samba - Sep 2020 - PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

> This is just another user like anyone else in the office.
No, its offcourse not .. Why do you think you binding user is failing ;-) 

So, on the bind fail. 
Did you set on the "binding" user, : account is trusted and cant not
be delegated?
Password can be changed and never expire need to be ticked also.

Whats set on the Pfsence server in ldap.conf ? 
Is BASE and URI defined? 


As far i can tell, you certificate setup of fine. 
If your not sure, goto :  testssl.sh  (yes that is a website ) 


Greetz, 

Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marco Shmerykowsky via samba
> Verzonden: dinsdag 15 september 2020 22:57
> Aan: Rowland penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] PFsense via Samba Authentication 
> Server -> ERROR! ldap_get_groups() could not bind
> 
> On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
> > On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
> >> On 2020-09-15 1:13 pm, miguel medalha wrote:
> >>>> I've tried restarting PHP-FPM and webconfigurator,
> >>>> but that doesn't seem to solve the problem.
> >>> 
> >>> This must be done each time after you edit the 
> configuration using 
> >>> the LDAP
> >>> authentication setup page. Otherwise the changes won't 
> stick. Before 
> >>> I knew
> >>> this, I did suffer a lot trying to make it work and not 
> understanding 
> >>> why it
> >>> didn't.
> >> 
> >> Yea - I'm lost.? I keep trying the same thing hoping for
different
> >> results.? I think that is the definition of insanity.
> >> 
> >> I've tried:
> >> 
> >> create new OU called VPNusers and a user within that call 
> bind-user-1
> >> Also created a user under Users called bind-user-2
> >> 
> >> then I set the following:
> >> 
> >> extended query => 
> memberof=OU=vpnusers,DC=internal,DC=external,DC=com
> >> authentication container => 
> OU=vpnusers,DC=internal,DC=external,DC=com
> >> bind user => 
> >> CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
> >> 
> >> no go.? Also tried:
> >> 
> >> extended query =>
memberof=CN=users,DC=internal,DC=external,DC=com
> >> authentication container =>
CN=users,DC=internal,DC=external,DC=com
> >> bind user => 
> >> CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
> >> 
> >> After each change I run options 16 (restart php-fpm) and 
> 11 (restart 
> >> webconfigurator)
> >> 
> >> Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, &
636/SSL-Encrypted
> >> 
> >> Tried using "Global Root CA List & No Client Cert"
and "Samba CA &
> >> cert/key"
> >> 
> >> Keeps failing to bind.
> >> 
> >> 
> > OK, AD uses what is known as back-links, that is you create 
> something
> > and two attributes are created and they sort of point at each other,
> > for instance when you add a user to a group, the user gets a
> > 'memberOf' attribute that contains the groups DN and the 
> group gets a
> > 'member' attribute that contains the users DN.
> > 
> > I think you need to use an existing group (which isn't Domain
Users)
> > or create a new one and use that groups DN in the 'extended
query'
> > 
> > Rowland
> 
> Perhaps I'm mixing terminology in my understanding of how I'm
> setting things up.  Does the user being used to create the
> bind need to be part of a "security group" or just part
> of a different organizational unit?
> 
> When I use the windows admin tool for "Active Directory Users and 
> Computers"
> I have a user located in
"internal.external.com->users->bind-user-1".
> This is just another user like anyone else in the office.
> 
> Under "internal.external.com->users" I also have a number of 
> "Security 
> *Groups*"
> defined to which I assigned my users to establish access privileges.
> so the distinguished name for a groups is something like:
> CN=Group,CN=Users,DC=internal,DC=external,DC=com
> 
> I also tried creating a new organizational unit and then creating
> a user within that OU (ie 
> internal.external.com->VPNUsers->bind-user-2)
> This user, however, was not assigned to a security group.
> 
> Do either of the scenarios described make sense or does the user
> need to be part of a Windows "Security Group"?
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

I followed the instructions on the OpenVPN site for creating
the bind user:

https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user

Following this procedure creates a user, but does not
assign it to any security group other than "Domain Users"
as described on the site.

The bind works sometimes.  I can not track down what
the difference between what causes apparent
success vs failure for the bind.

On 9/16/2020 3:14 AM, L.P.H. van Belle via samba wrote:
>> This is just another user like anyone else in the office.
> No, its offcourse not .. Why do you think you binding user is failing ;-)
> 
> So, on the bind fail.
> Did you set on the "binding" user, : account is trusted and cant
not be delegated?
> Password can be changed and never expire need to be ticked also.
> 
> Whats set on the Pfsence server in ldap.conf ?
> Is BASE and URI defined?
> 
> 
> As far i can tell, you certificate setup of fine.
> If your not sure, goto :  testssl.sh  (yes that is a website )
> 
> 
> Greetz,
> 
> Louis
> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Marco Shmerykowsky via samba
>> Verzonden: dinsdag 15 september 2020 22:57
>> Aan: Rowland penny
>> CC: samba at lists.samba.org
>> Onderwerp: Re: [Samba] PFsense via Samba Authentication
>> Server -> ERROR! ldap_get_groups() could not bind
>>
>> On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
>>> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
>>>> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>>>>> I've tried restarting PHP-FPM and webconfigurator,
>>>>>> but that doesn't seem to solve the problem.
>>>>>
>>>>> This must be done each time after you edit the
>> configuration using
>>>>> the LDAP
>>>>> authentication setup page. Otherwise the changes won't
>> stick. Before
>>>>> I knew
>>>>> this, I did suffer a lot trying to make it work and not
>> understanding
>>>>> why it
>>>>> didn't.
>>>>
>>>> Yea - I'm lost.? I keep trying the same thing hoping for
different
>>>> results.? I think that is the definition of insanity.
>>>>
>>>> I've tried:
>>>>
>>>> create new OU called VPNusers and a user within that call
>> bind-user-1
>>>> Also created a user under Users called bind-user-2
>>>>
>>>> then I set the following:
>>>>
>>>> extended query =>
>> memberof=OU=vpnusers,DC=internal,DC=external,DC=com
>>>> authentication container =>
>> OU=vpnusers,DC=internal,DC=external,DC=com
>>>> bind user =>
>>>> CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>>>>
>>>> no go.? Also tried:
>>>>
>>>> extended query =>
memberof=CN=users,DC=internal,DC=external,DC=com
>>>> authentication container =>
CN=users,DC=internal,DC=external,DC=com
>>>> bind user =>
>>>> CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>>>>
>>>> After each change I run options 16 (restart php-fpm) and
>> 11 (restart
>>>> webconfigurator)
>>>>
>>>> Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, &
636/SSL-Encrypted
>>>>
>>>> Tried using "Global Root CA List & No Client
Cert" and "Samba CA &
>>>> cert/key"
>>>>
>>>> Keeps failing to bind.
>>>>
>>>>
>>> OK, AD uses what is known as back-links, that is you create
>> something
>>> and two attributes are created and they sort of point at each
other,
>>> for instance when you add a user to a group, the user gets a
>>> 'memberOf' attribute that contains the groups DN and the
>> group gets a
>>> 'member' attribute that contains the users DN.
>>>
>>> I think you need to use an existing group (which isn't Domain
Users)
>>> or create a new one and use that groups DN in the 'extended
query'
>>>
>>> Rowland
>>
>> Perhaps I'm mixing terminology in my understanding of how I'm
>> setting things up.  Does the user being used to create the
>> bind need to be part of a "security group" or just part
>> of a different organizational unit?
>>
>> When I use the windows admin tool for "Active Directory Users and
>> Computers"
>> I have a user located in
"internal.external.com->users->bind-user-1".
>> This is just another user like anyone else in the office.
>>
>> Under "internal.external.com->users" I also have a number
of
>> "Security
>> *Groups*"
>> defined to which I assigned my users to establish access privileges.
>> so the distinguished name for a groups is something like:
>> CN=Group,CN=Users,DC=internal,DC=external,DC=com
>>
>> I also tried creating a new organizational unit and then creating
>> a user within that OU (ie
>> internal.external.com->VPNUsers->bind-user-2)
>> This user, however, was not assigned to a security group.
>>
>> Do either of the scenarios described make sense or does the user
>> need to be part of a Windows "Security Group"?
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
> 
>

On 16/09/2020 17:34, Marco Shmerykowsky via samba wrote:
> I followed the instructions on the OpenVPN site for creating
> the bind user:
>
>
https://openvpn.net/vpn-server-resources/openvpn-access-server-on-active-directory-via-ldap/#Create_and_configure_a_bind_user
>
OK after reading the supplied link, I think I see where the 
miss-understanding is coming from. Under the heading 'Only allow users 
from one specific group to log on'

Which is pretty clear, there is this:

In fact the whole idea is that you are restricting your query to only a 
portion of the LDAP directory that meets your requirements, and any user 
that doesn?t meet that requirement, simply cannot be found in the LDAP 
directory.

Here you could think that 'portion'? was an OU, I think it should be:

In fact the whole idea is that you are restricting your query to only 
members of a particular AD group, and any user that isn?t in that group, 
simply will not be found in the LDAP directory.

For example if the user 'rowland' was searched for using this LDAP 
filter 
"(&(objectCategory=person)(objectClass=user)(sAMAccountName=rowland)(memberOf='GROUPS_DN'))"
The user would only be found if it was a member of the required group

Rowland