On 18.09.19 at 19:16, Kris Lou via samba wrote:
> More than likely, certificate issues.
>
> If you use the IP in pfsense, then the Samba certificate needs to have the
> IP as the CN.

So you suggest contacting the DC via hostname ...

Googled this query command:

# openssl s_client -connect adc1:636

tells me ...

CONNECTED(00000003)
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = ADC1.arbeitsgruppe.mydomain.at
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = Samba Administration, OU = Samba - temporary autogenerated HOST certificate, CN = ADC1.arbeitsgruppe.mydomain.at
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=Samba Administration/OU=Samba - temporary autogenerated HOST certificate/CN=ADC1.arbeitsgruppe.mydomain.at
   i:/O=Samba Administration/OU=Samba - temporary autogenerated CA certificate/CN=ADC1.arbeitsgruppe.mydomain.at

So I would have to use "adc1.arbeitsgruppe.mydomain.at" ?

But why did that work yesterday ... ?

Aside from this thread I also posted at the netgate forum:

https://forum.netgate.com/topic/146634/openvpn-auth-via-samba4-ads-ldap

thanks
On 18.09.19 at 19:28, Stefan G. Weichinger via samba wrote:
> So I would have to use "adc1.arbeitsgruppe.mydomain.at"

Tried that. Doesn't help so far.

gives:

[2019/09/18 19:32:07.544332,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2019/09/18 19:32:07.544401,  1] ../source4/ldap_server/ldap_extended.c:89(ldapsrv_starttls_postprocess_done)
  ldapsrv_starttls_postprocess_done: accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error => NT_STATUS_IO_DEVICE_ERROR
stream_terminate_connection: Terminating connection - 'ldapsrv_call_postprocess_done: call->postprocess_recv() - NT_STATUS_IO_DEVICE_ERROR'

again
On 18.09.19 at 19:32, Stefan G. Weichinger via samba wrote:
> On 18.09.19 at 19:28, Stefan G. Weichinger via samba wrote:
>
>> So I would have to use "adc1.arbeitsgruppe.mydomain.at"
>
> Tried that. Doesn't help so far.
>
> gives:
>
> [2019/09/18 19:32:07.544332,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
>   TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
> [2019/09/18 19:32:07.544401,  1] ../source4/ldap_server/ldap_extended.c:89(ldapsrv_starttls_postprocess_done)
>   ldapsrv_starttls_postprocess_done: accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error => NT_STATUS_IO_DEVICE_ERROR
> stream_terminate_connection: Terminating connection - 'ldapsrv_call_postprocess_done: call->postprocess_recv() - NT_STATUS_IO_DEVICE_ERROR'
>
> again

I assume I have to somehow import the Samba-ADS-CA into pfsense?

I took /var/lib/samba/private/tls/ca.pem and imported that as an additional CA ...

... and now it works ... I wonder how long ...

thanks so far!
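An added example, not code posted in this thread and not part of Samba or pfSense: a shell script that reproduces the two states seen in the s_client output above (verify error 20 as long as the client does not trust the DC's CA, a clean chain once the equivalent of /var/lib/samba/private/tls/ca.pem is supplied) and then shows the second check a TLS client performs, that the name it connected to matches the certificate. It generates its own throwaway CA and HOST certificate using the subject names from the thread; the certificates are not Samba's real ones, the IP 192.0.2.10 is a made-up stand-in for "the IP in pfsense", and openssl 1.1.0 or newer on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the openssl verify states above
# with a throwaway CA and host certificate, then run the two checks an LDAPS
# client performs: chain building and name matching.
# Assumptions: openssl >= 1.1.0 on PATH; DC_FQDN is the DC name quoted in the
# thread; everything under $WORK is generated here and is NOT Samba's real key material.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DC_FQDN="adc1.arbeitsgruppe.mydomain.at"

make_certs() {
  # Stand-in for Samba's autogenerated CA (what the thread imported into pfSense).
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Samba Administration
OU = Samba - temporary autogenerated CA certificate
CN = $DC_FQDN
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

  # Stand-in for the HOST certificate the DC presents on port 636.
  cat > "$WORK/host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Samba Administration
OU = Samba - temporary autogenerated HOST certificate
CN = $DC_FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/host.cnf" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
  # Sign with the CA and add a DNS SAN: once a SAN is present, clients match
  # names against the SAN and ignore the CN.
  printf 'subjectAltName=DNS:%s\n' "$DC_FQDN" > "$WORK/san.cnf"
  openssl x509 -req -days 1 -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.cnf" -out "$WORK/host.pem" >/dev/null 2>&1
}

# Check 1a: chain building with no trusted CA. This is the "verify error:num=20"
# state from the s_client output; prints openssl's reason, or nothing on success.
chain_error_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/host.pem" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1 || true
}

# Check 1b: same chain, but the client now trusts ca.pem (what importing the CA
# into pfSense achieves). Exit status 0 means the chain verifies.
chain_ok_with_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/host.pem" >/dev/null 2>&1
}

# Check 2: the name the client used to connect must match the certificate.
# $1 is that name; a short name or a bare IP does not match a DNS SAN of the FQDN.
name_matches() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/host.pem" >/dev/null 2>&1
}

# Which names does the host certificate actually carry (Subject CN and SANs)?
cert_names() {
  openssl x509 -in "$WORK/host.pem" -noout -subject
  openssl x509 -in "$WORK/host.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

make_certs
printf 'names in host cert:\n'; cert_names
printf 'without CA: %s\n' "$(chain_error_without_ca)"
if chain_ok_with_ca; then echo "with CA: chain ok"; else echo "with CA: chain FAILED"; fi
for name in "$DC_FQDN" adc1 192.0.2.10; do   # 192.0.2.10 is a made-up IP
  if name_matches "$name"; then echo "$name: matches"; else echo "$name: does NOT match"; fi
done
```

Against the real DC the same two checks are `openssl s_client -connect adc1.arbeitsgruppe.mydomain.at:636 -CAfile ca.pem -verify_hostname adc1.arbeitsgruppe.mydomain.at`: the first fixes the error 20 from the thread, the second is why the short name "adc1" is not enough. If pfSense keeps connecting by IP address, trusting the CA alone only solves check 1; the DC certificate would also need that IP as an IP-type SAN (checked with `-verify_ip`), since verifiers ignore the CN once any SAN is present.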