Reverse Proxy with NTLM authentication in Linux

The other day I got a fun project at work: We need to have several users authenticate to a site using the same SSL certificate, but with logs showing which users were connected at any time.

The basic premise is simple: A reverse proxy server takes calls to a specific address and sends them on to the actual service provider, along with the proper certificate, while logging the user ID of the user making the request.

This looked like a good opportunity to introduce Linux into our environment, so that’s what I did.

The machine

The task isn’t very machine intensive – I predict at most a couple of users at any given time. Only in-house users means there’s no need to put the machine in a DMZ or similar, and it also means I can talk about it in general terms on the web.

I chose to go with CentOS 5.x for this machine, since it’s RedHat compatible (easy to jump right in for external consultants if the need should arise) and since it’s the latest version of the distribution that our current hypervisor explicitly supports.

For the proxy server, I went with Squid. It’s lightweight and seems robust enough.

For logging of user activity, we need to know the IDs of users accessing the solution, and we need to validate them against a white-list. I wanted the validation process to be transparent to the users, which requires NTLM authentication against our AD. A regular LDAP authentication with a password prompt in the browser would have been my fallback solution if I hadn’t managed to get NTLM working.

NTLM Authentication

One thing I stumbled upon right away was that the Samba version in CentOS 5 doesn’t talk properly to Windows 2008 domain controllers. Since I wanted an RPM build for simplicity’s sake, I tried Sernet-Samba available through EnterpriseSamba.org, and installed samba, samba-client, samba-utils, samba-winbind and samba-doc for my selected version, platform and distribution.

The next problem I stumbled into was winbindd and nmbd not starting properly. It would work just fine if started from /usr/sbin but crash horribly when started from /etc/init.d.

#/etc/init.d/smb status
smbd (pid 15393 15385) is running...
nmbd is stopped
#/etc/init.d/winbind status
winbindd dead but subsys locked
#tail -4 /var/log/log.nmbd
[2012/01/11 15:33:07, 0] lib/util_sock.c:1366(create_pipe_sock)
bind failed on pipe socket /var/lib/samba/nmbd/unexpected: Permission denied
[2012/01/11 15:33:07, 0] nmbd/nmbd_packets.c:48(nmbd_init_packet_server)
ERROR: nb_packet_server_create failed: NT_STATUS_ACCESS_DENIED

After some forum browsing, I tried switching SELinux into permissive mode. This worked, and since this machine is running locally only, it’s an acceptable workaround for the moment.

Finishing up

The default config file for Squid is ginormous since it also includes all documentation. I ended up slashing it down to the bare essentials needed for the reverse proxy and the SSL definitions. I pulled my hair for a while over getting AD group membership to count in the config file, though. For some reason, I got NT_STATUS_OK: Success (0x0) as the answer when I executed ntlm_auth --require-group-membership-of from a command line – the same as for a correct logon – even for users that aren’t members of the group, while from within Squid, I just got an endless row of password prompts until I clicked cancel. The symptoms were identical whether or not I specified the domain name, and whether I used the group name in human-readable format or specified its SID.
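As an added example (not the post’s own squid.conf), here is a minimal Squid 2.x/3.x fragment covering the pieces described above: accept in-house requests, forward them to the backend with the shared client certificate, require NTLM authentication through ntlm_auth restricted to one AD group, and keep the authenticated user name in the access log. Host names, file paths, the port and the group name are placeholders. Note that the ntlm_auth option is spelled --require-membership-of; the group can be given as DOMAIN\name or as its SID.

```conf
# Added example, not the original post's configuration. All names are placeholders.

# Accept requests for the internal site name and act as an accelerator (reverse proxy).
http_port 8080 accel defaultsite=app.example.internal

# The real service provider. Squid presents the shared client certificate to it over SSL.
cache_peer backend.example.com parent 443 0 no-query originserver ssl sslcert=/etc/squid/shared-client.pem sslkey=/etc/squid/shared-client.key sslcafile=/etc/squid/backend-ca.pem name=backend

# Transparent NTLM authentication against AD via winbind's ntlm_auth.
# The helper only answers OK for members of the named group, which is the white-list.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE\ProxyUsers
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Only authenticated (and therefore group-approved) users may reach the site; everything else is denied.
acl app_site dstdomain app.example.internal
acl ntlm_users proxy_auth REQUIRED
http_access allow app_site ntlm_users
http_access deny all

# Never fetch directly; everything goes through the backend peer with the certificate.
cache_peer_access backend allow app_site
cache_peer_access backend deny all
never_direct allow all

# Squid's native log format puts the authenticated user name in the 8th field.
access_log /var/log/squid/access.log squid
```

A practical check before blaming the config: the ntlm_auth helper runs as the squid user and needs read access to winbind’s privileged pipe directory (/var/lib/samba/winbindd_privileged), so that user must be in the group owning that directory; if it isn’t, ntlm_auth works from a root shell but fails from within Squid.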

After both googling and trying to get some tips via various IRC channels, I finally decided to just remove the Linux server’s AD object and re-register it. Something in this process fixed the problem. The last AD-related thing I did was to set up a cron job to reset the machine password once a day. Since then I haven’t had any problems with this server.

I also finally got some hands-on experience with shell scripting. When I only used Linux for fun, I never had any use for anything more advanced than regular config file tweaking. This server’s requirement to keep data for several years gave me a reason to actually look at Bash and have a few hours of fun with it, also learning a couple of things about both Squid and grep that I hadn’t thought of earlier.
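The log questions this server exists to answer (who used the shared certificate, when, and from where) can be pulled straight out of Squid’s native access.log with awk, sort and grep. The script below is an added example, not the post’s own script; the five log lines it works on are constructed and only mimic the native format, and the user names, addresses and URLs are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): extract "who was connected when"
# from Squid's native access.log. Field layout of that format:
#   1 timestamp  2 elapsed ms  3 client IP  4 code/status  5 bytes
#   6 method     7 URL         8 user ("-" if unauthenticated)  9 hierarchy  10 type
# Field 8 is what the NTLM helper returned, so it is the audit trail for the shared certificate.

# Constructed sample log, written to a temp file so the functions run offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/squid_sample_access.log"
cat > "$SAMPLE_LOG" <<'EOF'
1326295987.123    245 10.0.0.11 TCP_MISS/200 5123 GET https://app.example.internal/app/ jdoe FIRST_UP_PARENT/backend text/html
1326295992.004     31 10.0.0.11 TCP_MISS/200 812 GET https://app.example.internal/app/style.css jdoe FIRST_UP_PARENT/backend text/css
1326296100.550    402 10.0.0.25 TCP_MISS/200 7710 GET https://app.example.internal/app/report jdoe FIRST_UP_PARENT/backend text/html
1326296210.009      5 10.0.0.40 TCP_DENIED/407 1923 GET https://app.example.internal/app/ - NONE/- text/html
1326296215.330    220 10.0.0.40 TCP_MISS/200 5123 GET https://app.example.internal/app/ asmith FIRST_UP_PARENT/backend text/html
EOF

# log_users FILE: every authenticated user with a request count, busiest first.
log_users() {
    awk '$8 != "-" { n[$8]++ } END { for (u in n) printf "%d %s\n", n[u], u }' "$1" | sort -rn
}

# count_requests FILE USER: number of requests made as USER (0 if none).
count_requests() {
    awk -v u="$2" 'BEGIN { c = 0 } $8 == u { c++ } END { print c }' "$1"
}

# user_span FILE USER: first and last timestamp seen for USER, empty if never seen.
user_span() {
    awk -v u="$2" '$8 == u { if (first == "" || $1 + 0 < first + 0) first = $1
                             if ($1 + 0 > last + 0) last = $1 }
                   END { if (first != "") printf "%s %s\n", first, last }' "$1"
}

# user_clients FILE USER: distinct client addresses USER connected from.
user_clients() {
    awk -v u="$2" '$8 == u { print $3 }' "$1" | sort -u
}

# unauthenticated_hits FILE: requests per client that were challenged or denied
# before a user name was known. A long run of these from one address is what the
# "endless row of password prompts" from the post looks like in the log.
unauthenticated_hits() {
    awk '$8 == "-" { n[$3]++ } END { for (a in n) printf "%d %s\n", n[a], a }' "$1" | sort -rn
}

# Demo run when executed directly.
echo "== requests per user =="; log_users "$SAMPLE_LOG"
echo "== jdoe: $(count_requests "$SAMPLE_LOG" jdoe) requests, span $(user_span "$SAMPLE_LOG" jdoe)"
echo "== jdoe connected from =="; user_clients "$SAMPLE_LOG" jdoe
echo "== unauthenticated hits per client =="; unauthenticated_hits "$SAMPLE_LOG"
```

The functions deliberately key on the field position rather than grepping for the user name anywhere in the line, since a user name can also appear inside a URL; point them at the rotated, gzip-extracted logs and the same commands serve the multi-year retention requirement.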

Running Tomb Raider 1 on modern hardware

The original

I found this old CD with Tomb Raider on it – you know, the old 3D puzzle/maze/action game from 1996 or something?

I don’t know how many hours I spent on it, and when I bought myself a 3Dfx Voodoo graphics accelerator, there was actually a patch to make this game use that lovely piece of hardware for real 640×480 action. Back then, it was so cool, I really don’t know what to compare it to.

But I digress. Okay, so I found this CD. Now what? I googled around a bit and found Tomb Raider Chronicles, who seem to have dedicated a lot of time to getting these old games running on modern hardware. Unfortunately, they hadn’t done anything with TR1 since about 2007, so I was afraid things wouldn’t work flawlessly anyway. And sure enough, their Advanced Installer software did its magic, but unfortunately the magic fizzled in the end. The game got installed, it seemed to start, but crashed right back to the desktop.

Now, I was determined to get things going, though, so I spent some more time with google and found a howto, using another piece of code on Tomb Raider Forums. It’s meant to solve the problem in Vista, but obviously it works just as well for XP SP3.

User Gidierre pointed me in the right direction, to use SSDH in place of MSCDEX – actually I don’t even know if that’s required, yet it seems to need to be done this way to work. However, user Chug a Bug gave me the required tips that made the game start:

1) Download and install VDMsound 2.10. Reboot.

2) Download and install the Advanced TR Installer (TR1setup.exe). Choose dgVoodoo 1.40 as the version. Do not choose the option to create a desktop shortcut.

3) Download ssdh.zip. Unzip the files.

4) Drag and drop ssdh.exe to C:\Tombraid and ssdh.dll to C:\windows\system32

5) Drag and drop glide2x.dll from C:\Tombraid to C:\windows\system32

6) Copy (not move) vddloader.dll from c:\program files\vdmsound to c:\windows\system32 (so there’s a copy in both folders)

7) Open dgVoodooSetup if you haven’t opened it already (C:\tombraid\dgVoodooSetup > click it) – on the right hand side click the “search” button – point it towards c:\windows\system32\glide2x.dll. Buttons are now no longer greyed out? Good, you’ve found it. Click the “DOS” platform > click the “VESA” tab > tick “Use built in VESA support”. Click “ok”.

8) Make a batch file in the folder C:\Tombraid with the following four lines:

dosdrv
dgvesa
ssdh
tomb

And I can tell you that the game has aged. No doubt about that. But still: I’m actually re-living Tomb Raider 1 in a full 1920×1080 resolution in 2010. That’s pretty amazing if you ask me.

Respect to all the guys who were involved in making this possible!

Fixing a BMW E39 lazy eye

My mid-nineties BMW 525 TDS is a lovely car, but it came with a classic E39 problem: The left headlight reflector was loose, pointed downwards and rattled when I bought it. I googled around to check the procedure and found a couple of good descriptions of the work needed, but I’d like to add to them, since they made it unnecessarily complicated.

Parts needed

Flimsy plasticky things that tend to break

Adjustment screws (set of two): BMW Part Number 63120027924

Tools

  • 8 mm hex head bit
  • Torx T15 bit
  • 8 mm Allen tool
  • Flat-head screwdriver (a couple of sizes might be good)
  • Possibly a pair of long pliers

Step-by-step How-To

  • Loosen cables to lightbulbs and height adjustment servo. You might just choose to remove the light bulbs already and leave them hanging in the cables, since that has to be done anyway.
  • Remove the four 8 mm hex head bolts holding the headlight in place and remove headlight gently, starting from the grille.
  • Place headlight on soft working area (I used a towel on a table) and remove the light bulbs if you didn’t already.
  • Remove the high and low beam brackets and the bellows around them (they use three T15 screws each).
  • With a flat head screwdriver, remove the plastic panel below the protective glass pane, and then continue to pry open each of the clips holding the back end of the headlight mount to the front end. On the side towards the turn indicator, there’s a slightly larger plastic clip. You don’t have to touch the turn indicator part at all for this operation, so just leave it closed.
  • Remove the back end. One or both of the adjustment screws in the upper part of the reflector housing will be broken. If it’s both, you just saved yourself some work, otherwise you have to pop the reflector off the ball on the end of the remaining screw. Remember: The screws are cheap. The receiving end on the reflector isn’t – you’ll probably have to buy a new reflector if you break this part…
  • Tilt the reflector forward and pull it upwards. It will slide off the nylon part on the lower (adjustment servo) screw. Other descriptions indicate a need to pull the reflector off the ball end here, but that’s just a useless step that actually might break an important part of the reflector, so just do it the easy way. On Xenon-equipped headlights, you do need to pop the reflector off the adjustment servo screw – there’s no room to slide it off.
  • If possible, loosen the adjustment screws. Use an Allen tool and use the adjustment points at the back of the housing. These screws are threaded the “wrong” way around, so turn them clockwise to loosen the screws inside. If the screws are broken, just use pliers to gently pull them out, and make sure no plastic splinters are left behind. Oh, and count the number of turns. It makes life a lot easier later on…

    (Photo: No threads. No problem.)
  • You’ll need to thread the new adjustment screws, so put some soap or other lube on the hole and start screwing counter-clockwise. If you found this the least bit dirty, go wash your mouth with soap and water. Just tighten it the same amount of turns as you had to loosen each screw earlier. I’d say around 30 rotations for each screw is a good number to start with if you forgot to count earlier.
  • Slide the reflector back down onto the nylon washer and snap it into place on the ball-ends of the adjustment screws.
  • Put everything back together in the same way as it was dismantled. The plastic panel under the headlight glass has a small hook on the outer end. Make sure it snaps into place in the side panel of the car.
  • Take care when changing light bulbs from now on – the plastic in the adjustment screws gets extremely brittle with the constant changes in temperature that it has to endure.