Dansguardian package for 2.0
-
Is it possible to have Active Directory pass-through authentication so that users don't have to enter a user name and password to browse through squid/dans?
-
I did it last week with squid + samba + Kerberos but dansguardian ntlm plugin could not detect squid ntlm responses.
The way I got it working was squid with ntlm or negociate then dansguardian then another squid in cache mode.
I did a smal post in portugueses forum with steps I did. Try to google translate it :)
http://forum.pfsense.org/index.php/topic,47532.msg250366.html#msg250366
-
So I am following your posts on what you did for the samba authentication. Everything went ok and I ran the kinit command ok but the domain join returns the following:
net ads join -U MyAdminAccount@MYDOMAIN.LOCAL
Host is not configured as a member server.
Invalid configuration. Exiting….
Failed to join domain: This operation is only allowed for the PDC of the domain.Perhaps it is just easier if I post my files. If you assume the following:
AD Domain is mydomain.local
PDC Emulator DC is mydc.mydomain.local
Admin Account for domain join is MyAdminAccount
pfsense host name is pfsenseIs this configuration correct?
/etc/krb5.conf
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/ksadmind.log [libdefaults] default_realm = MYDOMAIN.LOCAL. dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC [realms] PRIVATE.V.VNET = { kdc = mydc.mydomain.local.:88 admin_server = mydc.mydomain.local.:749 default_domain = domain. } [domain_realm] .domain. = MYDOMAIN.LOCAL. domain. = MYDOMAIN.LOCAL. [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
/etc/samba.smb.conf
[global] netbios name = MYDC workgroup = MYDOMAIN realm = MYDOMAIN.LOCAL server string = Domain Proxy Server encrypt passwords = yes security = ADS password server = mydc.mydomain.local log level = 3 log file = /var/log/samba/%m.log max log size = 50 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 printcap name = /etc/printcap preferred master = No dns proxy = No ldap ssl = no idmap uid = 10000-20000 idmap gid = 10000-20000 winbind use default domain = yes cups options = raw
/var/heimdal/kdc.conf
[kdcdfefaults] acl_file = /var/heimdal/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab v4_mode = noreauth [libdefaults] default_realm = MYDOMAIN. [realms] MYDOMAIN. = { master_key_type = des-cbc-crc supported_enctypes = des3-hmac-sha1:normal arcfourhmac: normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 }
/var/heimdal/kadm5.acl
*/admin@MYDOMAIN.LOCAL *
Additional Squid parameters (I added the acl all src 0.0.0.0/0.0.0.0 to fix my previous issue)
acl all src 0.0.0.0/0.0.0.0;auth_param ntlm program /usr/local/bin/ntlm_auth -use-cached-creds -helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 30;on auth_param ntlm keep_alive;proxy_auth REQUIRED acl password;http_access allow password
I wasn't completely sure about the pathing in the config files as they weren't changed in the other guy's posts that you were helping. Also I wasn't sure which NETBIOS name to use in the samba config and exactly what is supposed to be in the kadm5.acl file. I did a copy/paste of the Proxy parameters but it didn't paste right so that's why I wanted to confirm those as well.
Also for when you specify the PDC, does this have to be the DC with the PDC emulator role or can it be any DC?
Thanks in advance!
-
wheelz,
some checks:
-
Make sure pfsense machine name isn't the same name as any user on your active directory
-
perform a kinit/klist to make sure you have kerberos comunication do active directory before net ads join
-
Pay attention on . and UPPERCASES of kerberos config files, follow exactly what is on squid howto.
att,
Marcello Coutinho -
-
Version 1.5.2 is out with some bug fixes including startup script exclusion on package reinstalls.
-
Cant do it on x86 :(
-
-
strange, dansguardian wont start when I reboot the box.. But i can manually start it. I looked around in my log and I see reloads itself a few times on startup… I can confirm it started during the boot process but then it dies... When I manually start it, it stays running.
-
I am trying to install Dansguardian into PFsense It says on boot up that it started, however in services it reported it has stopped. When I go into the webgui for the settings it has the icapserver address in the contentscannertimeout field. Below is the log. I corrected the dansguardian configuation file to read the default of 60 seconds, however the web gui field will not reflect the change. On reboot the icapserver address is back in the .conf file.
Mar 29 13:54:10 root: /usr/local/etc/rc.d/dansguardian: WARNING: failed to start dansguardian
Mar 29 13:54:10 dansguardian[666]: Error parsing the dansguardian.conf file or other DansGuardian configuration files
Mar 29 13:54:10 dansguardian[666]: Config problem; check allowed values for contentscannertimeout
Mar 29 13:47:06 root: /usr/local/etc/rc.d/dansguardian: WARNING: failed to start dansguardian
Mar 29 13:47:06 dansguardian[15796]: Error parsing the dansguardian.conf file or other DansGuardian configuration files
Mar 29 13:47:06 dansguardian[15796]: Config problem; check allowed values for contentscannertimeout -
FiscoKid,
What field gui and config options are wrong?
-
strange, dansguardian wont start when I reboot the box.. But i can manually start it. I looked around in my log and I see reloads itself a few times on startup… I can confirm it started during the boot process but then it dies... When I manually start it, it stays running.
i made a quick rc.d script to start dansguardian on startup..
-
I get this error if i want to use Dansguardian :
dansguardian[723]: Error connecting to proxy
Squid is installed and running … Any help ?
-
dansguardian[723]: Error connecting to proxy
Are you listening squid on loopback and configured dansguardian with 127.0.0.1 on port 3128?
-
i made a quick rc.d script to start dansguardian on startup..
You did a second startup or changed current script?
Can you check if dansguardian default rc script is on the same folder and what permission it has?
-
i made a quick rc.d script to start dansguardian on startup..
You did a second startup or changed current script?
Can you check if dansguardian default rc script is on the same folder and what permission it has?
I didn't change the 'dansguardian' script, permissions are 755. I created 'dansguardian.sh' which basically run's '/usr/local/sbin/dansguardian -Q'
-
I didn't change the 'dansguardian' script, permissions are 755. I created 'dansguardian.sh' which basically run's '/usr/local/sbin/dansguardian -Q'
Ok. I'll do some tests and/or logs to see what is happening.
-
dansguardian[723]: Error connecting to proxy
Are you listening squid on loopback and configured dansguardian with 127.0.0.1 on port 3128?
Yes, Squid and Dansguardian interfaces are LAN/Loopback, Dansguardian is configured with 127.0.0.1:3128. Squid is running without problems.
-
wheelz,
some checks:
-
Make sure pfsense machine name isn't the same name as any user on your active directory
-
perform a kinit/klist to make sure you have kerberos comunication do active directory before net ads join
-
Pay attention on . and UPPERCASES of kerberos config files, follow exactly what is on squid howto.
att,
Marcello CoutinhoOK, so now I am getting closer. After much trial and error I was able to get it to join the domain. Also now I have wbinfo showing the trust is successful and it can pull users and groups from the domain. I did the chgrp command, set up the group policy setting for NTLM on Win 7 etc, and added:
acl all src 0.0.0.0/0.0.0.0;auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 30;auth_param ntlm keep_alive on;acl AuthorizedUsers proxy_auth REQUIRED;http_access allow AuthorizedUsers
to the custom options. Now it mentions removing the "cache_effective_group" setting is squid.conf but how do you do that properly? I did it manually, but I imagine that will get overridden on the next boot. Even with that and restarting the services I don't get the user names showing in the access.log. What am I missing or what should my next steps be?
-
-
One more note… It does look like the user name is showing up in the squid access log. So it is the dansguardian that isn't picking it up. Any ideas on that? Thanks!
-
to the custom options. Now it mentions removing the "cache_effective_group" setting is squid.conf but how do you do that properly? I did it manually, but I imagine that will get overridden on the next boot. Even with that and restarting the services I don't get the user names showing in the access.log. What am I missing or what should my next steps be?
if you dont mind hand editing files… edit /usr/local/pkg/squid.inc. Search for 'cache_effective_group' then either remove that line or add comment it out, by adding '# ' in front. Without the quotes tho... They will create the squid.conf file without 'cache_effective_group' on reboots/and restarts