Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

volkans80

Working very good. Thank you!

Did anyone tried https://ip:port ? I allowed this and it is logged as exception but it is not working.

Any idea?

LokisMischief

Did anyone manage to get samba and heimdal installed? I get the same version conflicts with some of the dependencies.


[2.0.3-RELEASE][admin@fw01.us.local]/root(1): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done.
pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1
pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1
pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed!
Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done.
pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed

[2.0.3-RELEASE][admin@fw01.us.local]/root(34): pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz
Fetching http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/8/All/sqlite3-3.7.9_1.tbz... Done.
pkg_add: warning: package 'heimdal-1.4_1' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed

Not sure where to go from here, I can try removing the newer packages but that then means removing squid again.
Or force install the prerequisites for samba but not sure what that may break.

dig1234

I used -f to force install. It installed fine and two weeks later still running smooth..

@LokisMischief:

Or force install the prerequisites for samba but not sure what that may break.

LokisMischief

@dig1234:

I used -f to force install. It installed fine and two weeks later still running smooth..

Or force install the prerequisites for samba but not sure what that may break.

Well, this is what i did, however you do get a message stating:

===============================================================================
Samba3 *package* now doesn't include ADS support due the portability problems
with Kerberos5 libraries on different installations. You need to compile the
port yourself to get this functionality.

For additional hints and directions, please, look into the README.FreeBSD file.
===============================================================================

I believe ADS is required for authenticating against a domain?

I guess I need to build a system for compiling the port… :-\

dig1234

@LokisMischief:

I believe ADS is required for authenticating against a domain?

I guess I need to build a system for compiling the port… :-\

Nope, I got that message too but after following the instructs here, I have working NTLM silent authentication. No need to compile anything.

LokisMischief

well giving it a go then!

Though I have got as far as authenticating the fw on the dc but getting kerberos failures with an admins username & password.

edit

Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.

dig1234

@LokisMischief:

http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.

did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.

dig1234

Also regarding the SuppressExtendedProtection, That is interesting. I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.

@LokisMischief:

Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.

OliverH

Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!

Has anyone got this working on a domain with 2008 function level?

LokisMischief

@OliverH:

Has anyone got this working on a domain with 2008 function level?

Thats what im working on now, presumably you tried it on a 2003 domain?

@dig1234:

did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.

Well, admin@domain.local I get password incorrect (even though it says auth successful on the 2008 server security log). admin (with no @) defaults to admin.domain.local. and gives the same error. admin@domain throws a unable to reach any KDC in realm.
So the username format is correct. Just going to try a tcpdump or so.

EDIT:

Finally got the FW to join the domain… it turned out I had an old GPO set on the DC's that wouldnt let the fw join.

EDIT2:

Well, I have got to the end of wheelz steps, finally, however after a reboot winbind seems to have dropped out.. (or screwed up)
when I run wbinfo -t I get success, however if I run wbinfo -u or -g I get nothing.

Seems dansguardian_ldap.php wont connect either (suspect its due to wbinfo.)

EDIT3:

wbinfo fixed, restarted samba. seems wbind may have come up before the nic was ready...

I had to add user@domain.local for the username in the Dansguardian LDAP tab, it wouldnt accept the user cn=ldapquery,ou=users

gdy1039

hi, I am in pfense2.02+squid3+dansguardian

I just add this line below,then the squid is work with basic auth in pfsense, and authen by win2003AD

when client access web, input AD login in password correct, then they cant pass.

auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=jian,dc=com" -D "cn=squid,cn=Users,dc=jian,dc=com" -w "Admin@8888" -f sAMAccountName=%s -h jxad.jian.com
auth_param basic children 5
auth_param basic realm jianxun.com
auth_param basic credentialsttl 60 minute

acl ldap-auth proxy_auth REQUIRED

http_access allow ldap-auth
http_access allow localhost

And finally deny all other access to this proxy

http_access deny all

and then I chose "Proxy-basic" authentication in dansguardian.
refer you tips stip step 18 to 21,
then the add a ldap like this

hostname=jian.com
dc=jian,dc=com
cn=squid,ou=Users
password=Admin@8888
mask=User

the squid account is ou=users,group=users(bulid in)

make a group in dansguardian name "users"

after I do this,the users won't update the user's list

if you know why please tell me,thanks.

jbrandligt

Hi all,

I'm running pfsense 2.0.3 and now I'm stuk at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL

Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.

The file kinit is executable though (-r-xr-xr-x ). Could this be because i'm on 2.0.3?

thanks,
Jeroen

jbrandligt

@jbrandligt:

Hi all,

I'm running pfsense 2.0.3 and now I'm stuk at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL

Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.

The file kinit is executable though (-r-xr-xr-x ). Could this be because i'm on 2.0.3?

thanks,
Jeroen

Never mind, installed amd64 instead of i386 packages…. (face palm)

LokisMischief

Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.

jbrandligt

@LokisMischief:

Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.

+1

Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?

dig1234

A few thoughts:
-What do the squid logs show?
-Did you check group ownership of /var/db/samba/winbindd_privileged
-What do wbinfo -t and wbinfo -u show?

@jbrandligt:

@LokisMischief:

Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.

+1

Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?

OliverH

@jbrandligt:

@LokisMischief:

Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.

+1

Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?

I had the problem with the users not appearing in users, which also showed from errors when running

php /usr/local/www/dansguardian_ldap.php

I fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.

LokisMischief

@OliverH:

I had the problem with the users not appearing in users, which also showed from errors when running
php /usr/local/www/dansguardian_ldap.php
I fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.

I had to do this too, I do have my users showing up in the users tab. As far as wbinfo -u, -t and -g, they all work.

Squid, doesn't show any users either.

as for /var/db/samba/winbindd_privileged I have user root, group proxy.

any more ideas? Im half wondering if its not the clients rather than the proxy. but if others are having the same issue i suspect its not going to be one of our group policies.

UPDATE:

Right, I have just wiresharked a http request and we are not getting any authorisation challange, so the proxy isn't even requesting ntlm auth. This takes us straight back to dansguardian.

I have flipped it over to identd and that works, it seems its just the ntlm auth plugin, however not all our clients have identd installed so it can leave a 5minute lag or so while it times out.

UPDATE2:

I think I may have solved it….

This works on one line now so you can ignore the following... Not sure why it didn't work before but it does now!
In the squid config -> custom settings -> integration's, its one long line. Squid doesn't seem to be reading this line (i suspect its thinking the ; is a comment??) but remove all the semi colons and but each part on a new line like this:

acl_uses_indirect_client on
follow_x_forwarded_for allow localhost
auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
acl password proxy_auth REQUIRED
http_access allow password

At least now I have usernames showing up!

I'm using Windows Server 2008R2 with a 2008 domian level, mixed xp and win 7 clients.

Oh and one more tip, using the text editor in pfsense and copy / pasting text in can provide some very interesting issues, such as the hyphens changing to other characters. (though they look fine on the webpage, running vi/cat/less you can see the different encoding.

gdy1039

HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.

if it's auto complete, does firefox support NTLM?

LokisMischief

@gdy1039:

HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.

This is SSO using NTLM so its automatic, taking the logged in user name for authentication. No need to enter username or password. Users in the required groups are pulled from active directory.
Of course if the machine isn't part of the domain, and the user logged in doesn't exist on the domain it will ask.

@gdy1039:

if it's auto complete, does firefox support NTLM?

I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!