Squid + Authentication Method : NT Domain
-
When I configure this authentication method, Squid hangs with that error:
pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was '2016/06/15 15:52:08| ERROR: Authentication helper program /usr/local/libexec/squid/basic_msnt_auth: (2) No such file or directory FATAL: Authentication helper program /usr/local/libexec/squid/basic_msnt_auth: (2) No such file or directory Squid Cache (Version 3.5.19): Terminated abnormally. CPU Usage: 0.025 seconds = 0.013 user + 0.013 sys Maximum Resident Size: 45664 KB Page faults with physical i/o: 0'
And the file does not exist in that directory.
Has anyone tried that configuration? Thanks in advance!
-
I'm trying at the moment. Seems that at least NT Domain and LDAP auth are not working properly at the moment. The 'basic_msnt_auth' helper does not exist in the filesystem.
Setting up LDAP auth via the Web Interface, pfSense adds a colon to the IP address of the LDAP server when writing the configuration file '/usr/local/etc/squid/squid.conf'.
auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 2 -b OU=Verwaltungsstruktur,DC=abcdefghij123 -D xxxxxxxxx -w xxxxxxxxxxxxx -f "sAMAccountName=%s" -u -P 192.168.XXX.XXX:
The colon is added when using the FQDN instead of an IP address for the LDAP server, too.
Removing the colon in squid.conf results in a working LDAP configuration, but any change to the config via the web interface breaks it again.
I'm using 2.3.2-RELEASE-p1 (amd64) on an APU2C4 at the moment.
-
This should use basic_msnt_multi_domain_auth instead. Pretty sure it also is missing a bunch of Perl dependencies. When you take a package written for Squid 3.3.x and use it for Squid 3.5.x, things break.
Pull requests go to https://github.com/pfsense/FreeBSD-ports/tree/devel/www/pfSense-pkg-squid
Good luck.
-
This should use basic_msnt_multi_domain_auth instead. Pretty sure it also is missing a bunch of Perl dependencies. […]
It does ::)
Can't locate Authen/Smb.pm in @INC (you may need to install the Authen::Smb module) \ (@INC contains: /usr/local/lib/perl5/site_perl/mach/5.20 /usr/local/lib/perl5/site_perl \ /usr/local/lib/perl5/5.20/mach /usr/local/lib/perl5/5.20 /usr/local/lib/perl5/site_perl/5.20 \ /usr/local/lib/perl5/site_perl/5.20/mach .) at /usr/local/libexec/squid/basic_msnt_multi_domain_auth line 103. \ BEGIN failed--compilation aborted at /usr/local/libexec/squid/basic_msnt_multi_domain_auth line 103.
-
https://redmine.pfsense.org/issues/7017
As for your trailing : for LDAP, that's just PHP being retarded. If you don't have a port set, then set it and it will go away. See https://github.com/pfsense/FreeBSD-ports/pull/232
-
LDAP/RADIUS should work with 0.4.26.
NT Domain auth is gone with 0.4.29.
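-
Added example, not part of the thread and not pfSense or Squid code: a small shell lint for the two failures reported above, an auth_param helper program that does not exist on disk and an LDAP server argument left with a trailing colon. The function names and sample config are constructed for illustration; /bin/sh stands in for an installed helper and 192.0.2.10 is a placeholder address.

```shell
#!/bin/sh
# Lint the "auth_param <scheme> program ..." lines of a squid.conf.
# Hypothetical helper names; prints one finding per line on stdout.

check_auth_helpers() {
    conf=$1
    # Only "program" lines name a helper binary; skip children/realm/etc.
    grep -E '^[[:space:]]*auth_param[[:space:]]+[a-z]+[[:space:]]+program[[:space:]]' "$conf" |
    while read -r _kw scheme _prog helper args; do
        # Failure 1: configured helper is missing or not executable
        # (the "(2) No such file or directory" FATAL in the first post).
        [ -x "$helper" ] || echo "MISSING_HELPER $scheme $helper"
        # Failure 2: the last argument is the server as host[:port];
        # a trailing ':' means the port was written out empty.
        last=${args##* }
        case $last in
            *:) echo "EMPTY_PORT $scheme $last" ;;
        esac
    done
}

# Constructed sample config: line 1 mirrors the missing NT Domain helper,
# line 2 the trailing colon, line 3 a server argument with the port set.
write_sample_conf() {
    cat > "$1" <<'EOF'
auth_param basic program /nonexistent/libexec/squid/basic_msnt_auth
auth_param basic program /bin/sh -v 2 -b DC=example -f "sAMAccountName=%s" -u -P 192.0.2.10:
auth_param basic program /bin/sh -v 2 -b DC=example -f "sAMAccountName=%s" -u -P 192.0.2.10:389
auth_param basic children 5
EOF
}

# With a path argument, lint that file; with none, lint the sample.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    write_sample_conf "$target"
    check_auth_helpers "$target"
    rm -f "$target"
else
    check_auth_helpers "$target"
fi
```

Run it against /usr/local/etc/squid/squid.conf after each change made through the web interface, since the thread notes that saving there rewrites the file.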