[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

Rowland penny rpenny at samba.org
Tue Sep 15 15:42:13 UTC 2020


On 15/09/2020 16:33, Marco Shmerykowsky via samba wrote:
> I've been trying to setup OPENVPN on a Netgate appliance
> running pfsense.
>
> Initially, the authentication server I created appears
> to function.  A connection is made, the "bind" is completed
> and the organizational units are fetched from the server
> and returned.
>
> A few minutes later - without making any changes -
> the same test returns the following errors:
>
> php-fpm     67757     /system_usermanager_settings.php: ERROR! 
> ldap_get_groups() could not bind to server ADS-server.
> php-fpm     67757     /system_usermanager.php: ERROR! 
> ldap_get_groups() could not bind to server ADS-server.
>
> I've tried restarting PHP-FPM and webconfigurator,
> but that doesn't seem to solve the problem.
>
> I've configured an authentication server as follows:
>
> hostname: samba.internal.external.com
>           (This resolves to the IP with a hostname entry)
> port: 636
> Transport: SSL-Encrypted
> Peer Certificate Authority: Samba-CA (imported from samba's ca.pem file)
> Client Certificate: Samaba-server-cert (imported from samba's cert.pem 
> and key.pem files)
> Protocol: 3
> Server Timeout: 25
> Search Scope: Entire Subtree
> Base DN: DC=internal,DC=external,DC=com
> Auth. Container: CN=Users,DC-internal,DC=external,DC=com
> Enable Extended Query:
>   Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com
> Bind credentials:
>   user: CN=binduser,CN=Users,DC-internal,DC=external,DC=com
>   passwd: apassword
> User naming attribute: samAccountName
> Group naming attribute: cn
> Group member attribute: memberof
>
> This seems like it should be straightforward.  What am I missing?
>
> Thanks

Not entirely sure, but 'Query: memberof=CN=Domain 
Users,CN=Users,DC-internal,DC=external,DC=com' is unlikely to work. All 
AD users are members of Domain Users, but not one of them has the 
'memberof' attribute and the group object doesn't show any 'member' 
attributes.

So if the users are being searched for as members of the Domain Users 
group by the 'memberof' attribute, I do not think it will work; try 
another group.

Rowland
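As an added illustration (not part of the thread), here is a small Python model of what Rowland describes: Active Directory records a user's primary group (Domain Users, RID 513) only in the user's primaryGroupID attribute, never in member/memberOf, so an extended query on memberOf=CN=Domain Users,... matches nobody. All entries are constructed sample data, and the DNs assume DC=internal rather than the DC-internal spelling that appears in the post.

```python
# Constructed sample directory data, not from a real domain controller.
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=internal,DC=external,DC=com"
VPN_USERS = "CN=VPN Users,CN=Users,DC=internal,DC=external,DC=com"
ALICE = "CN=alice,CN=Users,DC=internal,DC=external,DC=com"
BOB = "CN=bob,CN=Users,DC=internal,DC=external,DC=com"

# Groups: Domain Users (RID 513) is every user's primary group and therefore
# carries an empty 'member' attribute; VPN Users is an ordinary group.
GROUPS = {
    DOMAIN_USERS: {"rid": 513, "member": []},
    VPN_USERS: {"rid": 1105, "member": [ALICE]},
}

# Users: the primary group appears only as primaryGroupID; memberOf lists
# just the non-primary groups.
USERS = [
    {"dn": ALICE, "sAMAccountName": "alice", "primaryGroupID": 513,
     "memberOf": [VPN_USERS]},
    {"dn": BOB, "sAMAccountName": "bob", "primaryGroupID": 513,
     "memberOf": []},
]


def ldap_search(users, query):
    """Evaluate one 'attr=value' equality filter (the pfSense extended query
    form) as an LDAP server would: attribute names are case-insensitive and a
    multi-valued attribute matches if any of its values equals the filter
    value. Returns the matching sAMAccountNames."""
    attr, _, value = query.strip("()").partition("=")
    hits = []
    for u in users:
        stored = next((v for k, v in u.items() if k.lower() == attr.lower()), None)
        values = stored if isinstance(stored, list) else [stored]
        if any(str(v).lower() == value.lower() for v in values if v is not None):
            hits.append(u["sAMAccountName"])
    return hits


def effective_members(group_dn, groups, users):
    """Real membership of a group: explicit 'member' values plus every user
    whose primaryGroupID equals the group's RID (the part memberOf omits)."""
    g = groups[group_dn]
    dns = set(g["member"]) | {u["dn"] for u in users if u["primaryGroupID"] == g["rid"]}
    return sorted(dns)


if __name__ == "__main__":
    print(ldap_search(USERS, "memberOf=" + DOMAIN_USERS))  # [] : the failing query
    print(ldap_search(USERS, "memberOf=" + VPN_USERS))     # ['alice']
    print(ldap_search(USERS, "primaryGroupID=513"))        # ['alice', 'bob']
    print(effective_members(DOMAIN_USERS, GROUPS, USERS))  # both users
```

Before relying on an extended query in pfSense, run the same filter with ldapsearch against the Samba DC and confirm it returns the accounts you expect; a group whose membership comes only from primaryGroupID will return nothing via memberOf.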
