Netgate Discussion Forum

Squid + Dansguardian + AD Pass Through

  • T
    tupoar
    last edited by May 14, 2012, 3:43 PM

    Hey all,

    This is my first post so please be gentle with me! I'm sort of a noob with pfsense though I have converted my company from a Cisco 1800 router to a pfsense box which is running happily.

    I've set up a new box and am currently testing Squid + Dansguardian as a company proxy server (with content filtering) and have Squid authenticating with our Active Directory infrastructure. The system prompts for a user name and password and everything works ok. I was wondering if there was a way to support pass-through authentication so that the system does not prompt for credentials? I've had a look but can't seem to find any decent guides. Can anyone help?

    Thanks in advance!

    T

    • M
      marcelloc
      last edited by May 14, 2012, 6:50 PM

      tupoar,

      You will need to install samba and configure ntlm auth on squid to get this working.

      There is one post at the Portuguese forum (Google Translate it) that can help you:

      http://forum.pfsense.org/index.php/topic,47532.msg250366.html#msg250366

      att,
      Marcello Coutinho

      Treinamentos de Elite: http://sys-squad.com

      Help a community developer! ;D

      • T
        tupoar
        last edited by May 15, 2012, 7:39 AM

        Thank you Marcello!

        I'll take a look :)

        Cheers

        T

        • T
          tupoar
          last edited by May 15, 2012, 11:45 AM May 15, 2012, 10:03 AM

          @marcelloc:

          tupoar,

          You will need to install samba and configure ntlm auth on squid to get this working.

          There is one post at the Portuguese forum (Google Translate it) that can help you:

          http://forum.pfsense.org/index.php/topic,47532.msg250366.html#msg250366

          att,
          Marcello Coutinho

          Hi Marcello,

          I followed the code till I got the following error

          compact disc /usr/local/lib
          compact: Command not found.

          I'm not sure what to do next. Any guidance will be well received!!

          Cheers

          T

          EDIT: Ignore that!! Google translate is to blame for my ignorance!!

          • T
            tupoar
            last edited by May 16, 2012, 9:25 AM

            I have finally managed to get through the guide and join the pfsense box to the domain.

            However, the Proxy Server service will not start. The system log says

            May 16 10:13:44 squid[46380]: Squid Parent: child process 46967 started
            May 16 10:13:45 (squid): The ntlmauthenticator helpers are crashing too rapidly, need help!
            May 16 10:13:45 squid[46380]: Squid Parent: child process 46967 exited with status 1

            The Cache.log states
            2012/05/16 10:13:45| Unlinkd pipe opened on FD 88
            2012/05/16 10:13:45| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
            2012/05/16 10:13:45| Store logging disabled
            2012/05/16 10:13:45| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
            2012/05/16 10:13:45| Target number of buckets: 425
            2012/05/16 10:13:45| Using 8192 Store buckets
            2012/05/16 10:13:45| Max Mem  size: 8192 KB
            2012/05/16 10:13:45| Max Swap size: 102400 KB
            2012/05/16 10:13:45| Version 1 of swap file with LFS support detected…
            2012/05/16 10:13:45| Rebuilding storage in /var/squid/cache (CLEAN)
            2012/05/16 10:13:45| Using Least Load store dir selection
            2012/05/16 10:13:45| Current Directory is /usr/local/www
            2012/05/16 10:13:45| Loaded Icons.
            2012/05/16 10:13:45| helperOpenServers: Starting 0/0 'ssl_crtd' processes
            2012/05/16 10:13:45| helperOpenServers: No 'ssl_crtd' processes needed.
            2012/05/16 10:13:45| Accepting  HTTP connections at 192.168.1.26:3128, FD 91.
            2012/05/16 10:13:45| Accepting ICP messages at [::]:7, FD 92.
            2012/05/16 10:13:45| HTCP Disabled.
            2012/05/16 10:13:45| Ready to serve requests.
            2012/05/16 10:13:45| Done reading /var/squid/cache swaplog (965 entries)
            2012/05/16 10:13:45| Finished rebuilding storage from disk.
            2012/05/16 10:13:45|      965 Entries scanned
            2012/05/16 10:13:45|        0 Invalid entries.
            2012/05/16 10:13:45|        0 With invalid flags.
            2012/05/16 10:13:45|      965 Objects loaded.
            2012/05/16 10:13:45|        0 Objects expired.
            2012/05/16 10:13:45|        0 Objects cancelled.
            2012/05/16 10:13:45|        0 Duplicate URLs purged.
            2012/05/16 10:13:45|        0 Swapfile clashes avoided.
            2012/05/16 10:13:45|  Took 0.02 seconds (59235.16 objects/sec).
            2012/05/16 10:13:45| Beginning Validation Procedure
            2012/05/16 10:13:45|  Completed Validation Procedure
            2012/05/16 10:13:45|  Validated 1955 Entries
            2012/05/16 10:13:45|  store_swap_size = 3914
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #1 (FD 14) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #2 (FD 16) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #3 (FD 18) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #4 (FD 20) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #5 (FD 22) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #6 (FD 24) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #7 (FD 26) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #8 (FD 28) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #9 (FD 30) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #10 (FD 32) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #11 (FD 34) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #12 (FD 36) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #13 (FD 38) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #14 (FD 40) exited
            2012/05/16 10:13:45| WARNING: ntlmauthenticator #15 (FD 42) exited
            2012/05/16 10:13:45| Too few ntlmauthenticator processes are running
            2012/05/16 10:13:45| storeDirWriteCleanLogs: Starting…
            2012/05/16 10:13:45|  Finished.  Wrote 965 entries.
            2012/05/16 10:13:45|  Took 0.06 seconds (15061.42 entries/sec).
            FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!

            Squid Cache (Version 3.1.19): Terminated abnormally.
            CPU Usage: 0.142 seconds = 0.110 user + 0.033 sys
            Maximum Resident Size: 10320 KB
            Page faults with physical i/o: 0

            I'm stuck and starting to get frustrated. I'm not sure where I've gone wrong. Any ideas??

            • M
              marcelloc
              last edited by May 16, 2012, 2:40 PM

              What do you get if you try to run the ntlmauthenticator cmd line from console?

              It's crashing, so it may help you identify why.

              att,
              Marcello Coutinho

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              • T
                tupoar
                last edited by May 17, 2012, 11:16 AM

                Hi Marcello,

                I have managed to get past that problem but face more issues, too many to post.

                I've decided to give up at the moment as I am very frustrated and am liable to do something silly! I have followed every possible posting on the forum and nothing seems to work.

                Is it possible to provide a step-by-step guide (in English) to getting this working??

                For now, I am going to have a lie down in a dark room…

                • T
                  tupoar
                  last edited by May 17, 2012, 2:37 PM

                  @marcelloc:

                  What do you get if you try to run the ntlmauthenticator cmd line from console?

                  It's crashing, so it may help you identify why.

                  att,
                  Marcello Coutinho

                  Sorry, in answer to your previous question…

                  [2.0.1-RELEASE][root@XXXXX]/root(10): /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
                  could not obtain winbind domain name!

                  • M
                    marcelloc
                    last edited by May 17, 2012, 3:48 PM

                    @tupoar:

                    [2.0.1-RELEASE][root@XXXXX]/root(10): /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
                    could not obtain winbind domain name!

                    Set pfsense dns server ip to your active directory dns and test again.

                    Treinamentos de Elite: http://sys-squad.com

                    Help a community developer! ;D

                    • T
                      tupoar
                      last edited by May 18, 2012, 10:05 AM

                      @marcelloc:

                      @tupoar:

                      [2.0.1-RELEASE][root@XXXXX]/root(10): /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
                      could not obtain winbind domain name!

                      Set pfsense dns server ip to your active directory dns and test again.

                      Hey Marcello,

                      The DNS has already been set to Active Directory DNS. I can also confirm that the box can ping the domain controllers by name.

                      T

                      • M
                        marcelloc
                        last edited by May 18, 2012, 2:14 PM

                        Did you check smb.conf?
                        Winbind should work with this config.

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D

                        • T
                          tupoar
                          last edited by May 21, 2012, 10:19 AM

                          We have a breakthrough!!

                          I checked the samba.log and the winbindd.log and they indicated that the /var/log/smaba directory was missing. I have recreated the folder and everything seems to work!! Except…

                          The Proxy Server service still fails to start....

                          May 21 10:52:28 squid[11026]: Squid Parent: child process 38490 started
                          May 21 10:52:29 (squid): The ntlmauthenticator helpers are crashing too rapidly, need help!
                          May 21 10:52:29 squid[11026]: Squid Parent: child process 38490 exited with status 1
                          May 21 10:52:32 squid[11026]: Squid Parent: child process 48613 started
                          May 21 10:52:33 (squid): The ntlmauthenticator helpers are crashing too rapidly, need help!
                          May 21 10:52:33 squid[11026]: Squid Parent: child process 48613 exited with status 1
                          May 21 10:52:36 squid[11026]: Squid Parent: child process 9080 started
                          May 21 10:52:37 (squid): The ntlmauthenticator helpers are crashing too rapidly, need help!
                          May 21 10:52:37 squid[11026]: Squid Parent: child process 9080 exited with status 1
                          May 21 10:52:40 squid[11026]: Squid Parent: child process 16030 started
                          May 21 10:52:41 (squid): The ntlmauthenticator helpers are crashing too rapidly, need help!
                          May 21 10:52:41 squid[11026]: Squid Parent: child process 16030 exited with status 1

                          I think it has something to do with the custom options as when I remove them, the service starts.

                          auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 30;auth_param ntlm keep_alive on;auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic;auth_param basic children 5;auth_param basic realm Squid proxy-caching web server;auth_param basic credentialsttl 2 hours;acl password proxy_auth REQUIRED;http_access allow password
                          

                          Any advice?

                          • T
                            tupoar
                            last edited by May 23, 2012, 2:33 PM

                            –Bump--

                            1 Reply Last reply Reply Quote 0
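
Added example, not part of the thread and not pfSense or Squid project code: a POSIX sh triage helper for the "helpers are crashing too rapidly" failure, following the advice in the thread to run the helper command line from the console. It counts which `*authenticator` helpers exited in a cache.log and prints the matching `auth_param ... program` command from the custom options. The function names are hypothetical, and it assumes Squid logs a helper as the scheme name followed by `authenticator` and that the options are semicolon-separated as posted.

```shell
#!/bin/sh
# Added example, not code from the thread. OPTS is the custom options line
# posted above; SAMPLE_LOG is a short excerpt of the posted cache.log.
OPTS='auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 30;auth_param ntlm keep_alive on;auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic;auth_param basic children 5;auth_param basic realm Squid proxy-caching web server;auth_param basic credentialsttl 2 hours;acl password proxy_auth REQUIRED;http_access allow password'
SAMPLE_LOG='2012/05/16 10:13:45| WARNING: ntlmauthenticator #1 (FD 14) exited
2012/05/16 10:13:45| WARNING: ntlmauthenticator #2 (FD 16) exited
2012/05/16 10:13:45| WARNING: ntlmauthenticator #3 (FD 18) exited
FATAL: The ntlmauthenticator helpers are crashing too rapidly, need help!'

# Read a cache.log on stdin; print "<scheme> <exit count>" per crashing helper.
# Assumption: Squid logs a helper as "<scheme>authenticator".
crashed_schemes() {
    sed -n 's/.*WARNING: \([a-z]*\)authenticator #[0-9]* (FD [0-9]*) exited.*/\1/p' |
    sort | uniq -c | awk '{ print $2, $1 }'
}

# helper_for SCHEME OPTIONS: print the command configured for that scheme.
helper_for() {
    printf '%s\n' "$2" | tr ';' '\n' |
    awk -v s="$1" '$1 == "auth_param" && $2 == s && $3 == "program" {
        $1 = $2 = $3 = ""; sub(/^ +/, ""); print
    }'
}

# report OPTIONS < cache.log: tie each crashing helper to the command to test.
report() {
    crashed_schemes | while read -r scheme count; do
        cmd=$(helper_for "$scheme" "$1")
        bin=${cmd%% *}                      # first word is the helper binary
        if [ -z "$cmd" ]; then
            state="no auth_param program line found"
        elif [ -x "$bin" ]; then
            state="binary present"
        else
            state="binary missing or not executable"
        fi
        printf '%s helpers exited %s times (%s); run by hand: %s\n' \
            "$scheme" "$count" "$state" "$cmd"
    done
}

printf '%s\n' "$SAMPLE_LOG" | report "$OPTS"
```

Running the printed command under the account Squid uses, rather than as root, reproduces the permissions the helper actually has when Squid starts it.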