Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: txsastre on September 14, 2012, 11:40:55 am

Title: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on September 14, 2012, 11:40:55 am
Hi there, I'm testing zentyal 3.0 final

I'm testing http-proxy, and everything I tried works fine, except the SSO: when I activate it, it does not work as it should. In fact it does not use any ACL, only the "any" that is set to "deny", so they cannot navigate anywhere.

The client machines were Win XP, logged to the zentyal domain.

Do I need to install anything else on the server or client desktops ?

thank you.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on September 15, 2012, 09:22:31 pm
Maybe you can help me understand how this is supposed to work, txsastre.

The proxy is not transparent. I don't have Samba installed so there is no domain. (And even if I did have Samba installed, I am testing 3.0 from a Windows 7 Starter netbook so could not join a domain anyway.)

I can authenticate fine (over and over, of course) and browse according to the access rules fine until I activate SSO. At that point I cannot authenticate at all, and that is the end of the road.

This seems to me not how it ought to work, but my ignorance could be the problem. :-[
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on September 17, 2012, 08:49:23 am
Maybe you can help me understand how this is supposed to work, txsastre.

The proxy is not transparent. I don't have Samba installed so there is no domain. (And even if I did have Samba installed, I am testing 3.0 from a Windows 7 Starter netbook so could not join a domain anyway.)

I can authenticate fine (over and over, of course) and browse according to the access rules fine until I activate SSO. At that point I cannot authenticate at all, and that is the end of the road.

This seems to me not how it ought to work, but my ignorance could be the problem. :-[

Hi Sam.

Well my test is slightly different, because I've created a domain, so my Windows XP machines are in it. So when they start and log in to the domain, I thought that the SSO should "catch" user and password credentials so when I open the navigator (Firefox, Internet Explorer) my user should have access to where I set in the proxy configurations. But it does not work; as I can see in the proxy log, there is no "user", only a "-" (and sometimes nothing at all). And that's how I suppose the SSO should work, maybe I am wrong after all.

It only works if I disable the SSO option in the proxy, but, I have to write again user and password when the navigator opens.

By the way I think that if you use SSO and then try to connect with a machine or user that is not in the domain, it should use the last rule in the proxy settings, or maybe you can add a rule for "guests". But that's only my guess.

Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on September 17, 2012, 09:28:14 am
If I understand your explanation well, it looks like there is no "link" between authentication and authorization.
BTW I'm going to discuss this during the summit: the right sequence, following IAA logic, is to Identify, Authenticate, then Authorize. This supposes that the authorization back-end is able to maintain the relationship established at the authentication step. When everything is done in LDAP, this is pretty easy (one single protocol, one single repository) but with Kerberos, it requires extra attention.
Perhaps Zentyal dev team could explain to us what they do here  ???
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on September 17, 2012, 01:59:48 pm
Thanks for the perspective, txsastre. There is at least one ticket (http://trac.zentyal.org/ticket/5097) describing the problem (in the case of a domain-attached computer), so I'm sure things will get cleared up eventually. The possibility that a machine must join the domain for the proxy to work as hoped (with SSO) concerns me, especially in the case where the file sharing module is not needed or wanted.

Sounds like an interesting discussion, christian. It's good that there are members of the community who have an in-depth understanding of such things. :)
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on September 17, 2012, 02:09:08 pm
Ok, I've read the ticket and it is exactly what's happening.

I will keep an eye on it. Hope it gets solved soon.

Thanks !
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on September 17, 2012, 02:26:56 pm
I'm matching what Sam describes: no domain (I don't like the idea of having shared files on server acting as internet gateway) but proxy. I could obviously deploy another internal Zentyal server for file sharing (BTW, I also would like this server to be my MDA if I'm obliged to maintain 2 Zentyal servers) but with such design, I don't understand yet how all this stuff is going to interact, especially regarding authentication (Kerberos) and authorization (LDAP).

If goal is "only" to replace Win server, then current design makes sense, however not all users want to have their infrastructure designed like if done by MCSE  :P
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on October 27, 2012, 02:22:26 am
See that the ticket (http://trac.zentyal.org/ticket/5097) is closed and that the fix was pending the release of an updated proxy module. Just updated to HTTP Proxy 3.0.1 and am not yet able to use SSO at all. The only way I can authenticate from a Windows 7 machine is with the proxy's SSO feature disabled.

Perhaps I'm missing something?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on October 29, 2012, 09:15:52 am
hi there. I've updated to 3.0.1 and got the same results :( also added the problem to the ticket. And asked to re-open it.

http://trac.zentyal.org/ticket/5097#comment:7
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on October 29, 2012, 01:23:12 pm
...the same results...

So your scenario is still Windows XP machines joined to the domain and proxy SSO is still not working? Since I'm uncertain if the developers intend for the proxy SSO feature to work in conjunction with Samba, I'm not sure how to properly test the feature.

In my case, Samba isn't installed so there is no domain. Further, my Windows test machine is running Windows 7 Starter (a netbook) so can't join a domain. It may be that the proxy's SSO feature simply can't work under my test setup.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on October 30, 2012, 09:16:47 am
yes, my scenario is very simple.

1 server zentyal Domain, and a few XP client in this domain.

When I log into the domain, I can see the shared folders and only access where I have permissions, but when I open the browser (configured to use the proxy, with SSO enabled) it does not work.

I have only 3 rules, 1 users, 1 admins

When I disable SSO, when I open the navigator it asks me for a user / password and it works ok. But when I enable SSO, it does not work, it always shows me an error "access denied to cache".

so, if I see the log file I can see that there is no user name given, so I can assume the proxy does not know who is trying to access, so it denies everything.

Data                              Amfitrió                       Usuari      Adreça URL     ...
2012-10-30 09:22:50    192.168.200.230        -         http://safebrowsing.clients.google.com/s...
Title: SSO proxy, how does it works ?
Post by: txsastre on November 02, 2012, 02:23:55 pm
Hi there.

I've been testing a lot the proxy and I think that it should work, it does not work.

as I've explained here
http://forum.zentyal.org/index.php/topic,12010.msg52630.html#msg52630

domain samba, and machines XP properly configured, assigned groups to the proxy and enabled SSO in proxy.

Once the users are logged in to the domain, the proxy always denies me: "access to object http://www.google.es/search? denied without permission". When I look at the log, I can see that there is no user trying to access, only a "-" where the user should be.

If I disable the SSO it asks me user and name and it works, and also I can see it in the log

Should it be working as I'm expecting, or maybe it is not designed this way?

Thank you.
Title: Re: SSO proxy, how does it works ?
Post by: christian on November 02, 2012, 02:30:52 pm
but why do you create new topic to discuss further the existing one  ::)
Title: Re: SSO proxy, how does it works ?
Post by: txsastre on November 02, 2012, 02:58:39 pm
ok, my fault

You can merge/delete it if you want.

but the question is still the same.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 02, 2012, 02:59:57 pm
It would be nice to have some definitive clarification on how the Zentyal feature set is intended to work.
I understand completely the potential validity of a tracker comment like "I close this since it seems to be a configuration/operation problem," but if there is confusion out here about how the feature is supposed to work, the effectiveness of a bug hunt is reduced. So a little clarification would make it more likely that our expectations of the feature are correct, helping us to decide if Zentyal's very reproducible behavior in this case is a feature or a bug.
Title: Re: SSO proxy, how does it works ?
Post by: Sam Graf on November 02, 2012, 03:08:29 pm
It might be better to have everything in one topic. On the other hand, we have two very different test cases going on, one where Zentyal is a PDC and client machines are successfully joining the domain, another where Zentyal is not a PDC and/or a machine is not joining a domain. So maybe these are two different topics. If I understood better how the proxy's SSO was supposed to work, we might be able to get down to one test case, and then for sure one topic.
Title: Re: SSO proxy, how does it works ?
Post by: christian on November 02, 2012, 03:21:50 pm
I'll be prone to merge because this is really the same question from same user.
I also think (am I wrong here) that Kerberos authentication is not dependent on PDC (while the opposite is not true).

Back on technical discussion: the point here is that I suppose there is something wrong with DansGuardian sandwich design (you know this DG embedded between 2 Squid slices in order to support Kerberos  ;))
There is quite a lot of discussion around in this forum about:
- Proxy not supporting both SSO and group based profiling
- why 2 squid servers

that are all linked, for what I believe, to this "sandwich" design. I'm expecting Zentyal to provide some technical explanation because I don't want to do the reverse-engineering myself. Too lazy and fed up  :-[

More details (but no answer) here (http://contentfilter.futuragts.com/wiki/doku.php?id=user_identification_methods&DokuWiki=899035c71284a30c5ce2398b9d6648ab).
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 02, 2012, 03:34:37 pm
BTW, despite my laziness, I'm currently looking at DansGuardian and Squid conf and can't find any lookup for LDAP group membership...  ::)
I wonder how this may work. But as I'm not Dansguardian specialist (I know SquidGuard much better) I need to learn a bit more  :-[
Title: Re: SSO proxy, how does it works ?
Post by: Sam Graf on November 02, 2012, 03:41:18 pm
There is quite a lot of discussion around in this forum about:
- Proxy not supporting both SSO and group based profiling
- why 2 squid servers

that are all linked, for what I believe, to this "sandwich" design.

Unfortunately DansGuardian is blocking access to the link you provided ;D . I have to have a look later.

What is the difference in the authentication mechanisms between SSO authentication and "regular" authentication, when SSO is not enabled? The former seems broken, while the latter works.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 02, 2012, 03:44:31 pm
I suppose (although I didn't try) that both are working but when SSO is enabled, then you can't set up any group based profiling.
The main difference is that DansGuardian does NOT support Kerberos. Because of this, it requires a specific implementation with one proxy (Squid) before DG and another one after.
The "front-end" proxy will handle Kerberos auth and also provide revert back to back auth when client does not support Kerberos.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 02, 2012, 05:55:26 pm
hum  :-[  looking further, secondary Squid proxy is not used to implement sandwich but cache peer.
I still don't understand why. I'm investigating
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 02, 2012, 06:41:37 pm
Thank you for your help in sorting out the proxy's operation, christian!
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 02, 2012, 06:56:49 pm
does transparent proxy with 3.0 work? I suppose the answer is yes but I can't see any DNAT rule in iptables while Squid is configured with "intercept" directive. Is there something I'm missing?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 02, 2012, 08:26:51 pm
I'm now away from the office and my test machine but working from memory. But I can say for sure that yes, transparent proxy works. I have tested the captive portal (which seems also to be broken when it comes to user groups--coincidence?) using only transparent proxy.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 03, 2012, 12:24:33 pm
Discussing similar issue in the French section, it looks like group based access control (with SSO) works but might be tricky if user is also member of group that is not authorized. I try to investigate this further in French section and will publish my feedback and understanding here.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 03, 2012, 03:28:51 pm
Interesting. My test machine isn't here or I'd experiment with that idea. Thank you for keeping us informed on the French forum discussion.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 03, 2012, 03:41:49 pm
We do progress on this (well not me because I don't have the right environment yet but this French guy made a pretty good test-bed and study)
Current conclusion is that if user is member of "domain admin" group, then HTTP proxy rules do not apply anymore...  ???
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 04, 2012, 06:42:07 pm
If I'm understanding correctly, the work in the French forum is providing a clue in the case where Zentyal is a PDC, correct? Is this a fixable situation?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Javier Amor Garcia on November 05, 2012, 09:07:11 am
Hello,

I have reviewed the code and I see that we made a mistake: we allow having both Kerberos authorization AND transparent mode checked.

They don't work together. Maybe it is your problem?

In that case disable transparent mode in Zentyal. In the Windows client log in within the domain, configure the browser to use the Zentyal proxy and try again. If you are using a Linux client follow these instructions: http://trac.zentyal.org/wiki/Documentation/HTTPProxyKerberosWithLinux

If you are not using transparent proxy and you have correctly logged in to the domain, there can be a bug. We will review the process with the Windows client shortly.

Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Javier Amor Garcia on November 05, 2012, 09:30:19 am
Sorry Christian, I misread your post, we will look  also to the group membership you report
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 05, 2012, 01:59:06 pm
If you are not using transparent proxy and your have correctly logged in the domain, there can be a bug.

Does this mean that the proxy's SSO will not work if Zentyal is not a PDC?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 05, 2012, 02:02:49 pm
Now that I understand that 2 Kerberos servers run in parallel, I wonder whether this could have introduced some unexpected behaviour  ::)
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on November 09, 2012, 09:11:53 am
If you are not using transparent proxy and your have correctly logged in the domain, there can be a bug.

Does this mean that the proxy's SSO will not work if Zentyal is not a PDC?

I think so, you need something to authenticate the users (ldap, active directory...)
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on November 09, 2012, 09:16:03 am
Hello,

I have reviewed the code and I see that we made a mistake: we allow having both Kerberos authorization AND transparent mode checked.

They don't work together. Maybe it is your problem?

In that case disable transparent mode in Zentyal. In the Windows client log in within the domain, configure the browser to use the Zentyal proxy and try again. If you are using a Linux client follow these instructions: http://trac.zentyal.org/wiki/Documentation/HTTPProxyKerberosWithLinux

If you are not using transparent proxy and you have correctly logged in to the domain, there can be a bug. We will review the process with the Windows client shortly.

Thanks for reviewing this feature, that's what I supposed, that there was a bug there.

please keep us informed about this modification. I'm waiting for this working as expected to put a zentyal as a proxy on the production LAN and make a "lot of fun" to my users  ;D

Thank you
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 09, 2012, 10:26:47 am
If you are not using transparent proxy and your have correctly logged in the domain, there can be a bug.

Does this mean that the proxy's SSO will not work if Zentyal is not a PDC?

I think so, you need something to authenticate the users (ldap, active directory...)

 :o sure but why Windows DC ? can't you, e.g. authenticate against, as you wrote LDAP (no DC here) or even Kerberos server (again no DC here).
I really would like Zentyal to clarify their strategy here. Do they expect design to be Microsoft centric only (in such case authentication will be against DC emulation only) or is it something more flexible ?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on November 09, 2012, 08:10:53 pm
:o sure but why Windows DC ? can't you, e.g. authenticate against, as you wrote LDAP (no DC here) or even Kerberos server (again no DC here).
I really would like Zentyal to clarify their strategy here. Do they expect design to be Microsoft centric only (in such case authentication will be against DC emulation only) or is it something more flexible ?

nice question, but it has to be answered by Zentyal staff :/
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 09, 2012, 10:25:34 pm
I think so, you need something to authenticate the users (ldap, active directory...)

In that case, do you think it would be a good idea for Zentyal to expose the proxy's SSO feature only in the case where Zentyal is a PDC? It seems to me too confusing the way it is for those of us who may not have Zentyal set up for file sharing/domain control, but maybe I'm just not understanding something.

I'd be glad to make that suggestion to the developers if that makes sense.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 09, 2012, 11:56:05 pm
Sam, as far as I'm concerned, I would vote "against" what you suggest.
I do understand your willingness to make things as simple as possible but as a result your approach will end up to "Kerberos for Microsoft users only".

Either your strategy is to go for the Microsoft world only, and in such case it makes sense, or you accept that other "non Microsoft" IT landscapes exist, and then I don't understand why you would suggest not letting them use a Kerberos server.

Things are confusing today because a Microsoft DC brings all services together and most people think that SSO is linked to the DC, which is wrong. Your proposal will just reinforce this misunderstanding, at least as I perceive it  ;)
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 10, 2012, 12:10:15 am
Sorry, I probably wasn't clear. :-[

If the proxy's SSO feature works by design only when Zentyal is a PDC, it seems to me that the UI shouldn't provide users who are not using Zentyal as a domain controller the proxy's SSO option. I was suggesting that maybe the option should be hidden in that case.

I would prefer that the proxy's SSO feature works even if Zentyal isn't being used as a PDC. But the developers seem to be saying that that's not how it's supposed to work, so if that's the case, don't even give me the option to enable a feature that isn't going to work. It just confuses me. That kind of idea. :)

Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 10, 2012, 12:27:52 am
OK, clearer. I misunderstood your point.
I would like someone from Zentyal team to react and tell us what their solution is supposed to provide.
From a technical standpoint, there is no reason to have SSO only if file sharing is activated. Zentyal brings a Kerberos server and stores all the Kerberos stuff in a standard LDAP server.
Thus if your client (Windows or Ubuntu) implements Kerberos authentication, I don't see why this should not work.
Again, please Zentyal team, add your inputs here  :)
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 10, 2012, 07:37:07 pm
Again, please Zentyal team, add your inputs here  :)

+1
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on November 13, 2012, 08:46:46 am
hi there, just a word.

The solution PDC + SSO, is not working though the ticket said that it was a "configuration error" I reinstalled it from scratch and still does not work.

PDC Zentyal  -> Windows XP -> SSO Proxy Kerberos enabled (not work)

Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 13, 2012, 09:30:02 am
Although I didn't try myself, it's confirmed to work from at least one guy from French section.
One question here: is user you are testing member of admin group ?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Javier Amor Garcia on November 13, 2012, 10:10:11 am
Quote
If the proxy's SSO feature works by design only when Zentyal is a PDC, it seems to me that the UI shouldn't provide users who are not using Zentyal as a domain controller the proxy's SSO option. I was suggesting that maybe the option should be hidden in that case.

No, but if you have a PDC you already have the needed Kerberos ticket. So this makes Windows login straightforward. But a PDC is not required; for example, you can log in on Linux with these commands: http://trac.zentyal.org/wiki/Documentation/HTTPProxyKerberosWithLinux and there is no PDC involved.

Samuel (our kerberos/samba expert) told me that  the equivalent Windows clients don't work as expected so we cannot give Windows equivalent of this procedure
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Javier Amor Garcia on November 13, 2012, 10:16:55 am
As for the 'admin group' bug, we will look at it shortly.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on November 13, 2012, 01:57:47 pm
No...
Very helpful information. Thank you!
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Javier Amor Garcia on November 13, 2012, 04:59:25 pm
Hello,

we have checked and we could use kerberos with the 'Domain admin' group members. We have used Microsoft Explorer 8 (version 6 does not work in any case for kerberos).

Check that:
- the proxy is not in transparent mode
- the client specifies the proxy with its fully qualified domain name; with the IP it will not work
- clocks are synchronized
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 13, 2012, 05:29:21 pm
This so called "admin group membership" issue is not confirmed by Christophe, however, he solved his problem reinstalling Zentyal with different domain name. Testing further, I think he was able to reproduce this issue reinstalling with previous domain name. I'll come back to him in order to confirm and I'll let you know.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on November 20, 2012, 12:59:04 pm
Cristian : about adms group.

I've created a lot of user and group combinations, none of them works as expected.

Javier Amor
- the client specifies the proxy with its full qualified domain name, with IP it will not work

I didn't know that, I've changed it (zentyal-domain.lan) but still same problems.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 20, 2012, 01:20:22 pm
"zentyal-domain.lan" doesn't look like FQDN but domain name  ::)
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on November 20, 2012, 01:27:23 pm
that's the name
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 20, 2012, 02:28:05 pm
No this is not the name... or at least what you show is not the evidence that the name is correct.
And if name is correct, there is something really weird or I'm totally puzzled  :o

Based on LDAP settings you show, name you are supposed to set in proxy conf is zentyal.zentyal-domain.lan and not zentyal-domain.lan

I also wonder if your file sharing service works as expected: the Netbios name doesn't match the hostname, so Netbios over TCP doesn't work, does it?

This is really strange and I'm like in a dream today.
- This is the second thread which is tightly linked to misunderstanding between host, domain and FQDN
- I already saw in the past this "zentyal-domain.lan" domain naming with "zentyal" as hostname and similar confusion but as far as I remember, this was with another forum member.

I'm very tempted to launch a poll and make some stats: how many Zentyal users are using this very confusing naming convention?
Is it because of default names proposed by Zentyal wizard?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 20, 2012, 02:47:54 pm
I realize you are using default naming convention proposed by Zentyal installation wizard.
What makes things even more confusing is your Netbios name  ::)

I hope Zentyal team will read this thread and potentially change this wizard and/or update documentation to make things clearer, although very few users read the fucking manual.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on November 20, 2012, 02:54:09 pm
yes, I used the default installation name since I was doing tests with beta installations.

I think I haven't changed it, because in beta it was the better option not to touch these things.

Should I do a new installation and set a better name ?

which can you suggest me ? :)
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: christian on November 20, 2012, 03:51:38 pm
For the time being and for testing purpose, just fix settings in your browser in order to use the right proxy (Zentyal) FQDN.
Once this works, you will have time to reinstall if really needed.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: FastLaneJB on December 01, 2012, 12:16:10 pm
Hi,

I'd just like to add that this isn't working at all for me either with SSO; without it, it works fine.

So I've got just 2 rules. Both go through filter groups but I've tried it without. Neither of the rules cover all users so if you don't authenticate properly you won't be able to browse. Transparent proxy is off (I intend to use a GPO to push the proxy settings out if I get this working).

I've got Zentyal running as a Samba 4 domain, Windows 7 clients joined to the domain and Internet Explorer 9 (I've tried Firefox as well). My domain ends with a .local and I've put in the FQDN of the server of zentyal.domain.local and also tried domain.local (Does still point to the Zentyal box so goes to the proxy but doesn't work either).

In fact, because I don't have a rule that works for all users, when I have SSO enabled I still get the username and password box come up. However, entering a valid username and password I get a Banned User error page.

I'd like to point out that Zarafa SSO also doesn't work. For this if I enable it I get a domain login box appear but entering a valid user doesn't work.

I have moved my users from the OU=Users,DC=domain,DC=local area of AD to better apply Group Policies to various users.

Zentyal is fully patched up by doing an apt-get dist-upgrade so it should be fully current at the time of writing.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: richie1985 on January 02, 2013, 09:18:03 am
are there any news? still doesn't work on my site, with the same problem (sso, fqdn proxy)

please help
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: richie1985 on January 02, 2013, 09:28:57 am
okay i found the issue, internet explorer 6 wont work!
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on February 26, 2013, 12:32:28 pm
Hi there.

after a few months out, I tried again to use zentyal + sso + proxy, but once again without any luck.

scenario : 1 server zentyal (2 netcards) + windows XP desktops (using firefox 19)

everything works perfect, login into domain and accessing to shared folders, but when I try to set the rules to the proxy/dansguard it does not work with SSO activated.

my domain is incatest.lan, my server zentyal2013.incatest.lan; I've tried both in the Firefox proxy configuration, but it gives me the same error, that I am unable to navigate through the proxy.

I assume that something is working correctly, because when I enable the rule "allow everyone" in the proxy it works, but when I disable it, it does not work (which is correct). It seems that the group the user belongs to is not recognized.

When using only a group that is allowed to navigate, the proxy show me that it does not accept connections, the same as if I deny everyone. "cache access denied"

can anybody help me ?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on February 27, 2013, 09:28:24 am
hi there. at last ! :)

I've changed the server proxy name to lowercase in the Firefox proxy configuration, and now it works :)

really happy now !

going to test "categorized list" :)

so today begins my transition from W2003 AD, W2003 file server to zentyal solution, (plus proxy+content filtering server)  wish me luck !
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: Sam Graf on February 27, 2013, 01:59:05 pm
Luck! Please keep us posted!
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: txsastre on February 28, 2013, 11:02:58 am
Luck! Please keep us posted!

Thanks! gonna try first with a small office, 10 users more or less. :)
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: quimguito on April 27, 2013, 08:33:32 pm
Hello, I'm having the same problem with Zentyal as an additional domain controller of a Windows 2008 R2 AD;
if I enable SSO in the proxy, IE keeps asking for a password and rejects it.

Any news in this subject?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: thorsten on July 04, 2013, 08:17:55 am
OK, I need help, too, please:

I do not get SSO on http-proxy to work. From the Zentyal point - I installed / enabled the proxy using SSO, on the client side (Windows 7 / Firefox or IE), the computer itself joined the domain and a valid user is logged in (me).

Setting up the proxy in FF gives a cache access error (deny). OK, if I now switch the proxy to non-SSO mode on the Zentyal side (keeping the same proxy server settings in the FF client) the browser asks me for user name / password. After correct entry I can browse the internet as expected, and group rules and filters as defined in squid are applied as expected. Consequently, the proxy settings in FF are correct and the squid proxy works, aren't they?

IE behaves differently with the same settings: it always opens the password box (regardless of whether SSO is turned on or not) but correct entry allows browsing only if SSO is turned off. If turned on, IE does not accept my user name and password.

Now using SSH, I signed on to the Zentyal server and created a ticket for the user with

    kinit
    klist

Everything seems to be fine.

So what is my error, what do I do wrong???

Thanks and best regards
Thorsten
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: jbahillo on July 04, 2013, 11:41:35 am
Make sure that:

- DNS SRV entries for Kerberos exist and point to the right IP and port
- The workstation is time synced (less than 1 minute skew) with the server
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: thorsten on July 05, 2013, 11:49:10 am
How do I do that, where can I find the required info?
THX
Thorsten
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: jbahillo on July 05, 2013, 11:56:55 am
Hello :

I would first check with a dig SRV _kerberos._tcp.your.domain.lan. You should check the same with an nslookup query of the same kind (you will find several resources on the net on how to perform an SRV request with nslookup) from the workstations.


Finally, check the date/time by running "date" both on the server and on the workstation at the same time, and compare the clock skew; as I have said, it is mandatory that it is less than one minute. If needed, on the net you will find thousands of resources on how to sync a workstation's time/date with an NTP server (Zentyal, for instance), depending on the OS your workstation is using.

Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: thorsten on July 07, 2013, 03:11:45 pm
Hi,

Time: Windows client uses Zentyal NTP server for regular update, time difference is < 1 sec

On the Zentyal server:
Quote
dig SRV _kerberos._tcp.ebbinghaus.dyndns.org

; <<>> DiG 9.8.1-P1 <<>> SRV _kerberos._tcp.ebbinghaus.dyndns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56688
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;_kerberos._tcp.ebbinghaus.dyndns.org. IN SRV

;; ANSWER SECTION:
_kerberos._tcp.ebbinghaus.dyndns.org. 900 IN SRV 0 100 88 ebb-s01.ebbinghaus.dyndns.org.

;; AUTHORITY SECTION:
ebbinghaus.dyndns.org.  900     IN      NS      ebb-s01.ebbinghaus.dyndns.org.

;; ADDITIONAL SECTION:
ebb-s01.ebbinghaus.dyndns.org. 259200 IN A      172.17.0.100
ebb-s01.ebbinghaus.dyndns.org. 900 IN   AAAA    ::1

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul  7 14:59:25 2013
;; MSG SIZE  rcvd: 161

On the windows client (CMD):
Quote
> nslookup
Server:  Ebb-S01.ebbinghaus.dyndns.org
Address:  172.17.0.100

Nicht autorisierende Antwort:
Name:    nslookup.dyndns.org
Address:  174.103.214.119

Is this correct?

Thanks,
Thorsten
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: jbahillo on July 08, 2013, 03:18:36 pm
Are you using nslookup.dyndns.org as the DNS for the server? That DNS answers with a public IP... does not sound too good to me...

Moreover, in the nslookup I can't see that you are looking for SRV records, just A ones...
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: thorsten on July 08, 2013, 09:54:55 pm
Sorry,

I did not know how to use the nslookup command on Windows, so forget about nslookup.dyndns.org - this is not correct.
The output on the windows client is:

Quote
C:\>nslookup -type=SRV _ldap._tcp.ebbinghaus.dyndns.org
Server:  Ebb-S01.ebbinghaus.dyndns.org
Address:  172.17.0.100

_ldap._tcp.ebbinghaus.dyndns.org        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = ebb-s01.ebbinghaus.dyndns.org
ebbinghaus.dyndns.org   nameserver = ebb-s01.ebbinghaus.dyndns.org
ebb-s01.ebbinghaus.dyndns.org   internet address = 172.17.0.100
ebb-s01.ebbinghaus.dyndns.org   AAAA IPv6 address = ::1

C:\>


Thanks
Thorsten
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: jbahillo on July 08, 2013, 10:06:22 pm
And for Kerberos instead of LDAP?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: thorsten on July 08, 2013, 10:36:26 pm
Quote
C:\>nslookup -type=SRV _kerberos._tcp.ebbinghaus.dyndns.org
Server:  Ebb-S01.ebbinghaus.dyndns.org
Address:  172.17.0.100

_kerberos._tcp.ebbinghaus.dyndns.org    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = ebb-s01.ebbinghaus.dyndns.org
ebbinghaus.dyndns.org   nameserver = ebb-s01.ebbinghaus.dyndns.org
ebb-s01.ebbinghaus.dyndns.org   internet address = 172.17.0.100
ebb-s01.ebbinghaus.dyndns.org   AAAA IPv6 address = ::1
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: jbahillo on July 09, 2013, 12:16:05 pm
This seems to be OK; nevertheless I would be careful about the caps:

Ebb-S01.ebbinghaus.dyndns.org
vs
ebb-s01.ebbinghaus.dyndns.org

as Kerberos is case sensitive (just in case).
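The two checks jbahillo asks for above (a usable _kerberos._tcp SRV record and a clock skew under one minute) plus the case-sensitivity point can be turned into a small pre-flight script. This is an added example, not code from the thread or from Zentyal; it parses dig output only (the thread's own dig answer is embedded as sample input; Windows nslookup output is formatted differently and is not handled), and the `check_proxy_name` function assumes, as in this thread, that the proxy runs on the same host whose DNS name the browser is pointed at.

```python
import re
from datetime import datetime
# Sample input: the dig answer posted earlier in this thread (answer and additional sections).
DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._tcp.ebbinghaus.dyndns.org. 900 IN SRV 0 100 88 ebb-s01.ebbinghaus.dyndns.org.

;; ADDITIONAL SECTION:
ebb-s01.ebbinghaus.dyndns.org. 259200 IN A      172.17.0.100
ebb-s01.ebbinghaus.dyndns.org. 900 IN   AAAA    ::1
"""
SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.M)
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*$", re.M)

def parse_srv(text):
    """SRV records in dig output as dicts, trailing dots stripped from names."""
    return [{"name": m.group(1).rstrip("."), "priority": int(m.group(2)),
             "weight": int(m.group(3)), "port": int(m.group(4)),
             "target": m.group(5).rstrip(".")} for m in SRV_RE.finditer(text)]

def check_kerberos_srv(text, domain):
    """Problems with the _kerberos._tcp SRV record for domain; [] means a record
    exists, advertises port 88 and its target has an A record in the answer."""
    wanted = f"_kerberos._tcp.{domain}"
    kdcs = [r for r in parse_srv(text) if r["name"].lower() == wanted.lower()]
    problems = [] if kdcs else [f"no SRV record for {wanted}"]
    addrs = {m.group(1).rstrip(".").lower() for m in A_RE.finditer(text)}
    for r in kdcs:
        if r["port"] != 88:
            problems.append(f"{r['target']} advertises port {r['port']}, expected 88")
        if r["target"].lower() not in addrs:
            problems.append(f"no A record for KDC target {r['target']}")
    return problems

def check_proxy_name(configured, canonical):
    """Compare the proxy hostname typed into the browser with the server's DNS name.
    Kerberos builds the service principal from the name as typed, so a difference
    only in case (Ebb-S01 vs ebb-s01) is exactly the mismatch warned about above."""
    if configured == canonical:
        return "ok"
    if configured.lower() == canonical.lower():
        return f"case mismatch: browser uses {configured!r}, DNS has {canonical!r}"
    return f"different host: {configured!r} vs {canonical!r}"

def clock_skew_ok(server_time, client_time, max_skew_seconds=60):
    """True when two ISO-8601 timestamps (output of `date` on each side, taken at
    the same moment) differ by at most max_skew_seconds; the thread asks for < 60."""
    delta = datetime.fromisoformat(server_time) - datetime.fromisoformat(client_time)
    return abs(delta.total_seconds()) <= max_skew_seconds
```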
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: thorsten on July 09, 2013, 02:05:22 pm
OK,

where do I need to change what?

The Firefox proxy seems to be OK, as proxy requests are processed.
The srv hostname is the same in both cases (client / server).

Just the client output reads (first line, Server:) "Ebb-S01.ebbinghaus.dyndns.org"; can this be changed?

THX
Thorsten
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: jbahillo on July 09, 2013, 02:52:21 pm
Could you please show your browser proxy settings?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: thorsten on July 09, 2013, 11:22:06 pm
Please find the image file attached. As written before, I tried both ebb-s01.ebbinghaus.dyndns.org and Ebb-S01.ebbinghaus.dyndns.org. It does work without SSO - the browser asks me for user / password in this case. If I switch SSO on, I just get the Access Denied page generated by the Zentyal proxy.

SORRY: Screenshot is just visible if logged in this ...

THX
Thorsten
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: jbahillo on July 10, 2013, 01:19:20 pm
Hello :

Perhaps you could try regenerating your squid keytab. You'll find several resources in the network on how to do this.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: thorsten on July 11, 2013, 10:01:52 am
As I do not dare to do this - I give up.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: halban on July 21, 2013, 05:15:25 am
Hello guys.
I'm new in this world, in fact, I'm new in the open source world. I work in a healthcare center in Venezuela. We used to have a Fortinet device to do all the firewall and UTM jobs. Because of the bad economic situation in my country, the Fortinet license was too expensive and so we took the decision to migrate to a less expensive solution, so we chose Zentyal. We got there after meeting a Linux expert who helped us to install a VoIP solution (Asterisk + Elastic). He heard about our firewall problem, and he proposed the Zentyal solution to us. When we started the installation process, everything was good, but we got this SSO problem. This problem affected us for 3 days; we were surfing the internet looking for a solution but we didn't find any.

Today, I'm glad to tell you that this problem was solved. Now I'm going to put here the translation of the post that our Linux expert wrote in the Zentyal Spanish forum:

"Here's the solution that I found for this problem. It seems that it only happens with Windows Server 2008 R2; I hope that this solves somebody else's problem and that the Zentyal development team takes it into account for future versions. What I did was modify the /etc/krb5.conf file. The original Zentyal file is this:

[libdefaults]
    default_realm = [DOMAIN NAME]
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[kadmin]
    default_keys = des-cbc-crc:pw-salt des-cbc-md5:pw-salt arcfour-hmac-md5:pw-salt aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt

I modified it in this way:

[libdefaults]
    default_realm = [DOMAIN NAME]
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /etc/squid3/HTTP.keytab
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    [DOMAIN NAME] = {
        kdc = [windows_dc_name.domain_name]
        kdc = [zentyal_server_name]
        admin_server = [windows_dc_name.domain_name]
        default_domain = [domain_name]
    }

[domain_realm]
    .example.local = [DOMAIN NAME]
    example.local = [DOMAIN NAME]

Hope this works for you."

If this works for you, please reply with it in all the forum posts related to this problem. Our Linux expert who helped us to install Zentyal and who found the solution to this problem is known as hgeorge123 in the Spanish Zentyal community; his name is George. The original Spanish post is this: http://forum.zentyal.org/index.php/topic,16813.0.html?PHPSESSID=enn40hnnuurksaf04066ma2ch7

Thanks.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: jiAmnesiAc on July 29, 2013, 05:11:17 pm
After what seemed about 100+ attempts to get SSO to work, I found the setup sequence that seems to work. I thought I would share. I have gotten this to work with both 3.0.22 and 3.1-1 Beta in an AD 2003 environment.
Hope that helps someone. Good luck!
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: MaverickZA on September 19, 2013, 04:24:41 pm
Hi,

Has anyone managed to find a solution to this? I am having the same issue as the others, "Cache access denied" when using SSO, disable SSO and it works fine. I am running a pure Samba4/Zentyal3 domain with Win7 and XP workstations.

I unfortunately cannot go through the process of reinstalling and following the steps as per the above user's suggestions, as this is a live system.

Also, the solution mentioned by halban does not work either.

Any assistance would be appreciated.
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: BrettonWoods on September 25, 2013, 09:40:33 pm
Hi,

Has anyone managed to find a solution to this? I am having the same issue as the others, "Cache access denied" when using SSO, disable SSO and it works fine. I am running a pure Samba4/Zentyal3 domain with Win7 and XP workstations.

I unfortunately cannot go through the process of reinstalling and following the steps as per the above user's suggestions, as this is a live system.

Also, the solution mentioned by halban does not work either.

Any assistance would be appreciated.

Did SSO work with 3?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: valshare on September 11, 2014, 11:43:09 am
Hello,

I have had a lot of trouble with the proxy and SSO. I have installed Zentyal with the latest updates. I am on version 3.5.3. I have solved the problems with using SSO.

If I create users with the Microsoft tool "Active Directory Users and Computers", I never get the user to work with SSO on the proxy.

So I created the user via the web interface of Zentyal, but it didn't work with SSO either.
Then, in the HTTP proxy settings, I disabled the SSO function, applied all changes and saved. Then I waited until all modules were reconfigured. Then I enabled the SSO function again, applied and saved the changes and waited again until all modules were reconfigured. Now SSO works for the user.

Can anyone confirm that this is a bug?

Regards, Valle
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: valshare on September 18, 2014, 10:38:06 am
Can anyone confirm that this is a bug?

No one??
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: dhalabi on September 23, 2014, 11:45:39 am
Yes, I have the same problem but I don't know the cause and solution. Did you fix it?
Title: Re: http-proxy SSO (single sign on) zentyal 3.0 - problem
Post by: valshare on September 23, 2014, 12:00:39 pm
Yes, I have the same problem but I don't know the cause and solution. Did you fix it?

Hi dhalabi,

Did you try the way described in Post #82? First create the user via the Zentyal GUI and then disable and re-enable the SSO option in the proxy.