[Samba] OpenPVN authentication via Samba AD

Marco Shmerykowsky marco at sce-engineers.com
Tue Sep 1 21:03:08 UTC 2020

On 2020-09-01 4:04 pm, Marco Shmerykowsky via samba wrote:
> On 2020-09-01 1:57 pm, Marco Shmerykowsky via samba wrote:
>> On 2020-09-01 1:36 pm, Stefan G. Weichinger via samba wrote:
>>> On 01.09.20 at 19:07, Marco Shmerykowsky via samba wrote:
>>>> A little off topic, but this does revolve around
>>>> Samba.
>>>> I'm hoping someone can help me get to a working solution.
>>>> I haven't been able to find a clear guide, but it must
>>>> have been done by others.
>>>> I'm trying to set up a VPN using OpenVPN on Pfsense
>>>> with authentication via my Samba AD (Version 4.9.4-Debian)
>>>> I keep getting a "Could not connect to LDAP server" error
>>>> when trying to configure the authentication server. When
>>>> I try to test the server I get an "Attempting to fetch Organizational
>>>> Units from XXXX failed" error.
>>>> The "button" in the gui that allows for "selecting a container"
>>>> for setting the authentication container doesn't work so
>>>> I set it manually (CN=users;DC=internal,DC=company,DC=com)
>>>> I've copied the ca.pem, cert.pem and key.pem files over to
>>>> pfsense to create the certificates.
>>>> The authentication server is set to type "LDAP" using a
>>>> transport of "TCP - standard" and a port of 389.  The
>>>> Peer Certificate Authority uses the cert created from
>>>> importing ca.pem.  The client certificate uses the cert
>>>> created from importing cert.pem and key.pem.
>>>> The base DN is correct (DN=internal,DN=company,DN=com).
>>>> The pfsense box can resolve the host name of the Samba
>>>> machine (machine.internal.company.com).
>>>> I have it set to use anonymous binds.
>>>> Some kind of connection issue I gather with connecting
>>>> to the Samba internal LDAP server.
>>>> Can anyone please point me in the correct direction? Thanks.
>>> I hit that as well, you might be able to find it in the ML archive.
>>> For me it was crucial to import the CA certs of the Samba AD DCs into
>>> pfsense.
>>> Additionally it was super important to use the correct and matching FQDN
>>> of one (I didn't yet manage to set up some redundant alias yet) AD DC in
>>> the "Authentication Server" setup on pfsense.
>>> I created a separate bind-user for pfsense, not anonymous.
>>> And SSL-encrypted via Port 636 ... while using the imported CA there.
>>> This as a start, feel free to ask more, I have at least 3 such
>>> installations working.
>> Thanks.  Some progress.  I changed the Transport to SSL-encrypted
>> via 636 and created a separate bind user.  The bind user is
>> entered as "CN=binduser,CN=users,DC=internal,DC=company,DC=com".
>> The server checks out.  However, when I run Diagnostics->Authentication
>> although the user checks out as authenticated, the groups the
>> user belongs to are not listed.
>> Must be still missing something.
> UGH. It was working & then it stopped working.
> No clue what I could have changed.
> Does "ldap server require strong auth" need to be set to 'no'
> or is that currently required?

I only get the tests in Pfsense working consistently if I
set the following:

Protocol TCP - Standard on Port 389
"ldap server require strong auth = no" in smb.conf

I'm getting TLS handshake failed on the remote client, so I'm still
doing something wrong.....
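Two offline sanity checks, added here as an example and not part of the list post, pfSense or Samba: the first validates the DN strings typed into pfSense's Authentication Server form (the thread's base DN uses DN= where AD needs DC=, and the container uses ';' where ',' is required), the second extracts group names from the memberOf attribute of an LDIF entry, which is assumed to be what the group listing in Diagnostics->Authentication depends on. The sample LDIF is constructed, not real server output.

```python
import re

COMPONENT = re.compile(r"^([A-Za-z]+)=(.+)$")

def check_dn(dn: str) -> list:
    """Return the problems found in a DN string: Samba AD expects
    'attr=value' components joined by commas, domain part as DC=..."""
    problems = []
    if ";" in dn:
        problems.append("components must be separated by ',' not ';'")
    for part in (p.strip() for p in re.split(r"[;,]", dn)):
        m = COMPONENT.match(part)
        if not m:
            problems.append(f"malformed component {part!r}")
            continue
        attr = m.group(1).upper()
        if attr == "DN":
            problems.append(f"{part!r}: domain components use DC=, not DN=")
        elif attr not in ("CN", "OU", "DC"):
            problems.append(f"{part!r}: unexpected attribute {attr}")
    return problems

def parse_member_of(ldif: str) -> list:
    """Extract group CNs from the memberOf lines of one LDIF entry.
    LDIF folds long lines (continuation starts with a space): unfold first."""
    unfolded = re.sub(r"\n ", "", ldif)
    groups = []
    for line in unfolded.splitlines():
        if line.lower().startswith("memberof:"):
            value = line.split(":", 1)[1].strip()
            m = re.match(r"CN=([^,]+)", value, re.IGNORECASE)
            if m:
                groups.append(m.group(1))
    return groups

# Constructed sample (not real output): an ldapsearch result for a user
# in two groups, with the second memberOf value folded as LDIF does.
SAMPLE_LDIF = """dn: CN=jdoe,CN=Users,DC=internal,DC=company,DC=com
sAMAccountName: jdoe
memberOf: CN=VPN Users,CN=Users,DC=internal,DC=company,DC=com
memberOf: CN=Engineering,OU=Groups,DC=internal,DC=company,DC=c
 om
"""

if __name__ == "__main__":
    print(check_dn("DN=internal,DN=company,DN=com"))            # base DN from the thread
    print(check_dn("CN=users;DC=internal,DC=company,DC=com"))  # container from the thread
    print(parse_member_of(SAMPLE_LDIF))                        # ['VPN Users', 'Engineering']
```

The DN splitter does not handle escaped commas inside values, which is fine for the plain CN=/DC= strings used in this thread.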
