How to configure Linux to use NTLM using CNTLM

Find out how to authenticate your Linux servers and desktops against an MS NTLM proxy server.

[Image: Jack Wallen]

If you happen to work in a corporation that uses a Microsoft NTLM Proxy Server, and you also want to use Linux, you might find yourself unable to connect. Why? Because, out of the box, Linux doesn't have the means to connect with the NTLM protocol. Fortunately, there's an easy way to get around that.

With the help of CNTLM, your Linux machine (be it a server or a desktop) can make the connection to the MS Proxy Server. The installation and configuration of CNTLM is actually quite simple.


Let's make it happen.

What you need

The only things you need are a Linux machine (I'll demonstrate on Ubuntu Server 18.04), a user account with sudo privileges, and a Windows user account that can authenticate against the proxy server.

With all of those things in place, it's time to work.

Installing CNTLM

Before you install CNTLM, it's best to update and upgrade your machine. Know that, should the kernel be upgraded, you'll probably have to reboot. Because of this, run the update/upgrade process at a time when a reboot is feasible. To update and upgrade, open a terminal window and issue the following commands:

sudo apt-get update
sudo apt-get upgrade -y

Once the upgrade is complete, reboot (if necessary) and install CNTLM, with the command:

sudo apt-get install cntlm -y

Configuring CNTLM

Before you open the configuration file, it's best to hash your user password (for security reasons), instead of typing your password and saving it to the file directly. To do this, issue the command:

sudo cntlm -H -d DOMAIN -u USER

Where DOMAIN is the domain to be used and USER is the Windows user.

The above command will output the hashed passwords for PassLM, PassNT, and PassNTLMv2 (Figure A).

Figure A: Our hashed passwords.

Copy these hashed passwords (you'll use one of them in the configuration file).

The configuration of CNTLM is done within a single file. Issue the command:

sudo nano /etc/cntlm.conf

Within that file, you'll find four lines that need to be configured:

Username MS_USERNAME
Domain DOMAIN
Proxy IP:PORT
PassNTLMv2 HASH

Where:

  • MS_USERNAME is your actual Windows user name.
  • DOMAIN is your Windows domain.
  • IP is the IP address of the MS proxy server you want to connect to.
  • PORT is the port used by the MS proxy server (most likely 8080).
  • HASH is the hashed password you created for your Windows user. Paste it under the same key name that cntlm -H printed it with (PassLM, PassNT, or PassNTLMv2) and set Auth to the matching dialect (Auth NTLMv2 for the PassNTLMv2 hash). The Password key is only for a plaintext password, so leave that line commented out when you use a hash. Keep in mind that the NT hash is still enough to authenticate as you, so the file must stay readable only by root.

If you have more than one proxy server on your network, you can define each with the Proxy entry (one per line) like so:

Proxy 192.168.1.10:8080
Proxy 192.168.1.11:8080

Once you've finished your configurations, save and close the file.

Restart CNTLM with the command:

sudo systemctl restart cntlm

At this point, your machine is now capable of connecting to the MS NTLM proxy server. You will then need to configure apps or services to connect using the proxy. If you don't want to configure the apps one at a time, you can try this.

Issue the command:

nano ~/.bashrc

Paste the following to the bottom of that file:

export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
export ftp_proxy=http://127.0.0.1:3128

Save and close that file. Finally, issue the command:

. ~/.bashrc
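As an added example (not the article's or the CNTLM project's own code), here is the whole procedure above as one script: it renders the configuration file, checks it for the mistakes that most often break the setup (a plaintext Password key, a missing Proxy entry, a hash file readable by other users), emits the ~/.bashrc proxy lines with the plain http:// scheme that the cntlm listener expects, and offers a curl check for the local listener. The script name, the example.com test URL, and every user, domain, hash and proxy value are assumptions supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code: render the /etc/cntlm.conf the
# steps above describe, lint it, and emit the ~/.bashrc proxy lines.
# All user, domain, hash and proxy values are placeholders from the caller.
set -eu

# render_cntlm_conf USER DOMAIN HASH PROXY:PORT... > file
# Writes the hashed credential (the PassNTLMv2 line that `cntlm -H` prints)
# with the matching Auth dialect; it never writes a plaintext Password line.
render_cntlm_conf() {
  local user=$1 domain=$2 hash=$3 p
  shift 3
  printf 'Username\t%s\n' "$user"
  printf 'Domain\t\t%s\n' "$domain"
  printf 'Auth\t\tNTLMv2\n'
  printf 'PassNTLMv2\t%s\n' "$hash"
  for p in "$@"; do                       # one Proxy line per upstream MS proxy
    printf 'Proxy\t\t%s\n' "$p"
  done
  printf 'NoProxy\t\tlocalhost, 127.0.0.*, 10.*, 192.168.*\n'
  printf 'Listen\t\t127.0.0.1:3128\n'     # loopback only: nothing on the LAN relays through your credential
}

# lint_cntlm_conf FILE: report problems on stderr; returns 1 if any were found.
lint_cntlm_conf() {
  local f=$1 rc=0
  # A plaintext Password key means the hashing step was skipped, or the hash
  # was pasted under the wrong key (cntlm would send it as the literal password).
  if grep -Eq '^[[:space:]]*Password[[:space:]]' "$f"; then
    echo "$f: plaintext Password key set; use the PassNT/PassNTLMv2 line from cntlm -H" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*Pass(LM|NT|NTLMv2)[[:space:]]+[0-9A-Fa-f]+' "$f"; then
    echo "$f: no hashed credential (PassLM/PassNT/PassNTLMv2) found" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*Proxy[[:space:]]+[^[:space:]]+:[0-9]+' "$f"; then
    echo "$f: no Proxy host:port entry" >&2; rc=1
  fi
  # The NT hash is enough to authenticate as the user, so the file is a secret:
  # columns 5-10 of `ls -l` are the group/other permission bits.
  case "$(ls -l "$f" | cut -c5-10)" in
    ------) ;;
    *) echo "$f: readable by group/other; chmod 600 it" >&2; rc=1 ;;
  esac
  return $rc
}

# render_proxy_env [PORT]: the lines to append to ~/.bashrc. cntlm is a plain
# HTTP listener, so https_proxy also uses the http:// scheme; the TLS session
# is tunnelled through it with CONNECT.
render_proxy_env() {
  local port=${1:-3128} v
  for v in http_proxy https_proxy ftp_proxy; do
    printf 'export %s=http://127.0.0.1:%s\n' "$v" "$port"
  done
  printf 'export no_proxy=localhost,127.0.0.1\n'
}

# check_listener [PROXY_URL]: after `sudo systemctl restart cntlm`, confirm the
# local listener relays a request; prints the HTTP status code it got back.
check_listener() {
  curl -sS -o /dev/null -w '%{http_code}\n' -x "${1:-http://127.0.0.1:3128}" http://example.com/
}

# Usage (hypothetical file name cntlm-setup.sh):
#   ./cntlm-setup.sh jdoe CORP <hash-from-cntlm-H> 192.168.1.10:8080 192.168.1.11:8080 > cntlm.conf
#   ./cntlm-setup.sh --lint cntlm.conf && sudo install -m 600 cntlm.conf /etc/cntlm.conf
#   ./cntlm-setup.sh --env >> ~/.bashrc
case "${1:-}" in
  --lint) lint_cntlm_conf "$2" ;;
  --env)  render_proxy_env "${2:-3128}" ;;
  "")     ;;                              # no arguments: only define the functions
  *)      render_cntlm_conf "$@" ;;
esac
```

The lint step is the part worth keeping around: it catches the two configuration slips that produce a silently non-working proxy (hash under the wrong key, or no upstream Proxy line) and the one that turns the hash file into a credential leak (world-readable cntlm.conf), before the service is restarted.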

That's it. So long as your MS proxy server is configured properly, and you've used the correct addresses and credentials, all should now be working.

Congratulations, you finally have that Linux machine connecting to your MS NTLM proxy server. You can now get back to work.
