ADS and Linux applications
The following article is meant to help out people who want to run Linux applications behind a ADS system.
WTF is ADS ?
I don't have the patience to blabber about a propitiatory applications like ADS which belongs some macrohard company.But still for you rinfo you can have a look at the following link http://en.wikipedia.org/wiki/Active_Directory .It basically is an alternative to kerberos which also a network authentication tool.
What is the problem with using Linux & ADS ?
ADS being a propitiatory application does not allow a lot of applications in linux to get authenticated, like synaptic,opera,gaim,xmms,gaim,etc.
How to overcome the problem ?
An alternative is to install\run NTLM . Unpack and browse into the directory.There edit the server.cfg file as per your requirements.I'm putting up a sample , you can modify yours as per your requirements.
#========================================================================
[GENERAL]
LISTEN_PORT:5865 ##Leave this as it is else add whatever port u want.
# If you want APS to authenticate you at WWW servers using NTLM then just leave this
# value blank like PARENT_PROXY: and APS will connect to web servers directly.
# You can specify more than one proxy by leaving a space between each one, and
# APS will detect when one fails and automatically fail-over to the next. EG:
#PARENT_PROXY:first_proxy second_proxy third_proxy
# And NOTE that NTLM cannot pass through another proxy server.
PARENT_PROXY:proxyserver.com ##This is where you specify the proxy server
PARENT_PROXY_PORT:3128 ##Specify the proxy port
# APS will poll the upstream proxy and attempt to fail-over to a new one if it doesn't
# get a response within an appropriate time frame. The amount of time that it will
# wait for a response before attempting fail-over is specified, in seconds, below:
PARENT_PROXY_TIMEOUT:15
# Set to 1 if you want to grant this authorization service to clients from other computers.
# NOTE: all the users from other hosts that will be using you copy of APS for authentication
# will be using your credentials in NTLM auth at the remote host.
ALLOW_EXTERNAL_CLIENTS:0
# If you want to allow some other but not all computers to use your proxy for authorization,
# just set ALLOW_EXTERNAL_CLIENTS:0 and put friendly IP addresses here.
# Use space as a delimiter.
# NOTE that special addesses don't work here (192.168.3.0 for example).
FRIENDLY_IPS:
# Requested URLs are written to "url.log" file. May be useful.
URL_LOG:0
# When a network service listens for connections, there is a maximum number of connection
# attempts to that service that the underlying OS will allow to backlog waiting for a response
# before the OS will start dropping new connection attempts with 'Connection refused'. The
# standard method of determining the maximum number of backlogged connections is to use the
# SOMAXCONN constant, which is supposed to represent the maximum number that an OS will support
# (for example, 5 on Windows 2000 Pro, and 200 on Windows 2000 server). However, because this
# is a statically compiled value in a Python distribution, usually this instead represents the
# the most conservative value (5 on all Windows platforms, and 128 on the GNU/Linux variant I
# tried). So if you are running (for example) a massively threaded/parallel download manager,
# the default value of, say, 5, or whatever SOMAXCONN happens to be set to, may be too low and
# cause some connections to fail. The value below can be set to any integer (it seems that
# Python just silently caps values above the hard limit for the underlying platform), or it can
# be set to the special value of SOMAXCONN (i.e. MAX_CONNECTION_BACKLOG:SOMAXCONN), to use
# whatever this value happens to be set to in your Python build. Setting this higher than
# necessary may cause APS to consume more memory than you needed to.
MAX_CONNECTION_BACKLOG:5
#========================================================================
[CLIENT_HEADER]
# This section describes what and how the server should change in the clients headers.
# Made in order to prevent parent proxy from seeing that you are using wget instead of IE5.5
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, text/html, application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*; q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT5)
Accept-Encoding: gzip, deflate
Keep-Alive: 300
Proxy-Connection: keep-alive ##Few lines are missing from the default one in order to make apt or synaptic work you need to add the xml phrase also
# You can uncomment these chages in client's header to mimic IE5+ better, but in this case
# you may expirience problems with *.html if your client does not really handle compression.
#Accept-Encoding: gzip, deflate
#========================================================================
[NTLM_AUTH]
# Optional value, if leaved blank then APS will use gethostname() to determine
# host's name.
# NOTE1: If you Linux host name differs from Windows host name then it may be that
# MS server wont recognize you host at all and wont grant you access
# to resources requested. Then you have to use this option and APS will use
# this name in NTLM negotiations.
# NOTE2: There are several reports that you can successfully use "foreign" host name
# here. Say, if user may access a resource from 'host1' and may not from 'host2'
# then there is a chance that APS running on 'host2' with NT_HOSTNAME:host1 will
# be able to be granted access to the restricted resource. However use this on
# you own risk as such a trick may be considered as a hack or something.
NT_HOSTNAME:abracadabra ##Put your linux comps hostname here
# Windows Domain.
# NOTE: it is not full qualified internet domain, but windows network domain.
NT_DOMAIN:domain.com ##Put the domain name here eg. people in IIT-M campus can use iitm.ac.in as domain name else you can leave it blank
# What user's name to use during authorization. It may differ form real current username.
# If you enable NTLM_TO_BASIC, below, you can either leave this blank or simply
# hash it out.
USER:username ## Your ADS username
# Password. Just leave it blank here and server will request it at the start time,
# or, if you enable NTLM_TO_BASIC, below, you can either leave this blank or simply
# hash it out, and you *won't* be prompted for a password at start time.
PASSWORD:passwd ## Your ADS password
# These two options replace old FULL_NTLM option.
# NTLM authentication consists virtually of two parts: LM and NT. Windows95/98 use
# only LM part, WindowsNT/2000 can use NT and LM or just NT part.
# Almost always using just LM part will be enough. I had several reports
# about LM and NT requirement and no about just NT.
# So try to setup 1, 1 only if you have enough reasons to do so and when you understand
# what you are doing.
# 0, 0 is an illegal combination
# NOTE: if you change these options then you have to setup flag option accordingly.
LM_PART:1
NT_PART:0
# Highly experimental option. See research.txt for details.
# LM - 06820000
# NT - 05820000
# LM + NT - 07820000
NTLM_FLAGS: 06820000
# This option makes APS try to translate NTLM authentication to very usual "Basic"
# scheme. Almost all http clients know it. With this option set to 1 user will be requested
# by his browser to enter his credentials and these username and password will be used by
# APS for NTLM authentication at MS Proxy server or Web server.
# In such a case different users can use one runnig APS with their own credentials.
# NOTE1: currently translation works so it allows only one try for entering
# username/password. If you make a mistake you will have to restart you browser.
# NOTE2: With debug:1 basic username/password will be written in log file in clear
# text format. I could try hide it, but the basic scheme is so weak that anybody
# who had access to APS would be able to get it.
NTLM_TO_BASIC:0
#========================================================================
[DEBUG]
# Set this to 1 if you want to see debug info in many log files. One per connection.
DEBUG:0
# Set this to 1 to get even more debug info.
BIN_DEBUG:0
# Set this to 1 to see some strange activity on screen. Actually you won't want it.
SCR_DEBUG:0
# Not actually a debug option but gives you some details on authentication process
# into *.auth logs. Also see research.txt.
AUTH_DEBUG:0
Once You are done with the configuration all you need to do is typepython path/to/main.py
After that you can use localhost as the proxy server and 5865 as your port for the various linux applications.
