[Samba] LDAP bind to AD fails

Thu Sep 26 17:02:03 UTC 2019

1) You definitely need to have the CA specified for pfSense to use the
custom certificate.
2) The hostname/IP of the specified DC also needs to match the CN on the
certificate.

If you want to auth against multiple DC's, then either pfSense needs to
have some distribution among multiple LDAP providers (I don't think this is
possible), or your LDAP provider then needs to distribute among multiple
sources.  So then, you have at least 2 issues:  figuring out how the
round-robin to sources works, and also making sure that each source can
properly authenticate (from a single LDAP provider).

Regarding the certificates, each Samba server (if you self-sign) has its
own cert (unique CN) and CA.  So, that means that you can't specify a
single CA for the LDAP provider to reference against all of your Samba
Servers -- unless you replace the self-signed certs within Samba with
something else like a wildcard or multi-domain certificate.

I cheat and use a third-party multi-domain cert on all of my DCs, so the CA
is on the Global Root CA List.  But the trade-offs are that I have to worry
about certificate renewals and the like.

Lastly, pfSense mostly uses DNS to determine which server to use for
lookups, but there's a slight difference between "domain override"
forwarding (where it looks up *.ads.samdom.com and forwards these queries
somewhere) and looking up the domain itself (looking up ads.samdom.com).
In my case, I don't want queries to be forwarded to a remote DC across a
VPN, so I use Host Overrides to specify my DC's and queries are
round-robined between them.  I don't think that Sites will work with pure
DNS lookups.  This is also with DNSMasq, and not Unbound.

Kris Lou
klou at themusiclink.net

On Wed, Sep 25, 2019 at 9:09 AM Stefan G. Weichinger via samba <
samba at lists.samba.org> wrote:

> Am 18.09.19 um 21:41 schrieb Stefan G. Weichinger via samba:
> > Am 18.09.19 um 19:43 schrieb Stefan G. Weichinger via samba:
> >
> >> I assume I have to somehow import the Samba-ADS-CA into pfsense?
> >>
> >> I took /var/lib/samba/private/tls/ca.pem and imported that as an
> >> additional CA ...
> >>
> >> ... and now it works ... I wonder how long ...
> >
> > and then it failed
> > and now it works
> >
> > hmm ... will check back tmrw
>
> Do I have to add ca.pem or cert.pem??
>
> reference:
>
> https://forum.netgate.com/topic/146634/openvpn-auth-via-samba4-ads-ldap
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>