CNTLM is awesome for enabling the use of Linux in a Microsoft dominated workplace. In particular getting onto the Internet when you need to authenticate with Microsoft Domain credentials.
CNTLM runs on your Linux system as a small proxy server. It received requests for connections to web based services and adds the necessary Microsoft authentication Meta-data to the outgoing packets before forwarding them on to the upstream "corporate" proxy servers.
For this CNTLM stores your credentials in a text file, usually /etc/cntlm.conf ... This file is checked on start-up.
When your Domain password changes, you need to "inform" CNTLM of the new password to use to get past the corporate proxy system. This is done by updating the cntlm.conf file and restarting the CNTLM service.
I recommend that, because MS domain and authentication data often "takes a while to propagate to all services", that the following overall process be followed.
- Prevent any programs/devices from using old passwords (otherwise these may get you locked out of the network)
- Change your Domain password. Write it down (In a safe place)
- Go have a cup of coffee or do whatever you like, give the network "a while" (20 minutes) to propagate your new password.
- Log off and back on, access the Internet via MS Internet Explorer, access your web-based exchange, etc... what ever you find convenient to make sure that your password is updated throughout the network.
- Follow the steps below to update your CNTLM password.
- Re-enable programs and devices with your updated password. This may include your Exchange account on your smart phone, proxy settings in your Linux package manager etc.
The CNTLM configuration file stores the following authentication details:
- MS domain Name
- MS domain user name
- MS domain authentication type (Usually NTLMv2)
- MS domain user password or a Hashed version of the password
It is recommended to use a hashed version of the password (in stead of the actual password) in the configuration file. CNTLM includes a way of generating the updated hash so that you do not need to store the password in plain text, which adds a layer of security to the system, eg besides the fact that the file is readable only by the superuser.
Start by preventing any applications from using the proxy - I use ProxyManager to disable the Proxy settings everywhere, ensuring that nothing will try to connect while the update is in progress.
johan@Komputer:~$ p-off Disabling for KDE global Disabling for S3cmd Disabling for Dropbox Disabling for VirtualBox Disabling for Git global Disabling for Wine IE Disabling for Curl Disabling for wget Disabling for APT Disabling for Root Bash Disabling proxy for Root Curl |
CNTLM must run when you update the password - start it if it is not.
johan@Komputer:~$ ps -ef|grep cntlm cntlm 2102 1 0 Jan04 ? 00:00:05 /usr/sbin/cntlm -U cntlm -P /var/run/cntlm/cntlm.pid johan 31452 30162 0 10:02 pts/2 00:00:00 grep --color=auto cntlm |
You need to "be root" to update the CNTLM configuration
johan@Komputer:~$ sudo -s root@Komputer:~# cntlm -IM http://test.com Password: Config profile 1/4... OK (HTTP code: 302) ----------------------------[ Profile 0 ]------ Auth NTLMv2 PassNTLMv2 FEDCBA9876543210CC747CDB22103C1D ------------------------------------------------ |
What happens is that CNTLM Prompts for a new password, and uses the Domain and User details from the config file to connect to the test URL provided. It tries all the known methods of authentication, and when a working method is found it displays the hash and method of authenticating.
Use a text editor to update the configuration file using the displayed details. Save the file and then restart CNTLM to get it to read the updated hash from the configuration file.
root@Komputer:~# /etc/init.d/cntlm restart Stopping CNTLM Authentication Proxy: cntlm. Starting CNTLM Authentication Proxy: cntlm. root@Komputer:~# exit |
Finally re-enable the Proxy in all applications.
johan@Komputer:~$ p-on Enabling for APT Enabling for Root Bash Enabling for Root Curl (eg for Yast) Enabling for KDE global Enabling for wget Enabling for Curl Enabling for S3cmd Enabling for VirtualBox Enabling for Git global Enabling for Wine IE Enabling for Dropbox |
Now if only there were a way to change the password for CNTLM, Contacts sync on my Android phone, Calendar Sync on my Tablet, MS Linc client on my phone, AND on the Microsoft domain, all at once.
Posts
