[Samba] OpenVPN authentication via Samba AD

Stefan G. Weichinger lists at xunil.at
Wed Sep 2 12:12:42 UTC 2020


On 01.09.20 at 23:45, Marco J Shmerykowsky PE via samba wrote:
> Yes, went thru that page a few times and don't see an obvious error.
> 
> If I leave require strong auth as the default, then nothing works. Setting it to no allows diagnostics->authentication to return a positive result.
> 
> That is also the configuration that would succeed in querying the containers.
> 
> Without the 'no' setting it fails to bind.
> 
> What am I missing?

Here is a working snippet from a pfSense 2.4.5p1, anonymized.

This is the authserver block out of the backup XML; of course you have to
adapt it to your domain's DNs etc.:


<authserver>
  <refid>5d80cebadc599</refid>
  <type>ldap</type>
  <name>ADS-domain</name>
  <ldap_caref>5dde28401f332</ldap_caref>
  <host>adc2.arbeitsgruppe.my.domain.tld</host>
  <ldap_port>636</ldap_port>
  <ldap_urltype>SSL - Encrypted</ldap_urltype>
  <ldap_protver>3</ldap_protver>
  <ldap_scope>subtree</ldap_scope>
  <ldap_basedn><![CDATA[DC=arbeitsgruppe,DC=my.domain,DC=at]]></ldap_basedn>
  <ldap_authcn><![CDATA[OU=mydomain User,DC=arbeitsgruppe,DC=my.domain,DC=at;CN=Users,CN=Builtin,DC=arbeitsgruppe,DC=my.domain,DC=at]]></ldap_authcn>
  <ldap_extended_enabled>yes</ldap_extended_enabled>
  <ldap_extended_query><![CDATA[memberOf=CN=OpenVPNUsers,OU=Gruppen,OU=mydomain User,DC=arbeitsgruppe,DC=my.domain,DC=at]]></ldap_extended_query>
  <ldap_attr_user><![CDATA[samAccountName]]></ldap_attr_user>
  <ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
  <ldap_attr_member><![CDATA[memberOf]]></ldap_attr_member>
  <ldap_attr_groupobj><![CDATA[posixGroup]]></ldap_attr_groupobj>
  <ldap_binddn><![CDATA[CN=pfsense,OU=pfSense,OU=mydomain User,DC=arbeitsgruppe,DC=my.domain,DC=at]]></ldap_binddn>
  <ldap_bindpw><![CDATA[pf-I16mTxCBXXXXXXXXYYYYYYYYYYYYYSs]]></ldap_bindpw>
  <ldap_timeout>25</ldap_timeout>
  <ldap_rfc2307></ldap_rfc2307>
</authserver>

- on the queried AD DC "adc2" I have:

ldap server require strong auth = Yes

Btw, you write:

> I'm getting TLS handshake failed on the remote client, so I'm still
> doing something wrong.....

To me that sounds as if your OpenVPN client fails? That wouldn't be
Samba- or AD-related anymore, I think.
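As an added example (not part of the post above and not pfSense or Samba code), the following script parses a pfSense <authserver> block of the kind shown in the mail and reports settings that cannot work against a DC running with "ldap server require strong auth = Yes", which refuses simple binds on a connection without TLS. The sample block is a constructed, anonymized copy with a placeholder bind password; the "TCP - Standard" and "TCP - STARTTLS" transport labels are assumed pfSense values, only "SSL - Encrypted" appears in the post.

```python
# Added example: sanity-check a pfSense <authserver> block (from config.xml)
# against a Samba AD DC that enforces "ldap server require strong auth = Yes".
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample, anonymized like the block in the post; the bind
# password is a placeholder, not a real value.
WORKING_AUTHSERVER = """<authserver>
  <refid>5d80cebadc599</refid>
  <type>ldap</type>
  <name>ADS-domain</name>
  <ldap_caref>5dde28401f332</ldap_caref>
  <host>adc2.arbeitsgruppe.my.domain.tld</host>
  <ldap_port>636</ldap_port>
  <ldap_urltype>SSL - Encrypted</ldap_urltype>
  <ldap_protver>3</ldap_protver>
  <ldap_scope>subtree</ldap_scope>
  <ldap_basedn><![CDATA[DC=arbeitsgruppe,DC=my.domain,DC=at]]></ldap_basedn>
  <ldap_authcn><![CDATA[OU=mydomain User,DC=arbeitsgruppe,DC=my.domain,DC=at;CN=Users,CN=Builtin,DC=arbeitsgruppe,DC=my.domain,DC=at]]></ldap_authcn>
  <ldap_extended_enabled>yes</ldap_extended_enabled>
  <ldap_extended_query><![CDATA[memberOf=CN=OpenVPNUsers,OU=Gruppen,OU=mydomain User,DC=arbeitsgruppe,DC=my.domain,DC=at]]></ldap_extended_query>
  <ldap_attr_user><![CDATA[samAccountName]]></ldap_attr_user>
  <ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
  <ldap_attr_member><![CDATA[memberOf]]></ldap_attr_member>
  <ldap_binddn><![CDATA[CN=pfsense,OU=pfSense,OU=mydomain User,DC=arbeitsgruppe,DC=my.domain,DC=at]]></ldap_binddn>
  <ldap_bindpw><![CDATA[PLACEHOLDER-BIND-PASSWORD]]></ldap_bindpw>
  <ldap_timeout>25</ldap_timeout>
</authserver>"""

# The same block on the plain-text transport (assumed pfSense label
# "TCP - Standard") and port 389: the variant that fails with strong auth.
PLAINTEXT_AUTHSERVER = (
    WORKING_AUTHSERVER
    .replace("<ldap_port>636</ldap_port>", "<ldap_port>389</ldap_port>")
    .replace("SSL - Encrypted", "TCP - Standard")
)

# "SSL - Encrypted" is taken from the post; "TCP - STARTTLS" is assumed to be
# pfSense's label for STARTTLS on port 389.
ENCRYPTED_URLTYPES = ("SSL - Encrypted", "TCP - STARTTLS")


def check_authserver(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the block should bind
    fine against a DC that requires strong auth."""
    root = ET.fromstring(xml_text)
    if root.tag != "authserver":
        raise ValueError("expected an <authserver> element")

    def field(name: str) -> str:
        el = root.find(name)
        return (el.text or "").strip() if el is not None else ""

    findings: List[str] = []
    if field("type") != "ldap":
        return findings  # RADIUS etc. are out of scope here

    urltype = field("ldap_urltype")
    port = field("ldap_port")
    if urltype not in ENCRYPTED_URLTYPES:
        findings.append(
            f"transport '{urltype}' on port {port} is unencrypted: a DC with "
            "'ldap server require strong auth = Yes' will refuse the simple bind"
        )
    if urltype.startswith("SSL") and port != "636":
        findings.append(f"LDAPS selected but port is {port}, expected 636")
    if urltype in ENCRYPTED_URLTYPES and not field("ldap_caref"):
        findings.append("no CA reference (ldap_caref): the DC certificate is not validated")
    if not field("ldap_binddn"):
        findings.append("empty bind DN: AD normally rejects anonymous searches")
    if field("ldap_extended_enabled") == "yes" and not field("ldap_extended_query"):
        findings.append("extended query enabled but empty: group restriction has no effect")
    return findings


if __name__ == "__main__":
    for label, block in (("working", WORKING_AUTHSERVER),
                         ("plaintext", PLAINTEXT_AUTHSERVER)):
        print(label, check_authserver(block) or ["ok"])
```

Run it as-is to see the working block pass and the port-389 variant flagged; to check your own setup, paste the <authserver> element from a config backup into WORKING_AUTHSERVER. The CA reference check matters because LDAPS without certificate validation still satisfies the DC's strong-auth requirement but leaves the bind password exposed to whoever can present a certificate for the DC name.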


