Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
I spent quite a bit of time working on this and so I thought I'd share a step by step on how I got this working as I've seen a lot of people ask about it. Thanks to marcelloc for all the help. Much of the information I've pieced together from http://forum.pfsense.org/index.php/topic,43786.0.html and http://forum.pfsense.org/index.php/topic,47532.msg250366.html#msg250366 (after translating it) along with a LOT of trial and error.
This is a work in progress and there may be improvements to the steps I have to make it more secure or simpler. I welcome any suggestions. I just documented the steps in outline form and it does require being familiar with pfsense. Also I highly recommend getting this set up individually before syncing with pfsync in a CARP scenario. Also I really needed the squid3 features so I replaced the version included in the dansguardian package. Here are the steps:
- Install Dansguardian and Shellcmd (you’ll need this later) packages
- Log in via SSH and run “pkg_delete -f squid-2.7.9_3”
- Install Squid 3 package
- Services –> Proxy
a. General tab
i. Squid General Settings Section –> Proxy interface = loopback
ii. Logging Settings Section - Enabled logging = checked
- Log rotate = <set days="">3. Visible hostname = <hostname>4. Administrator email = <admin email="">5. Disable X–Forward = checked
- Disable VIA = checked
- Suppress Squid Version = checked
b. ACLs tab –> Squid Access Control Lists section – add the subnet of a test client to Allowed subnets (only needed during squid testing) - Status –> Services – Restart squid
- Services –> Firewall
a. Rules –> LAN tab – Create a proxy rule to allow TCP port 3128 to the LAN address for testing (will change later)
b. NAT –> Port Forward tab - Create a proxy port forward from LAN on port 3128 to the loopback adapter (127.0.0.1) for testing - Configure a client to use <server name="">port 3128 and test squid access – once squid is confirmed working, continue on
- Disable NAT/Firewall rules that were just created (port 3128) as it is no longer needed (but you can then enable later for troubleshooting)
- Services –> Dansguardian
a. Daemon tab
i. Check Enable Dansguardian
ii. Listen Interface(s) = loopback
iii. Parent Proxy Settings section - Proxy IP = 127.0.0.1
- Proxy Port = 3128
b. General tab
i. Config settings section –> Auth Plugins = none (for testing)
ii. Misc settings section –> Misc Options – select forwardedfor (off)
c. Report and log tab –> Logging section –> Log file format = Squid log file format - Services –> Firewall
a. Rules –> LAN tab – Create a filtered proxy rule to allow TCP port 8080 to the LAN address
b. NAT –> Port Forward tab - Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1) - Status –> Services – Restart squid and dansguardian
- Change the test client to port 8080 and test dansguardian – once it is confirmed working, continue on
- Connect via SSH and enter the shell. Then run the following commands to install Samba and Kerberos support:
pkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
pkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/heimdal-1.4_1.tbz
cd /usr/local/lib
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10- Edit/Create the following files using Diagnostics –> Edit file (or your favorite text editor in an SSH session). The below examples assumes the following: AD domain is “mydomain.local” with DCs “mydc1” and “mydc2”, pfsense hostname is “pfproxy01”, LAN interface is “e1000g0”, and an AD account with permissions to join a computer to the domain is “myadmin”. Where you see these values, change them to match your environment. (note you need to match all CAPS where shown – important!!)
a. /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log
[libdefaults]
default_realm = MYDOMAIN.LOCAL.
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES–CBC–CRC DES–CBC–MD5 RC4–HMAC
default_tkt_enctypes = DES–CBC–CRC DES–CBC–MD5 RC4–HMAC
preferred_enctypes = DES–CBC–CRC DES–CBC–MD5 RC4–HMAC
[realms]
MYDOMAIN.LOCAL = {
kdc = mydc1.mydomain.local.:88
kdc = mydc2.mydomain.local.:88
admin_server = mydc1.mydomain.local.:749
default_domain = mydomain.
}
[domain_realm]
.mydomain. = MYDOMAIN.LOCAL.
mydomain. = MYDOMAIN.LOCAL.
[kdc]
profile = /var/heimdal/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}b. /var/heimdal/kdc.conf:
[kdcdfefaults]
acl_file = /var/heimdal/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/heimdal/kadm5.keytab
v4_mode = noreauth
[libdefaults]
default_realm = MYDOMAIN.
[realms]
MYDOMAIN. = {
master_key_type = des–cbc–crc
supported_enctypes = des3–hmac–sha1:normal arcfourhmac:
normal des–hmac–sha1:normal des–cbc–md5:normal des–cbc–crc:normal
des–cbc–crc:v4 des–cbc–crc:afs3
}c. /var/heimdal/kadm5.acl:
*/*Administrator@MYDOMAIN.LOCAL *
d. /usr/local/etc/smb.conf:
[global]
interfaces = e1000g0
bind interfaces only = yes
netbios name = PFPROXY01
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = Domain Proxy Server
encrypt passwords = yes
security = ADS
password server = *
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = No
dns proxy = No
ldap ssl = no
; idmap uid = 10000–20000
; idmap gid = 10000–20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
; winbind separator =
client use spnego = yes
client ntlmv2 auth = yes
cups options = rawe. /etc/rc.conf.local:
samba_enable="YES"
winbindd_enable="YES"- In SSH run the following commands, entering the myadmin account password where prompted:
/usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL
net ads join -U myadmin@MYDOMAIN.LOCAL
/usr/local/etc/rc.d/samba restart
chgrp proxy /var/db/samba/winbindd_privileged- Services –> Shellcmd
a. Add “mkdir /var/run/samba” of type shellcmd
b. Add “/usr/local/etc/rc.d/samba start” of type shellcmd - Reboot
- In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain) - Services –> Proxy
a. General tab –> Custom settings section – Copy/Paste the following into Integrations:
acl_uses_indirect_client on;follow_x_forwarded_for allow localhost;auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 10;auth_param ntlm keep_alive on;acl password proxy_auth REQUIRED;http_access allow password
- Create a service account in Active Directory (in this example I’ve used “ldapsvc01” in “myservices” OU)
- Create Groups in Active Directory
- Services –> Dansguardian
a. General Tab -> Config settings section –> Auth Plugins = Proxy-Ntlm
b. LDAP Tab – Add New
i. Hostname = mydc1.mydomain.local
ii. Domain = dc=mydomain,dc=local
iii. Username = cn=ldapsvc01,ou=myservices
iv. Password = <enter it="">v. Mask = USER
c. Groups Tab – Create groups with the exact same name as the groups created in Active Directory (avoid special characters for the name and display names of both users and groups)
i. Setup filter settings as desired
ii. LDAP section – Select LDAP server created previously and set desired update frequency - Users Tab will now update the pfsense groups automatically based on the AD groups – you can run this command at SSH for troubleshooting:
php /usr/local/www/dansguardian_ldap.php
- Configure a client to use pfproxy01.mydomain.local port 8080 and test – You can use the following command in an SSH session to check the access logs in real time for the user name to show up:
tail -f /var/log/dansguardian/access.log
Let me know if you see anything that should be corrected.</enter></server></admin></hostname></set>
-
Great 22 easy steps to get it working :D
I'll link it to portuguese tutorial you used as reference.
Thanks wheelz!
-
Please let me know if anyone else is able to get multiple auth plugins to work. In my particular scenario I'd like it to use NTLM or IP, and then allow access for unauthenticated through the default filtering.
-
Are you sure samba is absolutely needed? I know there are dependencies for winbind requires certain samba libraries and depending how it's packaged it could mean that you do need to install the complete Samba suite, but there should be no need to actually run the Samba daemon. I know I have working SSO on Linux webservers without SMB service even installed.
-
IIRC, Without samba, you will configure kerberos auth, not ntlm.
Only ie, Firefox and chrome on windows supports kerberos "transparent" auth.
-
Great looking guide, will let you know my results. I'm stuck on pkg_add. The package urls look like they are 64 bit specific, are there equivalent url's I could substitute for i386 (nanobsd)? Thanks!
-
Great looking guide, will let you know my results. I'm stuck on pkg_add. The package urls look like they are 64 bit specific, are there equivalent url's I could substitute for i386 (nanobsd)? Thanks!
I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tired it. Let me know if that works and I'll edit the original post to include that.
For the fetch commands I could not find those same files in a non-amd64 area. Perhaps marcelloc would know where the x86 version of those files could be downloaded from?
-
Yep that worked for all the url's, fetch as well. Continuing on now!
Great looking guide, will let you know my results. I'm stuck on pkg_add. The package urls look like they are 64 bit specific, are there equivalent url's I could substitute for i386 (nanobsd)? Thanks!
I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tired it. Let me know if that works and I'll edit the original post to include that.
For the fetch commands I could not find those same files in a non-amd64 area. Perhaps marcelloc would know where the x86 version of those files could be downloaded from?
-
Getting following error after reboot:
wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret -
Ok I got wbinfo working, samba service wasn't starting. Needed to add one more shellcmd:
mkdir /var/db/samba -
It's pretty cool, it works very smooth to seamlessly authenticated dansguardian groups.
For some reason though on every reboot I have to do:
chgrp proxy /var/db/samba/winbindd_privileged
and restart squid
Otherwise authentication fails, any idea why that's happening? I suppose I could just add shellcmd's for this but not sure if that's the correct solution?Thanks again for a great howto!
-
I was able to get it working reliably on reboot, This is what my shellcmd lines look like:
mkdir /var/run/samba
mkdir /var/db/samba/winbindd_privileged
/usr/bin/chgrp proxy /var/db/samba/winbindd_privileged
chmod 0750 /var/db/samba/winbindd_privileged
/usr/local/etc/rc.d/samba start -
Strange that I did not run into this but thanks for posting as this will help anyone else that does.
-
I'm pretty sure the issue is related to the fact that I'm running nanoBSD on CF card. I just did the install on another system that's on a HDD and did not have to add those extra lines.
One more not is that if you are doing this install on nanoBSD you need to mount the card in Read/Write before making those file changes, see this thread:
http://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write -
How did You solved issue with not starting Squid3 daemon?
Mar 25 00:06:37 check_reload_status: Syncing firewall
Mar 25 00:06:37 check_reload_status: Reloading filter
Mar 25 00:07:15 squid[60713]: Squid Parent: child process 61160 exited due to signal 15 with status 0
Mar 25 00:07:15 squid[60713]: Exiting due to unexpected forced shutdown
Mar 25 00:07:17 squid[34206]: Squid Parent: child process 34441 started
Mar 25 00:08:09 squid[60554]: Squid Parent: child process 60691 started
Mar 25 00:08:19 squid[765]: Squid Parent: child process 1120 started
Mar 25 00:08:32 squid[5630]: Squid Parent: child process 6099 started
My version:
2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6
Packages:
Dansguardian 2.12.0.3 pkg v.0.1.7_3
squid3 3.1.20 pkg 2.0.6I'm on step 12. Upgrading to 2.0.2 to see if it helps.
UPDATE: Yep, upgrade to 2.0.2-RELEASE i386 solved the issue. Squid is starting, all packages were reinstalled during update.UPDATE2. Correct download links for i386:
pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz
cd /usr/local/lib
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libasn1.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libgssapi.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libheimntlm.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libhx509.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libkrb5.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libroken.so.10However:
[2.0.2-RELEASE][admin@somesite.com]/root(8): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz… Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done.
pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1
pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1
pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed!
Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done.
pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installedThis is because of 2.0.1 -> 2.0.2 upgrade, so again:
pkg_delete -f squid-2.7.9_3After some fight with dependencies..
Samba3 package now doesn't include ADS support due the portability problems
with Kerberos5 libraries on different installations. You need to compile the
port yourself to get this functionality.So far I was able to create working proxy on port 8080, visible to sites like http://www.whatismyip.com/ but no luck with AD.
-
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
-
I try to do like this tip for a month of Sundays., but not success.
I found now squid have integrate some many auth plugin
for example:basic_ldap_auth、ntlm_fake_auth 、 ntlm_smb_lm_auth and negotiate_kerberos_auth
now I can auth though basic_ldap_auth in squid, it's very easy.
just one line auth config, and 4 line relate config.so I can't understand that still use so many many third part lib,and so many many config
I am in pfsense 2.0.2 + dansguardian + squid 3+win2003 AD
I know how to use basic auth in squid,but don't know how to wok in dansguardian.
I try to add a ldap in dansguardian,then add a group name's "Administrator". I can't add a group like "domain user",but most of my account is in that AD group.
then run the commandphp /usr/local/www/dansguardian_ldap.php
it return a error
Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65
-
Working very good. Thank you!
Did anyone tried https://ip:port ? I allowed this and it is logged as exception but it is not working.
Any idea?
-
Did anyone manage to get samba and heimdal installed? I get the same version conflicts with some of the dependencies.
[2.0.3-RELEASE][admin@fw01.us.local]/root(1): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done. pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1 pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1 pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed! Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done. pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
[2.0.3-RELEASE][admin@fw01.us.local]/root(34): pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz Fetching http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/sqlite3-3.7.9_1.tbz... Done. pkg_add: warning: package 'heimdal-1.4_1' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
Not sure where to go from here, I can try removing the newer packages but that then means removing squid again.
Or force install the prerequisites for samba but not sure what that may break. -
I used -f to force install. It installed fine and two weeks later still running smooth..
Or force install the prerequisites for samba but not sure what that may break.
-
I used -f to force install. It installed fine and two weeks later still running smooth..
Or force install the prerequisites for samba but not sure what that may break.
Well, this is what i did, however you do get a message stating:
=============================================================================== Samba3 *package* now doesn't include ADS support due the portability problems with Kerberos5 libraries on different installations. You need to compile the port yourself to get this functionality. For additional hints and directions, please, look into the README.FreeBSD file. ===============================================================================
I believe ADS is required for authenticating against a domain?
I guess I need to build a system for compiling the port… :-\
-
I believe ADS is required for authenticating against a domain?
I guess I need to build a system for compiling the port… :-\
Nope, I got that message too but after following the instructs here, I have working NTLM silent authentication. No need to compile anything.
-
well giving it a go then!
Though I have got as far as authenticating the fw on the dc but getting kerberos failures with an admins username & password.
edit
Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.
-
http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.
did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.
-
Also regarding the SuppressExtendedProtection, That is interesting. I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.
Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.
-
Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!
Has anyone got this working on a domain with 2008 function level?
-
Has anyone got this working on a domain with 2008 function level?
Thats what im working on now, presumably you tried it on a 2003 domain?
did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.
Well, admin@domain.local I get password incorrect (even though it says auth successful on the 2008 server security log). admin (with no @) defaults to admin.domain.local. and gives the same error. admin@domain throws a unable to reach any KDC in realm.
So the username format is correct. Just going to try a tcpdump or so.EDIT:
Finally got the FW to join the domain… it turned out I had an old GPO set on the DC's that wouldnt let the fw join.
EDIT2:
Well, I have got to the end of wheelz steps, finally, however after a reboot winbind seems to have dropped out.. (or screwed up)
when I run wbinfo -t I get success, however if I run wbinfo -u or -g I get nothing.Seems dansguardian_ldap.php wont connect either (suspect its due to wbinfo.)
EDIT3:
wbinfo fixed, restarted samba. seems wbind may have come up before the nic was ready...
I had to add user@domain.local for the username in the Dansguardian LDAP tab, it wouldnt accept the user cn=ldapquery,ou=users
-
hi, I am in pfense2.02+squid3+dansguardian
I just add this line below,then the squid is work with basic auth in pfsense, and authen by win2003AD
when client access web, input AD login in password correct, then they cant pass.
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=jian,dc=com" -D "cn=squid,cn=Users,dc=jian,dc=com" -w "Admin@8888" -f sAMAccountName=%s -h jxad.jian.com
auth_param basic children 5
auth_param basic realm jianxun.com
auth_param basic credentialsttl 60 minuteacl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth
http_access allow localhostAnd finally deny all other access to this proxy
http_access deny all
and then I chose "Proxy-basic" authentication in dansguardian.
refer you tips stip step 18 to 21,
then the add a ldap like thishostname=jian.com
dc=jian,dc=com
cn=squid,ou=Users
password=Admin@8888
mask=Userthe squid account is ou=users,group=users(bulid in)
make a group in dansguardian name "users"
after I do this,the users won't update the user's list
if you know why please tell me,thanks.
-
Hi all,
I'm running pfsense 2.0.3 and now I'm stuk at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL
Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.
The file kinit is executable though (-r-xr-xr-x ). Could this be because i'm on 2.0.3?
thanks,
Jeroen -
Hi all,
I'm running pfsense 2.0.3 and now I'm stuk at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL
Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.
The file kinit is executable though (-r-xr-xr-x ). Could this be because i'm on 2.0.3?
thanks,
JeroenNever mind, installed amd64 instead of i386 packages…. (face palm)
-
Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames. -
Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.+1
Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
-
A few thoughts:
-What do the squid logs show?
-Did you check group ownership of /var/db/samba/winbindd_privileged
-What do wbinfo -t and wbinfo -u show?Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.+1
Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
-
Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.+1
Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
I had the problem with the users not appearing in users, which also showed from errors when running
php /usr/local/www/dansguardian_ldap.php
I fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.
-
I had the problem with the users not appearing in users, which also showed from errors when running
php /usr/local/www/dansguardian_ldap.php
I fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.
I had to do this too, I do have my users showing up in the users tab. As far as wbinfo -u, -t and -g, they all work.
Squid, doesn't show any users either.
as for /var/db/samba/winbindd_privileged I have user root, group proxy.
any more ideas? Im half wondering if its not the clients rather than the proxy. but if others are having the same issue i suspect its not going to be one of our group policies.
UPDATE:
Right, I have just wiresharked a http request and we are not getting any authorisation challange, so the proxy isn't even requesting ntlm auth. This takes us straight back to dansguardian.
I have flipped it over to identd and that works, it seems its just the ntlm auth plugin, however not all our clients have identd installed so it can leave a 5minute lag or so while it times out.
UPDATE2:
I think I may have solved it….
This works on one line now so you can ignore the following... Not sure why it didn't work before but it does now!
In the squid config -> custom settings -> integration's, its one long line. Squid doesn't seem to be reading this line (i suspect its thinking the ; is a comment??) but remove all the semi colons and but each part on a new line like this:acl_uses_indirect_client on follow_x_forwarded_for allow localhost auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 10 auth_param ntlm keep_alive on acl password proxy_auth REQUIRED http_access allow password
At least now I have usernames showing up!
I'm using Windows Server 2008R2 with a 2008 domian level, mixed xp and win 7 clients.
Oh and one more tip, using the text editor in pfsense and copy / pasting text in can provide some very interesting issues, such as the hyphens changing to other characters. (though they look fine on the webpage, running vi/cat/less you can see the different encoding.
-
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.if it's auto complete, does firefox support NTLM?
-
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.This is SSO using NTLM so its automatic, taking the logged in user name for authentication. No need to enter username or password. Users in the required groups are pulled from active directory.
Of course if the machine isn't part of the domain, and the user logged in doesn't exist on the domain it will ask.if it's auto complete, does firefox support NTLM?
I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
-
I can confirm that 99% of the time firefox authenticates silently with this setup without any about:config changes.
I am experiencing an issue where at random times user get hit with an authentication popup. They can just hit escape and authentication proceeds as normal, however it is causing annoyance.
Not sure if this is a bug or something I did wrong in my setup..
@LokisMischief:I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
-
Cheers dig, that's good to know!
-
I can confirm that 99% of the time firefox authenticates silently with this setup without any about:config changes.
I am experiencing an issue where at random times user get hit with an authentication popup. They can just hit escape and authentication proceeds as normal, however it is causing annoyance.
Not sure if this is a bug or something I did wrong in my setup..
@LokisMischief:I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
Usually, those pop-up requests are caused by ads/ad-media on a page that don't "inherit" the page's authentication; usually you'll then see an "error page" inside an ad area of the page. If you are blocking most ads before pages are served, you'll rarely see it.
Firefox does support NTLM. We've been using it on our domain against a MS ISA server firewall for years.