[Samba] OpenVPN authentication via Samba AD

Stefan G. Weichinger lists at xunil.at
Tue Sep 1 17:36:30 UTC 2020


Am 01.09.20 um 19:07 schrieb Marco Shmerykowsky via samba:
> A little off topic, but this does revolve around
> Samba.
> 
> I'm hoping someone can help me get to a working solution.
> I haven't been able to find a clear guide, but it must
> have been done by others.
> 
> I'm trying to set up a VPN using OpenVPN on pfSense
> with authentication via my Samba AD (Version 4.9.4-Debian)
> 
> I keep getting a "Could not connect to LDAP server" error
> when trying to configure the authentication server. When
> I try to test the server I get an "Attempting to fetch Organizational
> Units from XXXX failed" error.
> 
> The "button" in the gui that allows for "selecting a container"
> for setting the authentication container doesn't work so
> I set it manually (CN=users;DC=internal,DC=company,DC=com)
> 
> I've copied the ca.pem, cert.pem and key.pem files over to
> pfsense to create the certificates.
> 
> The authentication server is set to type "LDAP" using a
> transport of "TCP - standard" and a port of 389.  The
> Peer Certificate Authority uses the cert created from
> importing ca.pem.  The client certificate uses the cert
> created from importing cert.pem and key.pem.
> 
> The base DN is correct (DN=internal,DN=company,DN=com).
> 
> The pfSense box can resolve the host name of the Samba
> machine (machine.internal.company.com).
> 
> I have it set to use anonymous binds.
> 
> Some kind of connection issue I gather with connecting
> to the Samba internal LDAP server.
> 
> Can anyone please point me in the correct direction? Thanks.

I hit that as well, you might be able to find it in the ML archive.

For me it was crucial to import the CA certs of the Samba AD DCs into
pfsense.

Additionally it was super important to use the correct and matching FQDN
of one AD DC (I haven't yet managed to set up a redundant alias) in
the "Authentication Server" setup on pfsense.

I created a separate bind-user for pfsense, not anonymous.

And SSL-encrypted via Port 636 ... while using the imported CA there.

This as a start, feel free to ask more, I have at least 3 such
installations working.
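As an added example (not code from either poster, Samba or pfSense), here is a stand-alone check that walks through the four points above in the order a connection attempt hits them: does the DC's FQDN resolve, is TCP port 636 reachable, does the TLS handshake verify against the imported DC CA with the FQDN matching the certificate, and does a simple bind as a dedicated bind user followed by a base-scope search of the base DN succeed. It uses only the Python standard library and encodes the LDAP messages by hand, so it runs on a pfSense shell or any other box without python-ldap. The DC name dc1.internal.company.com, the bind user DN, the password, the base DN and the ca.pem path are assumptions; pass your own as arguments.

```python
#!/usr/bin/env python3
"""LDAPS reachability check for a Samba AD DC: DNS, TCP, TLS (CA + FQDN), bind, search.
Standard library only; LDAP messages are BER-encoded by hand (no python-ldap needed).
All host names, DNs and file paths below are assumed example values."""
import socket
import ssl
import sys


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """One TLV: tag byte, BER length, payload."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """INTEGER (tag 0x02) in minimal two's-complement form; only v >= 0 is used here."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True) if v else b"\x00"
    return ber(0x02, body)


def bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }."""
    op = ber(0x60, ber_int(3) + ber(0x04, bind_dn.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(msg_id) + op)


def search_request(msg_id, base_dn):
    """SearchRequest [APPLICATION 3]: base-scope search of base_dn, filter (objectClass=*), no attrs."""
    op = ber(0x63, ber(0x04, base_dn.encode())
             + ber(0x0A, b"\x00") + ber(0x0A, b"\x00")   # scope=baseObject, derefAliases=never
             + ber_int(1) + ber_int(10)                   # sizeLimit, timeLimit (seconds)
             + ber(0x01, b"\x00")                         # typesOnly=FALSE
             + ber(0x87, b"objectClass")                  # present filter [7]
             + ber(0x30, ber(0x04, b"1.1")))              # "1.1" = return no attributes
    return ber(0x30, ber_int(msg_id) + op)


def ber_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, payload, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_result(msg):
    """Parse an LDAPResult-carrying message: (messageID, op tag, resultCode, diagnosticMessage)."""
    _, body, _ = ber_read(msg)
    _, mid, pos = ber_read(body)
    op_tag, op, _ = ber_read(body, pos)
    _, code, pos = ber_read(op)             # resultCode ENUMERATED
    _, _matched_dn, pos = ber_read(op, pos)  # matchedDN
    _, diag, _ = ber_read(op, pos)           # diagnosticMessage
    return int.from_bytes(mid, "big"), op_tag, int.from_bytes(code, "big"), diag.decode(errors="replace")


def recv_message(sock):
    """Read exactly one LDAPMessage (one outer SEQUENCE TLV) from a socket."""
    def exact(n):
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection")
            data += chunk
        return data
    head = exact(2)
    n = head[1]
    if n & 0x80:
        head += exact(n & 0x7F)
        n = int.from_bytes(head[2:], "big")
    return head + exact(n)


def check_dc(fqdn, ca_file, bind_dn, password, base_dn, port=636):
    """Return 'OK', or a message naming the first stage that fails."""
    try:
        ip = socket.gethostbyname(fqdn)
    except socket.gaierror as e:
        return f"DNS: cannot resolve {fqdn}: {e}"
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the imported DC CA
    ctx.check_hostname = True                         # the cert must name the FQDN we dialed
    try:
        raw = socket.create_connection((ip, port), timeout=5)
    except OSError as e:
        return f"TCP: cannot reach {ip}:{port}: {e}"
    try:
        tls = ctx.wrap_socket(raw, server_hostname=fqdn)
    except ssl.SSLCertVerificationError as e:
        raw.close()
        return f"TLS: DC certificate rejected (CA not imported, or FQDN mismatch): {e.verify_message}"
    except ssl.SSLError as e:
        raw.close()
        return f"TLS: handshake failed (is port {port} really LDAPS?): {e}"
    with tls:
        tls.sendall(bind_request(1, bind_dn, password))
        _, tag, code, diag = parse_result(recv_message(tls))
        if tag != 0x61 or code != 0:
            return f"BIND: resultCode {code} {diag!r}; check the bind user's DN and password"
        tls.sendall(search_request(2, base_dn))
        while True:
            msg = recv_message(tls)
            _, body, _ = ber_read(msg)
            _, _, pos = ber_read(body)
            if ber_read(body, pos)[0] == 0x64:        # SearchResultEntry: the base DN exists
                continue
            _, _, code, diag = parse_result(msg)      # SearchResultDone
            return "OK" if code == 0 else f"SEARCH: resultCode {code} {diag!r}; check the base DN"


if __name__ == "__main__":
    # Assumed example values; supply your own five arguments on the command line.
    args = sys.argv[1:] or ["dc1.internal.company.com", "ca.pem",
                            "CN=pfsense,CN=Users,DC=internal,DC=company,DC=com", "secret",
                            "DC=internal,DC=company,DC=com"]
    print(check_dc(*args[:5]))
```

Run it as `python3 ldaps_check.py dc1.internal.company.com /path/to/ca.pem 'CN=pfsense,CN=Users,DC=internal,DC=company,DC=com' 'password' 'DC=internal,DC=company,DC=com'`. A "TLS:" line with a hostname-mismatch message means the name you typed is not the one in the DC's certificate (Stefan's FQDN point); a CA-related verify message means the wrong CA file was imported; a "BIND:" line with resultCode 49 means the bind user or password is wrong, which an anonymous-bind configuration would never show you. Only once this prints OK is it worth going back to the pfSense authentication-server form with the same values.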


