Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
10. Services –> Firewall
a. Rules –> LAN tab – Create a filtered proxy rule to allow TCP port 8080 to the LAN address
b. NAT –> Port Forward tab - Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1)Ok, sorry for bumping this thread again, but I need help with this part. Could someone post screencaps of how would the NAT and Rules gui screen would look when you set up things on step 10? I tried to do it and I locked myself out of the webgui. I need DG to filter HTTP and HTTPS traffic.
Thanks again to anyone that helps me with that. -
First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.
look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/or google "Squidtrust"
you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.the short version:
Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
run the agent on all workstations via login scrpt/GPO
ta-da...transparent user authentication.read the docs for more detail.
-
This is certainly easier to setup and I am impressed with your solution. However this model does not appear to have any protection from easily being spoofed by a rouge user? ie a user could claim to be someone they are not.
First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.
look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/or google "Squidtrust"
you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.the short version:
Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
run the agent on all workstations via login scrpt/GPO
ta-da...transparent user authentication.read the docs for more detail.
-
New thread started here:
https://forum.pfsense.org/index.php?topic=78770.0 -
Well, apparently http://e-sac.siteseguro.ws/ is down. Where else can I find the packages?
-
Hi to all
[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
checking the trust secret for domain blablabla via RPC calls succeeded[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
show all usersThe problem is when i create the groups on dansguardian, they apear empty on "users" tab
Anyone can help me?
Thanks :) -
Hi to all
[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
checking the trust secret for domain blablabla via RPC calls succeeded[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
show all usersThe problem is when i create the groups on dansguardian, they apear empty on "users" tab
Anyone can help me?
Thanks :)A similar thing happens to me:
wbinfo -t shows "checking the trust secret for domain blablabla via RPC calls succeeded"
but
wbinfo -u doesn't show anything
also
wbinfo -a username let's me authenticate
any ideas?
-
Ok, a few things, since no one has replied so far:
I'm on 2.1.4 x86
-
One of the packages (not sure which) broke the package manager, and now i get an error "Fatal error: Call to undefined function curl_init() in /etc/inc/pfsense-utils.inc on line 1641 " when pfsense checks for updates. Also, I can't install any new packages.
-
Not sure who mantains http://e-sac.siteseguro.ws/packages but the ldd folder is gone, for both x86 and x64, so I'm not sure where to find those files if I want to make a fresh install.
-
wbinfo -u problem is still happening
-
-
Well, after doing some stuff. I joined pfsense to my domain. wbinfo works (groups and users show).
But now Dansguardian doesn't show any users in the Users tab.
php /usr/local/www/dansguardian_ldap.php shows "User list from LDAP is already the same as current group, no changes made"
Any ideas?
-
fedetehue I have the same problem, I also have two more problems: https://forum.pfsense.org/index.php?topic=82765.0
Does anyone have any idea? I don't know how to solve that :-\
-
i'm newbie
PC 2.1.5-RELEASE x64, Dansguardian 2.12.0.3_2 pkg v.0.1.12installed from this manual, it's work, but no automatic
i set Default group to banned mode, and AD group update frequency = 1m
after changes group's members in AD - dansguardian Users tab normaly updated
but Users Counter's in header tabs no refresh, and new added users blocking
after manualy press Save button on Users tab, Counter's refreshed and new users start working.it's normal after every edit AD group, i must save dansguardian Users tab?
2fedetehue,
dansguardian_ldap.php checks 2 argv
try variant your chose in LDAP group name source (by field name or field description)
php /usr/local/www/dansguardian_ldap.php name inettest
php /usr/local/www/dansguardian_ldap.php description "inet-group" -
Thanks for the input.
I have a problem in step 13.
Login via SSH using PuTTY, home income ADMIN pfSense Firewall?
Or should enter the MYADMIN@MYDOMAIN.LOCAL account?Login with MYADMIN@MYDOMAIN.LOCAL not accept the password.
to enter with pfSense Firewall Local ADMIN if income perfectly. Running / usr / local / bin / kinit myadmin net ads join-U myadmin
Result:myadmin@MYDOMAIN.LOCAL.'s Password:
When entering the password, it gives the following error:
kinit: krb5_get_init_creds: unable to reach any KDC in realm mydomain.local.NOTE: I have a DC with mydomain.local domain and create a user myadmin
Who can help me validate that I like to check and validate against the server.
2.1.5-RELEASE (amd64)
built on Mon Aug 25, 2014 7:44:45 EDT
FreeBSD 8.3-RELEASE-p16Package Name Category Package Version
Dansguardian Services 2.12.0.3_2 pkg v.0.1.12
Shellcmd Services 0.5
squid3-dev Network 3.3.10 pkg 2.2.6AD Windows 2012 Server
Gracias por el aporte.
Tengo un problema, en el paso 13.
Ingresar vía SSH usando PuTTY, ingreso como ADMIN local del Firewall PFSENSE ?
O deberia ingresar con la cuenta MYADMIN@MYDOMAIN.LOCAL ?Login con MYADMIN@MYDOMAIN.LOCAL no acepta la contraseña.
al ingresar con ADMIN local del Firewall PFSENSE si ingreso, perfectamente. Al ejecutar /usr/local/bin/kinit myadmin net ads join -U myadmin
Resultado:myadmin@MYDOMAIN.LOCAL.'s Password:
Al ingresar la Contraseña, da el siguiente error:
kinit: krb5_get_init_creds: unable to reach any KDC in realm MYDOMAIN.LOCAL.NOTA: Tengo un DC con el dominio MYDOMAIN.LOCAL y cree un usuario myadmin
Quien me puede ayudar a validar que debo verificar y como para que se valide contra el servidor.
2.1.5-RELEASE (amd64)
built on Mon Aug 25 07:44:45 EDT 2014
FreeBSD 8.3-RELEASE-p16Package Name Category Package Version
Dansguardian Services 2.12.0.3_2 pkg v.0.1.12
Shellcmd Services 0.5
squid3-dev Network 3.3.10 pkg 2.2.6AD Windows 2012 Server
-
I had similar issues and I simply replaced the hostnames with their IPs.
-
PfSense 2.2 + squid3 + squidguard-devel integration with Active Directory
works this configuration?
can anyone help me? -
you will need a samba3 or 4 compiled on freebsd to use it.
-
Ok so tried updating to 2.2
my squid custom integretionhttp_access allow whitelist
acl_uses_indirect_client on
follow_x_forwarded_for allow localhost
auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
acl password proxy_auth REQUIRED
http_access allow passwordSquid will now not start because of
auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmsspShared object "libcrypto.so.6" not found, required by "ntlm_auth" which was part of squid 2.5 isntall i believe..
Any ideas.. I take that line out and authentication fails
-
Ok so found out that samba36;samba-devel;heimdal were uninstalled..
So reinstalled samba36;samba4(this isn't samba-devel;heimdal..
Had to copy smb.conf to smb4.conf
but get an error when starting squid..
ERROR: auth_param ntlm program /usr/local/bin/ntlm_auth: (2) No such file or directory FATAL: auth_param ntlm program /usr/local/bin/ntlm_auth: (2) No such file or directory
But the directory exists..
I would think passing windows username would be this difficult.. Looked at the Squidtrust article.. but didnt look as simple as let on..
Not too concerned with someone spoofing the username..
Just need to pass it to squid…
Thx -
Thanks for this thread! Now my sso is running on pfsense 2.1.
But now 2.2 is out and I also would like to upgrade to 2.2. Anyone can help?
I have the sam problems like percyiii. Already described in my german thread https://forum.pfsense.org/index.php?topic=86972.msg477384#msg477384 and described in the squid-forum:
http://squid-web-proxy-cache.1019090.n4.nabble.com/ntlm-No-such-file-or-directory-td4669085.htmlWould be very nice to get help, if I can do anything to help, I would do it.
Greetings Alex
-
On 2.2, try install packages from freebsd repo using pkg install instead of pkg_add from my repo.
Samba 3 does not have ad options compiled but samba4 may have.
-
Ok, it looks not so bad.
Have done the complete procedure on pfsense 2.2 but with "pkg install samba4" and "pkg install heimdal".
Somewhere I had to use samba4 insted of samba.
The squid Problem with " /usr/local/bin/ntlm_auth: (2) No such file or directory" is gone. squid is running.
The Ldap-Informations about groupmembers are working. Also wbinfo -u and wbinfo -g working correct.But I don't see the domain username in the dansguardian-log. So I think sso is not functional in the moment. But one step further today.
Will have a look tomorrow again.
