Topic: Dansguardian + NCSA-auth + Windows

[bloodshoteye]

Hi, all

When I activate Dansguardian with ncsa-auth on an updated SME 7.2 I wait more than 5 mins for Windows XP to ask for a password and user-name. Occurs with Firefox or ie6.
The XP box is properly joined to the Samba domain, and logged in. I installed Dansguardian according to the wiki, admittedly not the very latest rpm - I used the one prior to Dec 7.

In contrast, a linux (Ubuntu) box running  Firefox prompts immediately for credentials.

The forum is silent on this - would anyone hazard a guess as to what I could look for? Please ask if you need more details.

Thanks,

[Franco]

Is the client properly configured with the proxy settings? Dansguardian runs on a different port than Squid, so make sure you have the right port and not 3128 which is squid's default.

[bloodshoteye]

'sfunny, can't insert quote code? - and I can't remember the syntax (blush)

Stuntshell, I tried "Auto detect proxy server" and as another test I inserted the server's IP address and port 8080.
Both scenarios make the client wait more than 5 mins.

[raem]

ardugh

'sfunny, can't insert quote code? - and I can't remember the syntax (blush)

Click on the quote link on top right of original post
or
use the second last button called Insert Quote
or
otherwise manually write the start & finish delimiters, as follows but without spaces (only written here to allow them to be displayed here).

[ quote ]  text [ /quote ]

[bloodshoteye]

Click on the quote link on top right of original post
or
use the second last button called Insert Quote

Tried both the first time, thanks. Neither are working. Perhaps an issue with Firefox. I must try on another  PC - just had a thought. Must check to see if Dansguardian is preventing JScript code...
I've manually quoted the above - thanks for the syntax.

EDIT: Quoting issue was due to .js and .jse being blocked by Dansguardian - I had reverted to default install configs during a testing phase 

However, this does not solve my original issue - why do XP clients wait more than 5 mins before they can authenticate against Dansguardian + ncsa-auth 
All installation & configuration done according to the Wiki.

[raem]

ardugh

...why do XP clients wait more than 5 mins before they can authenticate

I can only make a guess, a firewall issue on your XP clients, more blocked file types, DNS issues with finding your server.

[bloodshoteye]

I can only make a guess, a firewall issue on your XP clients, more blocked file types, DNS issues with finding your server.

Thanks for these pointers. I made sure:
1) Windows firewall is off
2) XP is on DHCP
3) User is logged into Samba domain via XP pc
4) WAN connection is up
5) User has credentials in /etc/proxyusers
6) Server reconfigured and rebooted

Of note: Client can access web-based mail (running on same box) with no auth other than usual log in to access mail.
 
EDIT: 11:30am
Also tried auth-pam. No auth dialog form appears at all on the XP pc. After a long time a "Cache Denied" message is given:
"Sorry, you are note allowed to access http://blah.tld until you have authenticated yourself"

I'm going to systematically turn off all extension blocking in "bannedextenlist" and report back.

[raem]

ardugh

Is your sme server's IP specified as the workstations DNS server.
Is your sme server configured to be the DNS server for the network, rather than some external DNS server.

[Stefano]

2) XP is on DHCP
3) User is logged into Samba domain via XP pc

in my experience when clients are in domain, fixed ip's and expecially fixed dns (sme's ip) entry are recommended.

HTH

Ciao

Stefano

[bloodshoteye]

Is your sme server's IP specified as the workstations DNS server.

Yes

Is your sme server configured to be the DNS server for the network, rather than some external DNS server.

Yes, and set to resolve locally.

I also made sure there wasn't a strange/unwanted entry in the workstation's hosts file.

[bloodshoteye]

in my experience when clients are in domain, fixed ip's and expecially fixed dns (sme's ip) entry are recommended.

I did that via the Hostnames and addresses panel and assigned a static DHCP address.
Windows Ipconfig shows all necessary TCP details are in order.

EDIT
Strange - according to the Wiki, running
/usr/lib/squid/ncsa_auth /etc/proxyusers
should produce ERR or OK after entering a username & password
I get no response - just a flashing cursor and cannot therefor enter anything.
 

[raem]

ardugh

I don't use ncsa auth, but I think the syntax is like this.

Enter your original passwords with inverted commas around them eg
htpasswd -b /etc/proxyusers username "password"

When you test the password file do
/usr/lib/squid/ncsa_auth /etc/proxyusers
you will then see no command cursor so just type in your username & password combination on the same line
username password
press Enter
then if correct you see
OK
or if incorrect you see
ERR Wrong password
When finished testing all passwords, to exit press
Ctrl c

[bloodshoteye]

When you test the password file do
/usr/lib/squid/ncsa_auth /etc/proxyusers
you will then see no command cursor so just type in your username & password combination on the same line
username password
press Enter
then if correct you see
OK
or if incorrect you see
ERR Wrong password

Good (and thanks for the pointer, Ray) - works as advertised.
Stupidly, I was waiting to be asked a question instead of volunteering a username and password combo.

Has anyone experienced the 5 or more minutes delay I have for a login to ncsa_auth? This is very irritating, and maybe my error somewhere 
So far the advice given has not solved this.

 

[stephen noble]

ncsa does login immediately if it is configured correctly

double check
http://wiki.contribs.org/Dansguardian#Using_Ident_login

[bloodshoteye]

ncsa does login immediately if it is configured correctly

double check
http://wiki.contribs.org/Dansguardian#Using_Ident_login

Does this mean I need to use Ident login on the workstation in order for ncsa_auth to work?

[stephen noble]

no, i just had a brain explosion
ignore that suggestion

try the server IP as the proxy

as you also have a problem with pam_auth, dans is just highlighting some other problem

[raem]

ardugh

I spotted some typos in the Howto where it said nsca, but should have said ncsa.
Check that you used the correct command syntax for enabling ncsa auth.
The Howto has been revised.

[Franco]

Does this mean I need to use Ident login on the workstation in order for ncsa_auth to work?

No!

[bloodshoteye]

I spotted some typos in the Howto where it said nsca, but should have said ncsa.
Check that you used the correct command syntax for enabling ncsa auth.

I noticed that on Wednesday, and apologise for not bringing it to snoble's attention.

Here's another typo:

You can test the authentication list using the following command

/usr/lib/squid/ncsa_auth /etc/proxyusers

Then enter the username & password when asked

You will see a ERR or OK response

You will not be asked - the cursor just winks at you. That fooled me until RayMitchell pointed out (higher up this thread) the user must enter a username password combo, then he will be given an ERR or OK.

try the server IP as the proxy
as you also have a problem with pam_auth, dans is just highlighting some other problem

I tried that and all the advice so far.
Then I applied for & installed dungog-dansguardian.

Sigh, I still have a problem - and I cannot re-install this server - so I've removed and re-installed all apllicable rpms 4 times... GPL version, then dungog version, then GPL version ad nauseum.

Latest woe, using dungog software: Dans with default + 2 filter groups & Squid enabled : browsers go straight out to wherever, although I have ncsa_auth with no transparent proxy, but with port blocking.
If I set http://proxy/proxy.pac or IP:port manually: "This page cannot be displayed"

I have added my box to the exceptioniplist. If set proxy manually or via http://proxy/proxy.pac, I get "The connection to the server was reset while the page was loading"

Can someone please help? - will provide further info if wanted.
 
Update:
I've just restarted dans with dansguardian -Q and browsers requested authentication, which was accepted. The process must be dying after a time - I swear it also worked briefly much earlier on.
Why would it start, then die?

Confirmed!! - less than 5 mins later a user no longer can refresh or move on. Killing the browser and restarting it brings up a "This page cannot be displayed"
Removing proxy detail from the browser and it goes anywhere you want.

Where could I look?
.

[stephen noble]

In contrast, a linux (Ubuntu) box running  Firefox prompts immediately for credentials.

if this is so, this isn't a sme server problem

i'd unblock 80 and 3128 for now
try using pam_auth until you prove dans works on windows
install a vanilla windows

[raem]

ardugh

Have you done this step ?

config setprop squid Transparent no
expand-template /etc/squid/squid.conf
sv t /service/squid

[bloodshoteye]

Have you done this step ?

config setprop squid Transparent no
expand-template /etc/squid/squid.conf
sv t /service/squid

Yes
squid=service
    EnforceSafePorts=no
    RequireAuth=ncsa
    SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
    TCPPort=3128
    TCPProxyPort=80:3128
    Transparent=no
    TransparentPort=8080
    access=private
    status=enabled

if this is so, this isn't a sme server problem

The issue has shifted somewhat - that may have been some config error on my part.
Now it seems (ref my rather lengthy post earlier - sorry for that) that dansguardian is dying after a few minutes - I cannot imagine why.

[bloodshoteye]

Now it seems (ref my rather lengthy post earlier - sorry for that) that dansguardian is dying after a few minutes - I cannot imagine why.

I think I answered my own question by applying the recommendation  in this thread:
http://forums.contribs.org/index.php?topic=39344.0
Dansguardian isn't dying at the moment 

[bloodshoteye]

I give up, sad to say 
I've tried everything I can think of. It seems users can do what they want, never mind what I try to set.
Under the circumstances, I feel like dropping the box out of the window - spent an entire week on squid/dansguardian, day and night.

Please tell - at the moment the box has both dungog-dansguardian installed and smeserver-dansguardian installed.
Do they conflict or does dungog need the sme rpm? - So far I can't find the answer to that. It may explain the erratic behavior of all the tests I've made.

[raem]

ardugh

Did you purchase (ie pay for), the dungog dansguardian product ?

[bloodshoteye]

Did you purchase (ie pay for), the dungog dansguardian product ?

Hi RayMitchell - yes I did.

[raem]

ardugh

Then you should ONLY be installing the rpms from dungog, ie the commercial ones, and you should be getting support direct from dungog, not via these forums.

You should not be following the contribs.org wiki Howto as that is not applicable to you, but instead follow the information on the dungog website.

[bloodshoteye]

Then you should ONLY be installing the rpms from dungog, ie the commercial ones, and you should be getting support direct from dungog, not via these forums.

You should not be following the contribs.org wiki Howto as that is not applicable to you, but instead follow the information on the dungog website.

I hear what you say, however the steps (as per their instructions) are:
1) install dansguardian
2) install smeserver-dansguardian
3) install dungog-dansguardian - to quote: "this just allows you to change the config files by the panel rather than by hand
it doesn't do anything else to dansguardian"

While admittedly not all Wiki steps need be followed, it appears some do, hence my (a relative newbie) confusion and this thread - particularly as you-all are extremely knowlegable.
I have requested assistance from them and hopefully I will be able to clear up my problem soonish.
I also receive replies from this list within my time zone's working hours as opposed to AU being 8 hrs ahead of me, which has been a major factor in asking for help. I hope I haven't stepped on anyone's toes.

Thanks,