The basic setup
This article is based around a typical workplace or school network of the kind you’ll find almost anywhere: a proxy server is wedged between users and the internet, and the servers run Windows throughout, which means Windows-based NTLM authentication. With Linux servers, and even Linux desktops, increasingly being deployed into such networks, the problems caused by these proxy servers may not become a non-issue any time soon.
Outgoing connections are blocked on all ports but 80 and 443 (the defaults for HTTP and HTTPS) to ‘help’ security, which creates a problem for anyone using services such as games, chat and peer-to-peer sharing.
How it all works
Any packet sent from a computer towards an external host reaches the proxy server first, which checks whether you are authenticated by passing your login information on to the authentication server. Authentication using the ‘basic’ method is rare nowadays; NTLMv2 is widespread on large internal domain networks. If the user is authenticated (and hence allowed to use the internet) and the port is allowed, the packet is passed on to the target host.
When a computer makes an HTTP request using Firefox, for example, everything works as expected: Firefox ‘understands’ the NTLMv2 protocol, and the request returns successfully. However, most other programs, especially command-line tools that are not integrated with Gnome, generally only support basic authentication, and things go haywire.
A proxy server for a proxy server
The solution to this authentication problem is NTLMaps, a proxy server that is installed locally on the computer. It handles the NTLMv2 protocol smoothly on behalf of programs that can’t. Once it’s installed, you point programs at this local proxy (without needing to supply any authentication); packets pass through it and are then forwarded to the ‘real’ proxy server, with authentication added. NTLMaps was originally written to let wget make requests on a problematic network like this, and it works very well.
NTLMaps is available in the Ubuntu repository:
apt-get install ntlmaps
Debconf will then ask you for some information for NTLMaps. For the port number, enter any port that isn’t already listened on by another daemon on your computer; 8080, 5865 or even 12345 work just fine. After this, enter the ‘real’ proxy server that NTLMaps will connect to, for example ‘proxy’ or ‘10.148.88.13’. Do not enter the ‘real’ proxy’s port number here.
In the next step, you can provide the port number that the ‘real’ proxy listens on. This is usually port 8080, which is the default. In the following steps, enter the domain name, user name and password that you wish NTLMaps to authenticate with. If you have Windows computers on the domain, you can see the domain name in the dropdown on the login dialog (e.g. ‘CURRIC4126’).
If you wish to configure NTLMaps again to add or change these settings, you can either edit the NTLMaps configuration file or use Debconf to do this process again:
nano /etc/ntlmaps/server.cfg; service ntlmaps restart
Now that NTLMaps is installed and running, you may point your programs at the local proxy server. The Gnome ‘Network proxy’ window has a bug in which the authentication user name and password do not carry through to the environment variables when set.
Having NTLMaps brings the added bonus of avoiding this problem, as no ‘client-side’ authentication information needs to be entered.
Downloading packages through a proxy server
After pointing programs at the NTLMaps proxy server using the Gnome ‘Network proxy’ dialog (gnome-network-properties), the proxy environment variables (HTTP_PROXY, http_proxy, etc.) should be set to something like http://localhost:12345/. Make this setting system-wide (click “Apply System-Wide…”) so that these environment variables are also set when you are logged in as root.
You should now be able to download, install or upgrade packages using Synaptic, apt-get or any other package management suite without any problems. If, however, the Gnome proxy settings don’t set the environment variables or don’t take effect, you can force the proxy server by adding this line to /etc/apt/apt.conf (this is quite inconvenient as there’s no “location” support, and you must remove the line if you use the internet at home):
Remember to change the port number if you are using a different one for NTLMaps, though.
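As an added check that is not part of the original article or of NTLMaps itself, the following Python reads the listening port from a constructed server.cfg and verifies that the proxy environment variables point at localhost on that port and carry no embedded credentials (NTLMaps supplies those itself from server.cfg, which is the ‘no client-side authentication’ bonus described above). The server.cfg key names (LISTEN_PORT, PARENT_PROXY, PARENT_PROXY_PORT, NT_DOMAIN, USER, PASSWORD) are assumed from the NTLMaps INI layout rather than taken from the article, so compare them with your own /etc/ntlmaps/server.cfg.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of /etc/ntlmaps/server.cfg; every value is made up, and
# the key names are assumed from NTLMaps's INI layout (check your own file).
SAMPLE_CFG = """\
[GENERAL]
LISTEN_PORT:12345
PARENT_PROXY:proxy
PARENT_PROXY_PORT:8080

[NTLM_AUTH]
NT_DOMAIN:EXAMPLEDOM
USER:jdoe
PASSWORD:not-a-real-password
"""

# The variables gnome-network-properties sets; apt-get, wget and friends read them.
PROXY_VARS = ("http_proxy", "HTTP_PROXY", "https_proxy", "HTTPS_PROXY")
LOCAL_HOSTS = ("localhost", "127.0.0.1")


def listen_port(cfg_text):
    """Return the port NTLMaps listens on, read from the GENERAL section."""
    cp = configparser.RawConfigParser()  # default delimiters accept KEY:value
    cp.read_string(cfg_text)
    return cp.getint("GENERAL", "LISTEN_PORT")


def check_proxy_env(env, port):
    """Return a list of problems with the proxy variables in `env`.

    Every variable must point at the local NTLMaps listener on `port`, and none
    may embed a user name or password: NTLMaps adds the credentials itself, so
    they belong in server.cfg only, not in the environment of every process.
    """
    problems = []
    for name in PROXY_VARS:
        value = env.get(name)
        if not value:
            problems.append(f"{name} is not set")
            continue
        url = urlsplit(value)
        if url.scheme != "http" or url.hostname not in LOCAL_HOSTS:
            problems.append(f"{name} does not point at the local proxy: {value}")
        elif url.port != port:
            problems.append(f"{name} uses port {url.port}; NTLMaps listens on {port}")
        if url.username or url.password:
            problems.append(f"{name} embeds credentials; remove them")
    return problems
```

Run it with `check_proxy_env(dict(os.environ), listen_port(open("/etc/ntlmaps/server.cfg").read()))` as root to check a live system; an empty list means the environment matches the listener.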