Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
Well, I have got dansguardian working, group loaded from server 2008 R2, however dansguardian isn't using ntlm despite the fact its enabled… at least there are no usernames showing up in the logs.
I presume there is nothing other than the proxy address to set on the clients? seems to be the same with windows xp, ie8 and corme as it is on windows 7, IE9, chrome. No usernames.+1
Also, in the Users tab, the Dansguardian group(s) isn't populated with users from my 2008R2 AD. Any thoughts on this?
I had the problem with the users not appearing in users, which also showed from errors when running
php /usr/local/www/dansguardian_ldap.phpI fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.
-
I had the problem with the users not appearing in users, which also showed from errors when running
php /usr/local/www/dansguardian_ldap.phpI fixed the issue by changing the username in DansGuardian LDAP settings to the user@domain.local format and re running the php code.
I had to do this too, I do have my users showing up in the users tab. As far as wbinfo -u, -t and -g, they all work.
Squid, doesn't show any users either.
as for /var/db/samba/winbindd_privileged I have user root, group proxy.
any more ideas? Im half wondering if its not the clients rather than the proxy. but if others are having the same issue i suspect its not going to be one of our group policies.
UPDATE:
Right, I have just wiresharked a http request and we are not getting any authorisation challange, so the proxy isn't even requesting ntlm auth. This takes us straight back to dansguardian.
I have flipped it over to identd and that works, it seems its just the ntlm auth plugin, however not all our clients have identd installed so it can leave a 5minute lag or so while it times out.
UPDATE2:
I think I may have solved it….
This works on one line now so you can ignore the following... Not sure why it didn't work before but it does now!
In the squid config -> custom settings -> integration's, its one long line. Squid doesn't seem to be reading this line (i suspect its thinking the ; is a comment??) but remove all the semi colons and but each part on a new line like this:acl_uses_indirect_client on follow_x_forwarded_for allow localhost auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 10 auth_param ntlm keep_alive on acl password proxy_auth REQUIRED http_access allow passwordAt least now I have usernames showing up!
I'm using Windows Server 2008R2 with a 2008 domian level, mixed xp and win 7 clients.
Oh and one more tip, using the text editor in pfsense and copy / pasting text in can provide some very interesting issues, such as the hyphens changing to other characters. (though they look fine on the webpage, running vi/cat/less you can see the different encoding.
-
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.if it's auto complete, does firefox support NTLM?
-
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.This is SSO using NTLM so its automatic, taking the logged in user name for authentication. No need to enter username or password. Users in the required groups are pulled from active directory.
Of course if the machine isn't part of the domain, and the user logged in doesn't exist on the domain it will ask.if it's auto complete, does firefox support NTLM?
I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
-
I can confirm that 99% of the time firefox authenticates silently with this setup without any about:config changes.
I am experiencing an issue where at random times user get hit with an authentication popup. They can just hit escape and authentication proceeds as normal, however it is causing annoyance.
Not sure if this is a bug or something I did wrong in my setup..
@LokisMischief:I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
-
Cheers dig, that's good to know!
-
I can confirm that 99% of the time firefox authenticates silently with this setup without any about:config changes.
I am experiencing an issue where at random times user get hit with an authentication popup. They can just hit escape and authentication proceeds as normal, however it is causing annoyance.
Not sure if this is a bug or something I did wrong in my setup..
@LokisMischief:I believe firefox does now support NTLM, however I think it has to be enabled in about:config from memory, though I stand to be corrected here!
Usually, those pop-up requests are caused by ads/ad-media on a page that don't "inherit" the page's authentication; usually you'll then see an "error page" inside an ad area of the page. If you are blocking most ads before pages are served, you'll rarely see it.
Firefox does support NTLM. We've been using it on our domain against a MS ISA server firewall for years.
-
q1:
HI all,when I success to NTLM authencation with AD,
I try to login with a local Account instead of AD account,and access internet.
the IE will prompt me input loginWINXP SP3 + IE6 + FIREFOX20+ WIN2003 AD
my domain is jian.comI input "gdy@jian.com" or "jian\gdy" to login
it alway prompt fail to authencation.can I do something to access internet success?
q2:what's the different between kerberos and ntlm authentication? both of that are support in both win2003 and win2008?
thanks
-
I am in pfsense 2.0.2
after I runpkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
I run smbd or winbindd it wil prompt
Exec format error. Binary file not executable.
-
I am in pfsense 2.0.2
after I runpkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
I run smbd or winbindd it wil prompt
Exec format error. Binary file not executable.
The earlier answer on page 1 from Wheelz should fix this
I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tired it. Let me know if that works and I'll edit the original post to include that.
For the fetch commands I could not find those same files in a non-amd64 area. Perhaps marcelloc would know where the x86 version of those files could be downloaded from?[\quote]
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
Well, I can only tell you how i have done it. I have a WSUS server which downloads from windows update using port 80. in my firewall I have the WSUS machine allowed to access the internet unfiltered (using port 80) (though in theory it can use 8080 as computers are part of the domain so will authenticate too). But if your domain isn't big enough to need an wsus server then i'm not sure the best way to do that… I was toying with enabling ip and ntlm (with ip first) to allow specific computers... but not sure how that would work with a workstation vs server.
-
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
with proxy pac/wpad you can do that. You put on your script that these sites do not pass on proxy or go direct to squid port.
-
Windows update refuses to authenticate with NTLM, only kerberos. What you need to do is tell squid to allow those domains through without asking for authentication. You must place these ACLS before the authentication acls. Here is a list of the domains:
http://wiki.squid-cache.org/SquidFaq/WindowsUpdateYou would also need to whitelist in dansguardian so that it doesn't block based on the lack of authentication. (I currently am running this single-sign-on setup w/o dansguardian so I can't tell you exactly where to whitelist in dans).
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
-
Hi all, unfortunately I had to step away from this project of mine for a while (work, family… craziness). Anyway I checked in on this thread and see that it is very active so I thought I'd respond to some things.
I went to edit the original post so I could add in the x86 paths for step 13 but my edit button is gone. Anyone know why that would be?
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
I have not but I am interested to know how some of these other auth plugins work (or if they even do).
Working very good. Thank you!
Did anyone tried https://ip:port ? I allowed this and it is logged as exception but it is not working.
Any idea?
I'm not sure what you mean on this. I was able to use https with any name/IP. If you use a different port then it won't use the proxy if firewall rules allow it. You could use a NAT port forward to make it go through the proxy but then again until MITM is implemented dansguardian can't really filter on HTTPS anyway.
Also regarding the SuppressExtendedProtection, That is interesting. I did not run into that issue on my Win 7 SP1 machines. I did not try authenticating from a server 2008 r2 machine though.
Odd, I didn't run into this… I did my testing in both Windows 7 SP1 and Windows 2008 R2 SP1.
Just wanted to say thank you so much the guide worked perfectly and only needed tweaking to download the correct packages for i386!
Has anyone got this working on a domain with 2008 function level?
No problem, I had to do the work anyway for me so I figured why not share? I used a 2008 R2 functional level in my testing.
HI,wheelz
when you complete config,and access internet.
do you have to input username and password?
or auto authentication.if it's auto complete, does firefox support NTLM?
It is auto authentication (single sign on or SSO). I used firefox during my testing so it does work. There are some tweaks you can do in the about:config as others have suggested if needed.
Can anyone think of a way to whitelist sites so access to them would not require authentication? I'm looking for a way to have windows updates etc pass through the or completely avoid the proxy.
I have tried adding the sites to both Squid and DansGuardian whitelists but it appears the requests are being passed form a system user therefore getting dumped at the authentication stage and not even hitting the whitelist / blacklist filtering stage. Any reply would be greatly appreciated because this is the last problem I need fixed before I deploy this in prod.
If you want to completely avoid the proxy for this, then I'd go with marcelloc's advice by using pac/wpad script. If you don't want to mess with the script then dig1234 method may be easier. In dansguardian you would just add the domains from his link to the ACLs -> Site Lists -> Exception List. I'm not sure if you'd also have to add it to the squid exception as well so it isn't even cached.
… I was toying with enabling ip and ntlm (with ip first) to allow specific computers... but not sure how that would work with a workstation vs server.
I really want to do this as well but I haven't had a chance to test it. For me it is for tablet/phones that cannot authenticate to AD. Please let me know the results if anyone tries this and I'll do the same.
-
Hi, First I'd like to say thanks for posting these instructions they've been a wonderful help (we probably wouldn't have anything running like this without this information)
I've not got much experience with setting up a proxy but I've followed these instructions and for 99% of the sites we visit work fine, but some don't load correctly first time.
I noticed on the squid logs that for some sites (Even ones that do seem to load correctly) squid looks like its returning status code 407, I don't know if this is normal or something to do with the problem i've been having and if I've missed something out on the setup (although I've been through it several times and everything else is working perfectly).Facebook loads okay but the squid access log shows status code 407. (I've changed the username of this user to user in these logs)
Squid access log - http://pastebin.com/Zf6Um8Kw
Dansguardian Access Log http://pastebin.com/XhJPPVU5if anyone can give me some pointers for figuring out what is causing this I'd appreciate it
-
Some additional information to the new squid package: The described way works for the new package!
@OliverH: Yes, Server 2008R2 with 2008 function level is working!
Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?
I have not but I am interested to know how some of these other auth plugins work (or if they even do).
Do you mean "ntlm_smb_lm_auth"? Did not work for me. There was some key exchange between dc and squid (so the connection was succesfully established) but no successfull authentication.
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
You created the computer account in AD before you did the join, correct? I would try a reboot as well. I haven't run into this so other than that I would just suggest rechecking that all the steps were completed and that your config files are correct.
-
I'm getting stuck on:
16. In SSH run commands to test:
a. wbinfo -t (This should return that it succeeded)
b. wbinfo -u (This should return a list of users in the domain)wbinfo -t returns checking the trust secret for domain FINFIT via RPC calls succeeded
but wbinfo -u returns no users. Still same result if i restart samba.
Any ideas?
First of all, thanks to the OP and all the others who contributed to make it work.
I ran into the same problem as well. I think that's because in my test environment, my domain name and pre-windows 2000 domain name are different.
After changing the default_domain = mydomain (to pre-windows 2000 domain name) in /etc/krb5.conf, I'm getting the user list correctly.
I hope it helps.
Cheers
