Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

    Scheduled Pinned Locked Moved Cache/Proxy
    135 Posts 44 Posters 133.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      endyrx
      last edited by

      Somehow i am able to get authenticated on squid also on dansguard
      this is my squid log
      1401128431.777      0 192.168.250.70 TCP_DENIED/407 4861 GET http://www.dir.bg/my/comments/count.php? - NONE/- text/html
      1401128431.780    20 192.168.250.70 TCP_MISS/200 612 GET http://r5.dir.bg/passimg.php? bilyanastefanova DIRECT/194.145.63.27 image/gif
      1401128431.790    14 192.168.250.70 TCP_MISS/200 522 GET http://www.dir.bg/new/dirfp_weather_new.html? bilyanastefanova DIRECT/194.145.63.12 text/html
      1401128431.791    15 192.168.250.70 TCP_MISS/200 445 GET http://www.dir.bg/new/dirfp_weather_block.json? bilyanastefanova DIRECT/194.145.63.12 application/json
      1401128431.793    16 192.168.250.70 TCP_MISS/200 243 GET http://www.dir.bg/new/usd.txt bilyanastefanova DIRECT/194.145.63.12 text/plain
      1401128431.804    27 192.168.250.70 TCP_MISS/200 695 GET http://www.dir.bg/JSAJAX/get_user_info.php? bilyanastefanova DIRECT/194.145.63.12 text/plain
      1401128431.836      5 192.168.250.70 TCP_CLIENT_REFRESH_MISS/304 298 GET http://i.dir.bg/dir5/dir-new/html/img/vremeto-small/pda_20.png bilyanastefanova DIRECT/194.145.63.18 -
      1401128431.838    126 192.168.250.70 TCP_CLIENT_REFRESH_MISS/200 3656 GET http://ni.dir-i.net/esspresso/images/calendar/cells.png bilyanastefanova DIRECT/194.145.63.18 image/png
      1401128431.842    62 192.168.250.70 TCP_MISS/200 676 GET http://www.dir.bg/my/comments/count.php? bilyanastefanova DIRECT/194.145.63.12 text/html
      1401128431.966    155 192.168.250.70 TCP_MISS/200 309 GET http://smart.dir.bg/mobile_check.php? bilyanastefanova DIRECT/194.145.63.11 text/html

      and this is dansguardian log
      1401128431.388    19 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_section_novini&enc=u bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
      1401128431.388    19 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_section_novini_2&enc=u bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
      1401128431.390    23 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_corner bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
      1401128431.718    33 192.168.250.70 TCP_MISS/200 101 GET http://r5.dir.bg/utb.php?rnd=1287221401128435608&ref=http%3A//www.dir.bg/&reff= bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/javascript
      1401128431.769      4 192.168.250.70 TCP_DENIED/403 0 GET http://www.google-analytics.com/__utm.gif?utmwv=1.4&utmn=98558728&utmcs=utf-8&utmsr=1920x1080&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=13.0%20r0&utmdt=Dir.bg%20-%20%D0%91%D1%8A%D0%BB%D0%B3%D0%B0%D1%80%D1%81%D0%BA%D0%B8%D1%8F%D1%82%20%D0%98%D0%BD%D1%82%D0%B5%D1%80%D0%BD%D0%B5%D1%82%20%D0%BF%D0%BE%D1%80%D1%82%D0%B0%D0%BB!&utmhn=www.dir.bg&utmhid=1711608986&utmr=-&utmp=/&utmac=UA-436010-11&utmcc=__utma%3D95319433.1662311826.1401125196.1401125196.1401128436.2%3B%2B__utmz%3D95319433.1401125196.1.1.utmccn%3D(direct)%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)%3B%2B bilyanastefanova DEFAULT_PARENT/127.0.0.1 -
      1401128431.792    19 192.168.250.70 TCP_MISS/200 501 GET http://www.dir.bg/new/dirfp_weather_new.html?ts=0.17504705565709982 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
      1401128431.794    20 192.168.250.70 TCP_MISS/200 13 GET http://www.dir.bg/new/usd.txt bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/plain
      1401128431.806    30 192.168.250.70 TCP_MISS/200 7 GET http://www.dir.bg/JSAJAX/get_user_info.php?enc=utf-8&now=0.004187991262348867&=1401128435698 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/plain
      1401128431.843    66 192.168.250.70 TCP_MISS/200 4 GET http://www.dir.bg/my/comments/count.php?jnl_id=3&ctype_id=1&topic_id=12251378&list=all&ran=0.153130255537684&
      =1350479627602 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
      1401128431.967    157 192.168.250.70 TCP_MISS/200 79 GET http://smart.dir.bg/mobile_check.php?callback=jQuery17105069666413485266_1401128435330&url=http%3A%2F%2Fwww.dir.bg%2F&method=post&_=1401128435737 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html

      But i still can't denie connections for users who is out of my internet groupe. Everyone have an internet right now.

      1 Reply Last reply Reply Quote 0
      • F
        fedetehue
        last edited by

        @wheelz:

        I am on version 2.1 and am using it fine.  I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.

        How did you create the firewall and nat rules of steps 6 and 10? I'm on 2.1.3 and I'm stuck at that. Thanks in advance.

        1 Reply Last reply Reply Quote 0
        • F
          fedetehue
          last edited by

          10.  Services –> Firewall
            a.  Rules –> LAN tab – Create a filtered proxy rule to allow TCP port 8080 to the LAN address
            b.  NAT –> Port Forward tab - Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1)

          Ok, sorry for bumping this thread again, but I need help with this part. Could someone post screencaps of how would the NAT and Rules gui screen would look when you set up things on step 10? I tried to do it and I locked myself out of the webgui. I need DG to filter HTTP and HTTPS traffic.
          Thanks again to anyone that helps me with that.

          1 Reply Last reply Reply Quote 0
          • S
            sowen
            last edited by

            First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

            look at
            http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

            or google "Squidtrust"

            you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
            originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

            the short version:
            Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
            run the agent on all workstations via login scrpt/GPO
            ta-da...transparent user authentication.

            read the docs for more detail.

            1 Reply Last reply Reply Quote 0
            • D
              dig1234
              last edited by

              This is certainly easier to setup and I am impressed with your solution. However this model does not appear to have any protection from easily being spoofed by a rouge user? ie a user could claim to be someone they are not.

              @sowen:

              First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

              look at
              http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

              or google "Squidtrust"

              you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
              originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

              the short version:
              Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
              run the agent on all workstations via login scrpt/GPO
              ta-da...transparent user authentication.

              read the docs for more detail.

              1 Reply Last reply Reply Quote 0
              • S
                sowen
                last edited by

                New thread started here:
                https://forum.pfsense.org/index.php?topic=78770.0

                1 Reply Last reply Reply Quote 0
                • F
                  fedetehue
                  last edited by

                  Well, apparently http://e-sac.siteseguro.ws/ is down. Where else can I find the packages?

                  1 Reply Last reply Reply Quote 0
                  • P
                    pitoganzado
                    last edited by

                    Hi to all

                    [2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
                    checking the trust secret for domain blablabla via RPC calls succeeded

                    [2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
                    show all users

                    The problem is when i create the groups on dansguardian, they apear empty on "users" tab

                    Anyone can help me?
                    Thanks :)

                    1 Reply Last reply Reply Quote 0
                    • F
                      fedetehue
                      last edited by

                      @pitoganzado:

                      Hi to all

                      [2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
                      checking the trust secret for domain blablabla via RPC calls succeeded

                      [2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
                      show all users

                      The problem is when i create the groups on dansguardian, they apear empty on "users" tab

                      Anyone can help me?
                      Thanks :)

                      A similar thing happens to me:

                      wbinfo -t shows "checking the trust secret for domain blablabla via RPC calls succeeded"

                      but

                      wbinfo -u doesn't show anything

                      also

                      wbinfo -a username let's me authenticate

                      any ideas?

                      1 Reply Last reply Reply Quote 0
                      • F
                        fedetehue
                        last edited by

                        Ok, a few things, since no one has replied so far:

                        I'm on 2.1.4 x86

                        • One of the packages (not sure which) broke the package manager, and now i get an error "Fatal error: Call to undefined function curl_init() in /etc/inc/pfsense-utils.inc on line 1641 " when pfsense checks for updates. Also, I can't install any new packages.

                        • Not sure who mantains http://e-sac.siteseguro.ws/packages but the ldd folder is gone, for both x86 and x64, so I'm not sure where to find those files if I want to make a fresh install.

                        • wbinfo -u problem is still happening

                        1 Reply Last reply Reply Quote 0
                        • F
                          fedetehue
                          last edited by

                          Well, after doing some stuff. I joined pfsense to my domain. wbinfo works (groups and users show).

                          But now Dansguardian doesn't show any users in the Users tab.

                          php /usr/local/www/dansguardian_ldap.php shows "User list from LDAP is already the same as current group, no changes made"

                          Any ideas?

                          1 Reply Last reply Reply Quote 0
                          • D
                            damasceno
                            last edited by

                            fedetehue I have the same problem, I also have two more problems: https://forum.pfsense.org/index.php?topic=82765.0

                            Does anyone have any idea? I don't know how to solve that  :-\

                            1 Reply Last reply Reply Quote 0
                            • P
                              psob
                              last edited by

                              i'm newbie
                              PC 2.1.5-RELEASE x64, Dansguardian 2.12.0.3_2 pkg v.0.1.12

                              installed from this manual, it's work, but no automatic

                              i set Default group to banned mode, and AD group update frequency = 1m
                              after changes group's members in AD - dansguardian Users tab normaly updated
                              but Users Counter's in header tabs no refresh, and new added users blocking
                              after manualy press Save button on Users tab, Counter's refreshed and new users start working.

                              it's normal after every edit AD group, i must save dansguardian Users tab?

                              2fedetehue,
                              dansguardian_ldap.php checks 2 argv
                              try variant your chose in LDAP group name source (by field name or field description)
                              php /usr/local/www/dansguardian_ldap.php name inettest
                              php /usr/local/www/dansguardian_ldap.php description "inet-group"

                              1 Reply Last reply Reply Quote 0
                              • N
                                neophyteJJ
                                last edited by

                                Thanks for the input.

                                I have a problem in step 13.

                                Login via SSH using PuTTY, home income ADMIN pfSense Firewall?
                                Or should enter the MYADMIN@MYDOMAIN.LOCAL account?

                                Login with MYADMIN@MYDOMAIN.LOCAL not accept the password.

                                to enter with pfSense Firewall Local ADMIN if income perfectly. Running / usr / local / bin / kinit myadmin net ads join-U myadmin
                                Result:

                                myadmin@MYDOMAIN.LOCAL.'s Password:

                                When entering the password, it gives the following error:
                                kinit: krb5_get_init_creds: unable to reach any KDC in realm mydomain.local.

                                NOTE: I have a DC with mydomain.local domain and create a user myadmin

                                Who can help me validate that I like to check and validate against the server.

                                2.1.5-RELEASE (amd64)
                                built on Mon Aug 25, 2014 7:44:45 EDT
                                FreeBSD 8.3-RELEASE-p16

                                Package Name               Category Package Version
                                Dansguardian               Services 2.12.0.3_2 pkg v.0.1.12
                                Shellcmd                       Services 0.5
                                squid3-dev                       Network 3.3.10 pkg 2.2.6

                                AD Windows 2012 Server


                                Gracias por el aporte.

                                Tengo un problema, en el paso 13.

                                Ingresar vía SSH usando PuTTY, ingreso como ADMIN local del Firewall PFSENSE ?
                                O deberia ingresar con la cuenta  MYADMIN@MYDOMAIN.LOCAL ?

                                Login con MYADMIN@MYDOMAIN.LOCAL no acepta la contraseña.

                                al ingresar con ADMIN local del Firewall PFSENSE si ingreso, perfectamente. Al ejecutar /usr/local/bin/kinit myadmin net ads join -U myadmin
                                Resultado:

                                myadmin@MYDOMAIN.LOCAL.'s Password:

                                Al ingresar la Contraseña, da el siguiente error:
                                kinit: krb5_get_init_creds: unable to reach any KDC in realm MYDOMAIN.LOCAL.

                                NOTA: Tengo un DC con el dominio MYDOMAIN.LOCAL y cree un usuario myadmin

                                Quien me puede ayudar a validar que debo verificar y como para que se valide contra el servidor.

                                2.1.5-RELEASE (amd64)
                                built on Mon Aug 25 07:44:45 EDT 2014
                                FreeBSD 8.3-RELEASE-p16

                                Package Name               Category Package Version
                                Dansguardian               Services 2.12.0.3_2 pkg v.0.1.12
                                Shellcmd                       Services 0.5
                                squid3-dev                       Network 3.3.10 pkg 2.2.6

                                AD Windows 2012 Server

                                1 Reply Last reply Reply Quote 0
                                • T
                                  tk
                                  last edited by

                                  I had similar issues and I simply replaced the hostnames with their IPs.

                                  1 Reply Last reply Reply Quote 0
                                  • X
                                    xalex1977
                                    last edited by

                                    PfSense 2.2 + squid3 + squidguard-devel integration with Active Directory
                                    works this configuration?
                                    can anyone help me?

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      you will need a samba3 or 4 compiled on freebsd to use it.

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        percyiii
                                        last edited by

                                        Ok so tried updating to 2.2
                                        my squid custom integretion

                                        http_access allow whitelist
                                        acl_uses_indirect_client on
                                        follow_x_forwarded_for allow localhost
                                        auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp
                                        auth_param ntlm children 10
                                        auth_param ntlm keep_alive on
                                        acl password proxy_auth REQUIRED
                                        http_access allow password

                                        Squid will now not start because of
                                        auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp

                                        Shared object "libcrypto.so.6" not found, required by "ntlm_auth" which was part of squid 2.5 isntall i believe..

                                        Any ideas.. I take that line out and authentication fails

                                        1 Reply Last reply Reply Quote 0
                                        • P
                                          percyiii
                                          last edited by

                                          Ok so found out that samba36;samba-devel;heimdal were uninstalled..
                                          So reinstalled samba36;samba4(this isn't samba-devel;heimdal..
                                          Had to copy smb.conf to smb4.conf
                                          but get an error when starting squid..
                                          ERROR: auth_param ntlm program /usr/local/bin/ntlm_auth: (2) No such file or directory FATAL: auth_param ntlm program /usr/local/bin/ntlm_auth: (2) No such file or directory
                                          But the directory exists..
                                          I would think passing windows username would be this difficult.. Looked at the Squidtrust article.. but didnt look as simple as let on..
                                          Not too concerned with someone spoofing the username..
                                          Just need to pass it to squid…
                                          Thx

                                          1 Reply Last reply Reply Quote 0
                                          • A
                                            alex.g 0
                                            last edited by

                                            Thanks for this thread! Now my sso is running on pfsense 2.1.
                                            But now 2.2 is out and I also would like to upgrade to 2.2. Anyone can help?
                                            I have the sam problems like percyiii. Already described in my german thread https://forum.pfsense.org/index.php?topic=86972.msg477384#msg477384 and described in the squid-forum:
                                            http://squid-web-proxy-cache.1019090.n4.nabble.com/ntlm-No-such-file-or-directory-td4669085.html

                                            Would be very nice to get help, if I can do anything to help, I would do it.

                                            Greetings Alex

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.