Marco Shmerykowsky
2020-Sep-15 19:53 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 2020-09-15 1:13 pm, miguel medalha wrote:
>> I've tried restarting PHP-FPM and webconfigurator,
>> but that doesn't seem to solve the problem.
>
> This must be done each time after you edit the configuration using the LDAP
> authentication setup page. Otherwise the changes won't stick. Before I knew
> this, I did suffer a lot trying to make it work and not understanding why it
> didn't.

Yea - I'm lost. I keep trying the same thing hoping for different results. I think that is the definition of insanity.

I've tried:

create new OU called VPNusers and a user within that called bind-user-1
Also created a user under Users called bind-user-2

then I set the following:

extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com

no go. Also tried:

extended query => memberof=CN=users,DC=internal,DC=external,DC=com
authentication container => CN=users,DC=internal,DC=external,DC=com
bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com

After each change I run options 16 (restart php-fpm) and 11 (restart webconfigurator)

Tried using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted

Tried using "Global Root CA List & No Client Cert" and "Samba CA & cert/key"

Keeps failing to bind.
Rowland penny
2020-Sep-15 20:19 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>> I've tried restarting PHP-FPM and webconfigurator,
>>> but that doesn't seem to solve the problem.
>>
>> This must be done each time after you edit the configuration using the LDAP
>> authentication setup page. Otherwise the changes won't stick. Before I knew
>> this, I did suffer a lot trying to make it work and not understanding why it
>> didn't.
>
> Yea - I'm lost. I keep trying the same thing hoping for different results. I think that is the definition of insanity.
>
> I've tried:
>
> create new OU called VPNusers and a user within that called bind-user-1
> Also created a user under Users called bind-user-2
>
> then I set the following:
>
> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
> bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>
> no go. Also tried:
>
> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
> authentication container => CN=users,DC=internal,DC=external,DC=com
> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>
> After each change I run options 16 (restart php-fpm) and 11 (restart webconfigurator)
>
> Tried using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>
> Tried using "Global Root CA List & No Client Cert" and "Samba CA & cert/key"
>
> Keeps failing to bind.
>

OK, AD uses what is known as back-links, that is you create something and two attributes are created and they sort of point at each other. For instance, when you add a user to a group, the user gets a 'memberOf' attribute that contains the group's DN and the group gets a 'member' attribute that contains the user's DN.

I think you need to use an existing group (which isn't Domain Users) or create a new one and use that group's DN in the 'extended query'.

Rowland
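The following is an added example (not code from pfSense, Samba, or anyone in this thread) that puts Rowland's back-link explanation next to Marco's two configurations. It parses a constructed `ldapsearch -LLL`-style dump of a group and two users, checks that every `member` on the group has the matching `memberOf` on the user, and then emulates what pfSense does with "Authentication containers" plus "Extended query": with `memberOf=<group DN>` the group's members match, and with Marco's `memberof=OU=vpnusers,...` nobody can ever match, because `memberOf` only ever holds group DNs, never the DN of the OU a user happens to live in. The group name VPNUsers, the users alice and bob, the host dc1.internal.external.com, and the LDIF itself are assumptions; only the domain DN comes from the thread.

```python
"""Why 'memberof=OU=...' can never match, and how to check AD back-links.

Added example for this thread; not pfSense or Samba code. SAMPLE_LDIF is
constructed to look like `ldapsearch -LLL` output from a Samba AD DC; the
group VPNUsers and the users alice and bob are invented.
"""
import re

# To get real data instead of SAMPLE_LDIF, bind as the pfSense bind user
# (host and bind DN are placeholders):
#   ldapsearch -LLL -H ldaps://dc1.internal.external.com \
#     -D 'CN=vpn-bind-user-1,CN=Users,DC=internal,DC=external,DC=com' -W \
#     -b 'DC=internal,DC=external,DC=com' \
#     '(|(cn=VPNUsers)(memberOf=CN=VPNUsers,CN=Users,DC=internal,DC=external,DC=com))' \
#     member memberOf objectClass sAMAccountName
# If that bind itself fails, the problem is the bind account, not the filter.

# Constructed sample: a group with one member (alice) and the back-link on the
# user, plus a user (bob) that merely *lives in* an OU called vpnusers.
SAMPLE_LDIF = """\
dn: CN=VPNUsers,CN=Users,DC=internal,DC=external,DC=com
objectClass: group
cn: VPNUsers
member: CN=alice,CN=Users,DC=internal,DC=external,DC=com

dn: CN=alice,CN=Users,DC=internal,DC=external,DC=com
objectClass: user
sAMAccountName: alice
memberOf: CN=VPNUsers,CN=Users,DC=internal,DC=external,DC=com

dn: CN=bob,OU=vpnusers,DC=internal,DC=external,DC=com
objectClass: user
sAMAccountName: bob
"""

GROUP_DN = "CN=VPNUsers,CN=Users,DC=internal,DC=external,DC=com"


def parse_ldif(text):
    """Parse a simple LDIF dump (no base64 values, no line folding) into
    {dn: {attribute_lowercase: [values]}}."""
    entries = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def normalize_dn(dn):
    """AD compares DNs case-insensitively; do the same (ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def backlink_problems(entries, group_dn):
    """Rowland's point: every `member` on the group must have a matching
    `memberOf` on the user. Returns a list of inconsistencies (empty = OK)."""
    problems = []
    for member_dn in entries[group_dn].get("member", []):
        user = entries.get(member_dn)
        if user is None:
            problems.append(f"{member_dn}: member not in dump")
        elif normalize_dn(group_dn) not in map(normalize_dn, user.get("memberof", [])):
            problems.append(f"{member_dn}: lacks memberOf back-link")
    return problems


def users_matching_extended_query(entries, container_dn, extended_query):
    """Emulate pfSense's 'Authentication containers' + 'Extended query':
    users under the container whose attribute holds the given value.
    Handles a single attr=value term, which is all the thread uses."""
    attr, _, value = extended_query.partition("=")
    attr, wanted = attr.strip().lower(), normalize_dn(value)
    hits = []
    for dn, entry in entries.items():
        under_container = normalize_dn(dn).endswith("," + normalize_dn(container_dn))
        if not under_container or "user" not in entry.get("objectclass", []):
            continue
        if wanted in map(normalize_dn, entry.get(attr, [])):
            hits.append(entry["samaccountname"][0])
    return hits


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("back-link problems:", backlink_problems(entries, GROUP_DN))
    # A group DN in memberOf matches the group's members ...
    print(users_matching_extended_query(
        entries, "CN=Users,DC=internal,DC=external,DC=com", "memberOf=" + GROUP_DN))
    # ... an OU DN never does: memberOf only ever holds group DNs.
    print(users_matching_extended_query(
        entries, "OU=vpnusers,DC=internal,DC=external,DC=com",
        "memberof=OU=vpnusers,DC=internal,DC=external,DC=com"))
```

The practical split this gives you: run the `ldapsearch` in the comment first. If the bind as the pfSense bind user is refused, no extended query will help and the account itself is the problem; if it succeeds but the group search returns nothing, the group DN or the container is wrong.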
Marco Shmerykowsky
2020-Sep-15 20:57 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
>> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>>> I've tried restarting PHP-FPM and webconfigurator,
>>>> but that doesn't seem to solve the problem.
>>>
>>> This must be done each time after you edit the configuration using the LDAP
>>> authentication setup page. Otherwise the changes won't stick. Before I knew
>>> this, I did suffer a lot trying to make it work and not understanding why it
>>> didn't.
>>
>> Yea - I'm lost. I keep trying the same thing hoping for different results. I think that is the definition of insanity.
>>
>> I've tried:
>>
>> create new OU called VPNusers and a user within that called bind-user-1
>> Also created a user under Users called bind-user-2
>>
>> then I set the following:
>>
>> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
>> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
>> bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>>
>> no go. Also tried:
>>
>> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
>> authentication container => CN=users,DC=internal,DC=external,DC=com
>> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>>
>> After each change I run options 16 (restart php-fpm) and 11 (restart webconfigurator)
>>
>> Tried using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>>
>> Tried using "Global Root CA List & No Client Cert" and "Samba CA & cert/key"
>>
>> Keeps failing to bind.
>>
> OK, AD uses what is known as back-links, that is you create something and two attributes are created and they sort of point at each other. For instance, when you add a user to a group, the user gets a 'memberOf' attribute that contains the group's DN and the group gets a 'member' attribute that contains the user's DN.
>
> I think you need to use an existing group (which isn't Domain Users) or create a new one and use that group's DN in the 'extended query'.
>
> Rowland

Perhaps I'm mixing terminology in my understanding of how I'm setting things up. Does the user being used to create the bind need to be part of a "security group" or just part of a different organizational unit?

When I use the Windows admin tool for "Active Directory Users and Computers" I have a user located in "internal.external.com->users->bind-user-1". This is just another user like anyone else in the office.

Under "internal.external.com->users" I also have a number of "Security *Groups*" defined to which I assigned my users to establish access privileges. So the distinguished name for a group is something like:
CN=Group,CN=Users,DC=internal,DC=external,DC=com

I also tried creating a new organizational unit and then creating a user within that OU (i.e. internal.external.com->VPNUsers->bind-user-2). This user, however, was not assigned to a security group.

Do either of the scenarios described make sense or does the user need to be part of a Windows "Security Group"?
L.P.H. van Belle
2020-Sep-16 07:14 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
> This is just another user like anyone else in the office.

No, it's of course not... Why do you think your binding user is failing ;-)

So, on the bind fail. Did you set on the "binding" user: account is trusted and cannot be delegated?
Password can be changed and never expire need to be ticked also.

What's set on the pfSense server in ldap.conf? Are BASE and URI defined?

As far as I can tell, your certificate setup is fine.
If you're not sure, go to: testssl.sh (yes, that is a website)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Shmerykowsky via samba
> Sent: Tuesday 15 September 2020 22:57
> To: Rowland penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
>
> On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
> > On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
> >> On 2020-09-15 1:13 pm, miguel medalha wrote:
> >>>> I've tried restarting PHP-FPM and webconfigurator,
> >>>> but that doesn't seem to solve the problem.
> >>>
> >>> This must be done each time after you edit the configuration using the LDAP
> >>> authentication setup page. Otherwise the changes won't stick. Before I knew
> >>> this, I did suffer a lot trying to make it work and not understanding why it
> >>> didn't.
> >>
> >> Yea - I'm lost. I keep trying the same thing hoping for different results. I think that is the definition of insanity.
> >>
> >> I've tried:
> >>
> >> create new OU called VPNusers and a user within that called bind-user-1
> >> Also created a user under Users called bind-user-2
> >>
> >> then I set the following:
> >>
> >> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
> >> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
> >> bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
> >>
> >> no go. Also tried:
> >>
> >> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
> >> authentication container => CN=users,DC=internal,DC=external,DC=com
> >> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
> >>
> >> After each change I run options 16 (restart php-fpm) and 11 (restart webconfigurator)
> >>
> >> Tried using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
> >>
> >> Tried using "Global Root CA List & No Client Cert" and "Samba CA & cert/key"
> >>
> >> Keeps failing to bind.
> >>
> > OK, AD uses what is known as back-links, that is you create something and two attributes are created and they sort of point at each other. For instance, when you add a user to a group, the user gets a 'memberOf' attribute that contains the group's DN and the group gets a 'member' attribute that contains the user's DN.
> >
> > I think you need to use an existing group (which isn't Domain Users) or create a new one and use that group's DN in the 'extended query'.
> >
> > Rowland
>
> Perhaps I'm mixing terminology in my understanding of how I'm setting things up. Does the user being used to create the bind need to be part of a "security group" or just part of a different organizational unit?
>
> When I use the Windows admin tool for "Active Directory Users and Computers" I have a user located in "internal.external.com->users->bind-user-1". This is just another user like anyone else in the office.
>
> Under "internal.external.com->users" I also have a number of "Security *Groups*" defined to which I assigned my users to establish access privileges. So the distinguished name for a group is something like:
> CN=Group,CN=Users,DC=internal,DC=external,DC=com
>
> I also tried creating a new organizational unit and then creating a user within that OU (i.e. internal.external.com->VPNUsers->bind-user-2). This user, however, was not assigned to a security group.
>
> Do either of the scenarios described make sense or does the user need to be part of a Windows "Security Group"?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
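Louis's checklist for the bind account maps onto bits of the AD `userAccountControl` attribute, which is the quickest thing to inspect when a simple bind is refused. The following is an added example (not pfSense or Samba code, and not from anyone in the thread) that decodes that attribute and reports what is missing for a bind/service account. The bit values are the documented AD flags; the interpretation that Louis's "trusted and cannot be delegated" is the ADUC checkbox "Account is sensitive and cannot be delegated" (NOT_DELEGATED), the host name in the comment, and the sample values are assumptions. "User cannot change password" is deliberately not checked: in AD that checkbox is a deny ACE on the object, not a `userAccountControl` bit.

```python
"""Decode userAccountControl and check a bind account against Louis's list.

Added example for this thread; not pfSense or Samba code. Flag values are the
documented AD userAccountControl bits; sample values below are constructed.
"""

# Read the real value (host and bind DN are placeholders):
#   ldapsearch -LLL -H ldaps://dc1.internal.external.com -D '<bind DN>' -W \
#     -b 'DC=internal,DC=external,DC=com' \
#     '(sAMAccountName=vpn-bind-user-1)' userAccountControl

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}

DONT_EXPIRE_PASSWORD = 0x10000
NOT_DELEGATED = 0x100000
TRUSTED_FOR_DELEGATION = 0x80000
PASSWD_NOTREQD = 0x0020


def decode_uac(value):
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bind_account_problems(value):
    """Louis's checklist expressed against userAccountControl.
    ADUC 'Account is sensitive and cannot be delegated' sets NOT_DELEGATED;
    'Password never expires' sets DONT_EXPIRE_PASSWORD. 'User cannot change
    password' is a deny ACE, not a uAC bit, so it cannot be checked here."""
    flags = set(decode_uac(value))
    problems = []
    if "ACCOUNTDISABLE" in flags:
        problems.append("account is disabled")
    if "LOCKOUT" in flags:
        problems.append("account is locked out")
    if "PASSWORD_EXPIRED" in flags:
        # Windows AD reports this as LDAP result 49 with data 532 or 773.
        problems.append("password expired / must change at next logon: bind is refused")
    if "DONT_EXPIRE_PASSWORD" not in flags:
        problems.append("tick 'Password never expires'")
    if "NOT_DELEGATED" not in flags:
        problems.append("tick 'Account is sensitive and cannot be delegated'")
    if "TRUSTED_FOR_DELEGATION" in flags:
        problems.append("untick 'Trust this user for delegation': a bind account needs none")
    if "PASSWD_NOTREQD" in flags:
        problems.append("PASSWD_NOTREQD is set: the account may have an empty password")
    return problems


def hardened_uac(value):
    """Value to write back (e.g. with ldapmodify) so the checks above pass:
    set the two bits Louis asks for, clear the two a bind account should not have."""
    value |= DONT_EXPIRE_PASSWORD | NOT_DELEGATED
    value &= ~(TRUSTED_FOR_DELEGATION | PASSWD_NOTREQD)
    return value


if __name__ == "__main__":
    # Constructed values: a fresh user (512), a disabled one (514) and the
    # common "normal account, password never expires" (66048).
    for sample in (512, 514, 66048):
        print(sample, decode_uac(sample), bind_account_problems(sample))
    print("hardened 512 ->", hardened_uac(512))
```

A fresh `samba-tool user create` account decodes to NORMAL_ACCOUNT only, so it fails both of Louis's ticks; once the password expires it also fails the bind outright, which looks exactly like a wrong bind DN from the pfSense side.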