Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?
We had issues at first you might try..
The option in the pfSense GUI is in Services > Proxy Server > General > Resolv dns v4 first
This worked for us.. -
Alright everything is working but when I test with a browser I get a page cannot be displayed error the first time and then after a refresh the page loads. Anybody else having this issue?
We had issues at first you might try..
The option in the pfSense GUI is in Services > Proxy Server > General > Resolv dns v4 first
This worked for us..perycii I could kiss you. That's worked perfectly.
-
Hi Guys, i got a problem when running the command wbinfo -t and -u, what could be the problem?
wbinfo -t
/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8" -
Just to report back my experience with this was that I could never completely prevent users from getting the annoying authentication popup. Most of the time silent authentication works great but randomly users get popups and sometimes many repeated popups really driving them crazy. I suspect the issue is with poorly designed NTLM protocol and browser implementation bugs. I was unable to get a working Kerberos installation on pfsense so I ended up moving Squid to a windows box. The native kerberos authentication in Squid 2.7 for Windows works flawlessly and requires no configuration. Kerberos seems to be a much better solution than NTLM for single sign on proxy authentication. If Kerberos ever comes to pfsense I would try again but at this point all my Squid's are on windows servers for this reason…
-
Hi Guys, i got a problem when running the command wbinfo -t and -u, what could be the problem?
wbinfo -t
/libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8"I haven't seen that file requirement. Double check your configuration files are set correctly. I could be wrong but I don't think it should be using ldap with the configuration I documented.
-
Just to report back my experience with this was that I could never completely prevent users from getting the annoying authentication popup. Most of the time silent authentication works great but randomly users get popups and sometimes many repeated popups really driving them crazy. I suspect the issue is with poorly designed NTLM protocol and browser implementation bugs. I was unable to get a working Kerberos installation on pfsense so I ended up moving Squid to a windows box. The native kerberos authentication in Squid 2.7 for Windows works flawlessly and requires no configuration. Kerberos seems to be a much better solution than NTLM for single sign on proxy authentication. If Kerberos ever comes to pfsense I would try again but at this point all my Squid's are on windows servers for this reason…
What clients and browsers were you using? I've tested on Windows XP/7/8 with various IE and firefox versions without getting the prompts at all.
-
Firefox/IE mostly xp some 7. Had same issue in multiple AD environments.
-
Hi,wheelz
I'd successfully to build pfsense as you show us. It's work perfectly. But I got a problem that is i can not using application such as gtalk, office 2013 to using proxy. The auth is failed and squid told me 407 denied. Is that a way to slove the problems ? -
Hi! Wheelz
First of all thanks for such a great post!! I have followed your steps but I am stuck with the below error which is not starting squid:
php: /status_services.php: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was 'FATAL: Bungled /usr/pbi/squid-i386/etc/squid/squid.conf line 97: acl_uses_indirect_client on;follow_x_forwarded_for allow localhost;auth_param ntlm program /usr/local/bin/ntlm_auth –use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 10;auth_param ntlm keep_alive on;acl password proxy_auth REQUIRED;http_access allow password Squid Cache (Version 3.3.8): Terminated abnormally. CPU Usage: 0.010 seconds = 0.000 user + 0.010 sys Maximum Resident Size: 31904 KB Page faults with physical i/o: 0'
What I have to achieve is this:
To pass all users through non-transparent squid proxy using wpad/ pac file authenticating transparently SSO via NTLM using Samba 4 AD Domain Controller with squidgaurd web content filtering.
ALL computers joined to a domain must authenticate to squid using SSO passing through squidgaurd web content filtering to Internet.
Please help to achieve the same.
Thanks
Harsh Kukreja
Email: harshkukreja2008@gmail.com
-
hello all.
thx for this great post.I got some questions. about groups.
I dont understand how to use multiply groups.
for example I got soc_group and nosoc_group
soc_group can go to yahoo.com
nosoc_group - can't do that.the second problem.
i defined non default group and it block users not in OU 110 and group rdp_110 it writes that user banned, but users inside this group (rdp_110) can use all sites((((and the second question.
what about reports? I need report with username - but not IP -
This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsN -
This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsNIs that you make the gtalk like application working well ? I got some problems. All browser is okay.
-
Can you provide some details on how you implemented this. In many situations SquidGuard is sufficient and easier to manage than dansguardian.
This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsN -
GREAT !
I'm really interesting with your configuration.
Could you tell us what minor changes did you make ?This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsN -
This works for SquidGaurd too with minor changes… Good Work..
I was able to configure pfSense + Squid3 + SquidGaurd3 + Active Directory with Single SignOn (SSO).
thanks
KsNHi, my friends , I found that dansguardian is not working well when many person online using dansguardian as proxy. So i switch to squidguard. But i 'm not successfully to using ldap to auth squidguard against AD. Could help me to show how you configure it ?
Thank you very much! -
Hello Community,
Many thanks to wheelz for that strange ;D and cool workarround. Its working very very well, with some corrections ;-)
First of oll:
Im working as a Sysadmin in several schools (high- and professionalschool) in South Tirol.
Such a long time ago, I am interesting in Linux/Unix products to protect my networks or also only to test some cool stuff, thats not possible f.e. with windows :P. But now i am having trouble with things that exactly this post deals with and were im now stucking just some weeks. The general problem is, that the windows firewall product (known as ISA/TMG) will no longer suported in the future. Therefore i want to try to setup somthing similar with a Linux/Unix System.
How i have allready said, this workarround is working pretty well, the only thing i need to correct is:- 12. d) smb.conf –> insert there the command: winbind cache time = 60
idmap uid = 10000 - 20000 (enable for testing)
idmap gid = 10000 - 20000 (enable for testing) - 17.) the Quote which must be inserted in the "Custom settings section" in the General tab of the Proxy is right and works, but only of you write it directly with the vi in the shell into the squid.conf (/usr/pbi/squid-i386/etc/squid/squid.conf) otherwise, some characters disappear ;-)
- 20. b.iii) the username must be in this format to work properly: username@domain.local
Now my problem: With the Microsoft ISA/TMG i can configure, that for example users(Students and Teachers, in my case), that are member of the Group "Internet" (created under Users.domain.local) can access the Internet. If they are not member of this group, they can never access the internet. Therefore i have allready written a tool (little .exe file), which with I or the teachers can put the students to this group (if they need the Inet during there lession) and after the lession the teachers put them away from the group Internet.
Now i am stucking to realize this with my pfsense box. I have googled now some weeks but I wasn't able to configure this (i just have had some nightmares about this problem and now I am at the point to go totaly insane). I tried to ad the squid_ldap_group feature (which is working with my Server 2008 R2, when i try it manualy in the shell) with the appropriate acl's (i dont now if they configured in the right way because the search results are quite confusing and are also conflicting themselves). I also tried IPFire but its always the same, im not able to configure it in this way, that when the users are member of this group, they can access to the Inet.
Maybe someone can give me a hint ore some good document were I can work further.Kind regards and merry merry Christmas to everyone!!
- 12. d) smb.conf –> insert there the command: winbind cache time = 60
-
Hi all,
first of all, thank you again for the wonderful work.I configured everything without problems on pfsense 2.0.3 and it's fine.
It works with 2.1?
Someone is using it? -
I am on version 2.1 and am using it fine. I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.
-
Loaded the upgrade because of the openssl scare..
Dans now at 2.12.0.3_2 pkg v.0.1.8
Says no file /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
So i loaded one from another box..
now says
auth_plugin_load() returned NULL pointer with config file: /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
Any ideas?
THX -
Have 3 boxes running this configuration.. Works great except… after heavy usage from 75 users.. The box goes to a crawl..
We are using
ESXI 5.1
all boxes up to date.
packages
Dansgaurdian
Shellcmd
Squid3
sarg2 of 3 have separate virtual drives for the cache,logs, and sarg... sym linked ..
the 3rd has a 40G drive..
All do the same thing.
during peak hours they get real slow...
Only way seems to work is pair two together on the domain dns..
ie two entries for proxy.here.pvt one x.x.x.x and one y.y.y.yAm going to try 2 real boxes.. but having a hard time trouble shooting the slowness...
Restarting squid seems to help...tried setting
squid cache file system to aufs seems no change
vfs.read_max=32 to vfs.read_max=128 in System -> Advanced -> Sytem Tunables no change??any ideas..