Hi all,

I'm trying to make pfSense talk to Samba AD LDAP through the "bind credentials to resolve distinguished names" option.

One of them successfully connects (Samba logs):

[2019/06/12 14:34:41.517364,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2019/06/12 14:34:41.520731,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [MATRIX_SCIENCE]\[account1]@[(null)]
  auth_check_password_send: mapped user is: [MATRIX_SCIENCE]\[account1]@[(null)]
[2019/06/12 14:34:41.521510,  4] ../source4/auth/sam.c:183(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user account1

The other one fails:

[2019/06/12 15:09:56.215000,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2019/06/12 15:09:56.217871,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2019/06/12 15:09:56.217941,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

I get the same failure when I try it against the primary DC (Samba 4.0.9) and the replica (Samba 4.5.16), which I've deployed as a soon-to-be replacement.

All credentials are valid, as I can log in to the domain with both.

Both accounts, as far as I can tell, look identical from the AD perspective.

The only difference that I can spot is when I run:

ldapsearch -D 'account@matrixscience.co.uk' -b 'cn=Users,dc=matrixscience,dc=co,dc=uk' -H ldap://dc15 -W sAMAccountName=account

The responses are successful and identical apart from these 2 lines:

msDS-SupportedEncryptionTypes: 0
msSFU30Name: account2

which only appear for the second (problematic) account.

Any idea what the second account is missing?
The difference, in my opinion, must be restricted to what's replicated between domain controllers.

Thanks,
Adam
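The attribute comparison described in the message above, done mechanically rather than by eye, as an added example that is not code from the thread, from Samba or from pfSense. It parses ldapsearch output the way ldapsearch actually prints it (LDIF line folding with a leading space, base64 `attr::` values, comment lines and the trailing `search:`/`result:` block), then diffs two entries. The two sample dumps are constructed to resemble the thread's two accounts (all values are made up, and the base64 description exists only to exercise the parser), and the DEFAULT_IGNORE list of attributes that always differ between two accounts is my own choice, not anything the thread states.

```python
#!/usr/bin/env python3
"""Diff two ldapsearch LDIF entries attribute by attribute.
Added example, not code from the thread. Unfolds LDIF continuation lines,
decodes base64 ("attr::") values and reports attributes that exist on only
one account or carry different values."""
import base64
import sys

# Attributes that legitimately differ between any two accounts (identity,
# SIDs, timestamps, counters). An assumed default; extend as needed.
DEFAULT_IGNORE = frozenset(a.lower() for a in (
    "dn", "cn", "name", "distinguishedName", "sAMAccountName",
    "userPrincipalName", "objectGUID", "objectSid", "whenCreated",
    "whenChanged", "uSNCreated", "uSNChanged", "pwdLastSet", "lastLogon",
    "logonCount"))

def unfold(text):
    """Join LDIF continuation lines (leading single space) to the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for every entry in an ldapsearch dump."""
    entries, current = {}, None
    for line in unfold(text) + [""]:            # "" sentinel flushes the last entry
        if not line.strip():
            if current is not None:
                entries[current[0]] = current[1]
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue                              # ldapsearch comments / header
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                                     # "attr: value" (or "attr:< url")
            value = rest.strip()
        if name == "dn" and current is None:
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
        # "search: 2" / "result: 0 Success" arrive with current None and are dropped
    return entries

def diff_attrs(a, b, ignore=DEFAULT_IGNORE):
    """Compare two attribute dicts; names match case-insensitively as in LDAP.
    Returns (only_in_a, only_in_b, changed{name: (values_a, values_b)})."""
    la = {k.lower(): (k, v) for k, v in a.items() if k.lower() not in ignore}
    lb = {k.lower(): (k, v) for k, v in b.items() if k.lower() not in ignore}
    only_a = sorted(la[k][0] for k in la.keys() - lb.keys())
    only_b = sorted(lb[k][0] for k in lb.keys() - la.keys())
    changed = {la[k][0]: (la[k][1], lb[k][1]) for k in la.keys() & lb.keys()
               if sorted(la[k][1]) != sorted(lb[k][1])}
    return only_a, only_b, changed

def compare_ldif(text_a, text_b, ignore=DEFAULT_IGNORE):
    """Diff the first entry of each ldapsearch dump."""
    ea, eb = parse_ldif(text_a), parse_ldif(text_b)
    if not ea or not eb:
        raise ValueError("no entry found in one of the inputs")
    return diff_attrs(next(iter(ea.values())), next(iter(eb.values())), ignore)

# Constructed samples shaped like the thread's ldapsearch output; values are
# made up, and account1's description is base64-encoded and folded over two
# lines purely to exercise the parser.
SAMPLE_ACCOUNT1 = """\
# account1, Users, matrixscience.co.uk
dn: CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk
objectClass: top
objectClass: user
cn: account1
sAMAccountName: account1
userPrincipalName: account1@matrixscience.co.uk
userAccountControl: 512
description:: Zm9sZGVkIHZh
 bHVl

search: 2
result: 0 Success
"""
SAMPLE_ACCOUNT2 = """\
dn: CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk
objectClass: top
objectClass: user
cn: account2
sAMAccountName: account2
userPrincipalName: account2@matrixscience.co.uk
userAccountControl: 512
description:: Zm9sZGVkIHZhbHVl
msDS-SupportedEncryptionTypes: 0
msSFU30Name: account2
"""

if __name__ == "__main__":
    # usage: diff_ldif.py first.ldif second.ldif (no args: run on the samples)
    texts = [open(p).read() for p in sys.argv[1:]] if len(sys.argv) == 3 \
        else [SAMPLE_ACCOUNT1, SAMPLE_ACCOUNT2]
    only_a, only_b, changed = compare_ldif(*texts)
    for n in only_a:
        print("only in first :", n)
    for n in only_b:
        print("only in second:", n)
    for n, (va, vb) in changed.items():
        print("differs       :", n, va, "vs", vb)
```

Save each account's ldapsearch output to a file and pass both paths; on the samples the script reports only `msDS-SupportedEncryptionTypes` and `msSFU30Name` as present on the second account, and the folded base64 description is correctly recognised as identical on both. When comparing a DC of one Samba version with another, run the same search against each DC and diff the dumps of the *same* account as well, since a value that differs between replicas is a replication or schema issue rather than an account one.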
I got authentication (bind credentials) working for account2 on the old DC (Samba 4.0.9):

CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
MATRIXSCIENCE.CO.UK\account1 ---> OK
MATRIXSCIENCE.CO.UK\account2 ---> OK

but it's still failing on the new DC (Samba 4.5.16):

CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
MATRIXSCIENCE.CO.UK\account1 ---> FAIL
MATRIXSCIENCE.CO.UK\account2 ---> FAIL

I suspected this might be due to some difference in the smb.conf files on both controllers. They are now almost identical, but to no joy, and I'm running out of ideas...

On 13/06/19 09:26, Adam Weremczuk wrote:
> [...]
On 13/06/2019 16:05, Adam Weremczuk via samba wrote:
> [...]

Try posting the smb.conf files here; we may be able to spot something. It might also help if you can show how pfSense is trying to connect to AD.

Rowland