[Samba] OpenVPN authentication via Samba AD

Marco Shmerykowsky marco at sce-engineers.com
Tue Sep 1 17:57:46 UTC 2020

On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
> Am 01.09.20 um 19:07 schrieb Marco Shmerykowsky via samba:
>> A little off topic, but this does revolve around
>> Samba.
>> I'm hoping someone can help me get to a working solution.
>> I haven't been able to find a clear guide, but it must
>> have been done by others.
>> I'm trying to set up a VPN using OpenVPN on Pfsense
>> with authentication via my Samba AD (Version 4.9.4-Debian)
>> I keep getting a "Could not connect to LDAP server" error
>> when trying to configure the authentication server. When
>> I try to test the server I get an "Attempting to fetch Organizational
>> Units from XXXX failed" error.
>> The "button" in the gui that allows for "selecting a container"
>> for setting the authentication container doesn't work so
>> I set it manually (CN=users;DC=internal,DC=company,DC=com)
>> I've copied the ca.pem, cert.pem and key.pem files over to
>> pfsense to create the certificates.
>> The authentication server is set to type "LDAP" using a
>> transport of "TCP - standard" and a port of 389.  The
>> Peer Certificate Authority uses the cert created from
>> importing ca.pem.  The client certificate uses the cert
>> created from importing cert.pem and key.pem.
>> The base DN is correct (DN=internal,DN=company,DN=com).
>> The pfsense box can resolve the host name of the Samba
>> machine (machine.internal.company.com).
>> I have it set to use anonymous binds.
>> Some kind of connection issue, I gather, with connecting
>> to the Samba internal LDAP server.
>> Can anyone please point me in the correct direction? Thanks.
> I hit that as well, you might be able to find it in the ML archive.
> For me it was crucial to import the CA certs of the Samba AD DCs into
> pfsense.
> Additionally it was super important to use the correct and matching
> of one (I didn't yet manage to set up some redundant alias) AD DC in
> the "Authentication Server" setup on pfsense.
> I created a separate bind-user for pfsense, not anonymous.
> And SSL-encrypted via Port 636 ... while using the imported CA there.
> This as a start, feel free to ask more, I have at least 3 such
> installations working.

Thanks.  Some progress.  I changed the Transport to SSL-encrypted
via 636 and created a separate bind user.  The bind user is
entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com".

The server checks out.  However, when I run Diagnostics->Authentication,
although the user checks out as authenticated, the groups the
user belongs to are not listed.

Must be still missing something.
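As an added check, not part of this thread: the Python below parses what ldapsearch prints for a user entry (queried over ldaps on 636 with the bind user, as in the setup above) and lists the groups in its memberOf attribute, which is the membership pfSense has to read before it can show a user's groups. If the query already returns no memberOf values for the bind account, the gap is on the AD or bind-rights side rather than in pfSense's group settings. The ldapsearch command, the user "alice" and the sample LDIF are assumptions constructed for the example.

```python
import base64
import re
# Assumed ldapsearch call (host and DNs follow the thread's placeholders); run
# it from pfSense to see exactly what its LDAP auth server receives:
#   ldapsearch -H ldaps://machine.internal.company.com:636 -W \
#     -D 'CN=binduser,CN=users,DC=internal,DC=company,DC=com' \
#     -b 'DC=internal,DC=company,DC=com' '(sAMAccountName=alice)' memberOf
# Constructed sample of that output, with one folded value (continuation line
# starts with a space) and one base64 value ('::'), both valid LDIF.
_B64 = base64.b64encode(b"CN=Engineers,CN=Users,DC=internal,DC=company,DC=com")
SAMPLE_LDIF = f"""\
# extended LDIF
dn: CN=alice,CN=Users,DC=internal,DC=company,DC=com
memberOf: CN=VPN Users,CN=Users,DC=internal,DC=company,DC=com
memberOf: CN=Domain Users,CN=Users,DC=inter
 nal,DC=company,DC=com
memberOf:: {_B64.decode()}
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds, decodes '::' base64, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if line.startswith("#"):
            continue
        if not line:                           # blank line separates entries
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name, []).append(value.strip())
    return entries


def user_groups(ldif):
    """CN of each group in the first entry's memberOf (what pfSense lists)."""
    users = [e for e in parse_ldif(ldif) if "dn" in e]
    dns = users[0].get("memberOf", []) if users else []
    rdns = [re.split(r"(?<!\\),", dn, maxsplit=1)[0] for dn in dns]  # first RDN
    return [r[3:] for r in rdns if r.upper().startswith("CN=")]
```

`user_groups(SAMPLE_LDIF)` returns `['VPN Users', 'Domain Users', 'Engineers']`; an empty list on real output means the bind user's search is not getting group membership back at all.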

