Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
q1:
HI all,when I success to NTLM authencation with AD,
I try to login with a local Account instead of AD account,and access internet.
the IE will prompt me input loginWINXP SP3 + IE6 + FIREFOX20+ WIN2003 AD
my domain is jian.comI input "gdy@jian.com" or "jian\gdy" to login
it alway prompt fail to authencation.can I do something to access internet success?
q2:what's the different between kerberos and ntlm authentication? both of that are support in both win2003 and win2008?
thanks
-
I am in pfsense 2.0.2
after I runpkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
I run smbd or winbindd it wil prompt
Exec format error. Binary file not executable.
-
I am in pfsense 2.0.2
after I runpkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
I run smbd or winbindd it wil prompt
Exec format error. Binary file not executable.
The earlier answer on page 1 from Wheelz should fix this
I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tired it. Let me know if that works and I'll edit the original post to include that.
For the fetch commands I could not find those same files in a non-amd64 area. Perhaps marcelloc would know where the x86 version of those files could be downloaded from?[\quote]
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
Well, I can only tell you how i have done it. I have a WSUS server which downloads from windows update using port 80. in my firewall I have the WSUS machine allowed to access the internet unfiltered (using port 80) (though in theory it can use 8080 as computers are part of the domain so will authenticate too). But if your domain isn't big enough to need an wsus server then i'm not sure the best way to do that… I was toying with enabling ip and ntlm (with ip first) to allow specific computers... but not sure how that would work with a workstation vs server.
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
with proxy pac/wpad you can do that. You put on your script that these sites do not pass on proxy or go direct to squid port.
-
Windows update refuses to authenticate with NTLM, only kerberos. What you need to do is tell squid to allow those domains through without asking for authentication. You must place these ACLS before the authentication acls. Here is a list of the domains:
http://wiki.squid-cache.org/SquidFaq/WindowsUpdateYou would also need to whitelist in dansguardian so that it doesn't block based on the lack of authentication. (I currently am running this single-sign-on setup w/o dansguardian so I can't tell you exactly where to whitelist in dans).
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
-
Hi all, unfortunately I had to step away from this project of mine for a while (work, family… craziness). Anyway I checked in on this thread and see that it is very active so I thought I'd respond to some things.
I went to edit the original post so I could add in the x86 paths for step 13 but my edit button is gone. Anyone know why that would be?
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
I have not but I am interested to know how some of these other auth plugins work (or if they even do).
Working very good. Thank you!
Did anyone tried https://ip:port ? I allowed this and it is logged as exception but it is not working.
Any idea?
I'm not sure what you mean on this. I was able to use https with any name/IP. If you use a different port then it won't use the proxy if firewall rules allow it. You could use a NAT port forward to make it go through the proxy but then again until MITM is implemented dansguardian can't really filter on HTTPS anyway.
Also regarding the SuppressExtendedProtection, That is interesting. I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.
Odd, I didn't run into this… I did my testing in both Windows 7 SP1 and Windows 2008 R2 SP1.
Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!
Has anyone got this working on a domain with 2008 function level?
No problem, I had to do the work anyway for me so I figured why not share? I used a 2008 R2 functional level in my testing.
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.if it's auto complete, does firefox support NTLM?
It is auto authentication (single sign on or SSO). I used firefox during my testing so it does work. There are some tweaks you can do in the about:config as others have suggested if needed.
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
If you want to completely avoid the proxy for this, then I'd go with marcelloc's advice by using pac/wpad script. If you don't want to mess with the script then dig1234 method may be easier. In dansguardian you would just add the domains from his link to the ACLs -> Site Lists -> Exception List. I'm not sure if you'd also have to add it to the squid exception as well so it isn't even cached.
… I was toying with enabling ip and ntlm (with ip first) to allow specific computers... but not sure how that would work with a workstation vs server.
I really want to do this as well but I haven't had a chance to test it. For me it is for tablet/phones that cannot authenticate to AD. Please let me know the results if anyone tries this and I'll do the same.
-
Hi, First I'd like to say thanks for posting these instructions they've been a wonderful help (we probably wouldn't have anything running like this without this information)
I've not got much experience with setting up a proxy but I've followed these instructions and for 99% of the sites we visit work fine, but some don't load correctly first time.
I noticed on the squid logs that for some sites (Even ones that do seem to load correctly) squid looks like its returning status code 407, I don't know if this is normal or something to do with the problem i've been having and if I've missed something out on the setup (although I've been through it several times and everything else is working perfectly).Facebook loads okay but the squid access log shows status code 407. (I've changed the username of this user to user in these logs)
Squid access log - http://pastebin.com/Zf6Um8Kw
Dansguardian Access Log http://pastebin.com/XhJPPVU5if anyone can give me some pointers for figuring out what is causing this I'd appreciate it
-
Some additional information to the new squid package: The described way works for the new package!
@OliverH: Yes, Server 2008R2 with 2008 function level is working!
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
I have not but I am interested to know how some of these other auth plugins work (or if they even do).
Do you mean "ntlm_smb_lm_auth"? Did not work for me. There was some key exchange between dc and squid (so the connection was succesfully established) but no successfull authentication.
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
You created the computer account in AD before you did the join, correct? I would try a reboot as well. I haven't run into this so other than that I would just suggest rechecking that all the steps were completed and that your config files are correct.
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
First of all, thanks to the OP and all the others who contributed to make it work.
I ran into the same problem as well. I think that's because in my test environment, my domain name and pre-windows 2000 domain name are different.
After changing the default_domain = mydomain (to pre-windows 2000 domain name) in /etc/krb5.conf, I'm getting the user list correctly.
I hope it helps.
Cheers
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
If you want to completely avoid the proxy for this, then I'd go with marcelloc's advice by using pac/wpad script. If you don't want to mess with the script then dig1234 method may be easier. In dansguardian you would just add the domains from his link to the ACLs -> Site Lists -> Exception List. I'm not sure if you'd also have to add it to the squid exception as well so it isn't even cached.
We have tried using execptions in Dans and Squid.. to no avial… At least for like Outlook Icloud and Hotmail hooks.. Hotmail fails and Icloud asks for authentication?? Any ideas?
-
At the top of your custom integrations box add the following: http_access allow whitelist;
The problem is the squid whitelist is allowed after the Custom Integration settings so the authentication kicks in before the whitelist, that line forces it to allow first.
-
Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?
-
At the top of your custom integrations box add the following: http_access allow whitelist;
The problem is the squid whitelist is allowed after the Custom Integration settings so the authentication kicks in before the whitelist, that line forces it to allow first.
Thanks…......................... That worked perfectly..
-
Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?
We had issues at first you might try..
The option in the pfSense GUI is in Services > Proxy Server > General > Resolv dns v4 first
This worked for us.. -
Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?
We had issues at first you might try..
The option in the pfSense GUI is in Services > Proxy Server > General > Resolv dns v4 first
This worked for us..perycii I could kiss you. That's worked perfectly.
-
Hi Guys, i got a problem when running the command wbinfo -t and -u, what could be the problem?
wbinfo -t
/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8" -
Just to report back my experience with this was that I could never completely prevent users from getting the annoying authentication popup. Most of the time silent authentication works great but randomly users get popups and sometimes many repeated popups really driving them crazy. I suspect the issue is with poorly designed NTLM protocol and browser implementation bugs. I was unable to get a working Kerberos installation on pfsense so I ended up moving Squid to a windows box. The native kerberos authentication in Squid 2.7 for Windows works flawlessly and requires no configuration. Kerberos seems to be a much better solution than NTLM for single sign on proxy authentication. If Kerberos ever comes to pfsense I would try again but at this point all my Squid's are on windows servers for this reason…
-
Hi Guys, i got a problem when running the command wbinfo -t and -u, what could be the problem?
wbinfo -t
/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8"I haven't seen that file requirement. Double check your configuration files are set correctly. I could be wrong but I don't think it should be using ldap with the configuration I documented.
-
Just to report back my experience with this was that I could never completely prevent users from getting the annoying authentication popup. Most of the time silent authentication works great but randomly users get popups and sometimes many repeated popups really driving them crazy. I suspect the issue is with poorly designed NTLM protocol and browser implementation bugs. I was unable to get a working Kerberos installation on pfsense so I ended up moving Squid to a windows box. The native kerberos authentication in Squid 2.7 for Windows works flawlessly and requires no configuration. Kerberos seems to be a much better solution than NTLM for single sign on proxy authentication. If Kerberos ever comes to pfsense I would try again but at this point all my Squid's are on windows servers for this reason…
What clients and browsers were you using? I've tested on Windows XP/7/8 with various IE and firefox versions without getting the prompts at all.
-
Firefox/IE mostly xp some 7. Had same issue in multiple AD environments.
-
Hi,wheelz
I'd successfully to build pfsense as you show us. It's work perfectly. But I got a problem that is i can not using application such as gtalk, office 2013 to using proxy. The auth is failed and squid told me 407 denied. Is that a way to slove the problems ? -
Hi! Wheelz
First of all thanks for such a great post!! I have followed your steps but I am stuck with the below error which is not starting squid:
php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was 'FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 97: acl_uses_indirect_client on;follow_x_forwarded_for allow localhost;auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 10;auth_param ntlm keep_alive on;acl password proxy_auth REQUIRED;http_access allow password Squid Cache (Version 3.3.8): Terminated abnormally. CPU Usage: 0.010 seconds = 0.000 user + 0.010 sys Maximum Resident Size: 31904 KB Page faults with physical i/o: 0'
What I have to achieve is this:
To pass all users through non-transparent squid proxy using wpad/ pac file authenticating transparently SSO via NTLM using Samba 4 AD Domain Controller with squidgaurd web content filtering.
ALL computers joined to a domain must authenticate to squid using SSO passing through squidgaurd web content filtering to Internet.
Please help to achieve the same.
Thanks
Harsh Kukreja
Email: harshkukreja2008@gmail.com
-
hello all.
thx for this great post.I got some questions. about groups.
I dont understand how to use multiply groups.
for example I got soc_group and nosoc_group
soc_group can go to yahoo.com
nosoc_group - can't do that.the second problem.
i defined non default group and it block users not in OU 110 and group rdp_110 it writes that user banned, but users inside this group (rdp_110) can use all sites((((and the second question.
what about reports? I need report with username - but not IP -
This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsN -
This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsNIs that you make the gtalk like application working well ? I got some problems. All browser is okay.
-
Can you provide some details on how you implemented this. In many situations SquidGuard is sufficient and easier to manage than dansguardian.
This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsN -
GREAT !
I'm really interesting with your configuration.
Could you tell us what minor changes did you make ?This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsN -
This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsNHi, my friends , I found that dansguardian is not working well when many person online using dansguardian as proxy. So i switch to squidguard. But i 'm not successfully to using ldap to auth squidguard against AD. Could help me to show how you configure it ?
Thank you very much! -
Hello Community,
Many thanks to wheelz for that strange ;D and cool workarround. Its working very very well, with some corrections ;-)
First of oll:
Im working as a Sysadmin in several schools (high- and professionalschool) in South Tirol.
Such a long time ago, I am interesting in Linux/Unix products to protect my networks or also only to test some cool stuff, thats not possible f.e. with windows :P. But now i am having trouble with things that exactly this post deals with and were im now stucking just some weeks. The general problem is, that the windows firewall product (known as ISA/TMG) will no longer suported in the future. Therefore i want to try to setup somthing similar with a Linux/Unix System.
How i have allready said, this workarround is working pretty well, the only thing i need to correct is:- 12. d) smb.conf –> insert there the command: winbind cache time = 60
idmap uid = 10000 - 20000 (enable for testing)
idmap gid = 10000 - 20000 (enable for testing) - 17.) the Quote which must be inserted in the "Custom settings section" in the General tab of the Proxy is right and works, but only of you write it directly with the vi in the shell into the squid.conf (/usr/pbi/squid-i386/etc/squid/squid.conf) otherwise, some characters disappear ;-)
- 20. b.iii) the username must be in this format to work properly: username@domain.local
Now my problem: With the Microsoft ISA/TMG i can configure, that for example users(Students and Teachers, in my case), that are member of the Group "Internet" (created under Users.domain.local) can access the Internet. If they are not member of this group, they can never access the internet. Therefore i have allready written a tool (little .exe file), which with I or the teachers can put the students to this group (if they need the Inet during there lession) and after the lession the teachers put them away from the group Internet.
Now i am stucking to realize this with my pfsense box. I have googled now some weeks but I wasn't able to configure this (i just have had some nightmares about this problem and now I am at the point to go totaly insane). I tried to ad the squid_ldap_group feature (which is working with my Server 2008 R2, when i try it manualy in the shell) with the appropriate acl's (i dont now if they configured in the right way because the search results are quite confusing and are also conflicting themselves). I also tried IPFire but its always the same, im not able to configure it in this way, that when the users are member of this group, they can access to the Inet.
Maybe someone can give me a hint ore some good document were I can work further.Kind regards and merry merry Christmas to everyone!!
- 12. d) smb.conf –> insert there the command: winbind cache time = 60
-
Hi all,
first of all, thank you again for the wonderful work.I configured everything without problems on pfsense 2.0.3 and it's fine.
It works with 2.1?
Someone is using it? -
I am on version 2.1 and am using it fine. I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.
-
Loaded the upgrade because of the openssl scare..
Dans now at 2.12.0.3_2 pkg v.0.1.8
Says no file /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
So i loaded one from another box..
now says
auth_plugin_load() returned NULL pointer with config file: /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
Any ideas?
THX -
Have 3 boxes running this configuration.. Works great except… after heavy usage from 75 users.. The box goes to a crawl..
We are using
ESXI 5.1
all boxes up to date.
packages
Dansgaurdian
Shellcmd
Squid3
sarg2 of 3 have separate virtual drives for the cache,logs, and sarg... sym linked ..
the 3rd has a 40G drive..
All do the same thing.
during peak hours they get real slow...
Only way seems to work is pair two together on the domain dns..
ie two entries for proxy.here.pvt one x.x.x.x and one y.y.y.yAm going to try 2 real boxes.. but having a hard time trouble shooting the slowness...
Restarting squid seems to help...tried setting
squid cache file system to aufs seems no change
vfs.read_max=32 to vfs.read_max=128 in System -> Advanced -> Sytem Tunables no change??any ideas..
-
Look for squid tweak on freebsd and set it on system tunable.
What max client value are you using on dansguardian?
-
Look for squid tweak on freebsd and set it on system tunable.
What max client value are you using on dansguardian?
Ok this may be it.. But where is the max client value set? In the GUI.. Is this the Min/Max children?
-
Look for squid tweak on freebsd and set it on system tunable.
What max client value are you using on dansguardian?
Ok this may be it.. But where is the max client value set? In the GUI.. Is this the Min/Max children?
Ok I had the client IP's default which should be 0 So I set it to 0 I also set min maxchildren 32/180 the spare to 8/64 and age set to 10000 will see if that helps…
THX for heading me in a better direction..