Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

endyrx

Somehow i am able to get authenticated on squid also on dansguard
this is my squid log
1401128431.777      0 192.168.250.70 TCP_DENIED/407 4861 GET http://www.dir.bg/my/comments/count.php? - NONE/- text/html
1401128431.780    20 192.168.250.70 TCP_MISS/200 612 GET http://r5.dir.bg/passimg.php? bilyanastefanova DIRECT/194.145.63.27 image/gif
1401128431.790    14 192.168.250.70 TCP_MISS/200 522 GET http://www.dir.bg/new/dirfp_weather_new.html? bilyanastefanova DIRECT/194.145.63.12 text/html
1401128431.791    15 192.168.250.70 TCP_MISS/200 445 GET http://www.dir.bg/new/dirfp_weather_block.json? bilyanastefanova DIRECT/194.145.63.12 application/json
1401128431.793    16 192.168.250.70 TCP_MISS/200 243 GET http://www.dir.bg/new/usd.txt bilyanastefanova DIRECT/194.145.63.12 text/plain
1401128431.804    27 192.168.250.70 TCP_MISS/200 695 GET http://www.dir.bg/JSAJAX/get_user_info.php? bilyanastefanova DIRECT/194.145.63.12 text/plain
1401128431.836      5 192.168.250.70 TCP_CLIENT_REFRESH_MISS/304 298 GET http://i.dir.bg/dir5/dir-new/html/img/vremeto-small/pda_20.png bilyanastefanova DIRECT/194.145.63.18 -
1401128431.838    126 192.168.250.70 TCP_CLIENT_REFRESH_MISS/200 3656 GET http://ni.dir-i.net/esspresso/images/calendar/cells.png bilyanastefanova DIRECT/194.145.63.18 image/png
1401128431.842    62 192.168.250.70 TCP_MISS/200 676 GET http://www.dir.bg/my/comments/count.php? bilyanastefanova DIRECT/194.145.63.12 text/html
1401128431.966    155 192.168.250.70 TCP_MISS/200 309 GET http://smart.dir.bg/mobile_check.php? bilyanastefanova DIRECT/194.145.63.11 text/html

and this is dansguardian log
1401128431.388    19 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_section_novini&enc=u bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.388    19 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_section_novini_2&enc=u bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.390    23 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_corner bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.718    33 192.168.250.70 TCP_MISS/200 101 GET http://r5.dir.bg/utb.php?rnd=1287221401128435608&ref=http%3A//www.dir.bg/&reff= bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/javascript
1401128431.769      4 192.168.250.70 TCP_DENIED/403 0 GET http://www.google-analytics.com/__utm.gif?utmwv=1.4&utmn=98558728&utmcs=utf-8&utmsr=1920x1080&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=13.0%20r0&utmdt=Dir.bg%20-%20%D0%91%D1%8A%D0%BB%D0%B3%D0%B0%D1%80%D1%81%D0%BA%D0%B8%D1%8F%D1%82%20%D0%98%D0%BD%D1%82%D0%B5%D1%80%D0%BD%D0%B5%D1%82%20%D0%BF%D0%BE%D1%80%D1%82%D0%B0%D0%BB!&utmhn=www.dir.bg&utmhid=1711608986&utmr=-&utmp=/&utmac=UA-436010-11&utmcc=__utma%3D95319433.1662311826.1401125196.1401125196.1401128436.2%3B%2B__utmz%3D95319433.1401125196.1.1.utmccn%3D(direct)%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)%3B%2B bilyanastefanova DEFAULT_PARENT/127.0.0.1 -
1401128431.792    19 192.168.250.70 TCP_MISS/200 501 GET http://www.dir.bg/new/dirfp_weather_new.html?ts=0.17504705565709982 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.794    20 192.168.250.70 TCP_MISS/200 13 GET http://www.dir.bg/new/usd.txt bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/plain
1401128431.806    30 192.168.250.70 TCP_MISS/200 7 GET http://www.dir.bg/JSAJAX/get_user_info.php?enc=utf-8&now=0.004187991262348867&=1401128435698 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/plain
1401128431.843    66 192.168.250.70 TCP_MISS/200 4 GET http://www.dir.bg/my/comments/count.php?jnl_id=3&ctype_id=1&topic_id=12251378&list=all&ran=0.153130255537684&=1350479627602 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.967    157 192.168.250.70 TCP_MISS/200 79 GET http://smart.dir.bg/mobile_check.php?callback=jQuery17105069666413485266_1401128435330&url=http%3A%2F%2Fwww.dir.bg%2F&method=post&_=1401128435737 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html

But i still can't denie connections for users who is out of my internet groupe. Everyone have an internet right now.

fedetehue

@wheelz:

I am on version 2.1 and am using it fine.  I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.

How did you create the firewall and nat rules of steps 6 and 10? I'm on 2.1.3 and I'm stuck at that. Thanks in advance.

fedetehue

10.  Services –> Firewall
  a.  Rules –> LAN tab – Create a filtered proxy rule to allow TCP port 8080 to the LAN address
  b.  NAT –> Port Forward tab - Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1)

Ok, sorry for bumping this thread again, but I need help with this part. Could someone post screencaps of how would the NAT and Rules gui screen would look when you set up things on step 10? I tried to do it and I locked myself out of the webgui. I need DG to filter HTTP and HTTPS traffic.
Thanks again to anyone that helps me with that.

sowen

First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

or google "Squidtrust"

you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

the short version:
Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
run the agent on all workstations via login scrpt/GPO
ta-da...transparent user authentication.

read the docs for more detail.

dig1234

This is certainly easier to setup and I am impressed with your solution. However this model does not appear to have any protection from easily being spoofed by a rouge user? ie a user could claim to be someone they are not.

@sowen:

First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

or google "Squidtrust"

you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

the short version:
Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
run the agent on all workstations via login scrpt/GPO
ta-da...transparent user authentication.

read the docs for more detail.

sowen

New thread started here:
https://forum.pfsense.org/index.php?topic=78770.0

fedetehue

Well, apparently http://e-sac.siteseguro.ws/ is down. Where else can I find the packages?

pitoganzado

Hi to all

[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
checking the trust secret for domain blablabla via RPC calls succeeded

[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
show all users

The problem is when i create the groups on dansguardian, they apear empty on "users" tab

Anyone can help me?
Thanks :)

fedetehue

@pitoganzado:

Hi to all

[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
checking the trust secret for domain blablabla via RPC calls succeeded

[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
show all users

The problem is when i create the groups on dansguardian, they apear empty on "users" tab

Anyone can help me?
Thanks :)

A similar thing happens to me:

wbinfo -t shows "checking the trust secret for domain blablabla via RPC calls succeeded"

but

wbinfo -u doesn't show anything

also

wbinfo -a username let's me authenticate

any ideas?

fedetehue

Ok, a few things, since no one has replied so far:

I'm on 2.1.4 x86

• One of the packages (not sure which) broke the package manager, and now i get an error "Fatal error: Call to undefined function curl_init() in /etc/inc/pfsense-utils.inc on line 1641 " when pfsense checks for updates. Also, I can't install any new packages.

• Not sure who mantains http://e-sac.siteseguro.ws/packages but the ldd folder is gone, for both x86 and x64, so I'm not sure where to find those files if I want to make a fresh install.

• wbinfo -u problem is still happening

fedetehue

Well, after doing some stuff. I joined pfsense to my domain. wbinfo works (groups and users show).

But now Dansguardian doesn't show any users in the Users tab.

php /usr/local/www/dansguardian_ldap.php shows "User list from LDAP is already the same as current group, no changes made"

Any ideas?

damasceno

fedetehue I have the same problem, I also have two more problems: https://forum.pfsense.org/index.php?topic=82765.0

Does anyone have any idea? I don't know how to solve that  :-\

psob

i'm newbie
PC 2.1.5-RELEASE x64, Dansguardian 2.12.0.3_2 pkg v.0.1.12

installed from this manual, it's work, but no automatic

i set Default group to banned mode, and AD group update frequency = 1m
after changes group's members in AD - dansguardian Users tab normaly updated
but Users Counter's in header tabs no refresh, and new added users blocking
after manualy press Save button on Users tab, Counter's refreshed and new users start working.

it's normal after every edit AD group, i must save dansguardian Users tab?

2fedetehue,
dansguardian_ldap.php checks 2 argv
try variant your chose in LDAP group name source (by field name or field description)
php /usr/local/www/dansguardian_ldap.php name inettest
php /usr/local/www/dansguardian_ldap.php description "inet-group"

neophyteJJ

Thanks for the input.

I have a problem in step 13.

Login via SSH using PuTTY, home income ADMIN pfSense Firewall?
Or should enter the MYADMIN@MYDOMAIN.LOCAL account?

Login with MYADMIN@MYDOMAIN.LOCAL not accept the password.

to enter with pfSense Firewall Local ADMIN if income perfectly. Running / usr / local / bin / kinit myadmin net ads join-U myadmin
Result:

myadmin@MYDOMAIN.LOCAL.'s Password:

When entering the password, it gives the following error:
kinit: krb5_get_init_creds: unable to reach any KDC in realm mydomain.local.

NOTE: I have a DC with mydomain.local domain and create a user myadmin

Who can help me validate that I like to check and validate against the server.

2.1.5-RELEASE (amd64)
built on Mon Aug 25, 2014 7:44:45 EDT
FreeBSD 8.3-RELEASE-p16

Package Name               Category Package Version
Dansguardian               Services 2.12.0.3_2 pkg v.0.1.12
Shellcmd                       Services 0.5
squid3-dev                       Network 3.3.10 pkg 2.2.6

AD Windows 2012 Server

---

Gracias por el aporte.

Tengo un problema, en el paso 13.

Ingresar vía SSH usando PuTTY, ingreso como ADMIN local del Firewall PFSENSE ?
O deberia ingresar con la cuenta  MYADMIN@MYDOMAIN.LOCAL ?

Login con MYADMIN@MYDOMAIN.LOCAL no acepta la contraseña.

al ingresar con ADMIN local del Firewall PFSENSE si ingreso, perfectamente. Al ejecutar /usr/local/bin/kinit myadmin net ads join -U myadmin
Resultado:

myadmin@MYDOMAIN.LOCAL.'s Password:

Al ingresar la Contraseña, da el siguiente error:
kinit: krb5_get_init_creds: unable to reach any KDC in realm MYDOMAIN.LOCAL.

NOTA: Tengo un DC con el dominio MYDOMAIN.LOCAL y cree un usuario myadmin

Quien me puede ayudar a validar que debo verificar y como para que se valide contra el servidor.

2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014
FreeBSD 8.3-RELEASE-p16

Package Name               Category Package Version
Dansguardian               Services 2.12.0.3_2 pkg v.0.1.12
Shellcmd                       Services 0.5
squid3-dev                       Network 3.3.10 pkg 2.2.6

AD Windows 2012 Server

tk

I had similar issues and I simply replaced the hostnames with their IPs.

xalex1977

PfSense 2.2 + squid3 + squidguard-devel integration with Active Directory
works this configuration?
can anyone help me?

marcelloc

you will need a samba3 or 4 compiled on freebsd to use it.

percyiii

Ok so tried updating to 2.2
my squid custom integretion

http_access allow whitelist
acl_uses_indirect_client on
follow_x_forwarded_for allow localhost
auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
acl password proxy_auth REQUIRED
http_access allow password

Squid will now not start because of
auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp

Shared object "libcrypto.so.6" not found, required by "ntlm_auth" which was part of squid 2.5 isntall i believe..

Any ideas.. I take that line out and authentication fails

percyiii

Ok so found out that samba36;samba-devel;heimdal were uninstalled..
So reinstalled samba36;samba4(this isn't samba-devel;heimdal..
Had to copy smb.conf to smb4.conf
but get an error when starting squid..
ERROR: auth_param ntlm program /usr/local/bin/ntlm_auth: (2) No such file or directory FATAL: auth_param ntlm program /usr/local/bin/ntlm_auth: (2) No such file or directory
But the directory exists..
I would think passing windows username would be this difficult.. Looked at the Squidtrust article.. but didnt look as simple as let on..
Not too concerned with someone spoofing the username..
Just need to pass it to squid…
Thx

alex.g 0

Thanks for this thread! Now my sso is running on pfsense 2.1.
But now 2.2 is out and I also would like to upgrade to 2.2. Anyone can help?
I have the sam problems like percyiii. Already described in my german thread https://forum.pfsense.org/index.php?topic=86972.msg477384#msg477384 and described in the squid-forum:
http://squid-web-proxy-cache.1019090.n4.nabble.com/ntlm-No-such-file-or-directory-td4669085.html

Would be very nice to get help, if I can do anything to help, I would do it.

Greetings Alex