I only have some experience with OPNsense but maybe you can relate:

- In my case it was always the certificate.
- I had to add the cert to the system certs using CLI. Adding them in the WebGUI was not enough.
- Port 636 did not work for me, only 389 using STARTTLS

Hope that helps...

On 16. March 2020 at 08:13:50, Stefan G. Weichinger via samba (samba at lists.samba.org) wrote:

> On 15.03.20 at 10:46, Christian Naumer via samba wrote:
> >
> >> On 15.03.2020 at 08:21, Sérgio Basto via samba <samba at lists.samba.org> wrote:
> >>
> >> On Sat, 2020-03-14 at 07:43 -0700, gabben via samba wrote:
> >>> Your pfSense firewall has OpenVPN built into it already, and you can
> >>> point pfSense authentication back to your samba AD. We support over
> >>> 400 users in this model. The configuration file for OpenVPN is common
> >>> to all users, and they authenticate with their AD credentials.
> >>
> >> Can you give some example of a configuration file for OpenVPN? And more
> >> about how to?
> >
> > Hello,
> > We also use this. The documentation is very good:
> > https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/index.html
>
> I also have that running at a customer. Now with the new corona issues in Austria I have to set that up for at least 2 other sites as well ...
>
> Unfortunately the pfsense GUI isn't very intuitive or helpful with connecting to AD:
>
> "Could not connect to the LDAP server" means everything from DNS to wrong user to missing client cert etc.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 16.03.20 at 09:02, Alexander Harm via samba wrote:
>
> I only have some experience with OPNsense but maybe you can relate:
>
> - In my case it was always the certificate.
> - I had to add the cert to the system certs using CLI. Adding them in the WebGUI was not enough.
> - Port 636 did not work for me, only 389 using STARTTLS
>
> Hope that helps...

Ah, yes, thanks.

I agree, the cert issues are the main spot to check.

In the meantime I fixed it (for now) by setting

ldap server require strong auth = No

on the DC and using the IP and "TCP - Standard" on pfsense.

Not as secure as possible, but works for now.

-

Dunno about opnsense, but in pfsense I am irritated by the fact that 2 instances of the same release show different dropdown menus for "Authentication Servers" (even after saving etc.)

There is a "Peer Certificate Authority" and a "Client Certificate".

On a pfsense where things work I back then imported the "/var/lib/samba/private/tls/ca.pem" of my samba DCs into "Certificate Manager / CAs" on the pfsense.

And chose that in the dropdown for "Peer Certificate Authority".

No "Client Certificate" there.

OK, a bit off-topic or "cross-topic" in this ML ;-)
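The workaround above (ldap server require strong auth = No plus a plain "TCP - Standard" connection) makes the pfSense bind password cross the network in cleartext. As an added example, not code from the thread, here is a small Python checker that reads an smb.conf and reports how that parameter is set, honouring Samba's case- and whitespace-insensitive parameter names and its default of yes; the two sample configs embedded below are constructed for the demo.

```python
import re
from typing import Dict

# Constructed sample: a DC configured the way the thread describes (TLS not required).
WEAKENED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = AD.EXAMPLE.INTERNAL
    server role = active directory domain controller
    ; weakened so pfSense could bind over plain LDAP (TCP - Standard)
    ldap server require strong auth = No
"""
# Constructed sample: the same DC with the Samba default left in place.
HARDENED_CONF = WEAKENED_CONF.replace("= No", "= yes")

def _norm(key: str) -> str:
    # Samba parameter names are case- and whitespace-insensitive.
    return re.sub(r"\s+", "", key).lower()

def parse_global(smb_conf: str) -> Dict[str, str]:
    """Return the [global] parameters of an smb.conf, keys normalised."""
    params: Dict[str, str] = {}
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = _norm(m.group(1))
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def check_ldap_strong_auth(smb_conf: str) -> Dict[str, str]:
    """Classify 'ldap server require strong auth' (Samba default: yes)."""
    params = parse_global(smb_conf)
    value = params.get("ldapserverrequirestrongauth", "yes").lower()
    value = {"0": "no", "false": "no", "1": "yes", "true": "yes"}.get(value, value)
    if value == "no":
        detail = "high: simple binds accepted without TLS, bind password is sent in cleartext"
    elif value == "allow_sasl_over_tls":
        detail = "medium: simple binds need TLS, SASL binds may skip sign/seal when over TLS"
    elif value == "yes":
        detail = "none: simple binds only over TLS, SASL binds must be signed or sealed"
    else:
        detail = "unknown: unrecognised value " + value
    return {"value": value, "risk": detail.split(":")[0], "detail": detail,
            "tls_cafile": params.get("tlscafile", "tls/ca.pem")}  # default CA file under the private dir
```

Running it on both samples shows the weakened DC as high risk and the default as none, which is the check to repeat once the pfSense side is switched to STARTTLS or LDAPS with the DC's ca.pem imported.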
On 3/16/2020 4:29 AM, Stefan G. Weichinger via samba wrote:
> On 16.03.20 at 09:02, Alexander Harm via samba wrote:
> >
> > I only have some experience with OPNsense but maybe you can relate:
> >
> > - In my case it was always the certificate.
> > - I had to add the cert to the system certs using CLI. Adding them in the WebGUI was not enough.
> > - Port 636 did not work for me, only 389 using STARTTLS
> >
> > Hope that helps...
>
> Ah, yes, thanks.
>
> I agree, the cert issues are the main spot to check.
>
> In the meantime I fixed it (for now) by setting
>
> ldap server require strong auth = No
>
> on the DC and using the IP and "TCP - Standard" on pfsense.
>
> Not as secure as possible, but works for now.
>
> -
>
> Dunno about opnsense, but in pfsense I am irritated by the fact that 2
> instances of the same release show different dropdown menus for
> "Authentication Servers" (even after saving etc.)
>
> There is a "Peer Certificate Authority" and a "Client Certificate".
>
> On a pfsense where things work I back then imported the
> "/var/lib/samba/private/tls/ca.pem" of my samba DCs into "Certificate
> Manager / CAs" on the pfsense.
>
> And chose that in the dropdown for "Peer Certificate Authority".
>
> No "Client Certificate" there.
>
> OK, a bit off-topic or "cross-topic" in this ML ;-)
>

Is there some sort of FAQ or checklist (for a newbie) that is Samba4-specific, beyond the information that is available via OpenVPN or pfSense sources? It seems that it gets murky at the authentication server (LDAP?) and what to do with the various certificates.

Thanks.