Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
Getting following error after reboot:
wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret -
Ok I got wbinfo working, samba service wasn't starting. Needed to add one more shellcmd:
mkdir /var/db/samba -
It's pretty cool, it works very smooth to seamlessly authenticated dansguardian groups.
For some reason though on every reboot I have to do:
chgrp proxy /var/db/samba/winbindd_privileged
and restart squid
Otherwise authentication fails, any idea why that's happening? I suppose I could just add shellcmd's for this but not sure if that's the correct solution?Thanks again for a great howto!
-
I was able to get it working reliably on reboot, This is what my shellcmd lines look like:
mkdir /var/run/samba
mkdir /var/db/samba/winbindd_privileged
/usr/bin/chgrp proxy /var/db/samba/winbindd_privileged
chmod 0750 /var/db/samba/winbindd_privileged
/usr/local/etc/rc.d/samba start -
Strange that I did not run into this but thanks for posting as this will help anyone else that does.
-
I'm pretty sure the issue is related to the fact that I'm running nanoBSD on CF card. I just did the install on another system that's on a HDD and did not have to add those extra lines.
One more not is that if you are doing this install on nanoBSD you need to mount the card in Read/Write before making those file changes, see this thread:
http://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write -
How did You solved issue with not starting Squid3 daemon?
Mar 25 00:06:37 check_reload_status: Syncing firewall
Mar 25 00:06:37 check_reload_status: Reloading filter
Mar 25 00:07:15 squid[60713]: Squid Parent: child process 61160 exited due to signal 15 with status 0
Mar 25 00:07:15 squid[60713]: Exiting due to unexpected forced shutdown
Mar 25 00:07:17 squid[34206]: Squid Parent: child process 34441 started
Mar 25 00:08:09 squid[60554]: Squid Parent: child process 60691 started
Mar 25 00:08:19 squid[765]: Squid Parent: child process 1120 started
Mar 25 00:08:32 squid[5630]: Squid Parent: child process 6099 started
My version:
2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6
Packages:
Dansguardian 2.12.0.3 pkg v.0.1.7_3
squid3 3.1.20 pkg 2.0.6I'm on step 12. Upgrading to 2.0.2 to see if it helps.
UPDATE: Yep, upgrade to 2.0.2-RELEASE i386 solved the issue. Squid is starting, all packages were reinstalled during update.UPDATE2. Correct download links for i386:
pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz
cd /usr/local/lib
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libasn1.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libgssapi.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libheimntlm.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libhx509.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libkrb5.so.10
fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libroken.so.10However:
[2.0.2-RELEASE][admin@somesite.com]/root(8): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz… Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done.
pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1
pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1
pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed!
Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done.
pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installedThis is because of 2.0.1 -> 2.0.2 upgrade, so again:
pkg_delete -f squid-2.7.9_3After some fight with dependencies..
Samba3 package now doesn't include ADS support due the portability problems
with Kerberos5 libraries on different installations. You need to compile the
port yourself to get this functionality.So far I was able to create working proxy on port 8080, visible to sites like http://www.whatismyip.com/ but no luck with AD.
-
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
-
I try to do like this tip for a month of Sundays., but not success.
I found now squid have integrate some many auth plugin
for example:basic_ldap_auth、ntlm_fake_auth 、 ntlm_smb_lm_auth and negotiate_kerberos_auth
now I can auth though basic_ldap_auth in squid, it's very easy.
just one line auth config, and 4 line relate config.so I can't understand that still use so many many third part lib,and so many many config
I am in pfsense 2.0.2 + dansguardian + squid 3+win2003 AD
I know how to use basic auth in squid,but don't know how to wok in dansguardian.
I try to add a ldap in dansguardian,then add a group name's "Administrator". I can't add a group like "domain user",but most of my account is in that AD group.
then run the commandphp /usr/local/www/dansguardian_ldap.php
it return a error
Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65
-
Working very good. Thank you!
Did anyone tried https://ip:port ? I allowed this and it is logged as exception but it is not working.
Any idea?
-
Did anyone manage to get samba and heimdal installed? I get the same version conflicts with some of the dependencies.
[2.0.3-RELEASE][admin@fw01.us.local]/root(1): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done. pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1 pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1 pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed! Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done. pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
[2.0.3-RELEASE][admin@fw01.us.local]/root(34): pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz Fetching http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz... Done. Fetching http://e-sac.siteseguro.ws/packages/8/All/sqlite3-3.7.9_1.tbz... Done. pkg_add: warning: package 'heimdal-1.4_1' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
Not sure where to go from here, I can try removing the newer packages but that then means removing squid again.
Or force install the prerequisites for samba but not sure what that may break. -
I used -f to force install. It installed fine and two weeks later still running smooth..
Or force install the prerequisites for samba but not sure what that may break.
-
I used -f to force install. It installed fine and two weeks later still running smooth..
Or force install the prerequisites for samba but not sure what that may break.
Well, this is what i did, however you do get a message stating:
=============================================================================== Samba3 *package* now doesn't include ADS support due the portability problems with Kerberos5 libraries on different installations. You need to compile the port yourself to get this functionality. For additional hints and directions, please, look into the README.FreeBSD file. ===============================================================================
I believe ADS is required for authenticating against a domain?
I guess I need to build a system for compiling the port… :-\
-
I believe ADS is required for authenticating against a domain?
I guess I need to build a system for compiling the port… :-\
Nope, I got that message too but after following the instructs here, I have working NTLM silent authentication. No need to compile anything.
-
well giving it a go then!
Though I have got as far as authenticating the fw on the dc but getting kerberos failures with an admins username & password.
edit
Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.
-
http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.
did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.
-
Also regarding the SuppressExtendedProtection, That is interesting. I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.
Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.
-
Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!
Has anyone got this working on a domain with 2008 function level?
-
Has anyone got this working on a domain with 2008 function level?
Thats what im working on now, presumably you tried it on a 2003 domain?
did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.
Well, admin@domain.local I get password incorrect (even though it says auth successful on the 2008 server security log). admin (with no @) defaults to admin.domain.local. and gives the same error. admin@domain throws a unable to reach any KDC in realm.
So the username format is correct. Just going to try a tcpdump or so.EDIT:
Finally got the FW to join the domain… it turned out I had an old GPO set on the DC's that wouldnt let the fw join.
EDIT2:
Well, I have got to the end of wheelz steps, finally, however after a reboot winbind seems to have dropped out.. (or screwed up)
when I run wbinfo -t I get success, however if I run wbinfo -u or -g I get nothing.Seems dansguardian_ldap.php wont connect either (suspect its due to wbinfo.)
EDIT3:
wbinfo fixed, restarted samba. seems wbind may have come up before the nic was ready...
I had to add user@domain.local for the username in the Dansguardian LDAP tab, it wouldnt accept the user cn=ldapquery,ou=users
-
hi, I am in pfense2.02+squid3+dansguardian
I just add this line below,then the squid is work with basic auth in pfsense, and authen by win2003AD
when client access web, input AD login in password correct, then they cant pass.
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=jian,dc=com" -D "cn=squid,cn=Users,dc=jian,dc=com" -w "Admin@8888" -f sAMAccountName=%s -h jxad.jian.com
auth_param basic children 5
auth_param basic realm jianxun.com
auth_param basic credentialsttl 60 minuteacl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth
http_access allow localhostAnd finally deny all other access to this proxy
http_access deny all
and then I chose "Proxy-basic" authentication in dansguardian.
refer you tips stip step 18 to 21,
then the add a ldap like thishostname=jian.com
dc=jian,dc=com
cn=squid,ou=Users
password=Admin@8888
mask=Userthe squid account is ou=users,group=users(bulid in)
make a group in dansguardian name "users"
after I do this,the users won't update the user's list
if you know why please tell me,thanks.