Windows AD and SSO

[franco]

Plugin is marked private so it does not show up in the GUI. The system needs multiple changes that came in last minute. You need to run the following on top of 16.7.7:

# opnsense-update -t opnsense-devel
# pkg install ospriv-web-proxy-sso
# opnsense-patch -c plugins 57cfcddf 916d315 9301836
# opnsense-patch 528866c5 7094a5cd3

The plugin is found under "Services: Proxy Server: Single sign-on" and hopefully domg can help explain how it works if need be.


Cheers,
Franco

[franco]

domg provided a README:

Code: [Select]

Prerequisites:
OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
OPNsense must have a hostname in AD DNS (A and PTR)
OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
OPNsense must be in same domain as AD (hostname configuration page)
Create a new Authorization server with ssoproxyad type

Configuration:
Configure Single-Sign-On page with appropriate information
Execute joinDomain button
OPNsense should be in AD in computers OU
Reset comptuers from AD
Execute UpdateDomain
Select Authorization server in Proxy page

Todo:
Add cron job for auto-update keytab
Test button should test prerequisites
https://github.com/gitdevmod/plugins/tree/patch-4/www/web-proxy-sso

[rgemmell]

Hi Guys

Thanks for the update.
I am attempting to join the server to the domain but I get the error "no configuration file found" when testing the settings. Could you provide an example list of settings that I should be using?

Kind regards
Robert

[domg]

Hi rgemmell,

This is the configuration I use, Domain Version can be 2003 or 2008 then save and join domain

[rgemmell]

Ok I am making small progress.
With the below settings I get a "Test ok!" but a "unable to run config action" when clicking Join Domain. Any ideas?

Domain Name: HILT-OPNSENSE
Domain Controller: BWX-HILT-DC01.bwx.local
Version: 2012
Domain user: rgemmell
Password: ....

[domg]

Hi,

Domain Controller must be in same Domain, it should be BWX-HILT-DC01.HILT-OPNSENSE and Version can only be 2003 or 2008. For 2012 Domain, you can use 2008.

[domg]

The button "Test" actually only prints a "Test ok!" message, in future it should test prerequisites and fields.

[rgemmell]

Hi Guys

I am sure you are getting sick of me now. 
I am still having issues. I started with a fresh installation this time.
Firstly, I can ping bwx.local and BWX-HILT-DC01.bwx.local from the server with no issues.
Here are the settings I have:

[domg]

Could you run from the console:

Code: [Select]

# configctl ssoproxyad joinDomain

[rgemmell]

Ok I ran the command and get the following:
root@HILT-OPNSENSE:~ # configctl ssoproxyad joinDomain
Warning: file_put_contents(/usr/local/etc/ssoproxyad/krb5secret): failed to open                     stream: No such file or directory in /usr/local/opnsense/scripts/OPNsense/SSOPr                    oxyAD/joinDomain.php on line 60

Warning: chmod(): No such file or directory in /usr/local/opnsense/scripts/OPNse                    nse/SSOProxyAD/joinDomain.php on line 61
{"message":"Array"}

[rgemmell]

Sorry Guys, in my stupidity I forgot to setup the proxy itself after a setup the new server.
Running the command now gives the following:
configctl ssoproxyad joinDomain
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Can't contact LDAP server)Error: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}
root@HILT-OPNSENSE:~ # ping bwt.local

[rgemmell]

Alright, i now the get following:
Nov 1 10:54:56   configd_ctl.py: error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 65, in exec_config_cmd line = sock.recv(65536) timeout: timed out
Nov 1 10:52:56   configd.py: [37a2e8b3-6d6b-41cf-846a-ab9c9bc25f24] SSO Proxy AD module join AD domain
Nov 1 10:52:51   api[43906]: no matching csrf found for request
Nov 1 10:52:48   api[43906]: no matching csrf found for request

[domg]

Hi,
Could you ping your OPNsense with hostname.domain and IP ?
If you can, I'm on IRC #opnsense for debugging

[rgemmell]

Hi there. Yes I can, everything resolves perfectly. Before I had an issue with DNS which is why I redid the server.

[domg]

ok, could you confirm all prerequisites are ok ?