Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
Are you sure samba is absolutely needed? I know there are dependencies for winbind requires certain samba libraries and depending how it's packaged it could mean that you do need to install the complete Samba suite, but there should be no need to actually run the Samba daemon. I know I have working SSO on Linux webservers without SMB service even installed.
-
IIRC, Without samba, you will configure kerberos auth, not ntlm.
Only ie, Firefox and chrome on windows supports kerberos "transparent" auth.
-
Great looking guide, will let you know my results. I'm stuck on pkg_add. The package urls look like they are 64 bit specific, are there equivalent url's I could substitute for i386 (nanobsd)? Thanks!
-
Great looking guide, will let you know my results. I'm stuck on pkg_add. The package urls look like they are 64 bit specific, are there equivalent url's I could substitute for i386 (nanobsd)? Thanks!
I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tired it. Let me know if that works and I'll edit the original post to include that.
For the fetch commands I could not find those same files in a non-amd64 area. Perhaps marcelloc would know where the x86 version of those files could be downloaded from?
-
Yep that worked for all the url's, fetch as well. Continuing on now!
Great looking guide, will let you know my results. I'm stuck on pkg_add. The package urls look like they are 64 bit specific, are there equivalent url's I could substitute for i386 (nanobsd)? Thanks!
I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tired it. Let me know if that works and I'll edit the original post to include that.
For the fetch commands I could not find those same files in a non-amd64 area. Perhaps marcelloc would know where the x86 version of those files could be downloaded from?
-
Getting following error after reboot:
wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret -
Ok I got wbinfo working, samba service wasn't starting. Needed to add one more shellcmd:
mkdir /var/db/samba -
It's pretty cool, it works very smooth to seamlessly authenticated dansguardian groups.
For some reason though on every reboot I have to do:
chgrp proxy /var/db/samba/winbindd_privileged
and restart squid
Otherwise authentication fails, any idea why that's happening? I suppose I could just add shellcmd's for this but not sure if that's the correct solution?Thanks again for a great howto!
-
I was able to get it working reliably on reboot, This is what my shellcmd lines look like:
mkdir /var/run/samba
mkdir /var/db/samba/winbindd_privileged
/usr/bin/chgrp proxy /var/db/samba/winbindd_privileged
chmod 0750 /var/db/samba/winbindd_privileged
/usr/local/etc/rc.d/samba start -
Strange that I did not run into this but thanks for posting as this will help anyone else that does.
-
I'm pretty sure the issue is related to the fact that I'm running nanoBSD on CF card. I just did the install on another system that's on a HDD and did not have to add those extra lines.
One more not is that if you are doing this install on nanoBSD you need to mount the card in Read/Write before making those file changes, see this thread:
http://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write -
How did You solved issue with not starting Squid3 daemon?
Mar 25 00:06:37 check_reload_status: Syncing firewall
Mar 25 00:06:37 check_reload_status: Reloading filter
Mar 25 00:07:15 squid[60713]: Squid Parent: child process 61160 exited due to signal 15 with status 0
Mar 25 00:07:15 squid[60713]: Exiting due to unexpected forced shutdown
Mar 25 00:07:17 squid[34206]: Squid Parent: child process 34441 started
Mar 25 00:08:09 squid[60554]: Squid Parent: child process 60691 started
Mar 25 00:08:19 squid[765]: Squid Parent: child process 1120 started
Mar 25 00:08:32 squid[5630]: Squid Parent: child process 6099 started
My version:
2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6
Packages:
Dansguardian 2.12.0.3 pkg v.0.1.7_3
squid3 3.1.20 pkg 2.0.6I'm on step 12. Upgrading to 2.0.2 to see if it helps.
UPDATE: Yep, upgrade to 2.0.2-RELEASE i386 solved the issue. Squid is starting, all packages were reinstalled during update.UPDATE2. Correct download links for i386:
pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz
cd /usr/local/lib
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libasn1.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libgssapi.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libheimntlm.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libhx509.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libkrb5.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libroken.so.10However:
[2.0.2-RELEASE][admin@somesite.com]/root(8): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz… Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done.
pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1
pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1
pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed!
Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done.
pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installedThis is because of 2.0.1 -> 2.0.2 upgrade, so again:
pkg_delete -f squid-2.7.9_3After some fight with dependencies..
Samba3 package now doesn't include ADS support due the portability problems
with Kerberos5 libraries on different installations. You need to compile the
port yourself to get this functionality.So far I was able to create working proxy on port 8080, visible to sites like http://www.whatismyip.com/ but no luck with AD.
-
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
-
I try to do like this tip for a month of Sundays., but not success.
I found now squid have integrate some many auth plugin
for example:basic_ldap_auth、ntlm_fake_auth 、 ntlm_smb_lm_auth and negotiate_kerberos_auth
now I can auth though basic_ldap_auth in squid, it's very easy.
just one line auth config, and 4 line relate config.so I can't understand that still use so many many third part lib,and so many many config
I am in pfsense 2.0.2 + dansguardian + squid 3+win2003 AD
I know how to use basic auth in squid,but don't know how to wok in dansguardian.
I try to add a ldap in dansguardian,then add a group name's "Administrator". I can't add a group like "domain user",but most of my account is in that AD group.
then run the commandphp /usr/local/www/dansguardian_ldap.php
it return a error
Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65
-
Working very good. Thank you!
Did anyone tried https://ip:port ? I allowed this and it is logged as exception but it is not working.
Any idea?
-
Did anyone manage to get samba and heimdal installed? I get the same version conflicts with some of the dependencies.
[2.0.3-RELEASE][admin@fw01.us.local]/root(1): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done. pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1 pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1 pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed! Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done. pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
[2.0.3-RELEASE][admin@fw01.us.local]/root(34): pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz Fetching http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/sqlite3-3.7.9_1.tbz... Done. pkg_add: warning: package 'heimdal-1.4_1' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
Not sure where to go from here, I can try removing the newer packages but that then means removing squid again.
Or force install the prerequisites for samba but not sure what that may break. -
I used -f to force install. It installed fine and two weeks later still running smooth..
Or force install the prerequisites for samba but not sure what that may break.
-
I used -f to force install. It installed fine and two weeks later still running smooth..
Or force install the prerequisites for samba but not sure what that may break.
Well, this is what i did, however you do get a message stating:
=============================================================================== Samba3 *package* now doesn't include ADS support due the portability problems with Kerberos5 libraries on different installations. You need to compile the port yourself to get this functionality. For additional hints and directions, please, look into the README.FreeBSD file. ===============================================================================
I believe ADS is required for authenticating against a domain?
I guess I need to build a system for compiling the port… :-\
-
I believe ADS is required for authenticating against a domain?
I guess I need to build a system for compiling the port… :-\
Nope, I got that message too but after following the instructs here, I have working NTLM silent authentication. No need to compile anything.
-
well giving it a go then!
Though I have got as far as authenticating the fw on the dc but getting kerberos failures with an admins username & password.
edit
Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.