On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
> On 01.09.20 at 19:07, Marco Shmerykowsky via samba wrote:
>> A little off topic, but this does revolve around
>> Samba.
>>
>> I'm hoping someone can help me get to a working solution.
>> I haven't been able to find a clear guide, but it must
>> have been done by others.
>>
>> I'm trying to set up a VPN using OpenVPN on pfSense
>> with authentication via my Samba AD (Version 4.9.4-Debian)
>>
>> I keep getting a "Could not connect to LDAP server" error
>> when trying to configure the authentication server. When
>> I try to test the server I get an "Attempting to fetch Organizational
>> Units from XXXX failed" error.
>>
>> The "button" in the gui that allows for "selecting a container"
>> for setting the authentication container doesn't work so
>> I set it manually (CN=users;DC=internal,DC=company,DC=com)
>>
>> I've copied the ca.pem, cert.pem and key.pem files over to
>> pfsense to create the certificates.
>>
>> The authentication server is set to type "LDAP" using a
>> transport of "TCP - standard" and a port of 389. The
>> Peer Certificate Authority uses the cert created from
>> importing ca.pem. The client certificate uses the cert
>> created from importing cert.pem and key.pem.
>>
>> The base DN is correct (DN=internal,DN=company,DN=com).
>>
>> The pfsense box can resolve the host name of the Samba
>> machine (machine.internal.company.com).
>>
>> I have it set to use anonymous binds.
>>
>> Some kind of connection issue I gather with connecting
>> to the Samba internal LDAP server.
>>
>> Can anyone please point me in the correct direction? Thanks.
>
> I hit that as well, you might be able to find it in the ML archive.
>
> For me it was crucial to import the CA certs of the Samba AD DCs into
> pfsense.
>
> Additionally it was super important to use the correct and matching FQDN
> of one (I didn't yet manage to set up some redundant alias yet) AD DC in
> the "Authentication Server" setup on pfsense.
>
> I created a separate bind-user for pfsense, not anonymous.
>
> And SSL-encrypted via Port 636 ... while using the imported CA there.
>
> This as a start, feel free to ask more, I have at least 3 such
> installations working.

Thanks. Some progress. I changed the Transport to SSL-encrypted via 636 and created a separate bind user. The bind user is entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com".

The server checks out. However, when I run Diagnostics->Authentication, although the user checks out as authenticated, the groups the user belongs to are not listed.

Must be still missing something.

Marco.
I use:

User naming attribute: sAMAccountName
Group naming attribute: sAMAccountName
Group member attribute: memberof

And if I recall, the groups are only returned if they match a local pfSense group (must have the same name).
On 2020-09-01 2:02 pm, Kris Lou wrote:
> I use:
>
> User naming attribute: sAMAccountName
> Group naming attribute: sAMAccountName
> Group member attribute: memberof
>
> And if I recall, the groups are only returned if they match a local
> pfSense group (must have the same name).

What would be the benefit of creating a local group on pfsense?
On 01.09.20 at 19:57, Marco Shmerykowsky via samba wrote:
> Thanks. Some progress. I changed the Transport to SSL-encrypted
> via 636 and created a separate bind user. The bind user is
> entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com".
>
> The server checks out. However, when I run Diagnostics->Authentication,
> although the user checks out as authenticated, the groups the
> user belongs to are not listed.
>
> Must be still missing something.

You have the certs, use the FQDN and encryption with the AD-CA selected?

Does "Select a container" work in the "Authentication Servers" setup? That is crucial.

I might also share some (anonymized) screenshots offlist, yes.

I checked a 2nd installation, there I use Bind credentials in this form: pfsense@ad.domain

At first get this "Select a container" working. When you get the user authenticated in the Diagnostics, that sounds good, though.
On 01.09.20 at 20:02, Kris Lou via samba wrote:
> I use:
>
> User naming attribute: sAMAccountName
> Group naming attribute: sAMAccountName
> Group member attribute: memberof

With Samba AD I use:

User naming attribute: sAMAccountName
Group naming attribute: cn
Group member attribute: memberof
Group Object Class: posixGroup
Search scope: Entire Subtree

(and I added an Extended Query after the basics worked)

> And if I recall, the groups are only returned if they match a local pfSense
> group (must have the same name).

I didn't follow this.
On 2020-09-01 1:57 pm, Marco Shmerykowsky via samba wrote:
> On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
>> On 01.09.20 at 19:07, Marco Shmerykowsky via samba wrote:
>>> [...]
>>
>> [...]
>
> Thanks. Some progress. I changed the Transport to SSL-encrypted
> via 636 and created a separate bind user. The bind user is
> entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com".
>
> The server checks out. However, when I run Diagnostics->Authentication,
> although the user checks out as authenticated, the groups the
> user belongs to are not listed.
>
> Must be still missing something.

UGH. It was working & then it stopped working.
No clue what I could have changed.

Does "ldap server require strong auth" need to be set to 'no'
or is that currently required?
On 2020-09-01 4:04 pm, Marco Shmerykowsky via samba wrote:
> On 2020-09-01 1:57 pm, Marco Shmerykowsky via samba wrote:
>> On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
>>> On 01.09.20 at 19:07, Marco Shmerykowsky via samba wrote:
>>>> [...]
>>>
>>> [...]
>>
>> [...]
>
> UGH. It was working & then it stopped working.
> No clue what I could have changed.
>
> Does "ldap server require strong auth" need to be set to 'no'
> or is that currently required?

I only get the tests in pfSense working consistently if I set the following:

Protocol TCP - Standard on Port 389
"ldap server require strong auth = no" in smb.conf

I'm getting "TLS handshake failed" on the remote client, so I'm still doing something wrong.....
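The thread mixes two separate problems: the LDAPS handshake between pfSense and the DC (the "TLS handshake failed" above, and Stefan's point about the imported AD CA and the matching FQDN), and the group-mapping question from Kris Lou's and Stefan's replies (a user authenticates but no groups are listed). The script below is an added example, not code from any message in this thread and not pfSense's or Samba's own tooling. It reproduces the handshake check pfSense performs, then shows how memberOf values are turned into group names and why only groups that also exist locally on pfSense come back. The DC name, CA path, bind DN and base DN are placeholders, and the LDIF it parses is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense/Samba. Two parts:
# (1) the TLS path to the DC on 636, (2) why a user can authenticate yet
# show no groups in Diagnostics -> Authentication.
# Placeholders (not from the thread): DC_FQDN, CA_FILE, BIND_DN, BASE_DN.

DC_FQDN="${DC_FQDN:-dc1.internal.company.com}"   # placeholder: DC name as configured in pfSense
CA_FILE="${CA_FILE:-/path/to/ca.pem}"            # placeholder: the AD CA imported into pfSense
BIND_DN="${BIND_DN:-CN=binduser,CN=Users,DC=internal,DC=company,DC=com}"  # placeholder
BASE_DN="${BASE_DN:-DC=internal,DC=company,DC=com}"                       # placeholder

# (1) Reproduce pfSense's LDAPS handshake from the command line: the chain is
# verified against the imported AD CA and the certificate name against the
# exact FQDN pfSense uses. Returns 0 only if both pass. Run this before
# relaxing "ldap server require strong auth"; if it fails, the fix is on the
# CA / certificate name / FQDN side.
ldaps_check() {
    printf 'Q\n' | openssl s_client -connect "$DC_FQDN:636" \
        -CAfile "$CA_FILE" -verify_hostname "$DC_FQDN" \
        -verify_return_error >/dev/null 2>&1
}

# (2a) The lookup pfSense does for group mapping: bind as the bind user and
# read the user's memberOf values. Needs ldap-utils, so run it from a Linux
# box, not the firewall. Prompts for the bind password.
memberof_query() {
    ldapsearch -H "ldaps://$DC_FQDN" -D "$BIND_DN" -W -b "$BASE_DN" \
        "(sAMAccountName=$1)" memberOf
}

# (2b) Pull the group CN out of every memberOf DN in LDIF read from stdin.
# The first sed unfolds LDIF continuation lines (a line starting with one
# space belongs to the previous line) so long DNs are not cut in half.
# Base64-encoded values ("memberOf::") are not handled here.
member_groups() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    sed -n 's/^memberOf: *CN=\([^,]*\),.*/\1/p'
}

# (2c) Keep only the groups that also exist locally on pfSense (given as
# arguments). pfSense maps an LDAP group onto a local group of the same
# name, so an empty result here is exactly "authenticated, but no groups".
matching_groups() {
    while IFS= read -r ldap_group; do
        for local_group in "$@"; do
            if [ "$ldap_group" = "$local_group" ]; then
                printf '%s\n' "$ldap_group"
            fi
        done
    done
}

# Constructed sample LDIF standing in for memberof_query output, with one DN
# folded across two lines the way ldapsearch prints long values.
SAMPLE_LDIF='dn: CN=marco,CN=Users,DC=internal,DC=company,DC=com
memberOf: CN=vpn-users,CN=Users,DC=internal,DC=company,DC=com
memberOf: CN=Domain Users,CN=Users,DC=internal,DC=compan
 y,DC=com
memberOf: CN=printer-admins,OU=Groups,DC=internal,DC=company,DC=com'

# Groups the sample user is in according to AD.
demo_all_groups() {
    printf '%s\n' "$SAMPLE_LDIF" | member_groups
}

# Groups pfSense would actually show, given local groups "vpn-users" and "admins".
demo_mapped_groups() {
    printf '%s\n' "$SAMPLE_LDIF" | member_groups | matching_groups vpn-users admins
}

echo "AD groups for the sample user:"
demo_all_groups
echo "Groups pfSense would map (local groups: vpn-users admins):"
demo_mapped_groups
```

Two practical notes. First, `ldaps_check` is the test to run when the Authentication Servers test fails over 636: if the DC presents a certificate whose name does not match the FQDN entered in pfSense, or whose chain does not lead to the imported CA, the handshake fails exactly as described above. Second, `ldap server require strong auth = no` is what allows the simple bind over plain LDAP on 389 to succeed; with that setting the bind user's password and every VPN user's password cross the network unencrypted on each login, so it is useful to bisect the problem but should be reverted once the LDAPS path works.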