Computers, bikes and things I’d like to remember.

Ubuntu — ntlmaps

August 10th, 2006 Posted in Computing

Are you trying to use apt-get or synaptic or adept or {package-manager-of-choice} to keep Debian or Ubuntu machines up to date? Are you stuck behind your employer’s firewall? Is that firewall a Microsoft ISA proxy? Gee, you must be frustrated.

Our MS proxy speaks NTLM for authentication, and no amount of setting the http_proxy environment variable or rewriting /etc/apt/apt.conf seems to make any difference; the Linux machines can’t get out to the outside world.

Well, they partly can. Set the proxy details in Firefox and web browsing is fine, but nothing else is.

So, enter a very useful little Python application called ntlmaps or NTLM Authenticating Proxy Server. Set this up on a machine that needs updating, edit your /etc/apt/apt.conf to point to it, and away you go.

A few caveats. If you’re running Ubuntu, you should grab the ntlm package from Ubuntu — ntlmaps. If you’re on Debian you can get it from Debian’s page and of course it may be downloaded from its own site. I’d suggest not using the Debian one on Ubuntu or the Ubuntu one on Debian unless you want to fiddle endlessly with Python versions. But who would be silly enough {ahem} to do that?

I have had mixed experiences with using ntlmaps. First of all, I have seen suggestions that all you need to do is:

apt-get update
apt-get install ntlmaps

Yeah, nice one. Install via the network the thing you need to install things via the network. Sheesh. That’s why it’s necessary to use another machine to grab the .deb package from one of the providers I mentioned above and install it with a:

dpkg -i name_of_downloaded_package.deb

The install should finish with a nice series of questions designed to configure the proxy for you.

If it installed properly…

ps aux | grep ntl

…should show you the details of the running proxy.

You should be able to control the proxy via:

/etc/init.d/ntlm start
/etc/init.d/ntlm stop
/etc/init.d/ntlm restart

But on one of my machines these all failed silently and the ps aux | grep ntl revealed no running proxy. I ended up having to copy the /etc/ntlm/server.conf file to /usr/lib/site-python/ntlm/ directory and run:
sudo python /usr/lib/site-python/ntlm/ &
to backdoor the thing into going.

Update: Ignore my convoluted and painful hackaround above. The sane way to get ntlmaps working is to realise that there is a bug in the Debian and Ubuntu packages and to do this after you install it:

sudo dpkg-reconfigure ntlmaps

This will re-run the setup script and this time ask you all of the questions you need to answer to actually get it working. I have reported this bug via Ubuntu’s launchpad so with any luck the future releases may have this sorted out so you won’t need to re-run the config script after initially installing.

Oh, and make sure to edit (or create if it doesn’t exist) your /etc/apt/apt.conf so it contains:

http://proxy ""

Update update: I see that more recent installations of the apt system no longer have something called /etc/apt/apt.conf to manage their apt setup. This has been replaced by a directory called /etc/apt/apt.conf.d. So to get the proxy working on a newer setup, create a file called /etc/apt/apt.conf.d/proxy and put the above ACQUIRE stuff in it. Or like this if you wish:

Acquire::http::Proxy "";

Port 5865 is the default port for ntlmaps to listen on. If the planets are all in line, you should now be able to:

sudo apt-get update
or perhaps even better…
sudo aptitude update (aptitude apparently does a better job than apt-get)

Easy, eh? :-)

By the way, if your organisation has a password rotation policy that sees you changing your Windows login password with any sort of regularity, beware of being ambushed by ntlmaps. You will have given ntlmaps a password and it will keep using it. When you change your login password, be sure to reconfigure ntlmaps with your new one or it will silently continue authentication attempts via your user name and your old password. You may be happily logged in on another machine while ntlmaps quietly manages to get your account locked out. Hilarity ensues… or so I’m told.
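An added example, not part of the original post or of ntlmaps itself: a single-request check to run after a password change and before apt, so that a stale password costs one failed authentication attempt instead of a string of them. It assumes ntlmaps listens on 127.0.0.1 at the default port 5865, that a rejected password reaches the client as HTTP 407, and it uses a placeholder probe URL that you replace with a mirror you actually use.

```python
"""Single-probe check of a local ntlmaps proxy (added example)."""
import http.client
import sys

# Assumptions: ntlmaps runs on this machine on its default port (5865, per the
# post). PROBE_URL is a placeholder; point it at a mirror you really use.
PROXY_HOST = "127.0.0.1"
PROXY_PORT = 5865
PROBE_URL = "http://mirror.example.invalid/"


def probe_proxy(host=PROXY_HOST, port=PROXY_PORT, url=PROBE_URL, timeout=10):
    """Send exactly one HEAD request through the proxy and classify the reply.

    Returns "down" when nothing usable answers, "auth-failed" on HTTP 407
    (Proxy Authentication Required), otherwise "http-<status>".
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # An absolute URL in the request line is how a client addresses a proxy.
        conn.request("HEAD", url)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        # Refused connection, timeout, reset or an unparseable reply.
        return "down"
    finally:
        conn.close()
    return "auth-failed" if status == 407 else "http-%d" % status


if __name__ == "__main__":
    result = probe_proxy()
    if result == "auth-failed":
        print("Stored credentials were rejected; run "
              "'sudo dpkg-reconfigure ntlmaps' before using apt.")
    elif result == "down":
        print("No proxy answering on %s:%d; is ntlmaps running?"
              % (PROXY_HOST, PROXY_PORT))
    else:
        print("Proxy answered:", result)
    # Non-zero exit lets a wrapper script stop before apt starts retrying.
    sys.exit(1 if result in ("auth-failed", "down") else 0)
```

The exit status is 0 only when the proxy answered with something other than a 407, so the check can gate the update: run it first and continue to apt only on success.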
