[K12OSN] Censornet help

Dimitri Yioulos dyioulos at firstbhph.com
Wed Apr 26 15:58:23 UTC 2006


On Wednesday April 26 2006 11:19 am, Brian Chivers wrote:
> Dimitri Yioulos wrote:
> > On Wednesday April 26 2006 10:56 am, Brian Chivers wrote:
> >> Dimitri Yioulos wrote:
> >>> On Wednesday April 26 2006 9:34 am, Edward Holcroft wrote:
> >>>> Dimitri
> >>>>
> >>>> I am using the latest Censornet in the way you describe in diagram
> >>>> one.
> >>>>
> >>>>> In the Censornet Web site, under Support, there's a section called
> >>>>> Network
> >>>>> Diagrams.  I'm trying to set up the second of the schemes, Standard
> >>>>> Bridge
> >>>>> Mode.  The write-up states:
> >>>>>
> >>>>> "This is the most common form of Bridged CensorNet design. Note
> >>>>> that we never
> >>>>> recommend the use of Bridge Mode unless you have your own firewall
> >>>>> to protect
> >>>>> your perimeter. Although the CensorNet still has two network cards,
> >>>>> connected
> >>>>> in a similar fashion to the Basic Router Mode option, it only has
> >>>>> one IP
> >>>>> address, purely for administration purposes. The firewall shown in
> >>>>> the diagram will have an internal address on the same subnet as the
> >>>>> rest of the
> >>>>> local LAN."
> >>>>>
> >>>>> So, just as in the diagram, I've tried this:
> >>>>>
> >>>>>                       internet
> >>>>>
> >>>>>                        router
> >>>>>
> >>>>>                        firewall--------DMZ
> >>>>>
> >>>>>                      Censornet
> >>>>>
> >>>>>                        Switch
> >>>>>
> >>>>>                          LAN
> >>>>
> >>>> This is good.
> >>>>
> >>>>> I'm able to get both user and workstation data from our AD server
> >>>>> into Censornet.  I'm able to reach the Censornet Web admin gui from
> >>>>> my workstation.  I'm able to ping both my workstation and an outside
> >>>>> site from
> >>>>> the Censornet box.  I've set up the correct address and port in Web
> >>>>> browser
> >>>>> proxy settings.  Depending on how I wire the Censornet box to the
> >>>>> firewall
> >>>>> and/or LAN, at worst I'm continually prompted for a uname and pw.
> >>>>
> >>>> This is a feature, not a problem and is exactly what is supposed to
> >>>> happen with Censornet. It sounds like you have everything working
> >>>> just right.
> >>>>
> >>>>> At best,
> >>>>> I'll get a Censornet "Authentication Failed" message.
> >>>>
> >>>> If, for example, you don't have the correct proxy settings (or if a
> >>>> user deliberately tries to bypass the proxy) you encounter this
> >>>> message - once again exactly what should happen.
> >>>>
> >>>>> As to this last, there's obviously an authentication problem.
> >>>>> Remember, I can
> >>>>> see both users and workstations in the Censornet Web gui.  All the
> >>>>> proper
> >>>>> access permissions are set for both.  But, I have no idea whether
> >>>>> it's an
> >>>>> iptables issue or a Censornet issue.  A perusal of the logs on both
> >>>>> systems
> >>>>
> >>>> It sounds like you want the Windows user to automagically be logged
> >>>> in as the Internet user, but that's not the way Censornet works. You
> >>>> have to log in to the web independently, even if you have already
> >>>> logged into Windows and authenticated against your domain (it sounds
> >>>> like you're running windows on the desktop here right?). This is how
> >>>> Censornet logs access. In other words Censornet is not a transparent
> >>>> proxy that makes use of the user authentication login details - it's a
> >>>> separate and self-contained logging and authentication system.  The
> >>>> fact that it imports the user accounts from your AD is merely a
> >>>> convenience so that you don't have to recreate them all manually. It
> >>>> also means that one user can login to the Windows PC and another can
> >>>> log into the Internet on the same PC at one time - it is the
> >>>> username that logs onto the Internet that will be tracked and logged
> >>>> in the Censornet Webalizer, not the Windows AD authenticated user.
> >>>>
> >>>> Hope this helps
> >>>> ed
> >>>
> >>> Understood on the authentication mechanism.  Now, this is the curious
> >>> part - if, after entering my uname and pw (once, or a few times,
> >>> doesn't matter), then cancelling the login, I get the Censornet
> >>> "Authentication Failed" error message.  So, I am communicating with
> >>> Censornet, but not being authenticated.
> >>>
> >>> As you know, Censornet isn't difficult to configure, nor are there a
> >>> lot of configuration settings to make.  But, just for fun, I
> >>> reinstalled Censornet, to make sure I didn't futz anything up the first
> >>> go-round.  No luck, same issues.
> >>>
> >>> And, our AD server is also our system's time server.  I made sure that I
> >>> configured Censornet to use it to sync the time.  Both are at the same
> >>> time. I think, though, that that's important mainly for user and
> >>> workstation discovery.
> >>>
> >>> Dimitri
> >>
> >> You can test the authentication via the CLI, not sure how but do a
> >> search for "PAM" on the censornet forums and you should find something.
> >>
> >> Brian
> >
> > You're right.  It's "/usr/local/squid/libexec/pam_auth -1".  When I enter
> > my uname and pw, I get an "ERR" return instead of OK.  The FAQ says this
> > about it:
> >
> > "If you get an OK response, then all is well. If you get an ERR response,
> > then there is something wrong, but it's got nothing to do with the clock
> > (and probably nothing to do with the CN either)."
> >
> > Hmmm.  What, then?
> >
> > Dimitri
>
> Can you ping the AD OK?  I added our PDC to the /etc/hosts file manually; I
> think I had to do it to /etc/hosts.tmpl as well to make it survive after a
> reboot.
>
> Perhaps try that.  Also, anything in the AD logs?
>
> Brian
>

Thanks to all for taking me through all the logical steps.

Brian, I can, indeed, ping the AD.  /etc/hosts reads fine.  Nothing in AD 
logs.

I think we're running out of steps :-(

Dimitri
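Added example, not from the thread and not Censornet's or Squid's own code: a small POSIX shell harness for the manual check Brian and Dimitri describe, driving a Squid basic-auth helper such as /usr/local/squid/libexec/pam_auth over the helper's line protocol (Squid writes one line, "username password", to the helper's stdin and reads back a line beginning OK or ERR). The function name probe_helper, the stub helper and the dyioulos / s3cret credentials are constructed so the script runs offline; the stub only mimics the one-request-then-exit behaviour of pam_auth -1 and is not the real helper.

```shell
#!/bin/sh
# Added example (not from the thread): exercise a Squid basic-auth helper such as
# /usr/local/squid/libexec/pam_auth over its stdin/stdout line protocol.
# Squid writes one line "username password" to the helper's stdin and expects a
# line starting with "OK" or "ERR" back.  Feeding the helper the same input by
# hand isolates the PAM/credential check from squid, iptables and the browser.

# probe_helper HELPER USER PASSWORD
# Returns 0 when the helper answers OK, 1 when it answers ERR, and 2 for anything
# else (helper missing or not executable, no output, or an unexpected reply).
probe_helper() {
    helper=$1; user=$2; pass=$3
    [ -x "$helper" ] || { echo "helper not executable: $helper" >&2; return 2; }
    # printf avoids echo's portability quirks; the trailing newline ends the request.
    reply=$(printf '%s %s\n' "$user" "$pass" | "$helper" 2>/dev/null | head -n 1)
    case $reply in
        OK*)  return 0 ;;
        ERR*) return 1 ;;
        *)    echo "unexpected reply: '$reply'" >&2; return 2 ;;
    esac
}

# Constructed stand-in for offline use: answers exactly one request and exits,
# like pam_auth -1, and accepts only the made-up pair dyioulos / s3cret.
make_stub_helper() {
    stub=$(mktemp)
    cat >"$stub" <<'EOF'
#!/bin/sh
IFS=' ' read -r user pass
if [ "$user" = "dyioulos" ] && [ "$pass" = "s3cret" ]; then echo OK; else echo ERR; fi
EOF
    chmod +x "$stub"
    echo "$stub"
}

# Against a real box you would run, for example:
#   probe_helper /usr/local/squid/libexec/pam_auth "$USER" "$PASSWORD"
# Offline self-check against the stub:
STUB=$(make_stub_helper)
probe_helper "$STUB" dyioulos s3cret && echo "good credentials: OK"
probe_helper "$STUB" dyioulos wrong  || echo "bad credentials: ERR (rc=$?)"
rm -f "$STUB"
```

If a real helper answers ERR for a password you know is right, the harness has at least shown that the browser, proxy port and iptables are not involved; what remains is the PAM configuration the helper consults and the privileges the helper runs with, which is where to look next.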
