Find out how to authenticate your Linux servers and desktops against an MS NTLM proxy server.
If you happen to work in a corporation that uses a Microsoft NTLM Proxy Server, and you also want to use Linux, you might find yourself unable to connect. Why? Because, out of the box, Linux doesn't have the means to connect with the NTLM protocol. Fortunately, there's an easy way to get around that.
With the help of CNTLM, your Linux machine (be it a server or a desktop) can make the connection to the MS Proxy Server. The installation and configuration of CNTLM is actually quite simple.
Let's make it happen.
What you need
The only things you need are a Linux machine (I'll demonstrate on Ubuntu Server 18.04), a user account with sudo privileges, and a Windows user account that can authenticate against the proxy server.
With all of those things in place, it's time to work.
Before you install CNTLM, it's best to update and upgrade your machine. Know that, should the kernel be upgraded, you'll probably have to reboot. Because of this, run the update/upgrade process at a time when a reboot is feasible. To update and upgrade, open a terminal window and issue the following commands:
sudo apt-get update
sudo apt-get upgrade -y
Once the upgrade is complete, reboot (if necessary) and install CNTLM, with the command:
sudo apt-get install cntlm -y
Before you open the configuration file, it's best to hash your user password (for security reasons), instead of typing your password and saving it to the file directly. To do this, issue the command:
sudo cntlm -H -d DOMAIN -u USER
Where DOMAIN is the domain to be used and USER is the Windows user.
The above command will output the hashed passwords for PassLM, PassNT, and PassNTLMv2 (Figure A).
Copy these hashed passwords (you'll use one of them in the configuration file).
The configuration of CNTLM is done within a single file. Issue the command:
sudo nano /etc/cntlm.conf
Within that file, you'll find four lines that need to be configured:
Username MS_USERNAME
Domain DOMAIN
Proxy IP:PORT
Password PASSWORD
- MS_USERNAME is your actual Windows user name.
- DOMAIN is your Windows domain.
- IP is the IP address of the MS proxy server you want to connect to.
- PORT is the port used by the MS proxy server (most likely 8080).
- PASSWORD is the hashed password you created for your Windows user.
If you have more than one proxy server on your network, you can define each with the Proxy entry (one per line) like so:
Proxy 192.168.1.10:8080
Proxy 192.168.1.11:8080
Once you've finished your configurations, save and close the file.
Restart CNTLM with the command:
sudo systemctl restart cntlm
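The following script is an added example, not part of the original article or of CNTLM: it audits a cntlm.conf for the credential-handling points above. cntlm reads a plaintext password from the Password key and hashes from the PassLM, PassNT and PassNTLMv2 keys, so the script flags an active Password line, a missing hash line, a file readable by group or others, and Gateway yes (which opens the local proxy to other hosts). The function name, sample user, domain and hash value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a cntlm.conf for credential-handling mistakes.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_cntlm_conf() {
    conf=$1
    findings=0
    # Directives are "Key value"; lines starting with # are comments.
    if grep -Eq '^[[:space:]]*Password[[:space:]]' "$conf"; then
        echo "PLAINTEXT: active Password line; store a PassNTLMv2/PassNT/PassLM hash instead"
        findings=1
    fi
    if ! grep -Eq '^[[:space:]]*Pass(LM|NT|NTLMv2)[[:space:]]+[0-9A-Fa-f]{32}' "$conf"; then
        echo "NOHASH: no PassLM, PassNT or PassNTLMv2 hash line found"
        findings=1
    fi
    # NTLM hashes are password-equivalent, so only the owner should read them.
    case $(ls -ld -- "$conf" | cut -c1-10) in
        ????r?????|???????r??)
            echo "PERMS: file is readable by group or others"
            findings=1 ;;
    esac
    if grep -Eiq '^[[:space:]]*Gateway[[:space:]]+yes' "$conf"; then
        echo "GATEWAY: proxy accepts connections from other hosts"
        findings=1
    fi
    return "$findings"
}

# Constructed sample configs (placeholder values, not real credentials).
demo_dir=$(mktemp -d)
printf 'Username jdoe\nDomain EXAMPLE\nProxy 192.168.1.10:8080\nPassword hunter2\n' \
    > "$demo_dir/weak.conf"
chmod 644 "$demo_dir/weak.conf"
printf 'Username jdoe\nDomain EXAMPLE\nProxy 192.168.1.10:8080\nPassNTLMv2 %s\n' \
    0123456789ABCDEF0123456789ABCDEF > "$demo_dir/hardened.conf"
chmod 600 "$demo_dir/hardened.conf"
for f in weak hardened; do
    echo "== $f.conf"
    audit_cntlm_conf "$demo_dir/$f.conf" || true
done
```

On a real machine, call the function as root against /etc/cntlm.conf after editing it, for example from a script that sources this file.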
At this point, your machine is now capable of connecting to the MS NTLM proxy server. You will then need to configure apps or services to connect using the proxy. If you don't want to configure the apps, one at a time, you can try this.
Issue the command:
Paste the following to the bottom of that file:
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
export ftp_proxy=http://127.0.0.1:3128
Save and close that file. Finally, issue the command:
That's it. So long as your MS proxy server is configured properly, and you've used the correct addresses and credentials, all should now be working.
Congratulations, you finally have that Linux machine connecting to your MS NTLM proxy server. You can now get back to work.