Marco Shmerykowsky
2020-Sep-15 19:53 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 2020-09-15 1:13 pm, miguel medalha wrote:>> I've tried restarting PHP-FPM and webconfigurator, >> but that doesn't seem to solve the problem. > > This must be done each time after you edit the configuration using the > LDAP > authentication setup page. Otherwise the changes won't stick. Before I > knew > this, I did suffer a lot trying to make it work and not understanding > why it > didn't.Yea - I'm lost. I keep trying the same thing hoping for different results. I think that is the definition of insanity. I've tried: create new OU called VPNusers and a user within that call bind-user-1 Also created a user under Users called bind-user-2 then I set the following: extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com authentication container => OU=vpnusers,DC=internal,DC=external,DC=com bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com no go. Also tried: extended query => memberof=CN=users,DC=internal,DC=external,DC=com authentication container => CN=users,DC=internal,DC=external,DC=com bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com After each change I run options 16 (restart php-fpm) and 11 (restart webconfigurator) Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted Tried using "Global Root CA List & No Client Cert" and "Samba CA & cert/key" Keeps failing to bind.
Rowland penny
2020-Sep-15 20:19 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:> On 2020-09-15 1:13 pm, miguel medalha wrote: >>> I've tried restarting PHP-FPM and webconfigurator, >>> but that doesn't seem to solve the problem. >> >> This must be done each time after you edit the configuration using >> the LDAP >> authentication setup page. Otherwise the changes won't stick. Before >> I knew >> this, I did suffer a lot trying to make it work and not understanding >> why it >> didn't. > > Yea - I'm lost.? I keep trying the same thing hoping for different > results.? I think that is the definition of insanity. > > I've tried: > > create new OU called VPNusers and a user within that call bind-user-1 > Also created a user under Users called bind-user-2 > > then I set the following: > > extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com > authentication container => OU=vpnusers,DC=internal,DC=external,DC=com > bind user => > CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com > > no go.? Also tried: > > extended query => memberof=CN=users,DC=internal,DC=external,DC=com > authentication container => CN=users,DC=internal,DC=external,DC=com > bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com > > After each change I run options 16 (restart php-fpm) and 11 (restart > webconfigurator) > > Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted > > Tried using "Global Root CA List & No Client Cert" and "Samba CA & > cert/key" > > Keeps failing to bind. > >OK, AD uses what is known as back-links, that is you create something and two attributes are created and they sort of point at each other, for instance when you add a user to a group, the user gets a 'memberOf' attribute that contains the groups DN and the group gets a 'member' attribute that contains the users DN. I think you need to use an existing group (which isn't Domain Users) or create a new one and use that groups DN in the 'extended query' Rowland
Marco Shmerykowsky
2020-Sep-15 20:57 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
On 2020-09-15 4:19 pm, Rowland penny via samba wrote:> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote: >> On 2020-09-15 1:13 pm, miguel medalha wrote: >>>> I've tried restarting PHP-FPM and webconfigurator, >>>> but that doesn't seem to solve the problem. >>> >>> This must be done each time after you edit the configuration using >>> the LDAP >>> authentication setup page. Otherwise the changes won't stick. Before >>> I knew >>> this, I did suffer a lot trying to make it work and not understanding >>> why it >>> didn't. >> >> Yea - I'm lost.? I keep trying the same thing hoping for different >> results.? I think that is the definition of insanity. >> >> I've tried: >> >> create new OU called VPNusers and a user within that call bind-user-1 >> Also created a user under Users called bind-user-2 >> >> then I set the following: >> >> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com >> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com >> bind user => >> CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com >> >> no go.? Also tried: >> >> extended query => memberof=CN=users,DC=internal,DC=external,DC=com >> authentication container => CN=users,DC=internal,DC=external,DC=com >> bind user => >> CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com >> >> After each change I run options 16 (restart php-fpm) and 11 (restart >> webconfigurator) >> >> Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted >> >> Tried using "Global Root CA List & No Client Cert" and "Samba CA & >> cert/key" >> >> Keeps failing to bind. >> >> > OK, AD uses what is known as back-links, that is you create something > and two attributes are created and they sort of point at each other, > for instance when you add a user to a group, the user gets a > 'memberOf' attribute that contains the groups DN and the group gets a > 'member' attribute that contains the users DN. > > I think you need to use an existing group (which isn't Domain Users) > or create a new one and use that groups DN in the 'extended query' > > RowlandPerhaps I'm mixing terminology in my understanding of how I'm setting things up. Does the user being used to create the bind need to be part of a "security group" or just part of a different organizational unit? When I use the windows admin tool for "Active Directory Users and Computers" I have a user located in "internal.external.com->users->bind-user-1". This is just another user like anyone else in the office. Under "internal.external.com->users" I also have a number of "Security *Groups*" defined to which I assigned my users to establish access privileges. so the distinguished name for a groups is something like: CN=Group,CN=Users,DC=internal,DC=external,DC=com I also tried creating a new organizational unit and then creating a user within that OU (ie internal.external.com->VPNUsers->bind-user-2) This user, however, was not assigned to a security group. Do either of the scenarios described make sense or does the user need to be part of a Windows "Security Group"?
L.P.H. van Belle
2020-Sep-16 07:14 UTC
[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
> This is just another user like anyone else in the office.No, its offcourse not .. Why do you think you binding user is failing ;-) So, on the bind fail. Did you set on the "binding" user, : account is trusted and cant not be delegated? Password can be changed and never expire need to be ticked also. Whats set on the Pfsence server in ldap.conf ? Is BASE and URI defined? As far i can tell, you certificate setup of fine. If your not sure, goto : testssl.sh (yes that is a website ) Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Marco Shmerykowsky via samba > Verzonden: dinsdag 15 september 2020 22:57 > Aan: Rowland penny > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] PFsense via Samba Authentication > Server -> ERROR! ldap_get_groups() could not bind > > On 2020-09-15 4:19 pm, Rowland penny via samba wrote: > > On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote: > >> On 2020-09-15 1:13 pm, miguel medalha wrote: > >>>> I've tried restarting PHP-FPM and webconfigurator, > >>>> but that doesn't seem to solve the problem. > >>> > >>> This must be done each time after you edit the > configuration using > >>> the LDAP > >>> authentication setup page. Otherwise the changes won't > stick. Before > >>> I knew > >>> this, I did suffer a lot trying to make it work and not > understanding > >>> why it > >>> didn't. > >> > >> Yea - I'm lost.? I keep trying the same thing hoping for different > >> results.? I think that is the definition of insanity. > >> > >> I've tried: > >> > >> create new OU called VPNusers and a user within that call > bind-user-1 > >> Also created a user under Users called bind-user-2 > >> > >> then I set the following: > >> > >> extended query => > memberof=OU=vpnusers,DC=internal,DC=external,DC=com > >> authentication container => > OU=vpnusers,DC=internal,DC=external,DC=com > >> bind user => > >> CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com > >> > >> no go.? Also tried: > >> > >> extended query => memberof=CN=users,DC=internal,DC=external,DC=com > >> authentication container => CN=users,DC=internal,DC=external,DC=com > >> bind user => > >> CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com > >> > >> After each change I run options 16 (restart php-fpm) and > 11 (restart > >> webconfigurator) > >> > >> Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted > >> > >> Tried using "Global Root CA List & No Client Cert" and "Samba CA & > >> cert/key" > >> > >> Keeps failing to bind. > >> > >> > > OK, AD uses what is known as back-links, that is you create > something > > and two attributes are created and they sort of point at each other, > > for instance when you add a user to a group, the user gets a > > 'memberOf' attribute that contains the groups DN and the > group gets a > > 'member' attribute that contains the users DN. > > > > I think you need to use an existing group (which isn't Domain Users) > > or create a new one and use that groups DN in the 'extended query' > > > > Rowland > > Perhaps I'm mixing terminology in my understanding of how I'm > setting things up. Does the user being used to create the > bind need to be part of a "security group" or just part > of a different organizational unit? > > When I use the windows admin tool for "Active Directory Users and > Computers" > I have a user located in "internal.external.com->users->bind-user-1". > This is just another user like anyone else in the office. > > Under "internal.external.com->users" I also have a number of > "Security > *Groups*" > defined to which I assigned my users to establish access privileges. > so the distinguished name for a groups is something like: > CN=Group,CN=Users,DC=internal,DC=external,DC=com > > I also tried creating a new organizational unit and then creating > a user within that OU (ie > internal.external.com->VPNUsers->bind-user-2) > This user, however, was not assigned to a security group. > > Do either of the scenarios described make sense or does the user > need to be part of a Windows "Security Group"? > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Reasonably Related Threads
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind
- PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind