Topic: http-proxy SSO (single sign on) zentyal 3.0 - problem

Sam Graf

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #30 on: November 05, 2012, 01:59:06 pm »
If you are not using transparent proxy and you have correctly logged in the domain, there can be a bug.

Does this mean that the proxy's SSO will not work if Zentyal is not a PDC?

christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #31 on: November 05, 2012, 02:02:49 pm »
Now that I understand that 2 Kerberos servers run in parallel, I wonder whether this could have introduced some unexpected behaviour  ::)

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #32 on: November 09, 2012, 09:11:53 am »
If you are not using transparent proxy and you have correctly logged in the domain, there can be a bug.

Does this mean that the proxy's SSO will not work if Zentyal is not a PDC?

I think so, you need something to authenticate the users (ldap, active directory...)

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #33 on: November 09, 2012, 09:16:03 am »
Hello,

I have reviewed the code and I see that we made a mistake: we allow both Kerberos authorization AND transparent mode to be checked.

They don't work together. Maybe it is your problem?

In that case disable transparent mode in Zentyal. In the Windows client log in within the domain, configure the browser to use the Zentyal proxy and try again. If you are using a Linux client follow these instructions: http://trac.zentyal.org/wiki/Documentation/HTTPProxyKerberosWithLinux

If you are not using transparent proxy and you have correctly logged in the domain, there can be a bug. We will review the process with the Windows client shortly.

Thanks for reviewing this feature; that's what I supposed, that there was a bug there.

Please keep us informed about this modification. I'm waiting for this to work as expected to put a Zentyal as a proxy on the production LAN and make a "lot of fun" to my users  ;D

Thank you

christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #34 on: November 09, 2012, 10:26:47 am »
If you are not using transparent proxy and you have correctly logged in the domain, there can be a bug.

Does this mean that the proxy's SSO will not work if Zentyal is not a PDC?

I think so, you need something to authenticate the users (ldap, active directory...)

 :o Sure, but why Windows DC? Can't you, e.g., authenticate against, as you wrote, LDAP (no DC here) or even a Kerberos server (again no DC here)?
I really would like Zentyal to clarify their strategy here. Do they expect the design to be Microsoft centric only (in such case authentication will be against DC emulation only) or is it something more flexible?

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #35 on: November 09, 2012, 08:10:53 pm »
:o Sure, but why Windows DC? Can't you, e.g., authenticate against, as you wrote, LDAP (no DC here) or even a Kerberos server (again no DC here)?
I really would like Zentyal to clarify their strategy here. Do they expect the design to be Microsoft centric only (in such case authentication will be against DC emulation only) or is it something more flexible?

Nice question, but it was to be answered by Zentyal staff :/

Sam Graf

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #36 on: November 09, 2012, 10:25:34 pm »
I think so, you need something to authenticate the users (ldap, active directory...)

In that case, do you think it would be a good idea for Zentyal to expose the proxy's SSO feature only in the case where Zentyal is a PDC? It seems to me too confusing the way it is for those of us who may not have Zentyal set up for file sharing/domain control, but maybe I'm just not understanding something.

I'd be glad to make that suggestion to the developers if that makes sense.

christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #37 on: November 09, 2012, 11:56:05 pm »
Sam, as far as I'm concerned, I would vote "against" what you suggest.
I do understand your willingness to make things as simple as possible, but as a result your approach will end up as "Kerberos for Microsoft users only".

Either this is your strategy, that is to go for the Microsoft world only, and in such case it makes sense, or you can accept that other "non Microsoft" IT landscapes exist, and then I don't understand why you would suggest not letting them use the Kerberos server.

Things are confusing today because Microsoft DC brings all services together and most people think that SSO is linked to DC, which is wrong. Your proposal will just reinforce this misunderstanding, at least as I perceive it  ;)

Sam Graf

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #38 on: November 10, 2012, 12:10:15 am »
Sorry, I probably wasn't clear. :-[

If the proxy's SSO feature works by design only when Zentyal is a PDC, it seems to me that the UI shouldn't provide users who are not using Zentyal as a domain controller the proxy's SSO option. I was suggesting that maybe the option should be hidden in that case.

I would prefer that the proxy's SSO feature works even if Zentyal isn't being used as a PDC. But the developers seem to be saying that that's not how it's supposed to work, so if that's the case, don't even give me the option to enable a feature that isn't going to work. It just confuses me. That kind of idea. :)


christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #39 on: November 10, 2012, 12:27:52 am »
OK, clearer. I misunderstood your point.
I would like someone from Zentyal team to react and tell us what their solution is supposed to provide.
From a technical standpoint, there is no reason to have SSO only if file sharing is activated. Zentyal brings a Kerberos server and stores all the Kerberos stuff in a standard LDAP server.
Thus if your client (Windows or Ubuntu) implements Kerberos authentication, I don't see why this should not work.
Again, please Zentyal team, add your inputs here  :)
« Last Edit: November 10, 2012, 12:30:11 am by christian »

Sam Graf

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #40 on: November 10, 2012, 07:37:07 pm »
Again, please Zentyal team, add your inputs here  :)

+1

txsastre

  • Zen Monk
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #41 on: November 13, 2012, 08:46:46 am »
Hi there, just a word.

The solution PDC + SSO is not working. Though the ticket said that it was a "configuration error", I reinstalled it from scratch and it still does not work.

PDC Zentyal  -> Windows XP -> SSO Proxy Kerberos enabled (does not work)


christian

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #42 on: November 13, 2012, 09:30:02 am »
Although I didn't try myself, it's confirmed to work by at least one guy from the French section.
One question here: is the user you are testing a member of the admin group?

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #43 on: November 13, 2012, 10:10:11 am »
Quote
If the proxy's SSO feature works by design only when Zentyal is a PDC, it seems to me that the UI shouldn't provide users who are not using Zentyal as a domain controller the proxy's SSO option. I was suggesting that maybe the option should be hidden in that case.

No, but if you have PDC you already have the needed Kerberos ticket. So this makes Windows login straightforward. But PDC is not required; for example, you can log in from Linux with these commands: http://trac.zentyal.org/wiki/Documentation/HTTPProxyKerberosWithLinux and there is no PDC involved.

Samuel (our Kerberos/Samba expert) told me that the equivalent Windows clients don't work as expected, so we cannot give a Windows equivalent of this procedure.

Javier Amor Garcia

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #44 on: November 13, 2012, 10:16:55 am »
As for the 'admin group' bug, we will look into it shortly.