[Samba] OpenVPN authentication via Samba AD
Marco Shmerykowsky
marco at sce-engineers.com
Tue Sep 1 20:04:07 UTC 2020
On 2020-09-01 1:57 pm, Marco Shmerykowsky via samba wrote:
> On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
>> Am 01.09.20 um 19:07 schrieb Marco Shmerykowsky via samba:
>>> A little off topic, but this does revolve around
>>> Samba.
>>>
>>> I'm hoping someone can help me get to a working solution.
>>> I haven't been able to find a clear guide, but it must
>>> have been done by others.
>>>
>>> I'm trying to set up a VPN using OpenVPN on Pfsense
>>> with authentication via my Samba AD (Version 4.9.4-Debian)
>>>
>>> I keep getting a "Could not connect to LDAP server" error
>>> when trying to configure the authentication server. When
>>> I try to test the server I get an "Attempting to fetch Organizational
>>> Units from XXXX failed" error.
>>>
>>> The "button" in the gui that allows for "selecting a container"
>>> for setting the authentication container doesn't work so
>>> I set it manually (CN=users;DC=internal,DC=company,DC=com)
>>>
>>> I've copied the ca.pem, cert.pem and key.pem files over to
>>> pfsense to create the certificates.
>>>
>>> The authentication server is set to type "LDAP" using a
>>> transport of "TCP - standard" and a port of 389. The
>>> Peer Certificate Authority uses the cert created from
>>> importing ca.pem. The client certificate uses the cert
>>> created from importing cert.pem and key.pem.
>>>
>>> The base DN is correct (DN=internal,DN=company,DN=com).
>>>
>>> The pfsense box can resolve the host name of the Samba
>>> machine (machine.internal.company.com).
>>>
>>> I have it set to use anonymous binds.
>>>
>>> Some kind of connection issue I gather with connecting
>>> to the Samba internal LDAP server.
>>>
>>> Can anyone please point me in the correct direction? Thanks.
>>
>> I hit that as well, you might be able to find it in the ML archive.
>>
>> For me it was crucial to import the CA certs of the Samba AD DCs into
>> pfsense.
>>
>> Additionally it was super important to use the correct and matching FQDN
>> of one AD DC (I haven't yet managed to set up a redundant alias) in
>> the "Authentication Server" setup on pfsense.
>>
>> I created a separate bind-user for pfsense, not anonymous.
>>
>> And SSL-encrypted via Port 636 ... while using the imported CA there.
>>
>> This as a start, feel free to ask more, I have at least 3 such
>> installations working.
>
> Thanks. Some progress. I changed the Transport to SSL-encrypted
> via 636 and created a separate bind user. The bind user is
> entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com".
>
> The server checks out. However, when I run Diagnostics->Authentication
> although the user checks out as authenticated, the groups the
> user belongs to are not listed.
>
> Must be still missing something.
UGH. It was working & then it stopped working.
No clue what I could have changed.
Does "ldap server require strong auth" need to be set to 'no'
or is that currently required?
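A pre-flight check script, added here as an illustration and not part of the thread or of pfSense/Samba, for the setup described above (LDAPS on 636 with the AD CA imported, a dedicated bind user, and a group lookup by sAMAccountName). The host name, bind DN, base DN and CA file path are placeholders taken from the thread and are assumptions. `check_dn` only validates DN syntax (comma-separated RDNs with CN, OU or DC attribute types); the container string `CN=users;DC=internal,DC=company,DC=com` and the base DN `DN=internal,DN=company,DN=com` quoted earlier in the thread fail that check, which is why it is worth running before touching the pfSense GUI.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a pfSense
# "Authentication Server" that points at a Samba AD DC over LDAPS.
# All names below are assumed placeholders; override them via the environment.
DC_FQDN="${DC_FQDN:-machine.internal.company.com}"
BASE_DN="${BASE_DN:-DC=internal,DC=company,DC=com}"
BIND_DN="${BIND_DN:-CN=binduser,CN=Users,DC=internal,DC=company,DC=com}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/samba-ad-ca.pem}"   # the DC's CA, PEM format

# check_dn DN
# Returns 0 when DN is a comma-separated list of CN=/OU=/DC= RDNs.
# Rejects the two slips seen in the thread: ';' between RDNs and 'DN=' as a type.
check_dn() {
    printf '%s' "$1" | grep -Eq '^(CN|OU|DC)=[^,;=]+(,(CN|OU|DC)=[^,;=]+)*$'
}

# ldaps_uri HOST
# Builds the LDAPS URI. HOST must be the DC's FQDN exactly as it appears in
# the DC certificate, otherwise TLS hostname verification fails.
ldaps_uri() {
    printf 'ldaps://%s:636' "$1"
}

# verify_cert HOST CAFILE
# Performs only the TLS handshake, verifying the DC certificate against the
# AD CA. A non-zero return here means pfSense's "Peer Certificate Authority"
# import cannot work either.
verify_cert() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0'
}

# lookup_groups USERNAME
# Simple bind as BIND_DN over LDAPS, then fetch memberOf for one user by
# sAMAccountName. With Samba's default "ldap server require strong auth = yes"
# a simple bind is only accepted on a TLS-protected connection, so this same
# bind over plain 389 would be refused.
lookup_groups() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL -o ldif-wrap=no \
        -H "$(ldaps_uri "$DC_FQDN")" -x -D "$BIND_DN" -W \
        -b "$BASE_DN" "(&(objectClass=user)(sAMAccountName=$1))" memberOf
}

# Live run (needs network access to the DC): RUN_LIVE=1 sh ldapcheck.sh alice
if [ -n "${RUN_LIVE:-}" ]; then
    check_dn "$BASE_DN" || { echo "malformed base DN: $BASE_DN" >&2; exit 1; }
    check_dn "$BIND_DN" || { echo "malformed bind DN: $BIND_DN" >&2; exit 1; }
    verify_cert "$DC_FQDN" "$CA_FILE" || { echo "TLS verification failed for $DC_FQDN" >&2; exit 1; }
    lookup_groups "${1:?username required}"
fi
```

If `lookup_groups` returns the user entry with its `memberOf` values, pfSense has everything it needs to list the groups; if it returns the entry with no `memberOf`, the bind user can read the user object but not its membership attribute. On the DC itself, `samba-tool testparm --parameter-name='ldap server require strong auth'` prints the effective value of that option.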