Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
with proxy pac/wpad you can do that. You put on your script that these sites do not pass on proxy or go direct to squid port.
-
Windows update refuses to authenticate with NTLM, only kerberos. What you need to do is tell squid to allow those domains through without asking for authentication. You must place these ACLS before the authentication acls. Here is a list of the domains:
http://wiki.squid-cache.org/SquidFaq/WindowsUpdateYou would also need to whitelist in dansguardian so that it doesn't block based on the lack of authentication. (I currently am running this single-sign-on setup w/o dansguardian so I can't tell you exactly where to whitelist in dans).
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
-
Hi all, unfortunately I had to step away from this project of mine for a while (work, family… craziness). Anyway I checked in on this thread and see that it is very active so I thought I'd respond to some things.
I went to edit the original post so I could add in the x86 paths for step 13 but my edit button is gone. Anyone know why that would be?
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
I have not but I am interested to know how some of these other auth plugins work (or if they even do).
Working very good. Thank you!
Did anyone tried https://ip:port ? I allowed this and it is logged as exception but it is not working.
Any idea?
I'm not sure what you mean on this. I was able to use https with any name/IP. If you use a different port then it won't use the proxy if firewall rules allow it. You could use a NAT port forward to make it go through the proxy but then again until MITM is implemented dansguardian can't really filter on HTTPS anyway.
Also regarding the SuppressExtendedProtection, That is interesting. I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.
Odd, I didn't run into this… I did my testing in both Windows 7 SP1 and Windows 2008 R2 SP1.
Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!
Has anyone got this working on a domain with 2008 function level?
No problem, I had to do the work anyway for me so I figured why not share? I used a 2008 R2 functional level in my testing.
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.if it's auto complete, does firefox support NTLM?
It is auto authentication (single sign on or SSO). I used firefox during my testing so it does work. There are some tweaks you can do in the about:config as others have suggested if needed.
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
If you want to completely avoid the proxy for this, then I'd go with marcelloc's advice by using pac/wpad script. If you don't want to mess with the script then dig1234 method may be easier. In dansguardian you would just add the domains from his link to the ACLs -> Site Lists -> Exception List. I'm not sure if you'd also have to add it to the squid exception as well so it isn't even cached.
… I was toying with enabling ip and ntlm (with ip first) to allow specific computers... but not sure how that would work with a workstation vs server.
I really want to do this as well but I haven't had a chance to test it. For me it is for tablet/phones that cannot authenticate to AD. Please let me know the results if anyone tries this and I'll do the same.
-
Hi, First I'd like to say thanks for posting these instructions they've been a wonderful help (we probably wouldn't have anything running like this without this information)
I've not got much experience with setting up a proxy but I've followed these instructions and for 99% of the sites we visit work fine, but some don't load correctly first time.
I noticed on the squid logs that for some sites (Even ones that do seem to load correctly) squid looks like its returning status code 407, I don't know if this is normal or something to do with the problem i've been having and if I've missed something out on the setup (although I've been through it several times and everything else is working perfectly).Facebook loads okay but the squid access log shows status code 407. (I've changed the username of this user to user in these logs)
Squid access log - http://pastebin.com/Zf6Um8Kw
Dansguardian Access Log http://pastebin.com/XhJPPVU5if anyone can give me some pointers for figuring out what is causing this I'd appreciate it
-
Some additional information to the new squid package: The described way works for the new package!
@OliverH: Yes, Server 2008R2 with 2008 function level is working!
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
I have not but I am interested to know how some of these other auth plugins work (or if they even do).
Do you mean "ntlm_smb_lm_auth"? Did not work for me. There was some key exchange between dc and squid (so the connection was succesfully established) but no successfull authentication.
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
You created the computer account in AD before you did the join, correct? I would try a reboot as well. I haven't run into this so other than that I would just suggest rechecking that all the steps were completed and that your config files are correct.
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
First of all, thanks to the OP and all the others who contributed to make it work.
I ran into the same problem as well. I think that's because in my test environment, my domain name and pre-windows 2000 domain name are different.
After changing the default_domain = mydomain (to pre-windows 2000 domain name) in /etc/krb5.conf, I'm getting the user list correctly.
I hope it helps.
Cheers
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
If you want to completely avoid the proxy for this, then I'd go with marcelloc's advice by using pac/wpad script. If you don't want to mess with the script then dig1234 method may be easier. In dansguardian you would just add the domains from his link to the ACLs -> Site Lists -> Exception List. I'm not sure if you'd also have to add it to the squid exception as well so it isn't even cached.
We have tried using execptions in Dans and Squid.. to no avial… At least for like Outlook Icloud and Hotmail hooks.. Hotmail fails and Icloud asks for authentication?? Any ideas?
-
At the top of your custom integrations box add the following: http_access allow whitelist;
The problem is the squid whitelist is allowed after the Custom Integration settings so the authentication kicks in before the whitelist, that line forces it to allow first.
-
Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?
-
At the top of your custom integrations box add the following: http_access allow whitelist;
The problem is the squid whitelist is allowed after the Custom Integration settings so the authentication kicks in before the whitelist, that line forces it to allow first.
Thanks…......................... That worked perfectly..
-
Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?
We had issues at first you might try..
The option in the pfSense GUI is in Services > Proxy Server > General > Resolv dns v4 first
This worked for us.. -
Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?
We had issues at first you might try..
The option in the pfSense GUI is in Services > Proxy Server > General > Resolv dns v4 first
This worked for us..perycii I could kiss you. That's worked perfectly.
-
Hi Guys, i got a problem when running the command wbinfo -t and -u, what could be the problem?
wbinfo -t
/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8" -
Just to report back my experience with this was that I could never completely prevent users from getting the annoying authentication popup. Most of the time silent authentication works great but randomly users get popups and sometimes many repeated popups really driving them crazy. I suspect the issue is with poorly designed NTLM protocol and browser implementation bugs. I was unable to get a working Kerberos installation on pfsense so I ended up moving Squid to a windows box. The native kerberos authentication in Squid 2.7 for Windows works flawlessly and requires no configuration. Kerberos seems to be a much better solution than NTLM for single sign on proxy authentication. If Kerberos ever comes to pfsense I would try again but at this point all my Squid's are on windows servers for this reason…
-
Hi Guys, i got a problem when running the command wbinfo -t and -u, what could be the problem?
wbinfo -t
/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8"I haven't seen that file requirement. Double check your configuration files are set correctly. I could be wrong but I don't think it should be using ldap with the configuration I documented.
-
Just to report back my experience with this was that I could never completely prevent users from getting the annoying authentication popup. Most of the time silent authentication works great but randomly users get popups and sometimes many repeated popups really driving them crazy. I suspect the issue is with poorly designed NTLM protocol and browser implementation bugs. I was unable to get a working Kerberos installation on pfsense so I ended up moving Squid to a windows box. The native kerberos authentication in Squid 2.7 for Windows works flawlessly and requires no configuration. Kerberos seems to be a much better solution than NTLM for single sign on proxy authentication. If Kerberos ever comes to pfsense I would try again but at this point all my Squid's are on windows servers for this reason…
What clients and browsers were you using? I've tested on Windows XP/7/8 with various IE and firefox versions without getting the prompts at all.
-
Firefox/IE mostly xp some 7. Had same issue in multiple AD environments.
-
Hi,wheelz
I'd successfully to build pfsense as you show us. It's work perfectly. But I got a problem that is i can not using application such as gtalk, office 2013 to using proxy. The auth is failed and squid told me 407 denied. Is that a way to slove the problems ?
