OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: rgemmell on October 17, 2016, 04:46:09 pm

Title: Windows AD and SSO
Post by: rgemmell on October 17, 2016, 04:46:09 pm
Hi Guys

Quick question, when is single sign on going to be made available? Alternatively, is there a way to manually implement this?

Regards
Rob
Title: Re: Windows AD and SSO
Post by: domg on October 17, 2016, 08:26:24 pm
Hi rgemmell,


I started a plugin for this: https://github.com/gitdevmod/plugins/commits/master. In my lab (vbox + Windows 2012R2) it works with Internet Explorer, but it is missing a lot of testing, testing and testing. :)
If you are interested, just let me know.
Title: Re: Windows AD and SSO
Post by: franco on October 17, 2016, 08:53:49 pm
Hi guys,

I've of late done more cleaning of msktutil for the plugin. It seems there is a new version out (1.0), do you want to try this one? I can provide a build.

Maybe it's time to bring this into the official plugins.git as a private plugin for further testing. From our side it's ready for inclusion, also pending testing, a bit of refactoring and alignment.

It would be nice to get this in, I know domg spent a lot of time on this already. :)


Cheers,
Franco
Title: Re: Windows AD and SSO
Post by: domg on October 17, 2016, 10:51:32 pm
franco, sure I can try 1.0 msktutil version :)
Title: Re: Windows AD and SSO
Post by: franco on October 17, 2016, 11:36:19 pm
Sorry, I missed you on IRC tonight. Are we talking amd64/OpenSSL or another combination?
Title: Re: Windows AD and SSO
Post by: rgemmell on October 18, 2016, 08:26:40 am
Hi domg and Franco

Thank you for the responses.
Domg, I have checked github and will give it a go today.
Franco, please provide a build, would love to try it out too.

Thanks again, your help is greatly appreciated.
Title: Re: Windows AD and SSO
Post by: franco on October 18, 2016, 09:38:09 pm
Good, still need to know which combinations the packages are for... usually amd64/OpenSSL, but if not the packages won't install properly.
Title: Re: Windows AD and SSO
Post by: domg on October 18, 2016, 10:52:55 pm
franco,

Yes it's amd64/OpenSSL
Title: Re: Windows AD and SSO
Post by: rgemmell on October 21, 2016, 08:51:49 am
Hi Guys, sorry to pester you but would you be able to explain how I would install the SSO plugin?
Title: Re: Windows AD and SSO
Post by: franco on October 21, 2016, 10:25:34 am
Let me get back to this later today. :)
Title: Re: Windows AD and SSO
Post by: franco on October 23, 2016, 05:35:19 pm
When 16.7.7 is out the plugin can be installed from the command line:

# pkg install ospriv-web-proxy-sso

We still have some TODO items as recorded here:

https://github.com/opnsense/plugins/issues/43
Title: Re: Windows AD and SSO
Post by: rgemmell on October 24, 2016, 11:29:13 am
Great news, thanks Franco.

When is 16.7.7 due to be released?
Title: Re: Windows AD and SSO
Post by: franco on October 24, 2016, 04:36:04 pm
On Wednesday this week. :)

Note it's still under development as we figure out how to best integrate it. It could take one or two more iterations on 16.7.x to become easily usable.
Title: Re: Windows AD and SSO
Post by: rgemmell on October 24, 2016, 04:37:21 pm
Brilliant.
That's perfect, at this stage we're just running within a test environment so it suits me perfectly.
Thanks so much for the assistance.
Title: Re: Windows AD and SSO
Post by: rgemmell on October 28, 2016, 10:11:50 am
Hi Fabian

I see there was an update, but I don't see the SSO package.
Title: Re: Windows AD and SSO
Post by: franco on October 28, 2016, 12:42:22 pm
Plugin is marked private so it does not show up in the GUI. The system needs multiple changes that came in last minute. You need to run the following on top of 16.7.7:

# opnsense-update -t opnsense-devel
# pkg install ospriv-web-proxy-sso
# opnsense-patch -c plugins 57cfcddf 916d315 9301836
# opnsense-patch 528866c5 7094a5cd3

The plugin is found under "Services: Proxy Server: Single sign-on" and hopefully domg can help explain how it works if need be.


Cheers,
Franco
Title: Re: Windows AD and SSO
Post by: franco on October 29, 2016, 07:55:42 am
domg provided a README:

Code:
Prerequisites:
OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
OPNsense must have a hostname in AD DNS (A and PTR)
OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
OPNsense must be in same domain as AD (hostname configuration page)
Create a new Authorization server with ssoproxyad type

Configuration:
Configure Single-Sign-On page with appropriate information
Execute joinDomain button
OPNsense should be in AD in computers OU
Reset computers from AD
Execute UpdateDomain
Select Authorization server in Proxy page

Todo:
Add cron job for auto-update keytab
Test button should test prerequisites

https://github.com/gitdevmod/plugins/tree/patch-4/www/web-proxy-sso
Title: Re: Windows AD and SSO
Post by: rgemmell on October 30, 2016, 06:19:21 pm
Hi Guys

Thanks for the update.
I am attempting to join the server to the domain but I get the error "no configuration file found" when testing the settings. Could you provide an example list of settings that I should be using?

Kind regards
Robert
Title: Re: Windows AD and SSO
Post by: domg on October 30, 2016, 07:51:03 pm
Hi rgemmell,

This is the configuration I use. Domain Version can be 2003 or 2008; then save and join the domain.
Title: Re: Windows AD and SSO
Post by: rgemmell on October 31, 2016, 08:35:49 am
Ok I am making small progress.
With the below settings I get a "Test ok!" but an "unable to run config action" when clicking Join Domain. Any ideas?

Domain Name: HILT-OPNSENSE
Domain Controller: BWX-HILT-DC01.bwx.local
Version: 2012
Domain user: rgemmell
Password: ....
Title: Re: Windows AD and SSO
Post by: domg on October 31, 2016, 11:37:07 am
Hi,

The Domain Controller must be in the same domain; it should be BWX-HILT-DC01.HILT-OPNSENSE, and Version can only be 2003 or 2008. For a 2012 domain, you can use 2008.
Title: Re: Windows AD and SSO
Post by: domg on October 31, 2016, 11:54:47 am
The button "Test" actually only prints a "Test ok!" message; in the future it should test prerequisites and fields.
Title: Re: Windows AD and SSO
Post by: rgemmell on October 31, 2016, 06:36:11 pm
Hi Guys

I am sure you are getting sick of me now. :)
I am still having issues. I started with a fresh installation this time.
Firstly, I can ping bwx.local and BWX-HILT-DC01.bwx.local from the server with no issues.
Here are the settings I have:
Title: Re: Windows AD and SSO
Post by: domg on October 31, 2016, 10:58:48 pm
Could you run from the console:
Code:
# configctl ssoproxyad joinDomain
Title: Re: Windows AD and SSO
Post by: rgemmell on November 01, 2016, 07:21:47 am
Ok I ran the command and get the following:
root@HILT-OPNSENSE:~ # configctl ssoproxyad joinDomain
Warning: file_put_contents(/usr/local/etc/ssoproxyad/krb5secret): failed to open stream: No such file or directory in /usr/local/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php on line 60

Warning: chmod(): No such file or directory in /usr/local/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php on line 61
{"message":"Array"}
Title: Re: Windows AD and SSO
Post by: rgemmell on November 01, 2016, 07:33:40 am
Sorry guys, in my stupidity I forgot to set up the proxy itself after I set up the new server.
Running the command now gives the following:
configctl ssoproxyad joinDomain
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Can't contact LDAP server)Error: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}
root@HILT-OPNSENSE:~ # ping bwt.local
Title: Re: Windows AD and SSO
Post by: rgemmell on November 01, 2016, 09:59:48 am
Alright, I now get the following:
Nov 1 10:54:56   configd_ctl.py: error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 65, in exec_config_cmd line = sock.recv(65536) timeout: timed out
Nov 1 10:52:56   configd.py: [37a2e8b3-6d6b-41cf-846a-ab9c9bc25f24] SSO Proxy AD module join AD domain
Nov 1 10:52:51   api[43906]: no matching csrf found for request
Nov 1 10:52:48   api[43906]: no matching csrf found for request
Title: Re: Windows AD and SSO
Post by: domg on November 01, 2016, 10:40:24 am
Hi,
Could you ping your OPNsense with hostname.domain and IP?
If you can, I'm on IRC #opnsense for debugging.
Title: Re: Windows AD and SSO
Post by: rgemmell on November 01, 2016, 11:05:04 am
Hi there. Yes I can, everything resolves perfectly. Before I had an issue with DNS which is why I redid the server.
Title: Re: Windows AD and SSO
Post by: domg on November 01, 2016, 11:41:56 am
OK, could you confirm all prerequisites are OK?
Title: Re: Windows AD and SSO
Post by: rgemmell on November 01, 2016, 11:55:17 am
Ok, as follows:
OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
    Confirmed, set to domain controllers only
OPNsense must have a hostname in AD DNS (A and PTR)
   Confirmed, I can ping the hostname
OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
   Confirmed, syncing with DC
OPNsense must be in same domain as AD (hostname configuration page)
   Confirmed, under settings, General, the hostname is set to HILT-OPNSENSE
Create a new Authorization server with ssoproxyad type
   Confirmed, tested authentication and it works
Title: Re: Windows AD and SSO
Post by: domg on November 01, 2016, 12:09:57 pm

OPNsense must be in same domain as AD (hostname configuration page)
   Confirmed, under settings, General, the hostname is set to HILT-OPNSENSE
And the domain ?
Title: Re: Windows AD and SSO
Post by: rgemmell on November 01, 2016, 12:12:31 pm
Sorry, that's there too.
Title: Re: Windows AD and SSO
Post by: domg on November 01, 2016, 12:26:31 pm
Basically the plugin uses the same configuration described here: http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory#Configuring_a_Squid_Server_to_authenticate_off_Active_Directory

I still think it's a DNS problem. My AD DNS contains this (sorry, it's in French, but the important part is the opnsense A and PTR):
Title: Re: Windows AD and SSO
Post by: rgemmell on November 01, 2016, 12:45:26 pm
So I can confirm the following:
PTR record for the DC: bwx-hilt-dc01.bwt.local. - 192.168.1.254
A record for the firewall: HILT-OPNSENSE.bwt.local - 192.168.1.77
Title: Re: Windows AD and SSO
Post by: domg on November 01, 2016, 02:09:54 pm
You also need a PTR record for HILT-OPNSENSE.bwt.local.
Title: Re: Windows AD and SSO
Post by: rgemmell on November 01, 2016, 04:04:21 pm
Alright, I added that. I get the following:
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)\tadditional info: SASL(-4): no mechanism available: No worthy mechs foundError: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}

I am reading the Wiki page you sent and trying a few things. Will let you know how things go.
Title: Re: Windows AD and SSO
Post by: domg on November 01, 2016, 04:59:56 pm
Could you run the following from the console (respect uppercase):
Code:
# cat /etc/resolv.conf
# dig -x 192.168.1.77
# dig hilt-opnsense.bwt.local
# cat /usr/local/etc/ssoproxyad/krb5.conf
# kinit Administrateur@BWT.LOCAL
# klist
# /usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k /usr/local/etc/ssoproxyad/PROXY.keytab --computer-name HILT-OPNSENSE --upn HTTP/hilt-opnsense.bwt.local --server bwx-hilt-dc01.bwt.local --enctypes 28 --verbose
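The prerequisite checks from the README and the diagnostics domg asks for above, as an added example that is not the plugin's or domg's code: a POSIX sh script for the OPNsense console. Its pure helpers take their inputs as arguments so they can be exercised offline; the --live mode assumes dig, ntpdate and klist are present and assumes the FreeBSD path of the cyrus-sasl-gssapi plugin.

```shell
#!/bin/sh
# Added example, not part of the ospriv-web-proxy-sso plugin: checks the README
# prerequisites (AD DNS only, A+PTR round trip, clock skew, realm) and the SASL
# GSSAPI plugin before running joinDomain. The pure helpers take their inputs as
# arguments so they can be exercised offline; --live gathers the real values with
# dig, ntpdate and klist (assumed present on the OPNsense console).

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# The A record of the proxy FQDN must answer with its IP and the PTR of that IP
# must answer with the FQDN (case-insensitive, trailing dot tolerated).
dns_roundtrip_ok() { # fqdn ip forward_answer reverse_answer
  [ "$(lower "$3")" = "$2" ] && [ "$(lower "$4")" = "$(lower "$1")" ]
}

# resolv.conf must point only at AD DNS (the DC), never at DHCP/WAN resolvers.
resolver_ok() { # resolv_conf_text dc_ip
  printf '%s\n' "$1" | awk -v dc="$2" \
    '$1 == "nameserver" { n++; if ($2 != dc) bad++ } END { exit !(n > 0 && bad == 0) }'
}

# Kerberos rejects tickets when the clock differs from the KDC by more than the
# libkrb5 clockskew default of 300 seconds; offset is a decimal string in seconds.
clock_skew_ok() { # offset_seconds
  awk -v o="$1" 'BEGIN { if (o < 0) o = -o; exit !(o <= 300) }'
}

# default_realm in krb5.conf must be the upper-cased DNS domain of the proxy FQDN.
realm_ok() { # krb5_conf_text fqdn
  want=$(printf '%s' "${2#*.}" | tr 'a-z' 'A-Z')
  got=$(printf '%s\n' "$1" | awk -F= '$1 ~ /default_realm/ { gsub(/[ \t]/, "", $2); print $2; exit }')
  [ "$got" = "$want" ]
}

# Live mode: sh check_sso_prereqs.sh --live <proxy fqdn> <proxy ip> <dc fqdn>
if [ "${1:-}" = "--live" ]; then
  fqdn=$2; ip=$3; dc=$4; rc=0
  dc_ip=$(dig +short "$dc" | head -n1)
  resolver_ok "$(cat /etc/resolv.conf)" "$dc_ip" \
    || { echo "FAIL: /etc/resolv.conf must list only $dc_ip"; rc=1; }
  dns_roundtrip_ok "$fqdn" "$ip" "$(dig +short "$fqdn" | head -n1)" "$(dig +short -x "$ip" | head -n1)" \
    || { echo "FAIL: A/PTR round trip $fqdn <-> $ip"; rc=1; }
  # ntpdate -q only queries (no clock change) and prints "server X, stratum N, offset S, delay D".
  off=$(ntpdate -q "$dc" 2>/dev/null | awk -F'offset ' 'NR == 1 { split($2, a, ","); print a[1] }')
  clock_skew_ok "${off:-999}" || { echo "FAIL: clock offset to $dc is ${off:-unknown} s"; rc=1; }
  realm_ok "$(cat /usr/local/etc/ssoproxyad/krb5.conf)" "$fqdn" \
    || { echo "FAIL: default_realm in krb5.conf does not match the domain of $fqdn"; rc=1; }
  # "SASL(-4): no mechanism available: No worthy mechs found" is libsasl2 reporting that no
  # usable mechanism plugin is installed; path assumed from FreeBSD's cyrus-sasl-gssapi package.
  ls /usr/local/lib/sasl2/libgssapiv2* >/dev/null 2>&1 \
    || { echo "FAIL: SASL GSSAPI plugin missing, ldap_sasl_interactive_bind_s will fail"; rc=1; }
  # After joinDomain the keytab must hold the HTTP/ service principal squid authenticates with.
  klist -k /usr/local/etc/ssoproxyad/PROXY.keytab 2>/dev/null | grep -qi "HTTP/$fqdn" \
    || echo "INFO: no HTTP/$fqdn key in PROXY.keytab yet (normal before joinDomain)"
  [ $rc -eq 0 ] && echo "All prerequisites OK"
  exit $rc
fi
```

Run it as `sh check_sso_prereqs.sh --live hilt-opnsense.bwt.local 192.168.1.77 bwx-hilt-dc01.bwt.local` before pressing Join Domain; every FAIL line maps to one of the README prerequisites above.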
Title: Re: Windows AD and SSO
Post by: rgemmell on November 08, 2016, 12:31:22 pm
Hi Guys

It seems to have come right.
I was having issues with time which was odd as both DC and firewall were correct.
I have attached the CLI history for your reference.

Thanks a million for all your help. I learnt a lot from all the digging around.

Will continue to test to see how things go.

Kind regards
Title: Re: Windows AD and SSO
Post by: domg on November 08, 2016, 05:08:14 pm
rgemmell,

Cool :) Ah right, I missed the clock problem. Now you should have a /usr/local/etc/ssoproxyad/PROXY.keytab file and your OPNsense in AD (ou=computers).
Last step: you need to reset computers in AD and try the updateDomain button.

And proxy SSO should work in IE; check the OPNsense /var/log/squid/access.log file.

The plugin is missing an updateDomain crontab to update the computer account (it expires every 30 days). I do not know what happens if the computer is not updated in time...
Title: Re: Windows AD and SSO
Post by: voljek on January 07, 2017, 12:21:08 pm
Hi!

Prerequisites:
+ OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
+ OPNsense must have a hostname in AD DNS (A and PTR)
+ OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
+ OPNsense must be in same domain as AD (hostname configuration page)
+ Create a new Authorization server with ssoproxyad type

Configuration:
+ Configure Single-Sign-On page with appropriate information
- Execute joinDomain button

Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method) additional info: SASL(-4): no mechanism available: No worthy mechs foundError: ldap_connect failed--> Is your kerberos ticket expired? You might try re-"kinit"ing.--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
--------------

opnsense-devel-17.1.b_91, ospriv-web-proxy-sso-0.3

 Active Directory Domain Name: orghim.int
 Active Directory Domain Controller: svdc
 Active Directory Domain Version: 2008
 Active Directory Domain User: administrator
 pass ...
-----------------
opns.orghim.int - 192.168.145.31 - proxy server
svdc.orghim.int - 192.168.145.231 - DC 2008r2

time on opns and svdc is same.

root@opns:/ # less /etc/resolv.conf
domain orghim.int
nameserver 192.168.145.231

root@opns:/ # dig -x 192.168.145.31
;; ANSWER SECTION:
31.145.168.192.in-addr.arpa. 3600 IN    PTR     opns.orghim.int.

;; Query time: 1 msec
;; SERVER: 192.168.145.231#53(192.168.145.231)
;; WHEN: Sat Jan 07 13:13:02 EET 2017

root@opns:/ # dig opns.orghim.int
;; ANSWER SECTION:
opns.orghim.int.        3600    IN      A       192.168.145.31

root@opns:/ # dig -x 192.168.145.231
;; ANSWER SECTION:
231.145.168.192.in-addr.arpa. 1200 IN   PTR     svdc.orghim.int.

root@opns:/ # dig svdc.orghim.int
;; ANSWER SECTION:
svdc.orghim.int.        3600    IN      A       192.168.145.231

root@opns:/ # less /usr/local/etc/ssoproxyad/krb5.conf
[libdefaults]
    default_realm = ORGHIM.INT
    dns_lookup_kdc = no
    dns_lookup_realm = no
    ticket_lifetime = 24h
    default_keytab_name = /usr/local/etc/ssoproxyad/PROXY.keytab

; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    ORGHIM.INT = {
        kdc = svdc.orghim.int
        admin_server = svdc.orghim.int
        default_domain = orghim.int
    }

[domain_realm]
    .orghim.int = ORGHIM.INT
    orghim.int = ORGHIM.INT

root@opns:/ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@ORGHIM.INT

  Issued                Expires               Principal
Jan  7 13:15:09 2017  Jan  7 23:15:09 2017  krbtgt/ORGHIM.INT@ORGHIM.INT

root@opns:/ # /usr/local/sbin/msktutil -c -b CN=COMPUTERS -s HTTP -k /usr/local/etc/ssoproxyad/PROXY.keytab --computer-name OPNS --upn HTTP/opns.orghim.int --server svdc.orghim.int --enctypes 28 --verbose
 
 -- init_password: Wiping the computer password structure
 -- generate_new_password: Generating a new, random password for the computer account
 -- generate_new_password:  Characters read from /dev/urandom = 87
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-1MV5Cr
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: OPNS$
 -- try_machine_keytab_princ: Trying to authenticate for OPNS$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for OPNS$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_keytab_princ: Trying to authenticate for host/opns.orghim.int from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
 -- try_machine_keytab_princ: Authentication with keytab failed
 -- try_machine_password: Trying to authenticate for OPNS$ with password.
 -- create_default_machine_password: Default machine password for OPNS$ is opns
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Unknown error -1765328378)
 -- try_machine_password: Authentication with password failed
 -- try_user_creds: Checking if default ticket cache has tickets...
 -- finalize_exec: Authenticated using method 5
 -- LDAPConnection: Connecting to LDAP server: svdc.orghim.int
Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)
        additional info: SASL(-4): no mechanism available: No worthy mechs found
Error: ldap_connect failed
--> Is your kerberos ticket expired? You might try re-"kinit"ing.
--> Is DNS configured correctly? You might try options "--server" and "--no-reverse-lookups".
 -- ~KRB5Context: Destroying Kerberos Context


HELP!!!!
Title: Re: Windows AD and SSO
Post by: mmorev on January 09, 2017, 01:02:38 pm
Joining voljek's question. Absolutely the same issue, can't join the domain either through the web GUI or through kinit/msktutil. Please help :)
Title: Re: Windows AD and SSO
Post by: franco on January 09, 2017, 01:09:37 pm
The SSO plugin is still under development. I will see if I can reach domg for an update.


Cheers,
Franco
Title: Re: Windows AD and SSO
Post by: schoenauer on March 03, 2017, 03:56:26 pm
Hi!
What about the development of the SSO plugin? We're using 17.1.2 but there's still no possibility to use SSO/AD in a simple way. Do you know the roadmap for that?

Kind regards
Title: Re: Windows AD and SSO
Post by: franco on March 03, 2017, 04:11:13 pm
Hi,

There is no roadmap here because the work is being done by an external contributor.


Cheers,
Franco
Title: Re: Windows AD and SSO
Post by: Crisman on May 18, 2017, 06:53:30 pm
Hi,

Given that the external contributor has not yet made the plugin available, is there any way to implement SSO/AD with the current firmware?

Regards,
Crisman.
Title: Re: Windows AD and SSO
Post by: franco on May 18, 2017, 07:14:44 pm
The plugin is available, but not advertised as it is in development mode. You can install it from the console and it should then show up in the services menu:

# pkg install os-web-proxy-sso-devel


Cheers,
Franco
Title: Re: Windows AD and SSO
Post by: fabian on May 18, 2017, 09:17:00 pm
FYI: The plugin code is here:
https://github.com/opnsense/plugins/tree/master/www/web-proxy-sso

@fichtner: there is a really old ticket: https://github.com/opnsense/plugins/issues/43
Title: Re: Windows AD and SSO
Post by: franco on May 18, 2017, 09:58:05 pm
Yes, but we don't want to release something that is not approved by the maintainer, even if we fix that list.
Title: Re: Windows AD and SSO
Post by: mmartinssantos on July 25, 2017, 07:43:11 am
Sorry to ask again, but is there any solution to this error?

Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)\tadditional info: SASL(-4): no mechanism available: No worthy mechs found

OPNsense 17.1.10-amd64


I have tried in many ways to solve, even with older versions (16.7) and I can not make the plugin work.
Title: Re: Windows AD and SSO
Post by: AndyX90 on August 01, 2017, 11:05:35 pm
I tested it with 17.7r1 and it says /usr/bin/kinit: not found.
That would be awesome if this becomes stable.
Title: Re: Windows AD and SSO
Post by: franco on August 02, 2017, 06:45:17 am
Hi Andy,

Thanks for this hint, the paths to kinit / kdestroy are definitely wrong, apply this patch[1] to fix that:

# opnsense-patch -c plugins 3189ebd1

I really don't know about the state of this, it somehow worked a while back, but we had several open issues and at least for me personally no test setup to be able to finish it.


Cheers,
Franco

[1] https://github.com/opnsense/plugins/commit/3189ebd1
Title: Re: Windows AD and SSO
Post by: AndyX90 on August 15, 2017, 06:05:50 pm
Thank you Franco! But now joining the domain dies with the following error:
Code:
kinit: unrecognized option `--password-file=/usr/local/etc/ssoproxyad/krb5secret'
Usage: kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life]
        [-f | -F | --forwardable | --noforwardable]
        [-p | -P | --proxiable | --noproxiable] -n
        [-a | -A | --addresses | --noaddresses]
        [--request-pac | --no-request-pac] [-C | --canonicalize]
        [-E | --enterprise]
        [-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
        [-S service_name] [-T ticket_armor_cache]
        [-X <attribute>[=<value>]] [principal]

    options:
        -V verbose
        -l lifetime
        -s start time
        -r renewable lifetime
        -f forwardable
        -F not forwardable
        -p proxiable
        -P not proxiable
        -n anonymous
        -a include addresses
        -A do not include addresses
        -v validate
        -R renew
        -C canonicalize
        -E client is enterprise principal name
        -k use keytab
        -i use default client keytab (with -k)
        -t filename of keytab to use
        -c Kerberos 5 cache name
        -S service
        -T armor credential cache
        -X <attribute>[=<value>]

Also the category in the menu-tree is not correct. It is listed under "Proxy" but the new category is "Web Proxy".

Thanks for your awesome work!
Title: Re: Windows AD and SSO
Post by: franco on August 15, 2017, 07:11:11 pm
Hi Andy,

Thanks for the fix. The switch from Heimdal to MIT Kerberos seems to have taken its toll on the implementation. It looks like "-k -t file" should be used; whether the file specified needs different contents I do not know...

https://serverfault.com/a/488553


Cheers,
Franco