http-proxy SSO (single sign on) zentyal 3.0 - problem

[Sam Graf]

It might be better to have everything in one topic. On the other hand, we have two very different test cases going on, one where Zentyal is a PDC and client machines are successfully joining the domain, another where Zentyal is not a PDC and/or a machine is not joining a domain. So maybe these are two different topics. If I understood better how the proxy's SSO was supposed to work, we might be able to get down to one test case, and then for sure one topic.

[christian]

I'll be prone to merge because this is really the same question from same user.
I also think (am I wrong here) that Kerberos authentication is not dependent on PDC (while the opposite is not true).

Back on technical discussion: the point here is that I suppose there is something wrong with DansGuardian sandwich design (you know this DG embedded between 2 Squid slices in order to support Kerberos  )
There is quite a lot of discussion around in this forum about:
- Proxy not supporting both SSO and group based profiling
- why 2 squid servers

that are all linked, for what I believe, to this "sandwich" design. I'm expecting Zentyal to provide some technical explanation because I don't want to make the reverse-engineering myself. To lazy and fade-up 

More details (but no answer) here.

[christian]

BTW, despite my laziness, I'm currently looking at DansGuardian and Squid conf and can't find any lookup for LDAP group membership... 
I wonder how this may work. But as I'm not Dansguardian specialist (I know SquidGuard much better) I need to learn a bit more 

[Sam Graf]

There is quite a lot of discussion around in this forum about:
- Proxy not supporting both SSO and group based profiling
- why 2 squid servers

that are all linked, for what I believe, to this "sandwich" design.

Unfortunately DansGuardian is blocking access to the link you provided . I have to have a look later.

What is the difference in the authentication mechanisms between SSO authentication and "regular" authentication, when SSO is not enabled? The former seems broke, while the later works.

[christian]

I suppose (although I didn't try) that both are working but when SSO is enabled, then you can't set up any group based profiling.
The main difference is that DansGuardian does NOT support Kerberos. Because of this, it requires specific implementation with one proxy (Squid) before DS and one other after.
The "front-end" proxy will handle Kerberos auth and also provide revert back to back auth when client does not support Kerberos.

[christian]

hum    looking further, secondary Squid proxy is not used to implement sandwich but cache peer.
I still don't understand why. I'm investigating

[Sam Graf]

Thank you for your help in sorting out the proxy's operation, christian!

[christian]

does transparent proxy with 3.0 work? I suppose the answer is yes but I can't see any DNAT rule in iptables while Squid is configured with "intercept" directive. Is there something I'm missing?

[Sam Graf]

I'm now away from the office and my test machine but working from memory. But I can say for sure that yes, transparent proxy works. I have tested the captive portal (which seems also to be broke when it comes to user groups--coincidence?) using only transparent proxy.

[christian]

Discussing similar issue in the French section, it looks like group based access control (with SSO) works but might be tricky if user is also member of group that is not authorized. I try to investigate this further in French section and will publish my feedback and understanding here.

[Sam Graf]

Interesting. My test machine isn't here or I'd experiment with that idea. Thank you for keeping us informed on the French forum discussion.

[christian]

We do progress on this (well not me because I don't have the right environment yet but this French guy made a pretty good test-bed and study)
Current conclusion is that if user is member of "domain admin" group, then HTTP proxy rules do not apply anymore... 

[Sam Graf]

If I'm understanding correctly, the work in the French forum is providing a clue in the case where Zentyal is a PDC, correct? Is this a fixable situation?

[Javier Amor Garcia]

Hello,

 have reviewed the code and I see that we made a mistake: we allow to have both checked kerberos authorization AND transparent mode.

They don't work together. Maybe it is your problem?.

In that case disable transparent mode in Zentyal. In the windows client log in within the domain, configure the browser to use the zentyal proxy and try again. If yo are using a linux client follow this instructions: http://trac.zentyal.org/wiki/Documentation/HTTPProxyKerberosWithLinux

If you are not using transparent proxy and your have correctly logged in the domain, there can be a bug. We will review the process with the windows client shortly.

[Javier Amor Garcia]

Sorry Christian, I misread your post, we will look  also to the group membership you report