From 603248db53e41290600a25a140e7f033bbe09abd Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 24 Mar 2014 01:30:23 +0100
Subject: [PATCH 1/1] squid: Add NTLM authentication against Windows Active Directory servers.
---
 config/etc/group | 1 +
 config/rootfiles/packages/samba | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 doc/language_missings | 4 ++++
 html/cgi-bin/proxy.cgi | 41 +++++++++++++++++++++++++--------
 langs/de/cgi-bin/de.pl | 1 +
 langs/en/cgi-bin/en.pl | 1 +
 lfs/samba | 5 ++++
 src/paks/samba/install.sh | 8 +++++++
 src/paks/samba/update.sh | 8 +++++++
 15 files changed, 67 insertions(+), 9 deletions(-)
diff --git a/config/etc/group b/config/etc/group
index ab5f4af511..51334aafbc 100644
--- a/config/etc/group
+++ b/config/etc/group
@@ -25,6 +25,7 @@ stunnel:x:51:
 lock:x:54:
 sshd:x:74:
 pcap:x:77:
+wbpriv:x:88:squid
 nobody:x:99:
 users:x:100:
 snort:x:101:
diff --git a/config/rootfiles/packages/samba b/config/rootfiles/packages/samba
index 807dd9f217..aafa112ace 100644
--- a/config/rootfiles/packages/samba
+++ b/config/rootfiles/packages/samba
@@ -219,6 +219,7 @@ var/ipfire/samba/shares
 var/ipfire/samba/smb.conf
 var/ipfire/samba/smb.conf.default
 var/lib/samba
+var/lib/samba/winbindd_privileged
 var/log/samba
 var/nmbd
 etc/rc.d/init.d/samba
diff --git a/doc/language_issues.es b/doc/language_issues.es
index b512534400..42eb15de14 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -587,6 +587,7 @@ WARNING: untranslated string: Set time on boot
 WARNING: untranslated string: addons
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
+WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index e6730da917..bbaee46990 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -597,6 +597,7 @@ WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: addons
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
+WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 8d24134710..164d3cc563 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -654,6 +654,7 @@ WARNING: untranslated string: Number of Countries for the pie chart
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
+WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: atm device
 WARNING: untranslated string: bytes
 WARNING: untranslated string: capabilities
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index b512534400..42eb15de14 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -587,6 +587,7 @@ WARNING: untranslated string: Set time on boot
 WARNING: untranslated string: addons
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
+WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index e4c0e6a199..7a4c33f910 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -590,6 +590,7 @@ WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: addons
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
+WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: advproxy cache-digest
 WARNING: untranslated string: advproxy errmsg cache
 WARNING: untranslated string: advproxy errmsg invalid upstream proxy
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 4a0afb53a6..383086d694 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -653,6 +653,7 @@ WARNING: untranslated string: Number of Countries for the pie chart
 WARNING: untranslated string: Scan for Songs
 WARNING: untranslated string: administrator password
 WARNING: untranslated string: administrator username
+WARNING: untranslated string: advproxy AUTH method ntlm auth
 WARNING: untranslated string: bytes
 WARNING: untranslated string: capabilities
 WARNING: untranslated string: default
diff --git a/doc/language_missings b/doc/language_missings
index 78e249c21a..c42f2ec63a 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -17,6 +17,7 @@
 < administrator password
 < administrator username
 < adsl settings
+< advproxy AUTH method ntlm auth
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -543,6 +544,7 @@
 < administrator password
 < administrator username
 < adsl settings
+< advproxy AUTH method ntlm auth
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -1062,6 +1064,7 @@
 < administrator password
 < administrator username
 < adsl settings
+< advproxy AUTH method ntlm auth
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
@@ -1557,6 +1560,7 @@
 < administrator password
 < administrator username
 < adsl settings
+< advproxy AUTH method ntlm auth
 < advproxy cache-digest
 < advproxy errmsg cache
 < advproxy errmsg invalid upstream proxy
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 2a9d493942..9476b74324 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -172,6 +172,8 @@ unless (-e $acl_include) { system("touch $acl_include"); }
 unless (-e $browserdb) { system("touch $browserdb"); }
 unless (-e $mimetypes) { system("touch $mimetypes"); }
 
+my $HAVE_NTLM_AUTH = (-e "/usr/bin/ntlm_auth");
+
 open FILE, $browserdb;
 @useragentlist = sort { reverse(substr(reverse(substr($a,index($a,',')+1)),index(reverse(substr($a,index($a,','))),',')+1)) cmp reverse(substr(reverse(substr($b,index($b,',')+1)),index(reverse(substr($b,index($b,','))),',')+1))} grep !/(^$)|(^\s*#)/,;
 close(FILE);
@@ -860,6 +862,7 @@ $checked{'AUTH_METHOD'}{'ncsa'} = '';
 $checked{'AUTH_METHOD'}{'ident'} = '';
 $checked{'AUTH_METHOD'}{'ldap'} = '';
 $checked{'AUTH_METHOD'}{'ntlm'} = '';
+$checked{'AUTH_METHOD'}{'ntlm-auth'} = '';
 $checked{'AUTH_METHOD'}{'radius'} = '';
 $checked{'AUTH_METHOD'}{$proxysettings{'AUTH_METHOD'}} = "checked='checked'";
 
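Review bot: `$HAVE_NTLM_AUTH` (hunk at line 172) only decides whether the `ntlm-auth` radio button is rendered, while the `$checked{'AUTH_METHOD'}{'ntlm-auth'} = ''` entry in the hunk at line 862 is registered unconditionally, and neither hunk validates the submitted `AUTH_METHOD` value against the methods that are actually available. A form submission that carries `ntlm-auth` is therefore accepted on a box without `/usr/bin/ntlm_auth`, and the squid config writer (the hunk around line 3161, which is not readable on this page) presumably emits an auth_param line for a helper that does not exist; the save path should reject or fall back when `!$HAVE_NTLM_AUTH`, e.g. `$proxysettings{'AUTH_METHOD'} = 'none' if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth' && !$HAVE_NTLM_AUTH);` before the settings are written. The new variable also deserves a why-comment, such as `# ntlm_auth is shipped by the samba package; the option is offered only when it is installed`.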
@@ -1686,18 +1689,33 @@ print < - $Lang::tr{'advproxy AUTH method'} + $Lang::tr{'advproxy AUTH method'} - $Lang::tr{'advproxy AUTH method none'} - $Lang::tr{'advproxy AUTH method ncsa'} - $Lang::tr{'advproxy AUTH method ident'} - $Lang::tr{'advproxy AUTH method ldap'} - $Lang::tr{'advproxy AUTH method ntlm'} - $Lang::tr{'advproxy AUTH method radius'} + $Lang::tr{'advproxy AUTH method none'} + $Lang::tr{'advproxy AUTH method ncsa'} + $Lang::tr{'advproxy AUTH method ident'} + $Lang::tr{'advproxy AUTH method ldap'} + $Lang::tr{'advproxy AUTH method ntlm'} +END + +if ($HAVE_NTLM_AUTH) { + print <$Lang::tr{'advproxy AUTH method ntlm auth'} +END +} + +print <$Lang::tr{'advproxy AUTH method radius'} END @@ -3143,7 +3161,6 @@ END print FILE < 'Lokal', 'advproxy AUTH method none' => 'Keine', 'advproxy AUTH method ntlm' => 'Windows', +'advproxy AUTH method ntlm auth' => 'Windows Active Directory', 'advproxy AUTH method radius' => 'RADIUS', 'advproxy AUTH no auth' => 'Domains ohne Authentifizierung (eine pro Zeile)', 'advproxy AUTH number of auth processes' => 'Anzahl der Authentifizierungsprozesse', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 1754147a08..5921681e89 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -115,6 +115,7 @@ 'advproxy AUTH method ncsa' => 'Local', 'advproxy AUTH method none' => 'None', 'advproxy AUTH method ntlm' => 'Windows', +'advproxy AUTH method ntlm auth' => 'Windows Active Directory', 'advproxy AUTH method radius' => 'RADIUS', 'advproxy AUTH no auth' => 'Domains without authentication (one per line)', 'advproxy AUTH number of auth processes' => 'Number of authentication processes', diff --git a/lfs/samba b/lfs/samba index 09221fb20b..2dda62ccfa 100644 --- a/lfs/samba +++ b/lfs/samba 
@@ -82,6 +82,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --libdir=/usr/lib/ \ --sysconfdir=/var/ipfire \ --localstatedir=/var \ + --with-lockdir=/var/lib/samba \ --with-piddir=/var/run \ --with-ads \ --with-acl-support \ @@ -115,5 +116,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cat /var/ipfire/samba/global /var/ipfire/samba/shares > /var/ipfire/samba/smb.conf -mkdir -p /var/log/samba install -v -m 644 $(DIR_SRC)/config/backup/includes/samba /var/ipfire/backup/addons/includes/samba + + -mkdir -p 750 /var/lib/samba/winbindd_privileged + chgrp wbpriv /var/lib/samba/winbindd_privileged + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/paks/samba/install.sh b/src/paks/samba/install.sh index 9c4f7f4787..b7a2fc1cc8 100644 --- a/src/paks/samba/install.sh +++ b/src/paks/samba/install.sh @@ -22,6 +22,14 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh + +# If the wbpriv group does not exist yet, then create it and put squid +# into it. +if ! getent group wbpriv >/dev/null; then + groupadd -g 88 wbpriv + usermod -a -G wbpriv squid +fi + extract_files restore_backup ${NAME} /usr/local/bin/sambactrl smbstart diff --git a/src/paks/samba/update.sh b/src/paks/samba/update.sh index 6f4cb60645..648b025b7e 100644 --- a/src/paks/samba/update.sh +++ b/src/paks/samba/update.sh @@ -23,6 +23,14 @@ # . /opt/pakfire/lib/functions.sh ./uninstall.sh + +# If the wbpriv group does not exist yet, then create it and put squid +# into it. +if ! getent group wbpriv >/dev/null; then + groupadd -g 88 wbpriv + usermod -a -G wbpriv squid +fi + extract_files restore_backup ${NAME} echo "passdb backend = smbpasswd" >> /var/ipfire/samba/smb.conf -- 2.39.2
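Review bot: `-mkdir -p 750 /var/lib/samba/winbindd_privileged` in the hunk at line 116 passes `750` as a second directory name rather than a mode, so `mkdir` creates a stray directory called `750` in the recipe's working directory and creates `winbindd_privileged` with the umask default (typically 0755), and the leading `-` hides any error. The `chgrp wbpriv` on the next line then yields a group-owned directory that is still readable by everyone, which undoes the point of restricting the privileged winbind pipe directory to the `wbpriv` group. Replace the two lines with `install -v -d -m 750 -g wbpriv /var/lib/samba/winbindd_privileged` (or `mkdir -p -m 750 $@-style path && chgrp wbpriv ...`) and drop the `-` so the build fails loudly if the `wbpriv` group from `config/etc/group` is missing. `$(TARGET)`'s recipe begins and ends outside this hunk.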
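Review bot: `groupadd -g 88 wbpriv` in the new block of `src/paks/samba/install.sh` fails on an installed system where GID 88 is already in use, and since its exit status is not checked the following `usermod -a -G wbpriv squid` also fails silently, leaving the package installed without the group that `var/lib/samba/winbindd_privileged` is expected to be owned by. Consider `groupadd -g 88 wbpriv || groupadd wbpriv` and a check that the group exists afterwards, e.g. `getent group wbpriv >/dev/null || exit 1`. The `usermod` is also inside the `if`, so a system that already has `wbpriv` without `squid` in it is never corrected; moving `usermod -a -G wbpriv squid` after the `fi` would make the membership idempotent. The identical block in `src/paks/samba/update.sh` has the same two issues.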