Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
Yesterday I thought the "No such file" error was solved. But today squid was not starting because of this error. Now I tried the solution from ghosterius, and the error is gone, squid is running.
In the systemlog I see:
Jan 29 12:19:47 pfSense22 dansguardian[60493]: NTLM - Invalid message of length 42, message was: NTLMSSP
Jan 29 12:19:47 pfSense22 dansguardian[60493]: Auth plugin returned error code: -3
(I get an authentication window when I want to surf with the proxy, authentication is not working and these errors are in the log)
And in /var/squid/logs/cache.log:
2015/01/29 12:36:19 kid1| ipcCreate: /usr/pbi/squid-amd64/bin/: (13) Permission denied
2015/01/29 12:36:19 kid1| WARNING: ntlmauthenticator #Hlpr0 exited
-
> Yesterday I thought the "No such file" error was solved. But today squid was not starting because of this error. Now I tried the solution from ghosterius, and the error is gone, squid is running.
> In the systemlog I see:
> Jan 29 12:19:47 pfSense22 dansguardian[60493]: NTLM - Invalid message of length 42, message was: NTLMSSP
> Jan 29 12:19:47 pfSense22 dansguardian[60493]: Auth plugin returned error code: -3
> (I get an authentication window when I want to surf with the proxy, authentication is not working and these errors are in the log)
> And in /var/squid/logs/cache.log:
> 2015/01/29 12:36:19 kid1| ipcCreate: /usr/pbi/squid-amd64/bin/: (13) Permission denied
> 2015/01/29 12:36:19 kid1| WARNING: ntlmauthenticator #Hlpr0 exited
I have exactly the same behaviour, except that the error is not the same. Mine says the following in cache.log:
2015/01/29 11:13:29 kid1| WARNING: ntlmauthenticator #Hlpr0 exited
Shared object "libpopt_samba3.so" not found, required by "ntlm_auth"
What permissions do you have under /usr/pbi/squid-amd64/bin ? Also, are you using pfSense on x64 or x86? Because if it is on 32bit you should adapt that directory accordingly.
-
> What permissions do you have under /usr/pbi/squid-amd64/bin ?
rwxr-xr-x proxy proxy
and same for ntlm_auth in this directory
> Also, are you using pfSense on x64 or x86?
x64
-
ok, I had a silly error in my "Squid Integrations"!!!
So my error is exactly the same as written by ghosterius
WARNING: ntlmauthenticator #Hlpr0 exited
Shared object "libpopt_samba3.so" not found, required by "ntlm_auth"
-
Ok, this problem is because libpopt_samba3.so and many other libs cannot be found because they are in the path /usr/local/lib/samba
so you should add this path to the ldconfig-path or copy/link the libraries where they could be found. But now I have the error
Shared object "libintl.so.8" not found, required by "libpopt.so.0"
And I cannot find libintl.so on my pfSense. So what do I have to install to get this shared object?
Thanks in advance
Alex
-
Again, don't know what the error was. Today I found the libintl.so.8 and the other needed libraries. But still not working. In /var/squid/logs/cache.log:
ntlm_auth: error opening config file /usr/local/etc/smb4.conf. Error was No such file or directory
Which file or directory? /usr/local/etc/smb4.conf is there and is readable for others.
-
May be related to pbi pseudo jail build.
Are you trying to run net ads join and getting this error?
-
no marcelloc, the net ads join is working.
I try to go onto the Internet with the browser over the proxy. Then the browser asks me for username and password - but it doesn't accept them and I see this line in the log.
Yes, I think it's related to the pseudo jail build. But I don't know anything about this till now.
-
Did anyone else get this to work? I was able to get things working by:
- Copied all the libs to the /usr/pbi/squid-amd64/local/lib directory
- Copied the smb4.conf to the /usr/pbi/etc directory
- Added --configfile=/usr/pbi/etc/smb4.conf to the ntlm_auth parameters within the Integrations section of Proxy server service under Custom Settings
Now things are rocking out with AD just fine without prompting for a password.
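
Added example, not part of the original posts: a small triage script for the three ntlm_auth helper failures quoted in this thread, pairing each cache.log signature with the fix the posters reported. The function names, the class labels (EXEC_DENIED, MISSING_LIB, CONFIG_ERROR) and the embedded sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread's authors): triage ntlm_auth helper
# failures in Squid's cache.log. Patterns and fixes are the ones quoted above.

# triage_cache_log FILE -> one "CLASS detail" line per distinct finding
triage_cache_log() {
    sed -n \
        -e 's/.*ipcCreate: \(.*\): (13) Permission denied.*/EXEC_DENIED \1/p' \
        -e 's/.*Shared object "\([^"]*\)" not found, required by "\([^"]*\)".*/MISSING_LIB \1 needed-by=\2/p' \
        -e 's/.*ntlm_auth: error opening config file \([^ ]*\)\. Error was.*/CONFIG_ERROR \1/p' \
        "$1" | sort -u
}

# advice CLASS -> remediation reported in the thread for that class
advice() {
    case "$1" in
        EXEC_DENIED)  echo "check the helper path and its permissions in the Squid integration settings" ;;
        MISSING_LIB)  echo "copy or link the libs from /usr/local/lib/samba into /usr/pbi/squid-amd64/local/lib" ;;
        CONFIG_ERROR) echo "copy smb4.conf to /usr/pbi/etc and add --configfile=/usr/pbi/etc/smb4.conf" ;;
        *)            echo "unclassified" ;;
    esac
}

# report FILE -> each finding followed by its suggested fix
report() {
    triage_cache_log "$1" | while read -r class detail; do
        printf '%-12s %s\n  -> %s\n' "$class" "$detail" "$(advice "$class")"
    done
}

# Constructed sample: the cache.log lines posted in this thread, with repeats.
sample_log() {
    cat <<'EOF'
2015/01/29 12:36:19 kid1| ipcCreate: /usr/pbi/squid-amd64/bin/: (13) Permission denied
2015/01/29 12:36:19 kid1| WARNING: ntlmauthenticator #Hlpr0 exited
Shared object "libpopt_samba3.so" not found, required by "ntlm_auth"
2015/01/29 11:13:29 kid1| WARNING: ntlmauthenticator #Hlpr0 exited
Shared object "libpopt_samba3.so" not found, required by "ntlm_auth"
ntlm_auth: error opening config file /usr/local/etc/smb4.conf. Error was No such file or directory
EOF
}

# Use the log given as first argument, or fall back to the constructed sample.
log=${1:-}
if [ -z "$log" ]; then
    log=$(mktemp)
    sample_log > "$log"
fi
report "$log"
```

Pass /var/squid/logs/cache.log as the first argument to run it against the real log instead of the sample.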
-
Well;
Have pretty much given up. I even tried a new install and
pkg install http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz does not work..
pkg install samba36 works but end result
kinit: krb5_init_context failed: 22
Is all I get..
Would be wonderful if someone would rewrite this for a new install..
TIA
Percy
-
I'm suffering with getting a 2.2 install running as well.
Sifting through a lot of the last few pages has at least got the warnings to go away but no actual ntlm auth occurring.
+1 for a modification of the original tutorial in a separate thread perhaps?
-
> Well;
> Have pretty much given up. I even tried a new install and
> pkg install http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz does not work..
> pkg install samba36 works but end result
> kinit: krb5_init_context failed: 22
> Is all I get..
> Would be wonderful if someone would rewrite this for a new install..
> TIA
> Percy
The samba pkg you tried to download is for FreeBSD 8.x.
pfSense 2.2 uses FreeBSD 10.
-
I want to implement LDAP Kerberos Squid authentication! As far as I understand I won't use Samba, but why is a KDC needed if I can use the Windows Server KDC?
-
Anyone?
-
I'm using it as a lab, I've created two VMs on Vbox and they can view each other, but I can't pass this part:
6. Services –> Firewall
a. Rules –> LAN tab – Create a proxy rule to allow TCP port 3128 to the LAN address for testing (will change later)
b. NAT –> Port Forward tab - Create a proxy port forward from LAN on port 3128 to the loopback adapter (127.0.0.1) for testing
Could anyone show me how to do it?
-
I've also given up on this one getting back to pfSense 2.1.5. I would like to dig deeper on this one as I feel that I've been pretty close to achieving the solution but unfortunately at this time I have no time available at all to dedicate on this subject. :(
Once I have the time, if no one has found it yet, I'll redo it all again and document the changes.
-
I managed to get Squid working with NTLM. It works with the stable and with squid 3!
https://drive.google.com/file/d/0BytRSGrf8eEXQzRvUXdNUUw2NTg/view
This is the step-by-step guide.
I hope it helps.
-
> I managed to get Squid working with NTLM. It works with the stable and with squid 3!
> https://drive.google.com/file/d/0BytRSGrf8eEXQzRvUXdNUUw2NTg/view
> This is the step-by-step guide.
> I hope it helps.
Hey, do you have an English translation for this? Thanks.
-
> I managed to get Squid working with NTLM. It works with the stable and with squid 3!
> https://drive.google.com/file/d/0BytRSGrf8eEXQzRvUXdNUUw2NTg/view
> This is the step-by-step guide.
> I hope it helps.
Also, does this imply Single Sign On? If not, then how can I incorporate it with the setup? Thanks.
-
First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.
Look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/
or google "Squidtrust"
You will find a Perl authentication helper, and a workstation agent that can easily be integrated into a pfSense environment.
Originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.
The short version:
Install the Perl helper on pfSense, configure it to poll the agent for your desired user credentials.
Run the agent on all workstations via login script/GPO
ta-da...transparent user authentication.
Read the docs for more detail.
How do you make this work? I have yet to have any success.