Comments on Rosin Core Solder: DansGuardian Content Filtering with AD Integration

Squidblacklist, 2014-09-18 17:20:

Squidblacklist.org is the world's leading publisher of native ACL blacklists tailored specifically for Squid proxy, and alternative formats for all major third party plugins as well as many other filtering platforms, including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.

There is room for better blacklists, we intend to fill that gap.

It would be our pleasure to serve you.

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org

Pearl, 2013-09-29 21:06:

Hi,

Thanks for your guide. I am not able to see the client usernames in the Squid log or in the DansGuardian logs. How can I see the usernames? Still, my users are able to browse the internet.

jr, 2010-07-12 08:18:

Hello.
Is it necessary to start 2 instances of Squid? If yes, how?

banutito, 2010-03-29 06:45:

    Uncomment line 59.
    Uncomment lines 204 and 205.
    Add the following lines before line 217

In my new samba.conf those lines are empty :|

Can anyone list the content of those lines?

Christian, 2010-03-19 13:39:

We've found that Squid is sometimes fetching web content directly, bypassing DansGuardian.

If you put these two lines at the end of your /etc/squid/squid.conf file:

    #Always allow traffic from Dansguardian
    always_direct allow localhost
    #Block all other traffic
    never_direct allow all

This worked awesome down here. Hope this helps you guys!

Zack, 2010-03-13 16:27:

Rene, I've been mulling this over, and unfortunately I don't have any good answers for you.

Thankfully, I work in an environment where kids aren't constantly trying to scam the system... :-)

The reason that it passes through is because of the nature of the SSL (HTTPS) tunnel - technically Dans has no right to interfere with the transmission of presumably sensitive information.

You could block all HTTPS traffic, although that won't be very popular. There are certainly many legit uses. Another option might be to block HTTPS traffic to certain sites, such as Facebook. It's just a hunch, but I doubt that blocking based on IP/protocol would be as daunting as first thought since MOST garbage sites won't have spent the money to buy a dedicated IP address and the SSL certificate. It would mainly be your bigger players like Facebook, MySpace, LinkedIn and possibly Playboy, etc. (for the porn side).

I've heard of dedicated boxes that sit on the network perimeter and actually inspect the SSL traffic, but I'm not aware of any way to do that with Dans. I've never actually seen one of these boxes either, so I don't know if there are drawbacks or gotchas.

Let me know if you find anything - it is a curious problem.

Rene, 2010-03-11 19:20:

Hi Zack,

Everything is working fine now. I want to thank you a lot for this tutorial. It's the only one that I found that delivers a real working method to authenticate against AD with Squid/Dans.

I only have a little problem now and I was wondering if you have a hint for me. Students have found that if they replace http with https, they can bypass the proxy and open sites that are banned. For example, we banned http://www.facebook.com, but if they enter https://www.facebook.com, it passes through...

I searched on Google but didn't find anything valuable...

Thanks a lot!

Rene

Zack, 2010-02-15 12:52:

I don't remember having to do anything specific for the proxy, but we have added a number of sites to our Intranet list to automatically pass authentications through to that.

Go into Tools - Internet Options - Security tab, click on Local Intranet, click on Sites. I believe that "Automatically detect local intranet sites" should be checked. Then click on the Advanced button. Add your proxy server's name in here (http://proxy.acme.local/).

That's the only thing I can think of. We have a fairly elaborate script that configures IE, so it's possible that something is set up in there.

Another thing to check: do your clients have the root domain name set up in their TCP/IP config or the DHCP server? It seems like IE uses this root domain (acme.local) to determine which servers are in the "Local Intranet".

Rene, 2010-02-15 12:29:

Hi Zack,

I found my problem with AD, it was a typo in my domain name in the realm section.

With this corrected, the authentication works OK with all tests, but on a workstation, IE always asks for a user name/password. I looked back at my Squid config and everything is the same as yours (it's a cut/paste from yours); the only difference is "acl our_networks src 10.116.12.0/23" to fit our network.

Do you have a hint for me to troubleshoot that? I looked at the log files but nothing relevant there...

Thanks a lot!

Rene Theriault

Unknown, 2010-02-12 22:46:

OK, thanks for the response.
One thing I would like to discuss with you is that I am trying to sync AD with 389 Directory Server.
User syncing is working properly but password syncing is not working.
After some Google searching I found that I have to install a cert from a CA on both 389 Directory Server & AD and also have to use the password sync utility.
So far I did the same but it is still not working.
Can you please come up with a tutorial for this? It will be very helpful to me.

Zack, 2010-02-09 20:18:

Indranil, sorry I missed your second post...

I can't think of a way to show a logon prompt based on the user's domain group, since you would have had to already authenticate them in order to know if they were in the group that should be authenticated (catch-22).

As for blocking https traffic, I can't say that I've ever tried it, but I think that the Samba ACLs would allow you to configure http and https traffic independently. You could also just block port 443 outbound at the firewall from your proxy server.

Zack, 2010-02-09 20:14:

Rene, my first thought was that the machine didn't successfully register with the Active Directory, but you indicated that it does show in your Computers OU.

I guess I would be inclined to delete the machine from AD, and then re-join the Linux machine just to make sure. I've forgotten the "official" answer, but I like to give my AD at least 10 minutes between changes to be sure it replicates to all of my DCs.

Make sure that the account that you used to join the domain has the rights to do so. If in doubt, use the domain Administrator account.

A few other things to check: make sure your DNS is configured correctly in /etc/resolv.conf, and that your search domain is set correctly. Try restarting the Samba daemon and/or rebooting the Linux box.

Rene, 2010-02-09 19:45:

Hi,

Thanks for this tutorial, it's exactly what I was searching for and couldn't find it anywhere...

I have a little problem with the AD authentication. I was able to join the domain with "net ads join -U Administrator". I looked in my AD and my machine is there, so it's registered with AD. But when I do "wbinfo -t, -u or -g" it does nothing. When I try to configure a workstation, it keeps asking for a username/password and it doesn't work.

Do you have any hint for me to troubleshoot the AD connection?

Thanks!

Rene

Unknown, 2010-02-05 18:28:

Once again, thanks for your quick response.
I mean to say that my client wants to see a browser popup asking for the AD username/password based on group.
Another requirement: is there any way to block https connections through DansGuardian? The client does not want anyone to be able to open Gmail via https://gmail.com

As per your article I did the current setup and it's working fine. Thank you for the fine article, it really helps a newbie like me a lot.

By the way, my gtalk ID is indranil.i83@gmail.com; can I have your chat ID?

Zack, 2010-01-30 08:44:

I guess I'm not clear on what you're trying to accomplish. As far as the proxy server is concerned, Internet Explorer automatically passes the credentials through, so there's nothing to force.

Unknown, 2010-01-28 14:40:

This is a wonderful tutorial. Thank you very much. Everything is working fine here.

Can you give a tip for the following scenario?

Is there a way to force the user to provide a username and password after joining the user's XP client to the AD domain?

Any suggestion will be helpful.
email: debian2k7@gmail.com