Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

    Scheduled Pinned Locked Moved Cache/Proxy
    135 Posts 44 Posters 133.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      fedetehue
      last edited by

      @wheelz:

      I am on version 2.1 and am using it fine.  I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.

      How did you create the firewall and nat rules of steps 6 and 10? I'm on 2.1.3 and I'm stuck at that. Thanks in advance.

      1 Reply Last reply Reply Quote 0
      • F
        fedetehue
        last edited by

        10.  Services –> Firewall
          a.  Rules –> LAN tab – Create a filtered proxy rule to allow TCP port 8080 to the LAN address
          b.  NAT –> Port Forward tab - Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1)

        Ok, sorry for bumping this thread again, but I need help with this part. Could someone post screencaps of how would the NAT and Rules gui screen would look when you set up things on step 10? I tried to do it and I locked myself out of the webgui. I need DG to filter HTTP and HTTPS traffic.
        Thanks again to anyone that helps me with that.

        1 Reply Last reply Reply Quote 0
        • S
          sowen
          last edited by

          First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

          look at
          http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

          or google "Squidtrust"

          you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
          originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

          the short version:
          Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
          run the agent on all workstations via login scrpt/GPO
          ta-da...transparent user authentication.

          read the docs for more detail.

          1 Reply Last reply Reply Quote 0
          • D
            dig1234
            last edited by

            This is certainly easier to setup and I am impressed with your solution. However this model does not appear to have any protection from easily being spoofed by a rouge user? ie a user could claim to be someone they are not.

            @sowen:

            First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

            look at
            http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

            or google "Squidtrust"

            you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
            originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

            the short version:
            Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
            run the agent on all workstations via login scrpt/GPO
            ta-da...transparent user authentication.

            read the docs for more detail.

            1 Reply Last reply Reply Quote 0
            • S
              sowen
              last edited by

              New thread started here:
              https://forum.pfsense.org/index.php?topic=78770.0

              1 Reply Last reply Reply Quote 0
              • F
                fedetehue
                last edited by

                Well, apparently http://e-sac.siteseguro.ws/ is down. Where else can I find the packages?

                1 Reply Last reply Reply Quote 0
                • P
                  pitoganzado
                  last edited by

                  Hi to all

                  [2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
                  checking the trust secret for domain blablabla via RPC calls succeeded

                  [2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
                  show all users

                  The problem is when i create the groups on dansguardian, they apear empty on "users" tab

                  Anyone can help me?
                  Thanks :)

                  1 Reply Last reply Reply Quote 0
                  • F
                    fedetehue
                    last edited by

                    @pitoganzado:

                    Hi to all

                    [2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
                    checking the trust secret for domain blablabla via RPC calls succeeded

                    [2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
                    show all users

                    The problem is when i create the groups on dansguardian, they apear empty on "users" tab

                    Anyone can help me?
                    Thanks :)

                    A similar thing happens to me:

                    wbinfo -t shows "checking the trust secret for domain blablabla via RPC calls succeeded"

                    but

                    wbinfo -u doesn't show anything

                    also

                    wbinfo -a username let's me authenticate

                    any ideas?

                    1 Reply Last reply Reply Quote 0
                    • F
                      fedetehue
                      last edited by

                      Ok, a few things, since no one has replied so far:

                      I'm on 2.1.4 x86

                      • One of the packages (not sure which) broke the package manager, and now i get an error "Fatal error: Call to undefined function curl_init() in /etc/inc/pfsense-utils.inc on line 1641 " when pfsense checks for updates. Also, I can't install any new packages.

                      • Not sure who mantains http://e-sac.siteseguro.ws/packages but the ldd folder is gone, for both x86 and x64, so I'm not sure where to find those files if I want to make a fresh install.

                      • wbinfo -u problem is still happening

                      1 Reply Last reply Reply Quote 0
                      • F
                        fedetehue
                        last edited by

                        Well, after doing some stuff. I joined pfsense to my domain. wbinfo works (groups and users show).

                        But now Dansguardian doesn't show any users in the Users tab.

                        php /usr/local/www/dansguardian_ldap.php shows "User list from LDAP is already the same as current group, no changes made"

                        Any ideas?

                        1 Reply Last reply Reply Quote 0
                        • D
                          damasceno
                          last edited by

                          fedetehue I have the same problem, I also have two more problems: https://forum.pfsense.org/index.php?topic=82765.0

                          Does anyone have any idea? I don't know how to solve that  :-\

                          1 Reply Last reply Reply Quote 0
                          • P
                            psob
                            last edited by

                            i'm newbie
                            PC 2.1.5-RELEASE x64, Dansguardian 2.12.0.3_2 pkg v.0.1.12

                            installed from this manual, it's work, but no automatic

                            i set Default group to banned mode, and AD group update frequency = 1m
                            after changes group's members in AD - dansguardian Users tab normaly updated
                            but Users Counter's in header tabs no refresh, and new added users blocking
                            after manualy press Save button on Users tab, Counter's refreshed and new users start working.

                            it's normal after every edit AD group, i must save dansguardian Users tab?

                            2fedetehue,
                            dansguardian_ldap.php checks 2 argv
                            try variant your chose in LDAP group name source (by field name or field description)
                            php /usr/local/www/dansguardian_ldap.php name inettest
                            php /usr/local/www/dansguardian_ldap.php description "inet-group"

                            1 Reply Last reply Reply Quote 0
                            • N
                              neophyteJJ
                              last edited by

                              Thanks for the input.

                              I have a problem in step 13.

                              Login via SSH using PuTTY, home income ADMIN pfSense Firewall?
                              Or should enter the MYADMIN@MYDOMAIN.LOCAL account?

                              Login with MYADMIN@MYDOMAIN.LOCAL not accept the password.

                              to enter with pfSense Firewall Local ADMIN if income perfectly. Running / usr / local / bin / kinit myadmin net ads join-U myadmin
                              Result:

                              myadmin@MYDOMAIN.LOCAL.'s Password:

                              When entering the password, it gives the following error:
                              kinit: krb5_get_init_creds: unable to reach any KDC in realm mydomain.local.

                              NOTE: I have a DC with mydomain.local domain and create a user myadmin

                              Who can help me validate that I like to check and validate against the server.

                              2.1.5-RELEASE (amd64)
                              built on Mon Aug 25, 2014 7:44:45 EDT
                              FreeBSD 8.3-RELEASE-p16

                              Package Name               Category Package Version
                              Dansguardian               Services 2.12.0.3_2 pkg v.0.1.12
                              Shellcmd                       Services 0.5
                              squid3-dev                       Network 3.3.10 pkg 2.2.6

                              AD Windows 2012 Server


                              Gracias por el aporte.

                              Tengo un problema, en el paso 13.

                              Ingresar vía SSH usando PuTTY, ingreso como ADMIN local del Firewall PFSENSE ?
                              O deberia ingresar con la cuenta  MYADMIN@MYDOMAIN.LOCAL ?

                              Login con MYADMIN@MYDOMAIN.LOCAL no acepta la contraseña.

                              al ingresar con ADMIN local del Firewall PFSENSE si ingreso, perfectamente. Al ejecutar /usr/local/bin/kinit myadmin net ads join -U myadmin
                              Resultado:

                              myadmin@MYDOMAIN.LOCAL.'s Password:

                              Al ingresar la Contraseña, da el siguiente error:
                              kinit: krb5_get_init_creds: unable to reach any KDC in realm MYDOMAIN.LOCAL.

                              NOTA: Tengo un DC con el dominio MYDOMAIN.LOCAL y cree un usuario myadmin

                              Quien me puede ayudar a validar que debo verificar y como para que se valide contra el servidor.

                              2.1.5-RELEASE (amd64)
                              built on Mon Aug 25 07:44:45 EDT 2014
                              FreeBSD 8.3-RELEASE-p16

                              Package Name               Category Package Version
                              Dansguardian               Services 2.12.0.3_2 pkg v.0.1.12
                              Shellcmd                       Services 0.5
                              squid3-dev                       Network 3.3.10 pkg 2.2.6

                              AD Windows 2012 Server

                              1 Reply Last reply Reply Quote 0
                              • T
                                tk
                                last edited by

                                I had similar issues and I simply replaced the hostnames with their IPs.

                                1 Reply Last reply Reply Quote 0
                                • X
                                  xalex1977
                                  last edited by

                                  PfSense 2.2 + squid3 + squidguard-devel integration with Active Directory
                                  works this configuration?
                                  can anyone help me?

                                  1 Reply Last reply Reply Quote 0
                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    you will need a samba3 or 4 compiled on freebsd to use it.

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      percyiii
                                      last edited by

                                      Ok so tried updating to 2.2
                                      my squid custom integretion

                                      http_access allow whitelist
                                      acl_uses_indirect_client on
                                      follow_x_forwarded_for allow localhost
                                      auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp
                                      auth_param ntlm children 10
                                      auth_param ntlm keep_alive on
                                      acl password proxy_auth REQUIRED
                                      http_access allow password

                                      Squid will now not start because of
                                      auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp

                                      Shared object "libcrypto.so.6" not found, required by "ntlm_auth" which was part of squid 2.5 isntall i believe..

                                      Any ideas.. I take that line out and authentication fails

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        percyiii
                                        last edited by

                                        Ok so found out that samba36;samba-devel;heimdal were uninstalled..
                                        So reinstalled samba36;samba4(this isn't samba-devel;heimdal..
                                        Had to copy smb.conf to smb4.conf
                                        but get an error when starting squid..
                                        ERROR: auth_param ntlm program /usr/local/bin/ntlm_auth: (2) No such file or directory FATAL: auth_param ntlm program /usr/local/bin/ntlm_auth: (2) No such file or directory
                                        But the directory exists..
                                        I would think passing windows username would be this difficult.. Looked at the Squidtrust article.. but didnt look as simple as let on..
                                        Not too concerned with someone spoofing the username..
                                        Just need to pass it to squid…
                                        Thx

                                        1 Reply Last reply Reply Quote 0
                                        • A
                                          alex.g 0
                                          last edited by

                                          Thanks for this thread! Now my sso is running on pfsense 2.1.
                                          But now 2.2 is out and I also would like to upgrade to 2.2. Anyone can help?
                                          I have the sam problems like percyiii. Already described in my german thread https://forum.pfsense.org/index.php?topic=86972.msg477384#msg477384 and described in the squid-forum:
                                          http://squid-web-proxy-cache.1019090.n4.nabble.com/ntlm-No-such-file-or-directory-td4669085.html

                                          Would be very nice to get help, if I can do anything to help, I would do it.

                                          Greetings Alex

                                          1 Reply Last reply Reply Quote 0
                                          • marcellocM
                                            marcelloc
                                            last edited by

                                            On 2.2, try install packages from freebsd repo using  pkg install instead of pkg_add from my repo.

                                            Samba 3 does not have ad options compiled but samba4 may have.

                                            Treinamentos de Elite: http://sys-squad.com

                                            Help a community developer! ;D

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.