Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!



  • I spent quite a bit of time working on this and so I thought I'd share a step by step on how I got this working as I've seen a lot of people ask about it.  Thanks to marcelloc for all the help.  Much of the information I've pieced together from http://forum.pfsense.org/index.php/topic,43786.0.html and http://forum.pfsense.org/index.php/topic,47532.msg250366.html#msg250366 (after translating it) along with a LOT of trial and error.

    This is a work in progress and there may be improvements to the steps I have to make it more secure or simpler.  I welcome any suggestions.  I just documented the steps in outline form and it does require being familiar with pfsense.  Also I highly recommend getting this set up individually before syncing with pfsync in a CARP scenario.  Also I really needed the squid3 features so I replaced the version included in the dansguardian package.  Here are the steps:

    1. Install the Dansguardian and Shellcmd packages (you’ll need Shellcmd later)
    2. Log in via SSH and run “pkg_delete -f squid-2.7.9_3”
    3. Install the Squid 3 package
    4. Services –> Proxy
      a. General tab
      i. Squid General Settings section –> Proxy interface = loopback
      ii. Logging Settings section
        1. Enabled logging = checked
        2. Log rotate = <set days>
        3. Visible hostname = <hostname>
        4. Administrator email = <admin email>
        5. Disable X-Forward = checked
        6. Disable VIA = checked
        7. Suppress Squid Version = checked
      b. ACLs tab –> Squid Access Control Lists section – add the subnet of a test client to Allowed subnets (only needed during squid testing)
    5. Status –> Services – Restart squid
    6. Services –> Firewall
      a. Rules –> LAN tab – Create a proxy rule to allow TCP port 3128 to the LAN address for testing (will change later)
      b. NAT –> Port Forward tab – Create a proxy port forward from LAN on port 3128 to the loopback adapter (127.0.0.1) for testing
    7. Configure a client to use <server name> port 3128 and test squid access – once squid is confirmed working, continue on
    8. Disable the NAT/firewall rules that were just created (port 3128) as they are no longer needed (you can enable them again later for troubleshooting)
    9. Services –> Dansguardian
      a. Daemon tab
      i. Check Enable Dansguardian
      ii. Listen Interface(s) = loopback
      iii. Parent Proxy Settings section
        1. Proxy IP = 127.0.0.1
        2. Proxy Port = 3128
      b. General tab
      i. Config settings section –> Auth Plugins = none (for testing)
      ii. Misc settings section –> Misc Options – select forwardedfor (off)
      c. Report and log tab –> Logging section –> Log file format = Squid log file format
    10. Services –> Firewall
      a. Rules –> LAN tab – Create a filtered proxy rule to allow TCP port 8080 to the LAN address
      b. NAT –> Port Forward tab – Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1)
    11. Status –> Services – Restart squid and dansguardian
    12. Change the test client to port 8080 and test dansguardian – once it is confirmed working, continue on
    13. Connect via SSH and enter the shell.  Then run the following commands to install Samba and Kerberos support:

    pkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
    pkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/heimdal-1.4_1.tbz
    cd /usr/local/lib
    fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
    fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
    fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10
    fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
    fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
    fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10

    14. Edit/Create the following files using Diagnostics –> Edit file (or your favorite text editor in an SSH session).  The examples below assume the following:  AD domain is “mydomain.local” with DCs “mydc1” and “mydc2”, pfsense hostname is “pfproxy01”, LAN interface is “e1000g0”, and an AD account with permissions to join a computer to the domain is “myadmin”.  Where you see these values, change them to match your environment. (note you need to match all CAPS where shown – important!!)
      a. /etc/krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/ksadmind.log
    [libdefaults]
    default_realm = MYDOMAIN.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes
    # DES-CBC-CRC and DES-CBC-MD5 are weak and are disabled by default on
    # Windows 7 / Server 2008 R2 and later; RC4-HMAC is what a 2003-era AD
    # actually negotiates. Drop the DES entries unless a DC still requires them.
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    [realms]
    MYDOMAIN.LOCAL = {
    kdc = mydc1.mydomain.local:88
    kdc = mydc2.mydomain.local:88
    admin_server = mydc1.mydomain.local:749
    default_domain = mydomain.local
    }
    [domain_realm]
    .mydomain.local = MYDOMAIN.LOCAL
    mydomain.local = MYDOMAIN.LOCAL
    [kdc]
    profile = /var/heimdal/kdc.conf
    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    b.   /var/heimdal/kdc.conf:

    [kdcdefaults]
    acl_file = /var/heimdal/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/heimdal/kadm5.keytab
    v4_mode = noreauth
    [libdefaults]
    default_realm = MYDOMAIN.LOCAL
    [realms]
    MYDOMAIN.LOCAL = {
    master_key_type = des-cbc-crc
    supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
    }

    c.   /var/heimdal/kadm5.acl:

    */*Administrator@MYDOMAIN.LOCAL *

    d. /usr/local/etc/smb.conf:

    [global]
    interfaces = e1000g0
    bind interfaces only = yes
    netbios name = PFPROXY01
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    server string = Domain Proxy Server
    encrypt passwords = yes
    security = ADS
    password server = *
    log level = 3
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = /etc/printcap
    preferred master = No
    dns proxy = No
    ldap ssl = no
    ; idmap uid = 10000-20000
    ; idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    ; winbind separator =
    client use spnego = yes
    client ntlmv2 auth = yes
    cups options = raw

    e. /etc/rc.conf.local:

    samba_enable="YES"
    winbindd_enable="YES"

    15. In SSH run the following commands, entering the myadmin account password where prompted:

    /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL
    net ads join -U myadmin@MYDOMAIN.LOCAL
    /usr/local/etc/rc.d/samba restart
    chgrp proxy /var/db/samba/winbindd_privileged

    16. Services –> Shellcmd
      a. Add “mkdir /var/run/samba” of type shellcmd
      b. Add “/usr/local/etc/rc.d/samba start” of type shellcmd
    17. Reboot
    18. In SSH run commands to test:
      a. wbinfo -t (This should return that it succeeded)
      b. wbinfo -u (This should return a list of users in the domain)
    19. Services –> Proxy
      a. General tab –> Custom settings section – Copy/Paste the following into Integrations:

    acl_uses_indirect_client on;follow_x_forwarded_for allow localhost;auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 10;auth_param ntlm keep_alive on;acl password proxy_auth REQUIRED;http_access allow password

    20. Create a service account in Active Directory (in this example I’ve used “ldapsvc01” in the “myservices” OU)
    21. Create groups in Active Directory
    22. Services –> Dansguardian
      a. General tab –> Config settings section –> Auth Plugins = Proxy-Ntlm
      b. LDAP tab – Add New
      i. Hostname = mydc1.mydomain.local
      ii. Domain = dc=mydomain,dc=local
      iii. Username = cn=ldapsvc01,ou=myservices
      iv. Password = <enter it>
      v. Mask = USER
      c. Groups tab – Create groups with the exact same name as the groups created in Active Directory (avoid special characters for the names and display names of both users and groups)
      i. Set up filter settings as desired
      ii. LDAP section – Select the LDAP server created previously and set the desired update frequency
    23. The Users tab will now update the pfsense groups automatically based on the AD groups – you can run this command at SSH for troubleshooting:

    php /usr/local/www/dansguardian_ldap.php

    24. Configure a client to use pfproxy01.mydomain.local port 8080 and test – You can use the following command in an SSH session to check the access logs in real time for the user name to show up:

    tail -f /var/log/dansguardian/access.log

    Let me know if you see anything that should be corrected.
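The Integrations string in step 19 is the piece this whole setup stands or falls on: it is one semicolon-separated field that the pfSense Squid package writes out as individual squid.conf lines, and a pasted copy can silently lose its meaning (a typographic dash in place of "--" in the helper flags, or an acl/http_access pair that never produces a 407 challenge, so Squid never asks for NTLM and the logs never show a username). The following lint is an added example, not code from the original post or from the pfSense package; it assumes the helper path /usr/local/bin/ntlm_auth and the squid-2.5-ntlmssp protocol flag from the post, and the sample strings at the bottom are constructed copies of the post's line with and without the dash defect.

```python
"""Lint the Squid "Integrations"/custom-options string used in the post.

The pfSense Squid package takes custom directives as one semicolon-separated
string and writes each piece out as its own squid.conf line.  Two things go
wrong with copy/paste from a web page: typographic dashes (U+2013/U+2014)
replace "--" in helper flags, and a directive set that never challenges.
"""
import re

# Dash look-alikes that forum software and rich-text editors substitute for "-"
# (constructed table; U+2013 is the one that hits "--use-cached-creds").
DASH_MAP = {ord(c): "-" for c in "\u2010\u2011\u2012\u2013\u2014\u2212"}

NTLM_HELPER = "/usr/local/bin/ntlm_auth"          # helper path from the post
HELPER_PROTO = "--helper-protocol=squid-2.5-ntlmssp"


def normalize_dashes(text):
    """Replace typographic dashes with ASCII '-'; return (fixed_text, count)."""
    count = sum(1 for c in text if ord(c) in DASH_MAP)
    return text.translate(DASH_MAP), count


def split_integrations(text):
    """Split the semicolon-joined field into squid.conf lines, the way the
    pfSense package writes them out."""
    return [part.strip() for part in text.split(";") if part.strip()]


def lint_ntlm_auth(directives):
    """Return a list of findings about the NTLM auth directives (empty = OK)."""
    findings = []
    proxy_auth_acls = set()   # acl names defined with proxy_auth
    challenged = False        # an http_access rule evaluates such an acl
    helper_seen = False

    for line in directives:
        words = line.split()
        if words[:3] == ["auth_param", "ntlm", "program"]:
            helper_seen = True
            if len(words) < 4:
                findings.append("auth_param ntlm program has no helper path")
                continue
            if words[3] != NTLM_HELPER:
                findings.append("unexpected NTLM helper %s" % words[3])
            flags = words[4:]
            for flag in flags:
                # "-use-cached-creds" is what an en-dash turns into; the helper
                # will not treat it as the long option --use-cached-creds.
                if re.fullmatch(r"-[A-Za-z][\w-]+", flag):
                    findings.append("flag %s has a single leading dash; "
                                    "long options need --" % flag)
            if HELPER_PROTO not in flags:
                findings.append("helper is missing %s" % HELPER_PROTO)
        elif words[:1] == ["acl"] and len(words) >= 4 and words[2] == "proxy_auth":
            proxy_auth_acls.add(words[1])
        elif words[:2] == ["http_access", "allow"]:
            # Squid only sends a 407 challenge when an http_access rule
            # evaluates a proxy_auth acl, and the acl must be defined above it.
            if any(name in proxy_auth_acls for name in words[2:]):
                challenged = True

    if not helper_seen:
        findings.append("no auth_param ntlm program line")
    if not challenged:
        findings.append("no http_access rule uses a proxy_auth acl defined above it; "
                        "Squid will never challenge, so logs show no usernames")
    return findings


def lint_integrations(text):
    """Normalize, split and lint a pasted Integrations string.
    Returns (directives, findings)."""
    fixed, replaced = normalize_dashes(text)
    directives = split_integrations(fixed)
    findings = []
    if replaced:
        findings.append("%d non-ASCII dash character(s) replaced with '-'" % replaced)
    findings.extend(lint_ntlm_auth(directives))
    return directives, findings


# Constructed samples: the post's line with an en-dash in front of
# use-cached-creds (as a copy/paste can leave it), and the corrected form.
POSTED = ("acl_uses_indirect_client on;follow_x_forwarded_for allow localhost;"
          "auth_param ntlm program /usr/local/bin/ntlm_auth \u2013use-cached-creds "
          "--helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 10;"
          "auth_param ntlm keep_alive on;acl password proxy_auth REQUIRED;"
          "http_access allow password")
FIXED = POSTED.replace("\u2013use-cached-creds", "--use-cached-creds")

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        directives, findings = lint_integrations(text)
        print("%s: %d directives, %d findings" % (label, len(directives), len(findings)))
        for finding in findings:
            print("  -", finding)
```

Run it against the string you are about to paste into the Integrations field (after saving, `cat`/`less` on the generated squid.conf is the second check, since the web editor shows the dashes correctly even when the file does not).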



  • Great 22 easy steps to get it working :D

    I'll link it to portuguese tutorial you used as reference.

    Thanks wheelz!



  • Please let me know if anyone else is able to get multiple auth plugins to work.  In my particular scenario I'd like it to use NTLM or IP, and then allow access for unauthenticated through the default filtering.



  • Are you sure samba is absolutely needed? I know winbind has dependencies on certain samba libraries and, depending on how it's packaged, it could mean that you do need to install the complete Samba suite, but there should be no need to actually run the Samba daemon. I know I have working SSO on Linux webservers without the SMB service even installed.



  • IIRC, without samba you will configure Kerberos auth, not NTLM.

    Only IE, Firefox and Chrome on Windows support Kerberos "transparent" auth.



  • Great looking guide, will let you know my results. I'm stuck on pkg_add. The package URLs look like they are 64-bit specific; are there equivalent URLs I could substitute for i386 (nanobsd)? Thanks!



  • @dig1234:

    The package URLs look like they are 64-bit specific; are there equivalent URLs I could substitute for i386 (nanobsd)?

    I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tried it.  Let me know if that works and I'll edit the original post to include that.

    For the fetch commands I could not find those same files in a non-amd64 area.  Perhaps marcelloc would know where the x86 version of those files could be downloaded from?



  • Yep that worked for all the URLs, fetch as well. Continuing on now!

    @wheelz:

    I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tried it.  Let me know if that works and I'll edit the original post to include that.



  • Getting following error after reboot:
    wbinfo -t
    could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
    could not obtain winbind domain name!
    checking the trust secret for domain (null) via RPC calls failed
    failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
    Could not check secret



  • Ok I got wbinfo working, samba service wasn't starting. Needed to add one more shellcmd:
    mkdir /var/db/samba



  • It's pretty cool, it works very smoothly to seamlessly authenticate dansguardian groups.
    For some reason though on every reboot I have to do:
    chgrp proxy /var/db/samba/winbindd_privileged
    and restart squid
    Otherwise authentication fails, any idea why that's happening? I suppose I could just add shellcmd's for this but not sure if that's the correct solution?

    Thanks again for a great howto!



  • I was able to get it working reliably on reboot. This is what my shellcmd lines look like:
    mkdir /var/run/samba
    mkdir /var/db/samba/winbindd_privileged
    /usr/bin/chgrp proxy /var/db/samba/winbindd_privileged
    chmod 0750 /var/db/samba/winbindd_privileged
    /usr/local/etc/rc.d/samba start



  • Strange that I did not run into this but thanks for posting as this will help anyone else that does.



  • I'm pretty sure the issue is related to the fact that I'm running nanoBSD on CF card. I just did the install on another system that's on a HDD and did not have to add those extra lines.
    One more note is that if you are doing this install on nanoBSD you need to mount the card read/write before making those file changes, see this thread:
    http://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write



  • How did you solve the issue with the Squid3 daemon not starting?
    Mar 25 00:06:37 check_reload_status: Syncing firewall
    Mar 25 00:06:37 check_reload_status: Reloading filter
    Mar 25 00:07:15 squid[60713]: Squid Parent: child process 61160 exited due to signal 15 with status 0
    Mar 25 00:07:15 squid[60713]: Exiting due to unexpected forced shutdown
    Mar 25 00:07:17 squid[34206]: Squid Parent: child process 34441 started
    Mar 25 00:08:09 squid[60554]: Squid Parent: child process 60691 started
    Mar 25 00:08:19 squid[765]: Squid Parent: child process 1120 started
    Mar 25 00:08:32 squid[5630]: Squid Parent: child process 6099 started

    My version:
    2.0.1-RELEASE (i386)
    built on Mon Dec 12 17:53:52 EST 2011
    FreeBSD 8.1-RELEASE-p6

    Packages:
    Dansguardian 2.12.0.3 pkg v.0.1.7_3
    squid3 3.1.20 pkg 2.0.6

    I'm on step 12. Upgrading to 2.0.2 to see if it helps.
    UPDATE: Yep, upgrade to 2.0.2-RELEASE i386 solved the issue. Squid is starting, all packages were reinstalled during update.

    UPDATE2. Correct download links for i386:

    pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
    pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz
    cd /usr/local/lib
    fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libasn1.so.10
    fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libgssapi.so.10
    fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libheimntlm.so.10
    fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libhx509.so.10
    fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libkrb5.so.10
    fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libroken.so.10

    However:

    [2.0.2-RELEASE][admin@somesite.com]/root(8): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
    Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz… Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done.
    pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1
    pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1
    pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
    pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed!
    Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done.
    pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed

    This is because of 2.0.1 -> 2.0.2 upgrade, so again:
    pkg_delete -f squid-2.7.9_3

    After some fight with dependencies..
    Samba3 package now doesn't include ADS support due the portability problems
    with Kerberos5 libraries on different installations. You need to compile the
    port yourself to get this functionality.

    So far I was able to create working proxy on port 8080, visible to sites like http://www.whatismyip.com/ but no luck with AD.




  • Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?



  • I have tried to do it like this tip for a month of Sundays, but without success.
    I found that squid now has many auth plugins integrated,
    for example: basic_ldap_auth, ntlm_fake_auth, ntlm_smb_lm_auth and negotiate_kerberos_auth.
    Now I can auth through basic_ldap_auth in squid; it's very easy,
    just one line of auth config and 4 lines of related config.

    So I can't understand why this still uses so many third-party libs and so much config.

    I am on pfsense 2.0.2 + dansguardian + squid 3 + win2003 AD.

    I know how to use basic auth in squid, but don't know how to make it work in dansguardian.
    I tried to add an LDAP in dansguardian, then add a group named "Administrator". I can't add a group like "domain user", but most of my accounts are in that AD group.
    Then I run the command

    php /usr/local/www/dansguardian_ldap.php
    

    and it returns an error

    Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65
    


  • Working very good. Thank you!

    Did anyone try https://ip:port? I allowed this and it is logged as an exception but it is not working.

    Any idea?



  • Did anyone manage to get samba and heimdal installed? I get the same version conflicts with some of the dependencies.

    
    [2.0.3-RELEASE][admin@fw01.us.local]/root(1): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
    Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done.
    pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1
    pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1
    pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
    pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed!
    Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done.
    pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
    
    
    [2.0.3-RELEASE][admin@fw01.us.local]/root(34): pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz
    Fetching http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz... Done.
    Fetching http://e-sac.siteseguro.ws/packages/8/All/sqlite3-3.7.9_1.tbz... Done.
    pkg_add: warning: package 'heimdal-1.4_1' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
    
    

    Not sure where to go from here, I can try removing the newer packages but that then means removing squid again.
    Or force install the prerequisites for samba but not sure what that may break.



  • I used -f to force install. It installed fine and two weeks later still running smooth..

    @LokisMischief:

    Or force install the prerequisites for samba but not sure what that may break.



  • @dig1234:

    I used -f to force install. It installed fine and two weeks later still running smooth..

    Or force install the prerequisites for samba but not sure what that may break.

    Well, this is what I did, however you do get a message stating:

    ===============================================================================
    Samba3 *package* now doesn't include ADS support due the portability problems
    with Kerberos5 libraries on different installations. You need to compile the
    port yourself to get this functionality.
    
    For additional hints and directions, please, look into the README.FreeBSD file.
    ===============================================================================
    
    

    I believe ADS is required for authenticating against a domain?

    I guess I need to build a system for compiling the port…  :-\



  • @LokisMischief:

    I believe ADS is required for authenticating against a domain?

    I guess I need to build a system for compiling the port…  :-\

    Nope, I got that message too but after following the instructs here, I have working NTLM silent authentication. No need to compile anything.



  • well giving it a go then!

    Though I have got as far as authenticating the fw on the dc but getting kerberos failures with an admins username & password.

    edit

    Well that's fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.



  • @LokisMischief:

    http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.

    did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.



  • Also regarding the SuppressExtendedProtection, That is interesting.  I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.

    @LokisMischief:

    Well thats fun… I can get server 2008 r2 to accept the authentication from the fw (had to change the SuppressExtendedProtection setting http://support.microsoft.com/kb/976918?wa=wsignin1.0), but kinit still claims the password is incorrect.



  • Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!

    Has anyone got this working on a domain with 2008 function level?



  • @OliverH:

    Has anyone got this working on a domain with 2008 function level?

    That's what I'm working on now, presumably you tried it on a 2003 domain?

    @dig1234:

    did you try entering your username as user@DOMAIN.LOCAL or other variations. I don't remember which one worked but I did run into an issue with that.

    Well, with admin@domain.local I get password incorrect (even though it says auth successful in the 2008 server security log). admin (with no @) defaults to admin.domain.local. and gives the same error. admin@domain throws an "unable to reach any KDC in realm".
    So the username format is correct. Just going to try a tcpdump or so.

    EDIT:

    Finally got the FW to join the domain… it turned out I had an old GPO set on the DCs that wouldn't let the fw join.

    EDIT2:

    Well, I have got to the end of wheelz's steps, finally, however after a reboot winbind seems to have dropped out.. (or screwed up)
    when I run wbinfo -t I get success, however if I run wbinfo -u or -g I get nothing.

    Seems dansguardian_ldap.php won't connect either (suspect it's due to wbinfo.)

    EDIT3:

    wbinfo fixed, restarted samba. Seems winbind may have come up before the NIC was ready...

    I had to add user@domain.local for the username in the Dansguardian LDAP tab, it wouldn't accept the user cn=ldapquery,ou=users



  • Hi, I am on pfsense 2.0.2 + squid3 + dansguardian.

    I just added the lines below, then squid works with basic auth in pfsense, authenticating against win2003 AD.

    When clients access the web and enter the correct AD login and password, then they can't pass.

    auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -R -b "dc=jian,dc=com" -D "cn=squid,cn=Users,dc=jian,dc=com" -w "Admin@8888" -f sAMAccountName=%s -h jxad.jian.com
    auth_param basic children 5
    auth_param basic realm jianxun.com
    auth_param basic credentialsttl 60 minute

    acl ldap-auth proxy_auth REQUIRED

    http_access allow ldap-auth
    http_access allow localhost

    And finally deny all other access to this proxy

    http_access deny all

    and then I chose "Proxy-basic" authentication in dansguardian,
    referring to your tip's steps 18 to 21,
    then added an LDAP like this:

    hostname=jian.com
    dc=jian,dc=com
    cn=squid,ou=Users
    password=Admin@8888
    mask=User

    the squid account is in ou=users, group=users (built in)

    make a group in dansguardian named "users"

    after I do this, the Users tab won't update the user list

    if you know why please tell me, thanks.



  • Hi all,

    I'm running pfsense 2.0.3 and now I'm stuck at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL

    Getting the following error: /usr/local/bin/kinit: Exec format error. Binary file not executable.

    The file kinit is executable though (-r-xr-xr-x ). Could this be because i'm on 2.0.3?

    thanks,
    Jeroen



  • @jbrandligt:

    I'm running pfsense 2.0.3 and now I'm stuck at step 13: /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL

    Never mind, installed amd64 instead of i386 packages…. (face palm)



  • Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact it's enabled… at least there are no usernames showing up in the logs.
    I presume there is nothing other than the proxy address to set on the clients? It seems to be the same with Windows XP, IE8 and Chrome as it is on Windows 7, IE9, Chrome. No usernames.



  • @LokisMischief:

    Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact it's enabled… at least there are no usernames showing up in the logs.

    +1

    Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?



  • A few thoughts:
    - What do the squid logs show?
    - Did you check group ownership of /var/db/samba/winbindd_privileged?
    - What do wbinfo -t and wbinfo -u show?

    @jbrandligt:

    Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?



  • @jbrandligt:

    Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
    I had the problem with the users not appearing in users, which also showed from errors when running

    php /usr/local/www/dansguardian_ldap.php
    

    I fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.



  • @OliverH:

    I fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.

    I had to do this too, I do have my users showing up in the Users tab. As far as wbinfo -u, -t and -g, they all work.

    Squid doesn't show any users either.

    As for /var/db/samba/winbindd_privileged I have user root, group proxy.

    Any more ideas? I'm half wondering if it's the clients rather than the proxy, but if others are having the same issue I suspect it's not going to be one of our group policies.

    UPDATE:

    Right, I have just wiresharked an HTTP request and we are not getting any authorisation challenge, so the proxy isn't even requesting NTLM auth. This takes us straight back to dansguardian.

    I have flipped it over to identd and that works, it seems it's just the ntlm auth plugin, however not all our clients have identd installed so it can leave a 5 minute lag or so while it times out.

    UPDATE2:

    I think I may have solved it….

    This works on one line now so you can ignore the following... Not sure why it didn't work before but it does now!
    In the squid config -> custom settings -> integrations, it's one long line. Squid doesn't seem to be reading this line (I suspect it's treating the ; as a comment??) but remove all the semicolons and put each part on a new line like this:

    acl_uses_indirect_client on
    follow_x_forwarded_for allow localhost
    auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 10
    auth_param ntlm keep_alive on
    acl password proxy_auth REQUIRED
    http_access allow password
    

    At least now I have usernames showing up!

    I'm using Windows Server 2008R2 with a 2008 domain level, mixed XP and Win 7 clients.

    Oh and one more tip: using the text editor in pfsense and copy/pasting text in can produce some very interesting issues, such as the hyphens changing to other characters (though they look fine on the web page, running vi/cat/less you can see the different encoding).
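The troubleshooting in this post and the earlier ones boils down to three states a client can be in: never challenged (no 407 at all, so the acl/http_access side is wrong or the client is not using the proxy), challenged but never authenticated (407s but the user field stays "-", so the ntlm_auth/winbind side or the client's domain membership is the problem), or working (a username in the user field). The script below encodes that triage over Squid-native-format log lines; it is an added example, not code from this thread or from pfSense, and it assumes the native format that Squid's own access.log and dansguardian's "Squid log file format" option produce (time, elapsed, client, action/code, bytes, method, URL, user, hierarchy/peer, type). The sample lines are constructed.

```python
"""Triage NTLM single sign-on from Squid-native-format access log lines.

Squid's native access.log format (also what the guide selects for
dansguardian's log) is:
    time elapsed client action/code bytes method url user hierarchy/peer type
A client that never sees an HTTP 407 was never challenged; one that sees
407s but never logs a username is challenged but the helper side never
completes (or the client is not on the domain); only a client with a
username in the user field is actually being single-signed-on.
"""
from collections import defaultdict


def parse_line(line):
    """Parse one Squid-native log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 9:
        return None
    action, _, code = parts[3].partition("/")
    return {
        "client": parts[2],
        "action": action,
        "code": int(code) if code.isdigit() else None,
        "url": parts[6],
        "user": parts[7],          # "-" when Squid had no credentials
    }


def summarize(lines):
    """Per-client counters: requests, 407 challenges, authenticated requests, users."""
    stats = defaultdict(lambda: {"requests": 0, "challenges": 0,
                                 "authenticated": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["requests"] += 1
        if rec["code"] == 407:
            s["challenges"] += 1
        if rec["user"] != "-":
            s["authenticated"] += 1
            s["users"].add(rec["user"])
    return dict(stats)


def diagnose(stats):
    """Map each client to 'ok' or to the layer that most likely broke."""
    verdicts = {}
    for client, s in stats.items():
        if s["authenticated"]:
            verdicts[client] = "ok"
        elif s["challenges"]:
            verdicts[client] = ("challenged but never authenticated: check the helper side "
                                "(wbinfo -t, group ownership of winbindd_privileged) "
                                "or whether the client is domain-joined")
        else:
            verdicts[client] = ("never challenged: no 407 was sent, so check the acl/"
                                "http_access directives and that the client really "
                                "points at the proxy")
    return verdicts


# Constructed sample log (not from the thread).  NTLM takes two 407 round
# trips (empty -> type 1 -> type 2 challenge -> type 3), hence two per client.
SAMPLE_LOG = """\
1364227200.101     12 192.168.1.50 TCP_DENIED/407 3847 GET http://www.example.com/ - NONE/- text/html
1364227200.140      8 192.168.1.50 TCP_DENIED/407 3847 GET http://www.example.com/ - NONE/- text/html
1364227200.312    230 192.168.1.50 TCP_MISS/200 14823 GET http://www.example.com/ jdoe DIRECT/93.184.216.34 text/html
1364227201.005     10 192.168.1.51 TCP_DENIED/407 3847 GET http://www.example.com/ - NONE/- text/html
1364227201.040      9 192.168.1.51 TCP_DENIED/407 3847 GET http://www.example.com/ - NONE/- text/html
1364227202.500    180 192.168.1.52 TCP_MISS/200 14823 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for client, verdict in sorted(diagnose(stats).items()):
        print(client, stats[client]["challenges"], sorted(stats[client]["users"]), verdict)
```

Feed it the real file (`tail -n 2000 /var/log/dansguardian/access.log`, or Squid's own log if you want to see the 407s Squid emitted before dansguardian relayed them) and look at the verdict per client IP rather than at individual lines; a single "ok" client alongside "never challenged" ones points at client-side proxy settings, while all clients "challenged but never authenticated" points at winbind.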



  • Hi wheelz,
    when you complete the config and access the internet,
    do you have to input a username and password?
    Or is authentication automatic?

    If it's automatic, does Firefox support NTLM?



  • @gdy1039:

    when you complete the config and access the internet, do you have to input a username and password? Or is authentication automatic?

    This is SSO using NTLM so its automatic, taking the logged in user name for authentication. No need to enter username or password. Users in the required groups are pulled from active directory.
    Of course if the machine isn't part of the domain, and the user logged in doesn't exist on the domain it will ask.

    @gdy1039:

    If it's automatic, does Firefox support NTLM?

    I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!



  • I can confirm that 99% of the time Firefox authenticates silently with this setup without any about:config changes.
    I am experiencing an issue where at random times users get hit with an authentication popup. They can just hit escape and authentication proceeds as normal, however it is causing annoyance.
    Not sure if this is a bug or something I did wrong in my setup..
    @LokisMischief:

    I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!



  • Cheers dig, that's good to know!



  • @dig1234:

    I am experiencing an issue where at random times user get hit with an authentication popup. They can just hit escape and authentication proceeds as normal, however it is causing annoyance.

    Usually, those pop-up requests are caused by ads/ad-media on a page that don't "inherit" the page's authentication; usually you'll then see an "error page" inside an ad area of the page. If you are blocking most ads before pages are served, you'll rarely see it.

    Firefox does support NTLM. We've been using it on our domain against a MS ISA server firewall for years.