
Assigned User Profile / AD groups

838745 Feb 15 2011 — edited Apr 14 2011
I am new to SGD and trying to figure out how to give certain AD groups permission for certain applications.

I have two AD groups, Info_Portal and Info_Survey, and five applications, let's say App1, App2, App3 and App4. I would like the App1 and App2 applications available to Info_Portal only and App3 and App4 available to Info_Survey only.

I kind of got the picture for assigning profiles to applications, but I am not clear how to create this new AD profile within SGD.

Since I am new to SGD, I would prefer options through the Admin Console.

Thanks.

Habib.

Comments

Deanydean-Oracle
Hi Habib,

The SGD Admin Guide has some good pointers on assigning applications to AD/LDAP groups. You can find the documentation on this for SGD 4.6 here:

http://download.oracle.com/docs/cd/E19351-01/821-1926/z4000be81312457.html#z40003821318141

Hope this helps,

Matt
838745
Hi Matt,

Thanks for the quick response. It was a good link you provided. I have a much better picture; however, I am still not there yet. I have assigned each application a specific user profile (group), but I am still missing something because it is still not working. And when I say it is not working, I mean it is still showing all the applications, including those I am not supposed to have based on the AD profile.

I am digging more into the documentation, but if you could point me in the right direction, that would be nice.

In the meantime, I am looking at "Effective User Profile" and "Editable Assignments". In my case "Editable Assignments" is showing the appropriate groups, but "Effective User Profile" is either blank or showing "NT User Profile" and "LDAP Profile". Does it mean I missed a step?

Thanks.

Habib.
Deanydean-Oracle
Hi Habib,

If you are wanting to assign an application to an AD group, you need to:

1) Login to the SGD Admin Console
2) Navigate to the "Applications" tab.
3) Browse to the application you want to assign and click on its name.
4) In Object View, navigate to the "Assigned User Profiles" tab.
5) Click on the "Add" button in the "Editable Assignments" section.
6) In the "Add Assignment" window, set "Repository" to be -> "Local + LDAP" (top right).
7) (If multiple service objects) Select "View" and choose the correct service object.
8) Browse to the AD group (marked with a blue bar) that you are wanting to assign the application to.
9) Check the checkbox next to that group and press the "Add" button.
10) Back in Object View, click the "(Load LDAP Assignments)" button in the "Effective User Profiles" section.

The users in the AD group that you assigned in step #9 should be displayed in the "Effective User Profiles" section.

Hope this helps,

Matt
838745
Hi Matt,

Thanks again for the detailed step-by-step instructions. I sincerely appreciate it.

I did follow every single step (earlier I was missing step 10). It looks good, but unfortunately still no success. 'Effective User Profiles' looks good, but it is still not displaying the list of groups I am supposed to see as a member of the AD group.

While I was playing with groups, I realized that it doesn't do anything with AD groups, but it works with 'NT User Profile' (Local Profile). If I remove this group, I don't see anything. If I add it back, I can see the list of applications assigned to this profile.

At this point I am not sure what this 'NT User Profile' is, how to avoid it, and what to do to rely on AD groups.

Any suggestion would be appreciated.

Habib.
Deanydean-Oracle
Hi Habib,

Can you post the output of:

# tarantella config list login-ldap login-ad login-nt login-nt-domain

Thanks,

Matt
838745
Hi Matt,

Thanks a million for helping with this. Here is the output:

login-ad: 1
login-ldap: 0
login-nt-domain: orgds1.hs.uci.edu
login-nt: 1

Habib.
Deanydean-Oracle
Hi Habib,

The problem you're having is caused by the use of Windows Domain Authentication (see http://download.oracle.com/docs/cd/E19351-01/821-1926/z40000dd1305942.html) . As your users are being authenticated to the Windows domain orgds1.hs.uci.edu, they are being assigned the "NT User Profile". This mode of authentication does not support integration with Active Directory.

If you want Active Directory integration, your users need to be authenticated by Active Directory Authentication (see http://download.oracle.com/docs/cd/E19351-01/821-1926/z40000dd1295358.html).

My advice would be to disable Windows Domain Authentication:

# tarantella config edit --login-nt 0

And then follow the Active Directory Authentication docs (see http://download.oracle.com/docs/cd/E19351-01/821-1926/z40000dd1295358.html) to correctly configure your SGD server for AD integration.

Hope this helps,

Matt

Edited by: DeanyDean on 02-Mar-2011 09:11
838745
Hi Matt,

Sorry, you must be wondering what happened to me. Well, I had an injury and ended up taking LOA. Just came back to work.

Thank you for your suggestions. I went through the document and made the required changes. I guess I missed something, since I can't log in to SGD at all now.

Here is the output of:

# ./tarantella config list login-ldap login-ad login-nt login-nt-domain

login-ad: 1
login-nt-domain: orgds2.hs.uci.edu
login-nt: 0
login-ldap: not found

My krb.conf file is as follows:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = HS.UCI.EDU
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    kdc = kerberos.example.com:88
    admin_server = kerberos.example.com:749
    default_domain = example.com
  }

  HS.UCI.EDU = {
    kdc = hs.uci.edu:88
    admin_server = hs.uci.edu:749
  }

  UCI.EDU = {
    kdc = kerberos.service.uci.edu:88
    admin_server = kerberos.service.uci.edu:749
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

  hs.uci.edu = HS.UCI.EDU
  .hs.uci.edu = HS.UCI.EDU
  uci.edu = UCI.EDU
  .uci.edu = UCI.EDU

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

What did I miss?

Thanks again for all the help.

Habib.
Deanydean-Oracle
Hi Habib,

"login-ldap: not found" worries me a little, as it was present in your previous posts. Any idea why this might have been removed?

Also, to try and gauge your AD env, can you provide the output of the following command (obfuscated as required):

# ./tarantella service list

Thanks,

Matt
838745
Hi Matt,

I am not clear about this issue, but I guess it is because earlier it was set up for LDAP and now I changed it to AD? Before I made the changes, the selection was under LDAP and the URL was ldap://hs.uci.edu. Now I have changed this to AD with the URL ad://hs.uci.edu.

Regarding

# ./tarantella service list

I couldn't run it. It gives me an error complaining that 'service' is not an available command, and it gives me a list of commands from archive, array and config through version, webserver and webtopsession.

Seems like I missed something very obvious?

Thanks.
Deanydean-Oracle
Hi Habib,

Are you using SGD 4.50 or earlier? The service list command was only introduced in 4.60, so this might explain why it's missing.

Matt
838745
Hi Matt,

True, we are using version 4.5.933. Is there any equivalent to the service command? Any other suggestion?

Thanks.

Habib.
Deanydean-Oracle
OK, sorry about that, I was assuming (wrongly) that you were using 4.60.

In 4.50, can you get the output of:

# tarantella config list --login-ldap-url

Thanks,

Matt
838745
Sorry, it is my mistake, I should have mentioned it in the very beginning.

Here is the output of tarantella config list --login-ldap-url

login-ldap-url: ad://hs.uci.edu

Thanks again Matt. I sincerely appreciate all the help and guidance.

Habib.
Deanydean-Oracle
Hi Habib,

At first glance this looks fine. Can you check for any errors in the SGD logs? These are located in /opt/tarantella/var/log. Please post the output of any errors caused when trying to login.

Thanks,

Matt
838745
Hi Matt,

I was not sure exactly which log file to look for. Below is jserver20735_error.log, based on the time stamp. Thanks.

Habib.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

2011/03/31 07:41:13.280 (pid 20735) server/ad/warningerror #1301582473280
Sun Secure Global Desktop Software (4.5) WARNING:

DNS lookup failed to find infodev-globaldesk

Reason:
javax.naming.ServiceUnavailableException: DNS server failure [response code 2]; remaining name 'infodev-globaldesk'

infodev-globaldesk
cannot be used by SGD.

Make sure the DNS server contains a valid entry for this host.

2011/03/31 07:41:13.285 (pid 20735) server/ad/warningerror #1301582473285
Sun Secure Global Desktop Software (4.5) WARNING:

Active Directory service discovery failed
Failed to get IP addresses for the peer DNS name

Current state:
Looking up Global Catalog DNS name: gc.tcp.hs.uci.edu. - HIT
Looking for GC on server: Active Directory(ldap://160.87.13.147:3268::orgds3.hs.uci.edu[160.87.13.147]:[Up]) - HIT
Checking for CN=Configuration: DC=hs,DC=uci,DC=edu - MISS
Checking for CN=Configuration: CN=Configuration,DC=hs,DC=uci,DC=edu - HIT
Looking up domain root context: DC=hs,DC=uci,DC=edu - HIT
Looking up site context: CN=Sites,CN=Configuration
Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
Looking up addresses for peer DNS: infodev-globaldesk - HIT


Failed to discover Active Directory Site, Domain and server data.

Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.

2011/03/31 07:41:13.287 (pid 20735) server/ldap/warningerror #1301582473287
Sun Secure Global Desktop Software (4.5) WARNING:

LDAP call failed:
null lookupLink-.../_ldapmulti/forest/("DC=HS,DC=UCI,DC=EDU")
Call took 30183ms.

Reason:
javax.naming.NameNotFoundException: Failed to get IP addresses for the peer DNS name.

The call to the directory server failed.

Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.

2011/03/31 08:32:52.474 (pid 20735) server/ad/warningerror #1301585572474
Sun Secure Global Desktop Software (4.5) WARNING:

DNS lookup failed to find infodev-globaldesk

Reason:
javax.naming.ServiceUnavailableException: DNS server failure [response code 2]; remaining name 'infodev-globaldesk'

infodev-globaldesk
cannot be used by SGD.

Make sure the DNS server contains a valid entry for this host.

2011/03/31 08:32:52.474 (pid 20735) server/ad/warningerror #1301585572475
Sun Secure Global Desktop Software (4.5) WARNING:

Active Directory service discovery failed
Failed to get IP addresses for the peer DNS name

Current state:
Looking up Global Catalog DNS name: gc.tcp.hs.uci.edu. - HIT
Looking for GC on server: Active Directory(ldap://128.200.145.93:3268::directory.hs.uci.edu[128.200.145.93]:[Up]) - HIT
Checking for CN=Configuration: DC=hs,DC=uci,DC=edu - MISS
Checking for CN=Configuration: CN=Configuration,DC=hs,DC=uci,DC=edu - HIT
Looking up domain root context: DC=hs,DC=uci,DC=edu - HIT
Looking up site context: CN=Sites,CN=Configuration
Searching for sites: (&(objectClass=site)(siteObjectBL=*)) - HIT
Looking up addresses for peer DNS: infodev-globaldesk - HIT


Failed to discover Active Directory Site, Domain and server data.

Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.

2011/03/31 08:32:52.475 (pid 20735) server/ldap/warningerror #1301585572476
Sun Secure Global Desktop Software (4.5) WARNING:

LDAP call failed:
null lookupLink-.../_ldapmulti/forest/("DC=HS,DC=UCI,DC=EDU")
Call took 30185ms.

Reason:
javax.naming.NameNotFoundException: Failed to get IP addresses for the peer DNS name.

The call to the directory server failed.

Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.
838745
Hi Matt,

I googled on the error log and found this thread:

2023613

After renaming the server name from infodev-globaldesk to infodev-globaldesk.hs.uci.edu, it tries to log in (it doesn't give me the 'Invalid Credential' message any more); however, I get a dialog box saying:

Cannot connect to the server infodev-globaldesk:5307 Unknown error.

I am searching for this error but so far no luck.

Any insight?

Thanks.

habib.
MrBrown-Oracle
firewall/proxy and DNS

Have you read the install/config requirements?
838745
Hi,

Thanks for the suggestion.

Yes, I did check, and port 5307 is enabled already. The confusing part is, it was working before the switch to AD authentication.

Habib.
Deanydean-Oracle
Hi Habib,

The problem here is that the SGD server cannot resolve its own peer DNS name "infodev-globaldesk". For more information on this see the doc reference:

http://download.oracle.com/docs/cd/E19141-01/820-6689/chapter1.html#d0e955.

To verify if the peer name can be resolved by DNS, perform a DNS lookup of "infodev-globaldesk" from the SGD server:

$ nslookup infodev-globaldesk

If you cannot resolve the peer DNS name of the SGD server, SGD AD authentication will not work as it requires working DNS.

Hope this helps,

Matt

Edited by: DeanyDean on 05-Apr-2011 09:10

Edited by: DeanyDean on 05-Apr-2011 09:12
838745
Thanks again Matt,

I am going through the document right now to see if I missed anything; however, in the meantime, if I run

$ nslookup infodev-globaldesk

I get the following response:

Server: 160.87.7.31
Address: 160.87.7.31#53

Name: infodev-globaldesk.hs.uci.edu
Address: 160.87.9.122

This is the right name and address of the server.

Should I be expecting something different?

Thanks.

Habib.
Deanydean-Oracle
Hi Habib,

I think your DNS error is being triggered because the full DNS name infodev-globaldesk.hs.uci.edu is not being used as the peer name for the SGD server. When you install the SGD server, you should always use the full DNS name of the host.

To change the peer DNS name of the server, you should read the following docs:

http://download.oracle.com/docs/cd/E19141-01/820-6689/chapter1.html#d0e1237

I suggest you change the peer name from "infodev-globaldesk" to "infodev-globaldesk.hs.uci.edu". Doing this should (at least) get rid of the peer name error from the logs.

Hope this helps,

Matt
838745
Hi Matt,

Thanks for being persistent with helping me to resolve this issue.

I had changed peerdns to infodev-globaldesk.hs.uci.edu last week, as I mentioned in my previous post on 3/31.

Just to make sure, I ran it again and I got the following error:

Peer DNS name is already infodev-globaldesk.hs.uci.edu: it will not be changed.
Nothing to do: exiting

Did I miss something obvious?

Thanks again.

habib.
Deanydean-Oracle
Hi Habib,

Yep, missed that post, sorry about that.

So, you got the DNS error in the logs, fixed the DNS issue from AD auth and now you get the error:

"Cannot connect to the server infodev-globaldesk:5307 Unknown error."

The good news is that I think this means AD authentication is working. The problem now appears to be that the client cannot connect to the SGD server, which I think has been caused by the changing of the peer DNS name. I'm fairly sure this error is related to the external DNS name config. By default after an install, peer DNS name and external DNS name are set to the same value. If you change the peer DNS name, it doesn't automatically change the external DNS name configuration. You have to do this manually:

http://download.oracle.com/docs/cd/E19141-01/820-6689/chapter1.html#d0e1065

I think you should set the "External DNS names" value to "*:infodev-globaldesk.hs.uci.edu" so that the client can connect to the SGD server.

If you think this is already set up correctly, can you send me what you currently have set for "External DNS names" for your SGD server.

Thanks,

Matt
838745
You are right Matt, this means AD authentication is working.

I looked under external DNS name and found an extra period. It was showing *:infodev-globaldesk.hs..uci.edu instead of *:infodev-globaldesk.hs.uci.edu, and probably it was overriding the peer DNS name.

After I fixed it, the error message has changed as follows:

Cannot connect to the server infodev-globaldesk.hs.uci.edu:5307 Unknown error

We are getting closer :-) thanks for all the help.
Deanydean-Oracle
We need to make sure the SGD client can connect to port 5307 of the SGD server using the hostname infodev-globaldesk.hs.uci.edu. If you have a Solaris/Linux or Mac client you can use:

$ telnet infodev-globaldesk.hs.uci.edu 5307

You won't be able to do anything, just verify you can connect.

Also, to check the SGD server is listening on the correct network interfaces, you can use something like:

$ netstat -na | grep 5307

I'd expect a LISTEN on 0.0.0.0:5307 from the netstat call.

Matt
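The checks Matt walks through in this thread (the peer name resolving from the server itself, using the full DNS name as the peer name, the "External DNS names" value matching it, port 5307 reachable and listening, and earlier the login-nt setting that puts users into the NT User Profile) gathered into one script, added here as an example; it is not from this thread or from Oracle's SGD tooling. It assumes the host names, port and `tarantella config list` output format shown in the thread, that the AD forest name is the domain part of the peer name, and a Linux/Solaris shell with getent, nslookup and netstat. The offline checks run without a network; the live checks only run when the script is given a peer name.

```shell
#!/bin/sh
# Added example, not from this thread or Oracle's SGD tooling. Offline checks
# for the configuration mistakes discussed above, plus optional live checks.
# Host names, port and config-output format come from the thread; the rest
# (forest name = domain part of the peer name, tarantella path) is assumed.

# Return 0 if NAME is a well-formed fully qualified DNS name: at least two
# labels, no empty label (a doubled "." as in "hs..uci.edu" produces one),
# each label made of letters, digits and hyphens and not starting or
# ending with a hyphen.
valid_fqdn() {
    name=$1
    case "$name" in
        ''|*..*|.*|*.) return 1 ;;   # empty, doubled dot, leading/trailing dot
        *.*) ;;                      # has a dot: candidate FQDN
        *) return 1 ;;               # bare host name such as "infodev-globaldesk"
    esac
    rest=$name
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
        case "$label" in
            ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
        esac
    done
    return 0
}

# Return 0 if the "External DNS names" value (the "*:name" form used in the
# thread) names exactly the peer DNS name, so clients are told to connect to
# the same name the server was registered under.
external_name_ok() {
    external=$1
    peer=$2
    case "$external" in *:*) ;; *) return 1 ;; esac
    ext_name=${external#*:}
    valid_fqdn "$ext_name" || return 1
    [ "$ext_name" = "$peer" ]
}

# Read "tarantella config list login-ldap login-ad login-nt login-nt-domain"
# output from stdin; return 0 only if AD authentication is on and Windows
# Domain Authentication (login-nt) is off. With login-nt on, users receive
# the NT User Profile and AD group assignments never apply.
auth_mode_ok() {
    ad=0
    nt=0
    while IFS= read -r line; do
        case "$line" in
            "login-ad: "*) ad=${line#"login-ad: "} ;;
            "login-nt: "*) nt=${line#"login-nt: "} ;;
        esac
    done
    [ "$ad" = 1 ] && [ "$nt" = 0 ]
}

# Live checks; these need the network and only run when arguments are given.
# Usage: sh sgd_precheck.sh PEER_DNS_NAME [PORT]
sgd_precheck() {
    peer=$1
    port=${2:-5307}
    valid_fqdn "$peer" || { echo "peer name '$peer' is not a fully qualified DNS name"; return 1; }
    # The server must resolve its own peer name (the nslookup step in the thread).
    getent hosts "$peer" >/dev/null 2>&1 || { echo "DNS cannot resolve $peer"; return 1; }
    # AD service discovery needs the forest's Global Catalog SRV record.
    # Assumption: the forest name is the domain part of the peer name.
    forest=${peer#*.}
    nslookup -type=SRV "_gc._tcp.$forest" >/dev/null 2>&1 \
        || echo "warning: no _gc._tcp.$forest SRV record found"
    # The server must be listening for clients on the port on all interfaces
    # (Linux prints 0.0.0.0:5307, Solaris prints *.5307).
    netstat -na 2>/dev/null | grep -q "[:.]$port .*LISTEN" \
        || echo "warning: nothing listening on port $port"
    # Authentication-mode check, only if the tarantella command is installed
    # at its usual location (assumed path).
    if [ -x /opt/tarantella/bin/tarantella ]; then
        /opt/tarantella/bin/tarantella config list login-ldap login-ad login-nt login-nt-domain \
            | auth_mode_ok || echo "warning: login-nt is on or login-ad is off"
    fi
    echo "checks complete for $peer:$port"
}

if [ $# -gt 0 ]; then
    sgd_precheck "$@"
fi
```

Run as `sh sgd_precheck.sh infodev-globaldesk.hs.uci.edu` on the SGD server; the name validation catches both mistakes from the thread (a bare host name as peer name, and the doubled period in the external name) before any network call is made.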
838745
Hi Matt,

telnet infodev-globaldesk.hs.uci.edu 5307

produces this result:

Connected to infodev-globaldesk.hs.uci.edu (160.87.9.122)
Escape character is '^]'.

and the output for netstat -na | grep 5307 is:

tcp 0 0 0.0.0.0:5307 0.0.0.0:* LISTEN

Thanks again.

Habib.
Deanydean-Oracle
Hi Habib,

I've tried to reproduce your problem here but have had no luck. As you now seem to be having client issues, can you provide me with information about the clients you are using? Client O/S and version should be sufficient.

Also, when you edited the "External DNS Name" config, was this done from the SGD Admin Console?

Thanks,

Matt
838745
Hi Matt,

We are a typical Microsoft shop. I was using Windows XP, Windows 7 and Windows Server 2003, all with IE 8. It didn't occur to me that it could be a client issue, since it was working before I made all those changes from Windows authentication to AD authentication.

Good news and bad news.

After you mentioned it, I downloaded Safari and Firefox. The good news is, I was able to get in with Safari (not with Firefox and Internet Explorer).

The bad news is, even though I was able to get past this error message in Safari, I still see the application that I am not supposed to see based on AD group membership.

I am back to square one now :-(

Any other suggestion?

Thanks again.

Habib.
Deanydean-Oracle
Hi Habib,

To make sure there's no data on your client that references the old SGD external name, you should clear the IE8 browser cache and also clear out any SGD client profiles from your client machine. Client profiles can be found at:

Windows 7: USER_HOME_DIR/AppData/Local/Sun/SSGD/profile.xml

Removing this file will clear out any existing SGD client profiles.

Does this fix your client issue with IE8 and Firefox?

Matt
838745
Hi Matt,

I deleted the profile.xml file, still no success. Just FYI, this Windows 7 machine was freshly installed anyway, and I also didn't have Firefox and Safari installed until you asked about the client platform.

Sorry. In your previous post you asked me:

when you edited the "External DNS Name" config, was this done from the SGD Admin Console?

and I forgot to respond. Yes, I made that change in "SGD Admin Console" via the browser.

And talking about 'SGD Admin Console', I am not sure if it matters, but I could log in to 'SGD Admin Console' even when I can't log in as an end user.

Thanks again for all the help.

Habib.
838745
Here is the good news. After installing the 'Self-Signed SSL Certificate' using

tarantella security selfsign

I was able to get past the error message and log on to SGD.

The bad news is I am still seeing the application that I am not supposed to see.

Any other suggestion?

In the meantime, I am reviewing the 'Effective User Profile'. The LDAP assignment looks OK, but 'Local Assignments' is showing 'LDAP Profile' and 'NT User Profile'. I wonder if these two profiles may be causing the issue?

Thanks again.

Habib.
Deanydean-Oracle
Hi Habib,

If you are logged in as an LDAP user and you haven't created any custom user profiles, the user will be using the "LDAP Profile", so if the app is assigned directly to the LDAP Profile the user should see the application on the webtop. If your AD user isn't seeing the app, then you should check the profile the user is using (webtop -> info -> detailed diagnostics -> user -> profile). Can you confirm that it's the LDAP Profile?

If you want to assign the application to only members of an AD group then you shouldn't assign the application directly to the LDAP Profile. Here are the docs for LDAP/AD group app assignment:

http://download.oracle.com/docs/cd/E19141-01/820-6689/chapter3.html#d0e14960

Matt
838745
Hi Matt,

Here is the output:


User :
.../_service/sco/tta/ldapcache/CN=Habibullah\, Mohammad,OU=Desktop,OU=Mobile and Administrative Workstations with Special Exemptions,DC=HS,DC=UCI,DC=EDU
Profile :
.../_ens/o=Tarantella System Objects/cn=LDAP Profile


You are right, the goal is to assign certain applications to only members of certain AD groups. I am looking at the link you provided and got somewhat more confused. I am not clear how to achieve this goal. I will go over it again to see what I missed.

Thanks again.

Habib.

Post Details

Locked on May 12 2011
Added on Feb 15 2011
34 comments
1,275 views