Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
Also regarding the SuppressExtendedProtection, That is interesting. I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.
Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.
-
Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!
Has anyone got this working on a domain with 2008 function level?
-
Has anyone got this working on a domain with 2008 function level?
Thats what im working on now, presumably you tried it on a 2003 domain?
did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.
Well, admin@domain.local I get password incorrect (even though it says auth successful on the 2008 server security log). admin (with no @) defaults to admin.domain.local. and gives the same error. admin@domain throws a unable to reach any KDC in realm.
So the username format is correct. Just going to try a tcpdump or so.EDIT:
Finally got the FW to join the domain… it turned out I had an old GPO set on the DC's that wouldnt let the fw join.
EDIT2:
Well, I have got to the end of wheelz steps, finally, however after a reboot winbind seems to have dropped out.. (or screwed up)
when I run wbinfo -t I get success, however if I run wbinfo -u or -g I get nothing.Seems dansguardian_ldap.php wont connect either (suspect its due to wbinfo.)
EDIT3:
wbinfo fixed, restarted samba. seems wbind may have come up before the nic was ready...
I had to add user@domain.local for the username in the Dansguardian LDAP tab, it wouldnt accept the user cn=ldapquery,ou=users
-
hi, I am in pfense2.02+squid3+dansguardian
I just add this line below,then the squid is work with basic auth in pfsense, and authen by win2003AD
when client access web, input AD login in password correct, then they cant pass.
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=jian,dc=com" -D "cn=squid,cn=Users,dc=jian,dc=com" -w "Admin@8888" -f sAMAccountName=%s -h jxad.jian.com
auth_param basic children 5
auth_param basic realm jianxun.com
auth_param basic credentialsttl 60 minuteacl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth
http_access allow localhostAnd finally deny all other access to this proxy
http_access deny all
and then I chose "Proxy-basic" authentication in dansguardian.
refer you tips stip step 18 to 21,
then the add a ldap like thishostname=jian.com
dc=jian,dc=com
cn=squid,ou=Users
password=Admin@8888
mask=Userthe squid account is ou=users,group=users(bulid in)
make a group in dansguardian name "users"
after I do this,the users won't update the user's list
if you know why please tell me,thanks.
-
Hi all,
I'm running pfsense 2.0.3 and now I'm stuk at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL
Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.
The file kinit is executable though (-r-xr-xr-x ). Could this be because i'm on 2.0.3?
thanks,
Jeroen -
Hi all,
I'm running pfsense 2.0.3 and now I'm stuk at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL
Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.
The file kinit is executable though (-r-xr-xr-x ). Could this be because i'm on 2.0.3?
thanks,
JeroenNever mind, installed amd64 instead of i386 packages…. (face palm)
-
Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames. -
Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.+1
Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
-
A few thoughts:
-What do the squid logs show?
-Did you check group ownership of /var/db/samba/winbindd_privileged
-What do wbinfo -t and wbinfo -u show?Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.+1
Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
-
Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.+1
Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
I had the problem with the users not appearing in users, which also showed from errors when running
php /usr/local/www/dansguardian_ldap.phpI fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.
-
I had the problem with the users not appearing in users, which also showed from errors when running
php /usr/local/www/dansguardian_ldap.phpI fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.
I had to do this too, I do have my users showing up in the users tab. As far as wbinfo -u, -t and -g, they all work.
Squid, doesn't show any users either.
as for /var/db/samba/winbindd_privileged I have user root, group proxy.
any more ideas? Im half wondering if its not the clients rather than the proxy. but if others are having the same issue i suspect its not going to be one of our group policies.
UPDATE:
Right, I have just wiresharked a http request and we are not getting any authorisation challange, so the proxy isn't even requesting ntlm auth. This takes us straight back to dansguardian.
I have flipped it over to identd and that works, it seems its just the ntlm auth plugin, however not all our clients have identd installed so it can leave a 5minute lag or so while it times out.
UPDATE2:
I think I may have solved it….
This works on one line now so you can ignore the following... Not sure why it didn't work before but it does now!
In the squid config -> custom settings -> integration's, its one long line. Squid doesn't seem to be reading this line (i suspect its thinking the ; is a comment??) but remove all the semi colons and but each part on a new line like this:acl_uses_indirect_client on follow_x_forwarded_for allow localhost auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 10 auth_param ntlm keep_alive on acl password proxy_auth REQUIRED http_access allow passwordAt least now I have usernames showing up!
I'm using Windows Server 2008R2 with a 2008 domian level, mixed xp and win 7 clients.
Oh and one more tip, using the text editor in pfsense and copy / pasting text in can provide some very interesting issues, such as the hyphens changing to other characters. (though they look fine on the webpage, running vi/cat/less you can see the different encoding.
-
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.if it's auto complete, does firefox support NTLM?
-
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.This is SSO using NTLM so its automatic, taking the logged in user name for authentication. No need to enter username or password. Users in the required groups are pulled from active directory.
Of course if the machine isn't part of the domain, and the user logged in doesn't exist on the domain it will ask.if it's auto complete, does firefox support NTLM?
I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
-
I can confirm that 99% of the time firefox authenticates silently with this setup without any about:config changes.
I am experiencing an issue where at random times user get hit with an authentication popup. They can just hit escape and authentication proceeds as normal, however it is causing annoyance.
Not sure if this is a bug or something I did wrong in my setup..
@LokisMischief:I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
-
Cheers dig, that's good to know!
-
I can confirm that 99% of the time firefox authenticates silently with this setup without any about:config changes.
I am experiencing an issue where at random times user get hit with an authentication popup. They can just hit escape and authentication proceeds as normal, however it is causing annoyance.
Not sure if this is a bug or something I did wrong in my setup..
@LokisMischief:I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
Usually, those pop-up requests are caused by ads/ad-media on a page that don't "inherit" the page's authentication; usually you'll then see an "error page" inside an ad area of the page. If you are blocking most ads before pages are served, you'll rarely see it.
Firefox does support NTLM. We've been using it on our domain against a MS ISA server firewall for years.
-
q1:
HI all,when I success to NTLM authencation with AD,
I try to login with a local Account instead of AD account,and access internet.
the IE will prompt me input loginWINXP SP3 + IE6 + FIREFOX20+ WIN2003 AD
my domain is jian.comI input "gdy@jian.com" or "jian\gdy" to login
it alway prompt fail to authencation.can I do something to access internet success?
q2:what's the different between kerberos and ntlm authentication? both of that are support in both win2003 and win2008?
thanks
-
I am in pfsense 2.0.2
after I runpkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
I run smbd or winbindd it wil prompt
Exec format error. Binary file not executable.
-
I am in pfsense 2.0.2
after I runpkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
I run smbd or winbindd it wil prompt
Exec format error. Binary file not executable.
The earlier answer on page 1 from Wheelz should fix this
I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tired it. Let me know if that works and I'll edit the original post to include that.
For the fetch commands I could not find those same files in a non-amd64 area. Perhaps marcelloc would know where the x86 version of those files could be downloaded from?[\quote]
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.