Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

friskee

I'm getting stuck on:

16.    In SSH run commands to test:
  a.  wbinfo -t  (This should return that it succeeded)
  b.  wbinfo -u  (This should return a list of users in the domain)

wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded

but wbinfo -u returns no users. Still same result if i restart samba.

Any ideas?

wheelz

@friskee:

I'm getting stuck on:

16.     In SSH run commands to test:
   a.   wbinfo -t   (This should return that it succeeded)
  b.   wbinfo -u   (This should return a list of users in the domain)

wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded

but wbinfo -u returns no users. Still same result if i restart samba.

Any ideas?

You created the computer account in AD before you did the join, correct?  I would try a reboot as well.  I haven't run into this so other than that I would just suggest rechecking that all the steps were completed and that your config files are correct.

user151

@friskee:

I'm getting stuck on:

16.     In SSH run commands to test:
  a.   wbinfo -t   (This should return that it succeeded)
 b.   wbinfo -u   (This should return a list of users in the domain)

wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded

but wbinfo -u returns no users. Still same result if i restart samba.

Any ideas?

First of all, thanks to the OP and all the others who contributed to make it work.

I ran into the same problem as well. I think that's because in my test environment, my domain name and pre-windows 2000 domain name are different.

After changing the default_domain = mydomain (to pre-windows 2000 domain name) in /etc/krb5.conf, I'm getting the user list correctly.

I hope it helps.

Cheers

percyiii

@OliverH:

Can anyone think of a way to whitelist sites so access to them would not require authentication?  I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.

I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage.  Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.

If you want to completely avoid the proxy for this, then I'd go with marcelloc's advice by using pac/wpad script.  If you don't want to mess with the script then dig1234 method may be easier.  In dansguardian you would just add the domains from his link to the ACLs -> Site Lists -> Exception List.  I'm not sure if you'd also have to add it to the squid exception as well so it isn't even cached.

We have tried using execptions in Dans and Squid.. to no avial… At least for like Outlook Icloud and Hotmail hooks.. Hotmail fails and Icloud asks for authentication?? Any ideas?

dig1234

At the top of your custom integrations box add the following: http_access allow whitelist;

The problem is the squid whitelist is allowed  after the Custom Integration settings so the authentication kicks in before the whitelist, that line forces it to allow first.

friskee

Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?

percyiii

@dig1234:

At the top of your custom integrations box add the following: http_access allow whitelist;

The problem is the squid whitelist is allowed  after the Custom Integration settings so the authentication kicks in before the whitelist, that line forces it to allow first.

Thanks…......................... That worked perfectly..

percyiii

@friskee:

Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?

We had issues at first you might try..
The option in the pfSense GUI is in Services > Proxy Server > General > Resolv dns v4 first
This worked for us..

friskee

@percyiii:

@friskee:

Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?

We had issues at first you might try..
The option in the pfSense GUI is in Services > Proxy Server > General > Resolv dns v4 first
This worked for us..

perycii I could kiss you. That's worked perfectly.

dennisv

Hi Guys, i got a problem when running the command wbinfo -t and -u, what could be the problem?

wbinfo -t
/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8"

dig1234

Just to report back my experience with this was that I could never completely prevent users from getting the annoying authentication popup. Most of the time silent authentication works great but randomly users get popups and sometimes many repeated popups really driving them crazy. I suspect the issue is with poorly designed NTLM protocol and browser implementation bugs. I was unable to get a working Kerberos installation on pfsense so I ended up moving Squid to a windows box. The native kerberos authentication in Squid 2.7 for Windows works flawlessly and requires no configuration. Kerberos seems to be a much better solution than NTLM for single sign on proxy authentication. If Kerberos ever comes to pfsense I would try again but at this point all my Squid's are on windows servers for this reason…

wheelz

@dennisv:

Hi Guys, i got a problem when running the command wbinfo -t and -u, what could be the problem?

wbinfo -t
/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8"

I haven't seen that file requirement.  Double check your configuration files are set correctly.  I could be wrong but I don't think it should be using ldap with the configuration I documented.

wheelz

@dig1234:

Just to report back my experience with this was that I could never completely prevent users from getting the annoying authentication popup. Most of the time silent authentication works great but randomly users get popups and sometimes many repeated popups really driving them crazy. I suspect the issue is with poorly designed NTLM protocol and browser implementation bugs. I was unable to get a working Kerberos installation on pfsense so I ended up moving Squid to a windows box. The native kerberos authentication in Squid 2.7 for Windows works flawlessly and requires no configuration. Kerberos seems to be a much better solution than NTLM for single sign on proxy authentication. If Kerberos ever comes to pfsense I would try again but at this point all my Squid's are on windows servers for this reason…

What clients and browsers were you using?  I've tested on Windows XP/7/8 with various IE and firefox versions without getting the prompts at all.

dig1234

Firefox/IE mostly xp some 7. Had same issue in multiple AD environments.

echowings

Hi,wheelz
I'd successfully to build pfsense as you show us. It's work perfectly. But I got a problem that is i can not using application such as gtalk, office 2013  to using proxy. The auth is failed and squid told me 407 denied. Is that a way to slove the problems ?

harshkukreja

Hi! Wheelz

First of all thanks for such a great post!! I have followed your steps but I am stuck with the below error which is not starting squid:

php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was 'FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 97: acl_uses_indirect_client on;follow_x_forwarded_for allow localhost;auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 10;auth_param ntlm keep_alive on;acl password proxy_auth REQUIRED;http_access allow password Squid Cache (Version 3.3.8): Terminated abnormally. CPU Usage: 0.010 seconds = 0.000 user + 0.010 sys Maximum Resident Size: 31904 KB Page faults with physical i/o: 0'

What I have to achieve is this:

To pass all users through non-transparent squid proxy using wpad/ pac file authenticating transparently SSO via NTLM using Samba 4 AD Domain Controller with squidgaurd web content filtering.

ALL computers joined to a domain must authenticate to squid using SSO passing through squidgaurd web content filtering to Internet.

Please help to achieve the same.

Thanks

Harsh Kukreja

Email: harshkukreja2008@gmail.com

sm1ly

hello all.
thx for this great post.

I got some questions. about groups.
I dont understand how to use multiply groups.
for example I got soc_group and nosoc_group
soc_group can go to yahoo.com
nosoc_group - can't do that.

the second problem.
i defined non default group  and it block users not in OU 110 and group rdp_110 it writes that user banned, but users inside this group (rdp_110) can use all sites((((

and the second question.
what about reports? I need report with username - but not IP

khushal

This works for SquidGaurd too with minor changes… Good Work..

I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).

thanks
KsN

echowings

@khushal:

This works for SquidGaurd too with minor changes… Good Work..

I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).

thanks
KsN

Is that you make the gtalk like application working well ? I got some problems. All browser is okay.

dig1234

Can you provide some details on how you implemented this. In many situations SquidGuard is sufficient and easier to manage than dansguardian.

@khushal:

This works for SquidGaurd too with minor changes… Good Work..

I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).

thanks
KsN