Netgate Discussion Forum
    Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

    Cache/Proxy
    • LokisMischief

      well giving it a go then!

      Though I have got as far as authenticating the fw on the dc but getting kerberos failures with an admins username & password.

      edit

      Well, that's fun… I can get Server 2008 R2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting, http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.

      • dig1234

        @LokisMischief:

        http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.

        did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.

        • dig1234

          Also regarding the SuppressExtendedProtection, That is interesting.  I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.

          @LokisMischief:

          Well, that's fun… I can get Server 2008 R2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting, http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.

          • OliverH

            Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!

            Has anyone got this working on a domain with 2008 function level?

            • LokisMischief

              @OliverH:

              Has anyone got this working on a domain with 2008 function level?

              That's what I'm working on now. Presumably you tried it on a 2003 domain?

              @dig1234:

              did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.

              Well, with admin@domain.local I get password incorrect (even though it says auth successful in the 2008 server security log). admin (with no @) defaults to admin.domain.local and gives the same error. admin@domain throws an "unable to reach any KDC in realm".
              So the username format is correct. Just going to try a tcpdump or so.

              EDIT:

              Finally got the FW to join the domain… it turned out I had an old GPO set on the DCs that wouldn't let the fw join.

              EDIT2:

              Well, I have got to the end of wheelz's steps, finally. However, after a reboot winbind seems to have dropped out (or screwed up):
              when I run wbinfo -t I get success, however if I run wbinfo -u or -g I get nothing.

              Seems dansguardian_ldap.php won't connect either (suspect it's due to wbinfo).

              EDIT3:

              wbinfo fixed, restarted samba. Seems winbind may have come up before the NIC was ready...

              I had to add user@domain.local for the username in the Dansguardian LDAP tab; it wouldn't accept the user cn=ldapquery,ou=users

              • gdy1039

                Hi, I am on pfSense 2.0.2 + squid3 + dansguardian.

                I just added the lines below; then squid works with basic auth in pfSense, authenticating against a Win2003 AD.

                When clients access the web and enter the correct AD login and password, they still can't pass.

                auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=jian,dc=com" -D "cn=squid,cn=Users,dc=jian,dc=com" -w "Admin@8888" -f sAMAccountName=%s -h jxad.jian.com
                auth_param basic children 5
                auth_param basic realm jianxun.com
                auth_param basic credentialsttl 60 minute

                acl ldap-auth proxy_auth REQUIRED

                http_access allow ldap-auth
                http_access allow localhost

                And finally deny all other access to this proxy

                http_access deny all

                And then I chose "Proxy-basic" authentication in dansguardian,
                referring to your tips, steps 18 to 21,
                then added an LDAP entry like this:

                hostname=jian.com
                dc=jian,dc=com
                cn=squid,ou=Users
                password=Admin@8888
                mask=User

                The squid account is ou=users, group=users (built in).

                make a group in dansguardian name "users"

                After I do this, the users list won't update.

                If you know why, please tell me. Thanks.

                • jbrandligt

                  Hi all,

                  I'm running pfSense 2.0.3 and now I'm stuck at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL

                  Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.

                  The file kinit is executable though (-r-xr-xr-x). Could this be because I'm on 2.0.3?

                  thanks,
                  Jeroen

                  • jbrandligt

                    @jbrandligt:

                    Hi all,

                    I'm running pfSense 2.0.3 and now I'm stuck at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL

                    Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.

                    The file kinit is executable though (-r-xr-xr-x). Could this be because I'm on 2.0.3?

                    thanks,
                    Jeroen

                    Never mind, installed amd64 instead of i386 packages…. (face palm)

                    • LokisMischief

                      Well, I have got dansguardian working, group loaded from Server 2008 R2; however dansguardian isn't using NTLM despite the fact it's enabled… at least there are no usernames showing up in the logs.
                      I presume there is nothing other than the proxy address to set on the clients? It seems to be the same with Windows XP, IE8 and Chrome as it is on Windows 7, IE9, Chrome. No usernames.

                      • jbrandligt

                        @LokisMischief:

                        Well, I have got dansguardian working, group loaded from Server 2008 R2; however dansguardian isn't using NTLM despite the fact it's enabled… at least there are no usernames showing up in the logs.
                        I presume there is nothing other than the proxy address to set on the clients? It seems to be the same with Windows XP, IE8 and Chrome as it is on Windows 7, IE9, Chrome. No usernames.

                        +1

                        Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?

                        • dig1234

                          A few thoughts:
                          -What do the squid logs show?
                          -Did you check group ownership of /var/db/samba/winbindd_privileged
                          -What do  wbinfo -t and  wbinfo -u show?

                          @jbrandligt:

                          @LokisMischief:

                          Well, I have got dansguardian working, group loaded from Server 2008 R2; however dansguardian isn't using NTLM despite the fact it's enabled… at least there are no usernames showing up in the logs.
                          I presume there is nothing other than the proxy address to set on the clients? It seems to be the same with Windows XP, IE8 and Chrome as it is on Windows 7, IE9, Chrome. No usernames.

                          +1

                          Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
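To put dig1234's three checks in one place, here is an added Python diagnostic; it is not code from the thread, from pfSense or from Samba. collect() runs wbinfo and stats the winbindd_privileged directory on the proxy host; diagnose() is a pure function that maps the observed results to the causes reported in this thread (winbindd started before the NIC was up, privileged directory not owned by squid's group). The name of squid's group ("proxy", as LokisMischief reports later) is a parameter, and the wording of the findings is my own.

```python
# Added example (not from the thread): dig1234's checks as a small diagnostic.
# collect() needs a pfSense/FreeBSD box with samba/winbind installed;
# diagnose() is pure and can be exercised anywhere with constructed inputs.
import grp
import os
import subprocess

PRIVILEGED_DIR = "/var/db/samba/winbindd_privileged"  # path named in the thread


def run(cmd):
    """Run cmd, returning (exit_ok, non-empty stdout lines). Never raises."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return False, []
    return proc.returncode == 0, [ln for ln in proc.stdout.splitlines() if ln.strip()]


def collect(squid_group="proxy"):
    """Gather the live facts on the proxy host and return diagnose()'s findings."""
    trust_ok, _ = run(["wbinfo", "-t"])
    _, users = run(["wbinfo", "-u"])
    _, groups = run(["wbinfo", "-g"])
    try:
        dir_group = grp.getgrgid(os.stat(PRIVILEGED_DIR).st_gid).gr_name
    except (OSError, KeyError):
        dir_group = None  # directory missing, unreadable, or gid has no name
    return diagnose(trust_ok, users, groups, dir_group, squid_group)


def diagnose(trust_ok, users, groups, dir_group, squid_group="proxy"):
    """Map observed results to the causes seen in the thread.

    trust_ok  -- whether `wbinfo -t` succeeded
    users     -- lines from `wbinfo -u`
    groups    -- lines from `wbinfo -g`
    dir_group -- group owning winbindd_privileged, or None if unknown
    Returns a list of finding strings; an empty list means every check passed.
    """
    findings = []
    if not trust_ok:
        findings.append("wbinfo -t failed: the machine trust account / domain join is broken")
    elif not users or not groups:
        # LokisMischief's symptom: trust OK, enumeration empty, fixed by restarting samba
        findings.append("wbinfo -t OK but -u/-g returned nothing: winbindd probably "
                        "started before the NIC was up; restart samba")
    if dir_group is None:
        findings.append(f"{PRIVILEGED_DIR} is missing or unreadable")
    elif dir_group != squid_group:
        findings.append(f"{PRIVILEGED_DIR} is owned by group '{dir_group}' but squid's "
                        f"ntlm_auth helper runs as group '{squid_group}'; fix the group ownership")
    return findings


if __name__ == "__main__":
    for finding in collect() or ["all winbind checks passed"]:
        print(finding)
```

Run it as root on the pfSense box after the domain join; an empty result means the trust, enumeration and directory ownership are all as the thread expects, and any finding names the next thing to fix.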

                          • OliverH

                            @jbrandligt:

                            @LokisMischief:

                            Well, I have got dansguardian working, group loaded from Server 2008 R2; however dansguardian isn't using NTLM despite the fact it's enabled… at least there are no usernames showing up in the logs.
                            I presume there is nothing other than the proxy address to set on the clients? It seems to be the same with Windows XP, IE8 and Chrome as it is on Windows 7, IE9, Chrome. No usernames.

                            +1

                            Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?

                            I had the problem with the users not appearing in users, which also showed from errors when running

                            php /usr/local/www/dansguardian_ldap.php
                            

                            I fixed the issue by changing the username in the DansGuardian LDAP settings to the user@domain.local format and re-running the PHP script.

                            • LokisMischief

                              @OliverH:

                              I had the problem with the users not appearing in users, which also showed from errors when running

                              php /usr/local/www/dansguardian_ldap.php
                              

                              I fixed the issue by changing the username in the DansGuardian LDAP settings to the user@domain.local format and re-running the PHP script.

                              I had to do this too, I do have my users showing up in the users tab. As far as wbinfo -u, -t and -g, they all work.

                              Squid, doesn't show any users either.

                              As for /var/db/samba/winbindd_privileged, I have user root, group proxy.

                              Any more ideas? I'm half wondering if it's not the clients rather than the proxy, but if others are having the same issue I suspect it's not going to be one of our group policies.

                              UPDATE:

                              Right, I have just wiresharked an HTTP request and we are not getting any authorisation challenge, so the proxy isn't even requesting NTLM auth. This takes us straight back to dansguardian.

                              I have flipped it over to identd and that works; it seems it's just the NTLM auth plugin. However, not all our clients have identd installed, so it can leave a 5-minute lag or so while it times out.

                              UPDATE2:

                              I think I may have solved it….

                              This works on one line now so you can ignore the following... Not sure why it didn't work before but it does now!
                              In the squid config -> custom settings -> Integrations, it's one long line. Squid doesn't seem to be reading this line (I suspect it's treating the ; as a comment??), but remove all the semicolons and put each part on a new line like this:

                              acl_uses_indirect_client on
                              follow_x_forwarded_for allow localhost
                              auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp
                              auth_param ntlm children 10
                              auth_param ntlm keep_alive on
                              acl password proxy_auth REQUIRED
                              http_access allow password
                              

                              At least now I have usernames showing up!

                              I'm using Windows Server 2008 R2 with a 2008 domain level, mixed XP and Win 7 clients.

                              Oh, and one more tip: using the text editor in pfSense and copy/pasting text in can provide some very interesting issues, such as the hyphens changing to other characters (though they look fine on the web page, running vi/cat/less you can see the different encoding).
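The two pitfalls in the post above, a semicolon-joined one-liner that Squid does not read as separate directives and pasted hyphens that are no longer ASCII, can both be caught mechanically before the config is saved. The following Python is an added example, not code from the thread, from pfSense or from Squid. It assumes that no directive in the Integrations field contains a literal ";" and that the look-alike table covers the characters a browser paste is likely to introduce; both assumptions are marked in the code. The sample one-liner is constructed from the seven directives in the post, with the double hyphens in the ntlm_auth options deliberately corrupted into en dashes to reproduce the symptom.

```python
# Added example (not from the thread): normalise a pasted Squid "Integrations"
# one-liner into one directive per line and report non-ASCII look-alikes.
import unicodedata

# Assumption: these are the look-alikes a browser/editor paste commonly
# introduces; the table is illustrative, not exhaustive.
LOOKALIKES = {
    "\u2010": "-",  # hyphen
    "\u2011": "-",  # non-breaking hyphen
    "\u2012": "-",  # figure dash
    "\u2013": "-",  # en dash
    "\u2014": "-",  # em dash
    "\u2212": "-",  # minus sign
    "\u00a0": " ",  # no-break space
    "\u201c": '"', "\u201d": '"',  # curly double quotes
    "\u2018": "'", "\u2019": "'",  # curly single quotes
}


def find_non_ascii(text):
    """Return (line, column, char, unicode name) for every non-ASCII character.

    This is the programmatic version of 'look at it with vi/cat/less':
    anything listed here will not be what Squid's option parser expects.
    """
    hits = []
    for ln, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) > 127:
                hits.append((ln, col, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits


def normalize_integration(text):
    """Split a ';'-joined Integrations string into clean squid.conf directives.

    Assumption: no directive contains a literal ';' (true for the directives
    in the post). Look-alike characters are mapped back to ASCII, runs of
    whitespace are collapsed, and blank or '#' comment lines are dropped.
    """
    for bad, good in LOOKALIKES.items():
        text = text.replace(bad, good)
    directives = []
    for chunk in text.replace(";", "\n").splitlines():
        chunk = " ".join(chunk.split())
        if chunk and not chunk.startswith("#"):
            directives.append(chunk)
    return directives


# Constructed sample: the post's seven directives pasted as one line, with the
# '--' in the ntlm_auth options corrupted into en dashes (U+2013).
PASTED_ONE_LINER = (
    "acl_uses_indirect_client on; follow_x_forwarded_for allow localhost; "
    "auth_param ntlm program /usr/local/bin/ntlm_auth \u2013\u2013use-cached-creds "
    "\u2013\u2013helper-protocol=squid-2.5-ntlmssp; auth_param ntlm children 10; "
    "auth_param ntlm keep_alive on; acl password proxy_auth REQUIRED; "
    "http_access allow password"
)

if __name__ == "__main__":
    for ln, col, ch, name in find_non_ascii(PASTED_ONE_LINER):
        print(f"line {ln} col {col}: U+{ord(ch):04X} {name}")
    print("\n".join(normalize_integration(PASTED_ONE_LINER)))
```

Paste the Integrations field contents into PASTED_ONE_LINER (or read them from a file) and use the printed directives as the replacement; any line the first loop prints is a character that looked fine in the browser but would reach squid.conf as something other than ASCII.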

                              • gdy1039

                                Hi wheelz,
                                when you complete the config and access the internet,
                                do you have to input a username and password,
                                or is authentication automatic?

                                If it's automatic, does Firefox support NTLM?

                                • LokisMischief

                                  @gdy1039:

                                  Hi wheelz,
                                  when you complete the config and access the internet,
                                  do you have to input a username and password,
                                  or is authentication automatic?

                                  This is SSO using NTLM so it's automatic, taking the logged-in user name for authentication. No need to enter a username or password. Users in the required groups are pulled from Active Directory.
                                  Of course if the machine isn't part of the domain, and the user logged in doesn't exist on the domain it will ask.

                                  @gdy1039:

                                  If it's automatic, does Firefox support NTLM?

                                  I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!

                                  • dig1234

                                    I can confirm that 99% of the time Firefox authenticates silently with this setup without any about:config changes.
                                    I am experiencing an issue where at random times users get hit with an authentication popup. They can just hit escape and authentication proceeds as normal; however, it is causing annoyance.
                                    Not sure if this is a bug or something I did wrong in my setup.
                                    @LokisMischief:

                                    I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!

                                    • LokisMischief

                                      Cheers dig, that's good to know!

                                      • barky81

                                        @dig1234:

                                        I can confirm that 99% of the time Firefox authenticates silently with this setup without any about:config changes.
                                        I am experiencing an issue where at random times users get hit with an authentication popup. They can just hit escape and authentication proceeds as normal; however, it is causing annoyance.
                                        Not sure if this is a bug or something I did wrong in my setup.
                                        @LokisMischief:

                                        I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!

                                        Usually, those pop-up requests are caused by ads/ad-media on a page that don't "inherit" the page's authentication; usually you'll then see an "error page" inside an ad area of the page. If you are blocking most ads before pages are served, you'll rarely see it.

                                        Firefox does support NTLM. We've been using it on our domain against a MS ISA server firewall for years.

                                        • gdy1039

                                          q1:
                                          Hi all, once I have NTLM authentication with AD working,
                                          I try to log in with a local account instead of an AD account and access the internet.
                                          IE prompts me for a login.

                                          WinXP SP3 + IE6 + Firefox 20 + Win2003 AD
                                          My domain is jian.com.

                                          I enter "gdy@jian.com" or "jian\gdy" to log in;
                                          it always says authentication failed.

                                          Can I do something to access the internet successfully?

                                          q2: What's the difference between Kerberos and NTLM authentication? Are both supported in both Win2003 and Win2008?

                                          thanks

                                          • gdy1039

                                            I am on pfSense 2.0.2.
                                            After I run

                                            pkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz

                                            and then run smbd or winbindd, it prompts:

                                            Exec format error. Binary file not executable.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.