Netgate Discussion Forum
    Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

      ghosterius

      @alex.g:

      Yesterday I thought the "No such file" error is solved. But today squid was not starting because of this error. Now I tried the solution from ghosterius, and the error is gone, squid is running.
      In the systemlog I see:
      Jan 29 12:19:47 pfSense22 dansguardian[60493]: NTLM - Invalid message of length 42, message was: NTLMSSP
      Jan 29 12:19:47 pfSense22 dansguardian[60493]: Auth plugin returned error code: -3
      (I got an authentication window when I want to surf with the proxy, authentication not working and these errors in the log)

      And in /var/squid/logs/cache.log:
      2015/01/29 12:36:19 kid1| ipcCreate: /usr/pbi/squid-amd64/bin/: (13) Permission denied
      2015/01/29 12:36:19 kid1| WARNING: ntlmauthenticator #Hlpr0 exited

      I have exactly the same behaviour, except that the error is not the same. Mine says the following in cache.log:
      2015/01/29 11:13:29 kid1| WARNING: ntlmauthenticator #Hlpr0 exited
      Shared object "libpopt_samba3.so" not found, required by "ntlm_auth"

      What permissions do you have under /usr/pbi/squid-amd64/bin ? Also, are you using pfSense on x64 or x86? Because if it is on 32bit you should adapt that directory accordingly.

        alex.g

        What permissions do you have under /usr/pbi/squid-amd64/bin ?

        rwxr-xr-x proxy proxy
        and same for ntlm_auth in this directory

        Also, are you using pfSense on x64 or x86?

        x64

          alex.g

          ok, I had a silly error in my "Squid Integrations"!!!
          So my error is exactly the same as written by ghosterius
          WARNING: ntlmauthenticator #Hlpr0 exited
          Shared object "libpopt_samba3.so" not found, required by "ntlm_auth"

            alex.g

            Ok, this problem is because libpopt_samba3.so and many other libs cannot be found, because they are in the path /usr/local/lib/samba,
            so you should add this path to the ldconfig path or copy/link the libraries to where they can be found. But now I have the error

            Shared object "libintl.so.8" not found, required by "libpopt.so.0"

            And I cannot find libintl.so on my pfSense. So what do I have to install to get this shared object?

            Thanks in advance
            Alex

              alex.g

              Again, don't know what the error was. Today I found the libintl.so.8 and the other needed libraries. But still not working. In /var/squid/logs/cache.log:

              ntlm_auth: error opening config file /usr/local/etc/smb4.conf. Error was No such file or directory

              Which file or directory? /usr/local/etc/smb4.conf is there and is readable for others.

                marcelloc

                May be related to pbi pseudo jail build.

                Are you trying to run net ads join and getting this error?

                Elite Training: http://sys-squad.com

                Help a community developer! ;D

                  alex.g

                  No, marcelloc, the net ads join is working.
                  I try to go onto the Internet with the browser over the proxy. Then the browser asks me for username and password, but it doesn't accept them and I see this line in the log.

                  Yes, I think it's related to the pseudo jail build. But I don't know anything about this till now.

                    inthisidrown

                    Did anyone else get this to work?  I was able to get things working by:

                    • Copied all the libs to the /usr/pbi/squid-amd64/local/lib directory
                    • Copied the smb4.conf to the /usr/pbi/etc directory
                    • Added --configfile=/usr/pbi/etc/smb4.conf to the ntlm_auth parameters within the Integrations section of Proxy server service under Custom Settings

                    Now things are rocking out with AD just fine without prompting for a password.

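The "Shared object ... not found" errors discussed in the posts above can be checked before copying or linking anything. The following is an added example, not code from any poster or from the pfSense packages: it parses ldd-style output for unresolved libraries and reports which candidate directory holds each one. The function names and the sample ldd output are constructed for illustration; the library names and directories are the ones mentioned in this thread.

```shell
#!/bin/sh
# Constructed sample of `ldd /usr/pbi/squid-amd64/bin/ntlm_auth` output
# (not captured from a real system).
SAMPLE_LDD='/usr/pbi/squid-amd64/bin/ntlm_auth:
    libpopt_samba3.so => not found (0)
    libintl.so.8 => not found (0)
    libc.so.7 => /lib/libc.so.7 (0x800a00000)'

# missing_libs: read ldd output on stdin, print each unresolved library once.
missing_libs() {
    awk '/=> not found/ { print $1 }' | sort -u
}

# locate_lib NAME DIR...: print the first DIR that contains NAME; fail if none.
locate_lib() {
    name=$1
    shift
    for dir in "$@"; do
        if [ -e "$dir/$name" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# resolve_report DIR...: read ldd output on stdin and, for every unresolved
# library, say which candidate directory has it (or that none does).
resolve_report() {
    missing_libs | while read -r lib; do
        if dir=$(locate_lib "$lib" "$@"); then
            printf '%s found in %s\n' "$lib" "$dir"
        else
            printf '%s NOT FOUND\n' "$lib"
        fi
    done
}

# Demo on the constructed sample, searching the directories named in the thread.
# On the firewall itself, pipe real ldd output into resolve_report instead.
printf '%s\n' "$SAMPLE_LDD" |
    resolve_report /usr/local/lib/samba /usr/local/lib /usr/pbi/squid-amd64/local/lib
```

A library reported as NOT FOUND in every candidate directory is not installed at all, so no ldconfig path change or copy will resolve it.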
                      percyiii

                      Well;
                      Have pretty much given up. I even tried a new install and
                      pkg install http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz does not work..
                      pkg install samba36 works but end result
                      kinit: krb5_init_context failed: 22
                      Is all I get..
                      Would be wonderful if someone would rewrite this for a new install..
                      TIA
                      Percy

                        tk

                        I'm suffering with getting a 2.2 install running as well.
                        Sifting through a lot of the last few pages has at least got the warnings to go away but no actual ntlm auth occurring.
                        +1 for a modification of the original tutorial in a separate thread perhaps?

                          marcelloc

                          @percyiii:

                          Well;
                          Have pretty much given up. I even tried a new install and
                          pkg install http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz does not work..
                          pkg install samba36 works but end result
                          kinit: krb5_init_context failed: 22
                          Is all I get..
                          Would be wonderful if someone would rewrite this for a new install..
                          TIA
                          Percy

                          The samba pkg you tried to download is for FreeBSD 8.x.

                          pfSense 2.2 uses FreeBSD 10.

                          Elite Training: http://sys-squad.com

                          Help a community developer! ;D

                            alxbob

                            I want to implement LDAP Kerberos Squid authentication! As far as I understand I won't use Samba, but why is a KDC needed if I can use the Windows Server KDC?

                              alxbob

                              Anyone?

                                eduardogd

                                I'm using it as a lab. I've created two VMs on VBox and they can see each other, but I can't get past this part:

                                6.  Services –> Firewall
                                  a.  Rules –> LAN tab – Create a proxy rule to allow TCP port 3128 to the LAN address for testing (will change later)
                                  b.  NAT –> Port Forward tab - Create a proxy port forward from LAN on port 3128 to the loopback adapter (127.0.0.1) for testing

                                could anyone show me how to do it?

                                  ghosterius

                                  I've also given up on this one getting back to pfSense 2.1.5. I would like to dig deeper on this one as I feel that I've been pretty close to achieving the solution but unfortunately at this time I have no time available at all to dedicate on this subject. :(

                                  Once I have the time, if no one has found it yet, I'll redo it all again and document the changes.

                                    atilaloise

                                    I managed to get Squid working with NTLM. It works with the stable release and with squid 3!

                                    https://drive.google.com/file/d/0BytRSGrf8eEXQzRvUXdNUUw2NTg/view

                                    This is the step-by-step guide.

                                    I hope it helps.

                                      gdsnytech

                                      @atilaloise:

                                      I managed to get Squid working with NTLM. It works with the stable release and with squid 3!

                                      https://drive.google.com/file/d/0BytRSGrf8eEXQzRvUXdNUUw2NTg/view

                                      This is the step-by-step guide.

                                      I hope it helps.

                                      Hey, do you have an English translation for this? Thanks.

                                        gdsnytech

                                        @atilaloise:

                                        I managed to get Squid working with NTLM. It works with the stable release and with squid 3!

                                        https://drive.google.com/file/d/0BytRSGrf8eEXQzRvUXdNUUw2NTg/view

                                        This is the step-by-step guide.

                                        I hope it helps.

                                        Also, does this imply Single Sign On? If not, then how can I incorporate it with the setup? Thanks.

                                          gdsnytech

                                          @sowen:

                                          First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.

                                          look at
                                          http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/

                                          or google "Squidtrust"

                                          you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
                                          originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.

                                          the short version:
                                          Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
                                          run the agent on all workstations via login script/GPO
                                          ta-da...transparent user authentication.

                                          read the docs for more detail.

                                          How do you make this work? I have yet to have any success.

                                            sowen

                                            What's not working or what can't you get working ??

                                            The client (SquidTrustIII) or the squid helper (perl script) side of things ??

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.