# The format is <local_port>:<remote_host>:<remote_port>

Test deployment 

In fact we have test access through proxy yet with command line when we was trying to configure protocol and passwd.

I usually use local proxy to update and install system packages for linux clients. For access to Internet I have more that enough this the webproxy service. If this is your case you can use system packages update to test your environment. This is how I do it:
  1. Configure apt to access through the proxy. Modify (or create if it doesn't exist) this file: /etc/apt/apt.conf.d/80apt-proxy and add:   Acquire::http::Proxy "http://localhost:3128";   
  2. Now you can test proxy updating the packages list, execute: aptitude update.  If every thing is OK, you should have updated you package list with no error in screen.

References (thanks a lot to every one)

What's next

  •  I will continue working and writing for my 3 or 4 readers to configure a desktop environment using GNU/Linux

Goodbye my friends ...

No hay comentarios:

Publicar un comentario