Author Topic: http-proxy SSO (single sign on) zentyal 3.0 - problem  (Read 22208 times)

Sam Graf

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #60 on: February 27, 2013, 01:59:05 pm »
Luck! Please keep us posted!

txsastre

  • Zen Monk
  • Posts: 75
  • Karma: +4/-0
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #61 on: February 28, 2013, 11:02:58 am »
Quote
Luck! Please keep us posted!

Thanks! Gonna try first with a small office, 10 users more or less. :)

quimguito

  • Zen Apprentice
  • Posts: 3
  • Karma: +0/-0
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #62 on: April 27, 2013, 08:33:32 pm »
Hello, I'm having the same problem with Zentyal as an additional domain controller of a Windows 2008 R2 AD;
if I enable SSO in the proxy, IE keeps asking for a password and rejects it.

Any news on this subject?

thorsten

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #63 on: July 04, 2013, 08:17:55 am »
OK, I need help, too, please:

I do not get SSO on http-proxy to work. From the Zentyal point - I installed / enabled the proxy using SSO, on the client side (Windows 7 / Firefox or IE), the computer itself joined the domain and a valid user is logged in (me).

Setting up the proxy in FF gives a cache access error (deny). OK, if I now switch the proxy to non-SSO mode on the Zentyal side (keeping the same proxy server settings in the FF client) the browser asks me for user name / password. After correct entry I can browse the internet as expected, group rules and filters as defined in squid are applied as expected. Consequently, proxy settings in FF are correct and squid proxy works, aren't they?

IE behaves differently with the same settings: It always opens the password box (regardless of whether SSO is turned on or not), but correct entry allows browsing just if SSO is turned off. If turned on, IE does not accept my user name and password.

Now using SSH, I signed on to the Zentyal server and created a ticket for the user by
Code:
kinit
Code:
klist
Everything seems to be fine.

So what is my error, what do I do wrong???

Thanks and best regards
Thorsten

jbahillo

  • Zentyal Staff
  • Zen Hero
  • Posts: 1444
  • Karma: +77/-2
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #64 on: July 04, 2013, 11:41:35 am »
Make sure that:

DNS SRV entries for kerberos exist and point to the right IP and port
Workstation is time synced (less than 1 minute skew)  with the server

thorsten

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #65 on: July 05, 2013, 11:49:10 am »
How do I do that, where can I find the required info?
THX
Thorsten

jbahillo

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #66 on: July 05, 2013, 11:56:55 am »
Hello:

I would first check with a dig SRV _kerberos._tcp.your.domain.lan. You should check the same with an nslookup search of the same kind (you will find several resources on the net on how to perform an SRV request with nslookup) from the workstations.

Finally, check the date/time by running "date" on both the server and the workstation at the same time, and compare the clock skew; as I have said, it is mandatory that it is less than one minute. If needed, you will find thousands of resources on the net on how to sync a workstation's time/date with an NTP server (Zentyal, for instance), depending on the OS your workstation is using.


thorsten

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #67 on: July 07, 2013, 03:11:45 pm »
Hi,

Time: Windows client uses Zentyal NTP server for regular update, time difference is < 1 sec

On the Zentyal server:
Quote
dig SRV _kerberos._tcp.ebbinghaus.dyndns.org

; <<>> DiG 9.8.1-P1 <<>> SRV _kerberos._tcp.ebbinghaus.dyndns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56688
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;_kerberos._tcp.ebbinghaus.dyndns.org. IN SRV

;; ANSWER SECTION:
_kerberos._tcp.ebbinghaus.dyndns.org. 900 IN SRV 0 100 88 ebb-s01.ebbinghaus.dyndns.org.

;; AUTHORITY SECTION:
ebbinghaus.dyndns.org.  900     IN      NS      ebb-s01.ebbinghaus.dyndns.org.

;; ADDITIONAL SECTION:
ebb-s01.ebbinghaus.dyndns.org. 259200 IN A      172.17.0.100
ebb-s01.ebbinghaus.dyndns.org. 900 IN   AAAA    ::1

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul  7 14:59:25 2013
;; MSG SIZE  rcvd: 161

On the windows client (CMD):
Quote
> nslookup
Server:  Ebb-S01.ebbinghaus.dyndns.org
Address:  172.17.0.100

Nicht autorisierende Antwort:
Name:    nslookup.dyndns.org
Address:  174.103.214.119

Is this correct?

Thanks,
Thorsten

jbahillo

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #68 on: July 08, 2013, 03:18:36 pm »
Are you using nslookup.dyndns.org as the dns for the server? That DNS answers to a public IP...does not sound too good for me...

Moreover in the nslookup I can't see that you are looking for SRV records, just A ones...

thorsten

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #69 on: July 08, 2013, 09:54:55 pm »
Sorry,

I did not know how to use the nslookup command on Windows, so forget about nslookup.dyndns.org - this is not correct.
The output on the windows client is:

Quote
C:\>nslookup -type=SRV _ldap._tcp.ebbinghaus.dyndns.org
Server:  Ebb-S01.ebbinghaus.dyndns.org
Address:  172.17.0.100

_ldap._tcp.ebbinghaus.dyndns.org        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ebb-s01.ebbinghaus.dyndns.org
ebbinghaus.dyndns.org   nameserver = ebb-s01.ebbinghaus.dyndns.org
ebb-s01.ebbinghaus.dyndns.org   internet address = 172.17.0.100
ebb-s01.ebbinghaus.dyndns.org   AAAA IPv6 address = ::1

C:\>


Thanks
Thorsten

jbahillo

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #70 on: July 08, 2013, 10:06:22 pm »
And for Kerberos instead of LDAP?

thorsten

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #71 on: July 08, 2013, 10:36:26 pm »
Quote
C:\>nslookup -type=SRV _kerberos._tcp.ebbinghaus.dyndns.org
Server:  Ebb-S01.ebbinghaus.dyndns.org
Address:  172.17.0.100

_kerberos._tcp.ebbinghaus.dyndns.org    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ebb-s01.ebbinghaus.dyndns.org
ebbinghaus.dyndns.org   nameserver = ebb-s01.ebbinghaus.dyndns.org
ebb-s01.ebbinghaus.dyndns.org   internet address = 172.17.0.100
ebb-s01.ebbinghaus.dyndns.org   AAAA IPv6 address = ::1

jbahillo

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #72 on: July 09, 2013, 12:16:05 pm »
This seems to be ok, nevertheless I would take care about that caps

Ebb-S01.ebbinghaus.dyndns.org
vs
ebb-s01.ebbinghaus.dyndns.org


as kerberos is case sensitive (just in case)
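
Added example, not part of any post in this thread: shell functions for the checks suggested in replies #66 and #72 (a Kerberos SRV record on port 88, clock skew within the one-minute limit stated above, and host names that differ only in letter case). The function names are hypothetical, and the sample record and timestamps are constructed from the output quoted earlier.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, sample data is constructed.
MAX_SKEW=60   # seconds: the one-minute limit stated in the thread

# Validate `dig +short SRV _kerberos._tcp.<domain>` output read from stdin.
# Each line is "priority weight port target."; the targets are printed.
# Fails when there is no record or a record uses a port other than 88.
check_kerberos_srv() {
    awk 'NF == 4 { n++; if ($3 != 88) bad = 1; sub(/\.$/, "", $4); print $4 }
         END     { exit ((n == 0 || bad) ? 1 : 0) }'
}

# Absolute difference between two epoch timestamps (`date +%s` on each host).
clock_skew() {
    _d=$(( $1 - $2 ))
    echo "${_d#-}"
}

# Succeeds when the two clocks are within MAX_SKEW seconds of each other.
skew_ok() { [ "$(clock_skew "$1" "$2")" -le "$MAX_SKEW" ]; }

_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Succeeds when two host names match except for letter case.
case_differs() {
    [ "$1" != "$2" ] && [ "$(_lower "$1")" = "$(_lower "$2")" ]
}

# Constructed sample: the SRV answer from the thread in `dig +short` form.
sample='0 100 88 ebb-s01.ebbinghaus.dyndns.org.'
if target=$(printf '%s\n' "$sample" | check_kerberos_srv); then
    echo "SRV ok, KDC host: $target"
    if case_differs "Ebb-S01.ebbinghaus.dyndns.org" "$target"; then
        echo "note: resolver name and SRV target differ only in case"
    fi
fi
# Constructed timestamps: server and workstation 65 seconds apart.
skew_ok 1373201965 1373201900 || echo "clock skew above ${MAX_SKEW}s"
```

On a live system, pipe `dig +short SRV _kerberos._tcp.your.domain.lan` into `check_kerberos_srv` and pass the two hosts' `date +%s` values to `skew_ok`.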

thorsten

  • Guest
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #73 on: July 09, 2013, 02:05:22 pm »
OK,

where do I need to change what?

Firefox proxy seems to be OK, as proxy requests are processed.
srv hostname is the same in both cases (client / server)

Just the client output reads (first line, Server:) "Ebb-S01.ebbinghaus.dyndns.org", can this be changed?

THX
Thorsten

jbahillo

  • Zentyal Staff
  • Zen Hero
Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
« Reply #74 on: July 09, 2013, 02:52:21 pm »
Could you please show your browser proxy settings?