Dansguardian package for 2.0
-
Strange, dansguardian won't start when I reboot the box. But I can manually start it. I looked around in my log and I see it reloads itself a few times on startup… I can confirm it started during the boot process but then it dies... When I manually start it, it stays running.
-
I am trying to install Dansguardian into pfSense. It says on boot up that it started; however, in services it reported it has stopped. When I go into the web GUI for the settings it has the icapserver address in the contentscannertimeout field. Below is the log. I corrected the dansguardian configuration file to read the default of 60 seconds; however, the web GUI field will not reflect the change. On reboot the icapserver address is back in the .conf file.
Mar 29 13:54:10 root: /usr/local/etc/rc.d/dansguardian: WARNING: failed to start dansguardian
Mar 29 13:54:10 dansguardian[666]: Error parsing the dansguardian.conf file or other DansGuardian configuration files
Mar 29 13:54:10 dansguardian[666]: Config problem; check allowed values for contentscannertimeout
Mar 29 13:47:06 root: /usr/local/etc/rc.d/dansguardian: WARNING: failed to start dansguardian
Mar 29 13:47:06 dansguardian[15796]: Error parsing the dansguardian.conf file or other DansGuardian configuration files
Mar 29 13:47:06 dansguardian[15796]: Config problem; check allowed values for contentscannertimeout
-
FiscoKid,
Which GUI field and config options are wrong?
-
Strange, dansguardian won't start when I reboot the box. But I can manually start it. I looked around in my log and I see it reloads itself a few times on startup… I can confirm it started during the boot process but then it dies... When I manually start it, it stays running.
I made a quick rc.d script to start dansguardian on startup.
-
I get this error if I want to use Dansguardian:
dansguardian[723]: Error connecting to proxy
Squid is installed and running… Any help?
-
dansguardian[723]: Error connecting to proxy
Is squid listening on loopback, and is dansguardian configured with 127.0.0.1 on port 3128?
-
I made a quick rc.d script to start dansguardian on startup.
Did you add a second startup script or change the current script?
Can you check if the default dansguardian rc script is in the same folder and what permissions it has?
-
I made a quick rc.d script to start dansguardian on startup.
Did you add a second startup script or change the current script?
Can you check if the default dansguardian rc script is in the same folder and what permissions it has?
I didn't change the 'dansguardian' script, permissions are 755. I created 'dansguardian.sh' which basically runs '/usr/local/sbin/dansguardian -Q'
-
I didn't change the 'dansguardian' script, permissions are 755. I created 'dansguardian.sh' which basically runs '/usr/local/sbin/dansguardian -Q'
Ok. I'll do some tests and/or logs to see what is happening.
-
dansguardian[723]: Error connecting to proxy
Is squid listening on loopback, and is dansguardian configured with 127.0.0.1 on port 3128?
Yes, Squid and Dansguardian interfaces are LAN/Loopback, Dansguardian is configured with 127.0.0.1:3128. Squid is running without problems.
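
An added example, not part of any post in this thread: a small sh check for the dansguardian.conf values involved in the two start-up errors quoted above (contentscannertimeout and the 127.0.0.1:3128 proxy setting). The helper names conf_get and check_dg_conf and the sample file are constructed for illustration; proxyip and proxyport are assumed to be the dansguardian.conf keys that hold the proxy address and port.

```sh
#!/bin/sh
# Added example (not from the thread): check the dansguardian.conf values discussed above.

# conf_get FILE KEY: print the value of the last "KEY = value" line, comments ignored.
conf_get() {
    awk -v k="$2" '
        {
            line = $0
            sub(/#.*/, "", line)                      # drop comments
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t'\'']+|[ \t'\'']+$/, "", val)  # trim blanks and single quotes
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# check_dg_conf FILE: print one line per problem; exit status is the problem count.
check_dg_conf() {
    problems=0
    for key in contentscannertimeout proxyport; do
        val=$(conf_get "$1" "$key")
        case "$val" in
            ''|*[!0-9]*)
                echo "$key: expected a whole number, got '$val'"
                problems=$((problems + 1)) ;;
        esac
    done
    ip=$(conf_get "$1" proxyip)   # assumed key name for the proxy address
    case "$ip" in
        ''|*[!0-9.]*)
            echo "proxyip: expected an IPv4 address, got '$ip'"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample reproducing the symptom: an address where a number belongs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
proxyip = 127.0.0.1
proxyport = 3128
contentscannertimeout = icap://192.0.2.10:1344/example
EOF
check_dg_conf "$sample" || echo "problems found: $?"
```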
-
wheelz,
some checks:
- Make sure the pfSense machine name isn't the same as any user name in your Active Directory.
- Perform a kinit/klist to make sure you have Kerberos communication to Active Directory before net ads join.
- Pay attention to the dots and UPPERCASE in the Kerberos config files; follow exactly what is in the squid howto.
Regards,
Marcello Coutinho
-
OK, so now I am getting closer. After much trial and error I was able to get it to join the domain. Also now I have wbinfo showing the trust is successful and it can pull users and groups from the domain. I did the chgrp command, set up the group policy setting for NTLM on Win 7 etc, and added:
acl all src 0.0.0.0/0.0.0.0;auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 30;auth_param ntlm keep_alive on;acl AuthorizedUsers proxy_auth REQUIRED;http_access allow AuthorizedUsers
to the custom options. Now it mentions removing the "cache_effective_group" setting in squid.conf, but how do you do that properly? I did it manually, but I imagine that will get overridden on the next boot. Even with that and restarting the services I don't get the user names showing in the access.log. What am I missing or what should my next steps be?
-
One more note… It does look like the user name is showing up in the squid access log. So it is the dansguardian that isn't picking it up. Any ideas on that? Thanks!
-
to the custom options. Now it mentions removing the "cache_effective_group" setting in squid.conf, but how do you do that properly? I did it manually, but I imagine that will get overridden on the next boot. Even with that and restarting the services I don't get the user names showing in the access.log. What am I missing or what should my next steps be?
If you don't mind hand-editing files… edit /usr/local/pkg/squid.inc. Search for 'cache_effective_group', then either remove that line or comment it out by adding '# ' in front. Without the quotes, though... It will then create the squid.conf file without 'cache_effective_group' on reboots and restarts.
-
One more note… It does look like the user name is showing up in the squid access log. So it is the dansguardian that isn't picking it up. Any ideas on that? Thanks!
Did you select ntlm_auth in the dansguardian conf?
-
Yep, that is enabled. I even found your comment on the bug log: http://sourceforge.net/support/tracker.php?aid=3462549 in my research as I was looking at multiple authplugins (would be good to be able to enable/disable multiple and order them in the package GUI once the bug is fixed - is this bug fixed?).
For now though just trying to get ntlm working. You were able to get this working, correct? Seems as if I have everything working up until dansguardian tries to "sniff" the user information… and I'm kind of stuck. :(
-
I have successful reports with squid on a Linux machine. This is the first feedback with samba on pfSense.
I'm having issues with the multiplugin patch but I'm not sure if it's a squid3 issue or just the patch. I'm still working on it.
-
If I get it working I'll share the whole process I did to get everything working. Perhaps some day it could be integrated into this package (or an additional package).
I did see this:
DansGuardian (but not recent versions of Squid) does not support encrypted Kerberos auth. Even if you correctly configure Squid, Samba, and IE to exchange and validate encrypted Kerberos credentials, DansGuardian will not be able to extract usernames.
This restriction does not apply to the Squid “LDAP” helper, as it handles un-encrypted Kerberos credentials in such a way that the exchange between the Browser and Squid appears to be BASIC authentication.
on http://contentfilter.futuragts.com/wiki/doku.php?id=using_ntlm_for_user_identification
Could this be the cause of it not working? I know there were some Kerberos configs in the steps I followed. If so, any ideas on workarounds?
-
You may want to try just the samba config options and no Kerberos.
-
Hmm…. I see a few other articles about this kind of setup (like http://www.petespcs.co.uk/petespcs/2011/10/dans-guardian-and-ntlm-from-active-directory/ - Debian, but still…) and they mention using Kerberos. This seems to indicate that others have this working. I'm wondering if it has to do with that multiple authplugin bug... I'll see what I can dig up.