[Samba] LDAP bind to AD fails

Kris Lou klou at themusiclink.net
Mon Sep 30 17:13:58 UTC 2019


An easier way to test is to authenticate pfSense users itself against your
AD -- which can also be done separately from your OpenVPN so you
potentially don't have to worry about your other admin.

In either case, the "Diagnostics: Authentication" test will do the trick
(spam it), or with User Authentication enabled, simply browsing the GUI
will do it as well as almost every page is checked against an ACL (this
assumes you use Security Groups).  If you suddenly get booted or the page
slows down considerably, then there's something odd with the
communication/authentication with the LDAP source.



Kris Lou
klou at themusiclink.net


On Mon, Sep 30, 2019 at 12:26 AM Stefan G. Weichinger via samba <
samba at lists.samba.org> wrote:

> Am 26.09.19 um 19:02 schrieb Kris Lou via samba:
> > 1) You definitely need to have the CA specified for pfSense to use the
> > custom certificate.
> > 2) The hostname/IP of the specified DC also needs to match the CN on the
> > certificate.
> >
> > If you want to auth against multiple DC's, then either pfSense needs to
> > have some distribution among multiple LDAP providers (I don't think this
> > is possible), or your LDAP provider then needs to distribute among
> > multiple sources.  So then, you have at least 2 issues:  figuring out how
> > the round-robin to sources works, and also making sure that each source
> > can properly authenticate (from a single LDAP provider).
> >
> > Regarding the certificates, each Samba server (if you self-sign) has its
> > own cert (unique CN) and CA.  So, that means that you can't specify a
> > single CA for the LDAP provider to reference against all of your Samba
> > Servers -- unless you replace the self-signed certs within Samba with
> > something else like a wildcard or multi-domain certificate.
> >
> > I cheat and use a third-party multi-domain cert on all of my DCs, so the
> > CA is on the Global Root CA List.  But the trade-offs are that I have to
> > worry about certificate renewals and the like.
> >
> > Lastly, pfSense mostly uses DNS to determine which server to use for
> > lookups, but there's a slight difference between "domain override"
> > forwarding (where it looks up *.ads.samdom.com and forwards these
> > queries somewhere) and looking up the domain itself (looking up
> > ads.samdom.com).  In my case, I don't want queries to be forwarded to a
> > remote DC across a VPN, so I use Host Overrides to specify my DC's and
> > queries are round-robined between them.  I don't think that Sites will
> > work with pure DNS lookups.  This is also with DNSMasq, and not Unbound.
>
> Thanks! I will check back with the admin there if the connections have
> been stable since then ... and also make sure to not accidentally ask
> the 2nd DC while there is the CA.pem of the 1st in place.
>
>
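The two certificate requirements this thread keeps coming back to (the CA must be specified, and the DC name pfSense dials must match the CN/SAN on that DC's cert, which a per-DC self-signed cert only satisfies for one DC) can be checked from the command line before touching the OpenVPN setup. The following is an added example, not code from the original mail or from pfSense/Samba; the DC names `dc1.ads.samdom.com`/`dc2.ads.samdom.com`, the file `ca.pem` and the sample certificate dicts are hypothetical/constructed.

```python
import ipaddress
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns (not real DC certs).
SELF_SIGNED_DC1 = {"subject": ((("commonName", "dc1.ads.samdom.com"),),), "subjectAltName": ()}
MULTI_DOMAIN = {"subject": ((("commonName", "dc1.ads.samdom.com"),),),
                "subjectAltName": (("DNS", "dc1.ads.samdom.com"), ("DNS", "dc2.ads.samdom.com"),
                                   ("IP Address", "192.0.2.10"))}

def _label_match(pattern, host):
    """RFC 6125-style name match: '*' only as the entire leftmost label, never across dots."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]

def hostname_matches(cert, host):
    """Would the DC name/IP configured in pfSense pass hostname verification for this cert?"""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address matches only an IP SAN, never the CN or a DNS SAN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        # Once a DNS SAN is present, verifiers ignore the CN entirely.
        return any(_label_match(n, host) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_match(n, host) for n in cns)

def probe_dc(host, cafile, port=636, timeout=5.0):
    """LDAPS handshake with the checks pfSense applies: chain against `cafile`, name against cert."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ())]
                return {"host": host, "ok": True, "names": names}
    except ssl.SSLCertVerificationError as e:
        # The wrong CA (DC1's CA.pem while asking DC2) or a CN/SAN mismatch lands here.
        return {"host": host, "ok": False, "error": e.verify_message}
    except OSError as e:
        # Unreadable CA file, refused port, timeout.
        return {"host": host, "ok": False, "error": str(e)}
```

Run `probe_dc` once per DC with the CA.pem you configured in pfSense; a DC that answers with `ok: False` and a verify error is the one pfSense will intermittently fail against when DNS round-robin hands it out.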

