Netgate Discussion Forum

    Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!

      wheelz wrote:

      I spent quite a bit of time working on this and so I thought I'd share a step by step on how I got this working as I've seen a lot of people ask about it.  Thanks to marcelloc for all the help.  Much of the information I've pieced together from http://forum.pfsense.org/index.php/topic,43786.0.html and http://forum.pfsense.org/index.php/topic,47532.msg250366.html#msg250366 (after translating it) along with a LOT of trial and error.

      This is a work in progress and there may be improvements to the steps I have to make it more secure or simpler.  I welcome any suggestions.  I just documented the steps in outline form and it does require being familiar with pfsense.  Also I highly recommend getting this set up individually before syncing with pfsync in a CARP scenario.  Also I really needed the squid3 features so I replaced the version included in the dansguardian package.  Here are the steps:

      1. Install the Dansguardian and Shellcmd (you'll need this later) packages
      2. Log in via SSH and run "pkg_delete -f squid-2.7.9_3"
      3. Install the Squid 3 package
      4. Services -> Proxy
        a. General tab
          i. Squid General Settings section -> Proxy interface = loopback
          ii. Logging Settings section
            1. Enabled logging = checked
            2. Log rotate = <set days>
            3. Visible hostname = <hostname>
            4. Administrator email = <admin email>
            5. Disable X-Forward = checked
            6. Disable VIA = checked
            7. Suppress Squid Version = checked
        b. ACLs tab -> Squid Access Control Lists section - add the subnet of a test client to Allowed subnets (only needed during squid testing)
      5. Status -> Services - Restart squid
      6. Services -> Firewall
        a. Rules -> LAN tab - Create a proxy rule to allow TCP port 3128 to the LAN address for testing (will change later)
        b. NAT -> Port Forward tab - Create a proxy port forward from LAN on port 3128 to the loopback adapter (127.0.0.1) for testing
      7. Configure a client to use <server name> port 3128 and test squid access - once squid is confirmed working, continue on
      8. Disable the NAT/firewall rules that were just created (port 3128) as they are no longer needed (you can enable them again later for troubleshooting)
      9. Services -> Dansguardian
        a. Daemon tab
          i. Check Enable Dansguardian
          ii. Listen Interface(s) = loopback
          iii. Parent Proxy Settings section
            1. Proxy IP = 127.0.0.1
            2. Proxy Port = 3128
        b. General tab
          i. Config settings section -> Auth Plugins = none (for testing)
          ii. Misc settings section -> Misc Options - select forwardedfor (off)
        c. Report and log tab -> Logging section -> Log file format = Squid log file format
      10. Services -> Firewall
        a. Rules -> LAN tab - Create a filtered proxy rule to allow TCP port 8080 to the LAN address
        b. NAT -> Port Forward tab - Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1)
      11. Status -> Services - Restart squid and dansguardian
      12. Change the test client to port 8080 and test dansguardian - once it is confirmed working, continue on
      13. Connect via SSH and enter the shell. Then run the following commands to install Samba and Kerberos support:

      pkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/samba36-3.6.3.tbz
      pkg_add http://e-sac.siteseguro.ws/packages/amd64/8/All/heimdal-1.4_1.tbz
      cd /usr/local/lib
      fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libasn1.so.10
      fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libgssapi.so.10
      fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libheimntlm.so.10
      fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libhx509.so.10
      fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libkrb5.so.10
      fetch http://e-sac.siteseguro.ws/pfsense/8/amd64/All/ldd/libroken.so.10

      14. Edit/create the following files using Diagnostics -> Edit file (or your favorite text editor in an SSH session). The examples below assume the following: the AD domain is "mydomain.local" with DCs "mydc1" and "mydc2", the pfsense hostname is "pfproxy01", the LAN interface is "e1000g0", and an AD account with permissions to join a computer to the domain is "myadmin". Where you see these values, change them to match your environment. (Note that you need to match all CAPS where shown - important!!)
        a. /etc/krb5.conf:

      [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/ksadmind.log
      [libdefaults]
      # realm name must match the [realms] entry below exactly (no trailing dot)
      default_realm = MYDOMAIN.LOCAL
      dns_lookup_realm = true
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      forwardable = yes
      # RC4-HMAC is what an AD DC normally negotiates; the DES types are legacy and only matter for DCs that still allow them
      default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
      default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
      preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
      [realms]
      MYDOMAIN.LOCAL = {
      kdc = mydc1.mydomain.local:88
      kdc = mydc2.mydomain.local:88
      admin_server = mydc1.mydomain.local:749
      default_domain = mydomain.local
      }
      [domain_realm]
      .mydomain.local = MYDOMAIN.LOCAL
      mydomain.local = MYDOMAIN.LOCAL
      [kdc]
      profile = /var/heimdal/kdc.conf
      [appdefaults]
      pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
      }

      b.   /var/heimdal/kdc.conf:

      [kdcdefaults]
      acl_file = /var/heimdal/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/heimdal/kadm5.keytab
      v4_mode = noreauth
      [libdefaults]
      default_realm = MYDOMAIN.LOCAL
      [realms]
      MYDOMAIN.LOCAL = {
      master_key_type = des-cbc-crc
      supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
      }

      c.   /var/heimdal/kadm5.acl:

      */*Administrator@MYDOMAIN.LOCAL *

      d. /usr/local/etc/smb.conf:

      [global]
      interfaces = e1000g0
      bind interfaces only = yes
      netbios name = PFPROXY01
      workgroup = MYDOMAIN
      realm = MYDOMAIN.LOCAL
      server string = Domain Proxy Server
      encrypt passwords = yes
      security = ADS
      password server = *
      log level = 3
      log file = /var/log/samba/%m.log
      max log size = 50
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      printcap name = /etc/printcap
      preferred master = No
      dns proxy = No
      ldap ssl = no
      ; idmap uid = 10000-20000
      ; idmap gid = 10000-20000
      winbind use default domain = yes
      winbind enum users = yes
      winbind enum groups = yes
      winbind nested groups = yes
      ; winbind separator =
      client use spnego = yes
      client ntlmv2 auth = yes
      cups options = raw

      e. /etc/rc.conf.local:

      samba_enable="YES"
      winbindd_enable="YES"

      15. In SSH run the following commands, entering the myadmin account password where prompted:

      /usr/local/bin/kinit myadmin@MYDOMAIN.LOCAL      # obtain a Kerberos ticket for the join account
      net ads join -U myadmin@MYDOMAIN.LOCAL           # join pfproxy01 to the domain
      /usr/local/etc/rc.d/samba restart
      chgrp proxy /var/db/samba/winbindd_privileged    # let squid's ntlm_auth (running as user proxy) talk to winbind

      16. Services -> Shellcmd
        a. Add "mkdir /var/run/samba" of type shellcmd
        b. Add "/usr/local/etc/rc.d/samba start" of type shellcmd
      17. Reboot
      18. In SSH run commands to test:
        a. wbinfo -t (this should return that it succeeded)
        b. wbinfo -u (this should return a list of users in the domain)
      19. Services -> Proxy
        a. General tab -> Custom settings section - copy/paste the following into Integrations:

      acl_uses_indirect_client on;follow_x_forwarded_for allow localhost;auth_param ntlm program /usr/local/bin/ntlm_auth --use-cached-creds --helper-protocol=squid-2.5-ntlmssp;auth_param ntlm children 10;auth_param ntlm keep_alive on;acl password proxy_auth REQUIRED;http_access allow password

      20. Create a service account in Active Directory (in this example I've used "ldapsvc01" in the "myservices" OU)
      21. Create groups in Active Directory
      22. Services -> Dansguardian
        a. General tab -> Config settings section -> Auth Plugins = Proxy-Ntlm
        b. LDAP tab - Add New
          i. Hostname = mydc1.mydomain.local
          ii. Domain = dc=mydomain,dc=local
          iii. Username = cn=ldapsvc01,ou=myservices
          iv. Password = <enter it>
          v. Mask = USER
        c. Groups tab - Create groups with the exact same name as the groups created in Active Directory (avoid special characters in the names and display names of both users and groups)
          i. Set up filter settings as desired
          ii. LDAP section - Select the LDAP server created previously and set the desired update frequency
      23. The Users tab will now update the pfsense groups automatically based on the AD groups - you can run this command at SSH for troubleshooting:

      php /usr/local/www/dansguardian_ldap.php

      24. Configure a client to use pfproxy01.mydomain.local port 8080 and test - you can use the following command in an SSH session to check the access log in real time for the user name to show up:

      tail -f /var/log/dansguardian/access.log

      Let me know if you see anything that should be corrected.

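An added example for the final check in the post above (not code from the post or from the pfSense/DansGuardian packages): instead of watching tail -f for a user name, this Python script parses DansGuardian's access log in Squid log file format and reports, per client, which domain user its requests were attributed to and how many went through unauthenticated, which is how you spot a workstation where NTLM SSO is not actually working. The log lines are constructed for the example.

```python
"""Summarise a DansGuardian access log written in Squid native format.

With "Log file format = Squid log file format" each line reads:
  time elapsed client code/status bytes method url ident hierarchy/peer type
The "ident" field carries the Windows account name once the Proxy-Ntlm
plugin (backed by squid's ntlm_auth) has identified the user, or "-" if not.
"""
import re

SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)

# Constructed sample: two domain users, one client that never authenticated,
# one request denied by the filter, and a junk line that must be ignored.
SAMPLE_LOG = """\
1364188012.345    120 192.168.10.50 TCP_MISS/200 5123 GET http://www.example.com/ jdoe DEFAULT_PARENT/127.0.0.1 text/html
1364188013.101     40 192.168.10.50 TCP_MISS/200 812 GET http://www.example.com/logo.png jdoe DEFAULT_PARENT/127.0.0.1 image/png
1364188015.900     12 192.168.10.50 TCP_DENIED/403 1455 GET http://games.example.net/ jdoe NONE/- text/html
1364188020.776     33 192.168.10.77 TCP_MISS/200 2210 GET http://www.example.org/ - DEFAULT_PARENT/127.0.0.1 text/html
1364188030.220     95 192.168.10.51 TCP_MISS/200 3000 GET http://intranet.mydomain.local/ asmith DEFAULT_PARENT/127.0.0.1 text/html
this line is not in squid format and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = SQUID_LINE.match(line)
    return m.groupdict() if m else None


def summarise(text):
    """Per client IP: user names seen, unauthenticated request count, denied count."""
    report = {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # rotated-log headers, partial writes, etc.
        entry = report.setdefault(
            rec["client"], {"users": set(), "unauthenticated": 0, "denied": 0}
        )
        if rec["ident"] == "-":
            entry["unauthenticated"] += 1
        else:
            entry["users"].add(rec["ident"])
        if rec["code"] == "TCP_DENIED":
            entry["denied"] += 1
    return report


def clients_without_sso(report):
    """Clients none of whose requests carried a user name: SSO is not working there."""
    return sorted(ip for ip, e in report.items() if not e["users"])


if __name__ == "__main__":
    import sys
    # Usage: python dg_sso_check.py /var/log/dansguardian/access.log  (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    rep = summarise(text)
    for ip, e in sorted(rep.items()):
        print(f"{ip:16} users={sorted(e['users'])} unauth={e['unauthenticated']} denied={e['denied']}")
    print("clients without SSO:", clients_without_sso(rep))
```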
        marcelloc wrote:

        Great 22 easy steps to get it working :D

        I'll link it to the Portuguese tutorial you used as a reference.

        Thanks wheelz!

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

          wheelz wrote:

          Please let me know if anyone else is able to get multiple auth plugins to work.  In my particular scenario I'd like it to use NTLM or IP, and then allow access for unauthenticated through the default filtering.

            joako wrote:

            Are you sure samba is absolutely needed? I know winbind depends on certain Samba libraries, and depending on how it's packaged it could mean that you do need to install the complete Samba suite, but there should be no need to actually run the Samba daemon. I know I have working SSO on Linux webservers without the SMB service even installed.

              marcelloc wrote:

              IIRC, without Samba you will be configuring Kerberos auth, not NTLM.

              Only IE, Firefox and Chrome on Windows support Kerberos "transparent" auth.

              Elite Training: http://sys-squad.com

              Help a community developer! ;D

                dig1234 wrote:

                Great looking guide, will let you know my results. I'm stuck on pkg_add. The package URLs look like they are 64-bit specific; are there equivalent URLs I could substitute for i386 (nanobsd)? Thanks!

                  wheelz wrote:

                  @dig1234:

                  Great looking guide, will let you know my results. I'm stuck on pkg_add. The package URLs look like they are 64-bit specific; are there equivalent URLs I could substitute for i386 (nanobsd)? Thanks!

                  I believe for the pkg_add you can replace "http://e-sac.siteseguro.ws/packages/amd64/8/All/" with "http://e-sac.siteseguro.ws/packages/8/All/" but I have not tried it.  Let me know if that works and I'll edit the original post to include that.

                  For the fetch commands I could not find those same files in a non-amd64 area.  Perhaps marcelloc would know where the x86 version of those files could be downloaded from?

                    dig1234 wrote:

                    Yep, that worked for all the URLs, fetch as well. Continuing on now!


                      dig1234 wrote:

                      Getting following error after reboot:
                      wbinfo -t
                      could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
                      could not obtain winbind domain name!
                      checking the trust secret for domain (null) via RPC calls failed
                      failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
                      Could not check secret

                        dig1234 wrote:

                        Ok I got wbinfo working, samba service wasn't starting. Needed to add one more shellcmd:
                        mkdir /var/db/samba

                          dig1234 wrote:

                          It's pretty cool, it works very smoothly, seamlessly authenticating dansguardian groups.
                          For some reason though on every reboot I have to do:
                          chgrp proxy /var/db/samba/winbindd_privileged
                          and restart squid
                          Otherwise authentication fails, any idea why that's happening? I suppose I could just add shellcmds for this but not sure if that's the correct solution?

                          Thanks again for a great howto!

                            dig1234 wrote:

                            I was able to get it working reliably on reboot. This is what my shellcmd lines look like:
                            mkdir /var/run/samba
                            mkdir /var/db/samba/winbindd_privileged
                            /usr/bin/chgrp proxy /var/db/samba/winbindd_privileged
                            chmod 0750 /var/db/samba/winbindd_privileged
                            /usr/local/etc/rc.d/samba start

                              wheelz wrote:

                              Strange that I did not run into this but thanks for posting as this will help anyone else that does.

                                dig1234 wrote:

                                I'm pretty sure the issue is related to the fact that I'm running nanoBSD on a CF card. I just did the install on another system that's on a HDD and did not have to add those extra lines.
                                One more note is that if you are doing this install on nanoBSD you need to mount the card read/write before making those file changes, see this thread:
                                http://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write

                                  toomeek wrote:

                                  How did you solve the issue with the Squid3 daemon not starting?
                                  Mar 25 00:06:37 check_reload_status: Syncing firewall
                                  Mar 25 00:06:37 check_reload_status: Reloading filter
                                  Mar 25 00:07:15 squid[60713]: Squid Parent: child process 61160 exited due to signal 15 with status 0
                                  Mar 25 00:07:15 squid[60713]: Exiting due to unexpected forced shutdown
                                  Mar 25 00:07:17 squid[34206]: Squid Parent: child process 34441 started
                                  Mar 25 00:08:09 squid[60554]: Squid Parent: child process 60691 started
                                  Mar 25 00:08:19 squid[765]: Squid Parent: child process 1120 started
                                  Mar 25 00:08:32 squid[5630]: Squid Parent: child process 6099 started

                                  My version:
                                  2.0.1-RELEASE (i386)
                                  built on Mon Dec 12 17:53:52 EST 2011
                                  FreeBSD 8.1-RELEASE-p6

                                  Packages:
                                  Dansguardian 2.12.0.3 pkg v.0.1.7_3
                                  squid3 3.1.20 pkg 2.0.6

                                  I'm on step 12. Upgrading to 2.0.2 to see if it helps.
                                  UPDATE: Yep, upgrade to 2.0.2-RELEASE i386 solved the issue. Squid is starting, all packages were reinstalled during update.

                                  UPDATE2. Correct download links for i386:

                                  pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
                                  pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz
                                  cd /usr/local/lib
                                  fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libasn1.so.10
                                  fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libgssapi.so.10
                                  fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libheimntlm.so.10
                                  fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libhx509.so.10
                                  fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libkrb5.so.10
                                  fetch http://e-sac.siteseguro.ws/packages/8/All//ldd/libroken.so.10

                                  However:

                                  [2.0.2-RELEASE][admin@somesite.com]/root(8): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
                                  Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz... Done.
                                  Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done.
                                  Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done.
                                  Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done.
                                  Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done.
                                  Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
                                  Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done.
                                  pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1
                                  pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1
                                  pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
                                  pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed!
                                  Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done.
                                  pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed

                                  This is because of 2.0.1 -> 2.0.2 upgrade, so again:
                                  pkg_delete -f squid-2.7.9_3

                                  After some fighting with dependencies..
                                  Samba3 package now doesn't include ADS support due the portability problems
                                  with Kerberos5 libraries on different installations. You need to compile the
                                  port yourself to get this functionality.

                                  So far I was able to create working proxy on port 8080, visible to sites like http://www.whatismyip.com/ but no luck with AD.

                                  [Attachment: pfsense-not-starting-squid.PNG]

                                    dig1234 wrote:

                                    Has anyone tried this with the NEGOTIATE plug-in for ntlm/kerberos?

                                      gdy1039 wrote:

                                      I have tried to follow this tip for a month of Sundays, but without success.
                                      I found that squid now has many integrated auth plugins,
                                      for example: basic_ldap_auth, ntlm_fake_auth, ntlm_smb_lm_auth and negotiate_kerberos_auth.
                                      Now I can auth through basic_ldap_auth in squid; it's very easy,
                                      just one line of auth config and 4 lines of related config.

                                      So I can't understand why this still uses so many third-party libs and so much config.

                                      I am on pfsense 2.0.2 + dansguardian + squid 3 + win2003 AD.

                                      I know how to use basic auth in squid, but don't know how to make it work in dansguardian.
                                      I tried to add an LDAP in dansguardian, then added a group named "Administrator". I can't add a group like "domain user", but most of my accounts are in that AD group.
                                      Then I ran the command

                                      php /usr/local/www/dansguardian_ldap.php
                                      

                                      It returned an error:

                                      Warning:ldap_bind(): Unable to bind to server: invalid credentials in /usr/local/www/dansguardian_ldap.php on line 65
                                      
                                        volkans80 wrote:

                                        Working very good. Thank you!

                                        Did anyone try https://ip:port? I allowed this and it is logged as an exception, but it is not working.

                                        Any idea?

                                          LokisMischief wrote:

                                          Did anyone manage to get samba and heimdal installed? I get the same version conflicts with some of the dependencies.

                                          
                                          [2.0.3-RELEASE][admin@fw01.us.local]/root(1): pkg_add http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/samba36-3.6.3.tbz... Done.
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/pkg-config-0.25_1.tbz... Done.
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/talloc-2.0.7.tbz... Done.
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/libexecinfo-1.1_3.tbz... Done.
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/tdb-1.2.9,1.tbz... Done.
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/db41-4.1.25_4.tbz... Done.
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/openldap-sasl-client-2.4.26.tbz... Done.
                                          pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.31_1
                                          pkg_add: package 'openldap-sasl-client-2.4.26' conflicts with openldap-client-2.4.33_1
                                          pkg_add: please use pkg_delete first to remove conflicting package(s) or -f to force installation
                                          pkg_add: pkg_add of dependency 'openldap-sasl-client-2.4.26' failed!
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/popt-1.16.tbz... Done.
                                          pkg_add: warning: package 'popt-1.16' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
                                          
                                          
                                          [2.0.3-RELEASE][admin@fw01.us.local]/root(34): pkg_add http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/heimdal-1.4_1.tbz... Done.
                                          Fetching http://e-sac.siteseguro.ws/packages/8/All/sqlite3-3.7.9_1.tbz... Done.
                                          pkg_add: warning: package 'heimdal-1.4_1' requires 'libiconv-1.13.1_1', but 'libiconv-1.14' is installed
                                          
                                          

                                          Not sure where to go from here, I can try removing the newer packages but that then means removing squid again.
                                          Or force install the prerequisites for samba but not sure what that may break.

                                            dig1234 wrote:

                                            I used -f to force install. It installed fine and two weeks later still running smooth..

                                            @LokisMischief:

                                            Or force install the prerequisites for samba but not sure what that may break.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.