Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: gilbertonunes on May 25, 2010, 09:31:50 pm

Title: windows integrated authentication
Post by: gilbertonunes on May 25, 2010, 09:31:50 pm
Hi... How can I enable Windows integrated authentication???

I mean that my network users surf the web without being asked for a user/password....

Is it possible???


Thanks
Title: Re: windows integrated authentication
Post by: gilbertonunes on May 26, 2010, 03:48:44 pm
Nobody?
Title: Re: windows integrated authentication
Post by: toolman1967 on May 27, 2010, 03:55:59 am
Quote from: gilbertonunes on May 25, 2010, 09:31:50 pm
Hi... How can I enable Windows integrated authentication???

I mean that my network users surf the web without being asked for a user/password....

Is it possible???


Thanks
What Windows software are you using?
Title: Re: windows integrated authentication
Post by: christian on May 27, 2010, 08:06:19 am
Quote from: gilbertonunes on May 25, 2010, 09:31:50 pm
I mean that my network users surf the web without being asked for a user/password....

What you are asking for is basically SSO, standing for Single Sign-On.
This feature relies on potentially multiple different implementations and there is no standard or RFC.

Preliminary question is: do you really need users to authenticate while using HTTP proxy? (which would mean you need some kind of profiling with different rules).

Then SSO is quite often achieved using Kerberos or a Kerberos-like mechanism.
Squid should be able to implement Kerberos
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/

but I don't see anything about Kerberos in eBox, although it's the standard authentication mechanism for Windows when not implementing the "pre win 2000" authentication mechanism (NTLM).

All the above obviously means that Samba as implemented in eBox is configured with Kerberos
https://help.ubuntu.com/community/Samba/Kerberos

leading to the conclusion that the Kerberos implementation must be one supporting LDAP as a back-end (MIT Kerberos is able to do this).
https://help.ubuntu.com/9.04/serverguide/C/kerberos-ldap.html

Does it help?

Notice that once this is achieved, it could be used for other services like mail  8)
Title: Re: windows integrated authentication
Post by: jsalamero on June 02, 2010, 10:24:38 pm
It's unlikely that Kerberos will be implemented until Samba 4 (still in upstream development) is included in eBox.
Title: Re: windows integrated authentication
Post by: jquintao on June 03, 2010, 01:10:48 pm
Hi,

I'm using eBox with NTLM authentication... To do this, you need:

1) edit the file /usr/share/ebox/stubs/squid/squid.conf.mas and change the lines:

auth_param basic realm eBox HTTP proxy
auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b  ou=Users,<% $dn %>  -u uid  -h ldap://127.0.0.1:<% $ldapport %>

acl authorized  proxy_auth required

To:

#auth_param basic realm eBox HTTP proxy
#auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b  ou=Users,<% $dn %>  -u uid  -h ldap://127.0.0.1:<% $ldapport %>
auth_param ntlm program /usr/lib/squid/ntlm_auth -b -d domain.local/server_name
auth_param ntlm children 50

acl authorized  proxy_auth required

Where your domain is "domain.local" and your server name is "server_name"... If necessary, add "server_name" to your /etc/hosts file...

- after that, run /etc/init.d/ebox squid restart to generate the /etc/squid.conf file and restart squid....

2) log on at your Windows desktop against your Windows Server Active Directory and open Firefox or Internet Explorer with the proxy turned on...

After these 2 steps, the users can connect without entering a user and password... Try whether this works for you... If it works I can send you more tips to fix the problems with logs and suggest some things to create different groups...
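An added example, not from this thread and not part of eBox/Zentyal: a small Python checker that reads the auth_param/acl section of a squid.conf (here a constructed sample modelled on the snippet above, with the basic-auth lines commented out as in the post) the way Squid's parser treats comments, and reports the mistakes that most often break NTLM single sign-on: no active scheme, a scheme without a helper program, no children count, basic declared ahead of ntlm (Squid offers schemes in declaration order and some browsers take the first one offered), and no acl using proxy_auth. The domain/server check on the helper arguments is an assumption about the positional argument of the Squid 2.x ntlm_auth helper; the constructed BAD_CONF is there only to show the findings.

```python
import re

# Constructed sample modelled on the snippet in the post above: the basic-auth
# lines are commented out and only the NTLM helper is active.
SAMPLE_CONF = """\
#auth_param basic realm eBox HTTP proxy
#auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b ou=Users,dc=domain,dc=local -u uid -h ldap://127.0.0.1:389
auth_param ntlm program /usr/lib/squid/ntlm_auth -b -d domain.local/server_name
auth_param ntlm children 50

acl authorized proxy_auth required
http_access allow authorized
"""

# Constructed counter-example: basic left active ahead of ntlm, no children
# count, and no acl that actually demands proxy authentication.
BAD_CONF = """\
auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b ou=Users,dc=domain,dc=local -u uid -h ldap://127.0.0.1:389
auth_param ntlm program /usr/lib/squid/ntlm_auth -b -d domain.local/server_name
"""


def parse_auth_config(text):
    """Return (schemes in declaration order, {scheme: {param: [values]}}, acl names using proxy_auth)."""
    schemes, params, acls = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in squid.conf
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "auth_param" and len(tokens) >= 3:
            scheme, key, values = tokens[1], tokens[2], tokens[3:]
            if scheme not in params:  # first mention fixes the scheme's position
                schemes.append(scheme)
                params[scheme] = {}
            params[scheme][key] = values
        elif tokens[0] == "acl" and len(tokens) >= 3 and tokens[2] == "proxy_auth":
            acls.append(tokens[1])
    return schemes, params, acls


def check_sso_config(schemes, params, acls):
    """Return a list of findings; an empty list means the NTLM SSO setup is consistent."""
    findings = []
    if not schemes:
        findings.append("no active auth_param directive: every auth line is commented out")
    for scheme in schemes:
        if "program" not in params[scheme]:
            findings.append(f"{scheme}: no helper program configured")
    if "ntlm" in schemes:
        if "children" not in params["ntlm"]:
            findings.append("ntlm: 'children' not set; every NTLM handshake occupies a helper, so size the pool explicitly")
        args = params["ntlm"].get("program", [])[1:]
        # Assumption: the Squid 2.x ntlm_auth helper takes a positional domain/server argument.
        if not any(re.fullmatch(r"[^/\s]+/[^/\s]+", a) for a in args):
            findings.append("ntlm: helper arguments contain no domain/server pair")
    if "basic" in schemes and "ntlm" in schemes and schemes.index("basic") < schemes.index("ntlm"):
        findings.append("basic declared before ntlm: Squid offers schemes in declaration order and some "
                        "browsers take the first one, so users get a password prompt instead of SSO")
    if not acls:
        findings.append("no acl uses proxy_auth, so Squid never sends a 407 challenge and nobody is authenticated")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("bad", BAD_CONF)):
        findings = check_sso_config(*parse_auth_config(conf))
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the rendered /etc/squid.conf rather than the Mason stub, since the `<% ... %>` placeholders are only expanded when eBox regenerates the file.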

Title: Re: windows integrated authentication
Post by: peps on September 30, 2010, 12:36:37 pm
Hello.
Sorry for replying to this old topic, but it seems you are the only one who succeeded in setting up NTLM authentication with Zentyal.

I did what you wrote but the result is strange: the browser does not ask for credentials but it does not browse.

What can be the problem? Maybe the domain name?

The following are my settings:
Base DN:       dc=studio,dc=local
Domain name:   studio.local
Netbios name:     Server01
Search Domain: studio.local
Hostname: Server01

These are the lines I modified:
# <EBOX> TAG_ACL #
#auth_param basic realm Zentyal HTTP proxy
#auth_param basic program /usr/lib/squid/ldap_auth -v 3 -b  ou=Users,<% $dn %> $
auth_param ntlm program /usr/lib/squid/ntlm_auth -b -d studio.local/Server01
auth_param ntlm children 50
acl authorized  proxy_auth required

When I restart squid I have the following error:
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/HTML/Mason/Component/Subcomponent.pm line 34.

Thanks in advance. ;)
Title: Re: windows integrated authentication
Post by: peps on September 30, 2010, 02:27:32 pm
If I do a Wireshark check I find this error:

HTTP/1.0 407 Proxy Authentication Required
Server: squid/2.7.STABLE7
Date: Thu, 30 Sep 2010 12:22:25 GMT
Content-Type: text/html
Content-Length: 1243
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Proxy-Authenticate: NTLM
X-Cache: MISS from localhost
X-Cache-Lookup: NONE from localhost:3128
Via: 1.0 localhost:3128 (squid/2.7.STABLE7)
Connection: close


please help  ???
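An added example, not from this thread: a Python function that parses a raw 407 response like the capture above (reproduced here as a constructed byte string) and says which stage of the NTLM exchange it belongs to. A bare `Proxy-Authenticate: NTLM` with no token is the initial challenge that every client receives before it sends its type 1 message, so one 407 in a trace is not by itself an error; a type 2 challenge carries a base64 NTLMSSP token, and because NTLM binds the handshake to the TCP connection, a type 2 sent with `Connection: close` cannot be completed. The second response, SAMPLE_TYPE2_407, is constructed to show that failure case; its token is a zero-filled stand-in, not a real challenge.

```python
import base64

# Constructed sample: the 407 captured in the post above, as raw bytes.
SAMPLE_407 = (
    b"HTTP/1.0 407 Proxy Authentication Required\r\n"
    b"Server: squid/2.7.STABLE7\r\n"
    b"Date: Thu, 30 Sep 2010 12:22:25 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 1243\r\n"
    b"X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"X-Cache: MISS from localhost\r\n"
    b"X-Cache-Lookup: NONE from localhost:3128\r\n"
    b"Via: 1.0 localhost:3128 (squid/2.7.STABLE7)\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed sample of a type 2 challenge: NTLMSSP signature, message type 2,
# then zero-filled fields (enough for the stage check, not a real token).
TYPE2_TOKEN = base64.b64encode(b"NTLMSSP\x00\x02\x00\x00\x00" + b"\x00" * 24)
SAMPLE_TYPE2_407 = (
    b"HTTP/1.0 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: NTLM " + TYPE2_TOKEN + b"\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_response_head(raw):
    """Split a raw HTTP response into (status code, [(lower-cased name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    _version, status, _reason = status_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status), headers


def classify_challenge(raw):
    """Describe where in the NTLM exchange a captured proxy response sits."""
    status, headers = parse_response_head(raw)
    result = {"status": status, "schemes": [], "stage": None, "problems": []}
    if status != 407:
        result["stage"] = "not a proxy authentication challenge"
        return result
    offers = [v for n, v in headers if n == "proxy-authenticate"]
    result["schemes"] = [o.split(None, 1)[0] for o in offers]
    result["stage"] = "initial challenge (client should now send a type 1 token)"
    if not offers:
        result["problems"].append("407 without any Proxy-Authenticate header")
    for offer in offers:
        parts = offer.split(None, 1)
        if parts[0].upper() != "NTLM" or len(parts) == 1:
            continue  # bare scheme name: first leg of the handshake
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            result["problems"].append("NTLM token is not valid base64")
            continue
        if blob.startswith(b"NTLMSSP\x00\x02\x00\x00\x00"):
            result["stage"] = "type 2 challenge (client should now send a type 3 token)"
            connection = dict(headers).get("connection", "").lower()
            if "close" in connection:
                result["problems"].append(
                    "type 2 challenge sent with Connection: close; NTLM binds the handshake "
                    "to the TCP connection, so the client cannot finish it")
    return result


if __name__ == "__main__":
    for raw in (SAMPLE_407, SAMPLE_TYPE2_407):
        print(classify_challenge(raw))
```

For the capture above this reports the initial challenge with no problems, so the next thing to look at in the trace is whether the browser ever answers with a `Proxy-Authorization: NTLM ...` request and what Squid returns to that.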