[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

Marco Shmerykowsky marco at sce-engineers.com
Tue Sep 15 17:12:31 UTC 2020


On 2020-09-15 11:42 am, Rowland penny via samba wrote:
> On 15/09/2020 16:33, Marco Shmerykowsky via samba wrote:
>> I've been trying to set up OpenVPN on a Netgate appliance
>> running pfSense.
>> 
>> Initially, the authentication server I created appears
>> to function.  A connection is made, the "bind" is completed
>> and the organizational units are fetched from the server
>> and returned.
>> 
>> A few minutes later - without making any changes -
>> the same test returns the following errors:
>> 
>> php-fpm     67757     /system_usermanager_settings.php: ERROR! ldap_get_groups() could not bind to server ADS-server.
>> php-fpm     67757     /system_usermanager.php: ERROR! ldap_get_groups() could not bind to server ADS-server.
>> 
>> I've tried restarting PHP-FPM and webconfigurator,
>> but that doesn't seem to solve the problem.
>> 
>> I've configured an authentication server as follows:
>> 
>> hostname: samba.internal.external.com
>>           (This resolves to the IP with a hostname entry)
>> port: 636
>> Transport: SSL-Encrypted
>> Peer Certificate Authority: Samba-CA (imported from samba's ca.pem file)
>> Client Certificate: Samaba-server-cert (imported from samba's cert.pem and key.pem files)
>> Protocol: 3
>> Server Timeout: 25
>> Search Scope: Entire Subtree
>> Base DN: DC=internal,DC=external,DC=com
>> Auth. Container: CN=Users,DC-internal,DC=external,DC=com
>> Enable Extended Query:
>>   Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com
>> Bind credentials:
>>   user: CN=binduser,CN=Users,DC-internal,DC=external,DC=com
>>   passwd: apassword
>> User naming attribute: samAccountName
>> Group naming attribute: cn
>> Group member attribute: memberof
>> 
>> This seems like it should be straightforward.  What am I missing?
>> 
>> Thanks
> 
> Not entirely sure, but 'Query: memberof=CN=Domain Users,CN=Users,DC-internal,DC=external,DC=com' is unlikely to work.
> All AD users are members of Domain Users, but not one of them has the
> 'memberof' attribute and the group object doesn't show any 'member'
> attributes.
> 
> So if the users are being searched for as members of the Domain Users
> group by the 'memberof' attribute, I do not think it will work, try
> another group.
> 
> Rowland

I removed 'CN=Domain Users' from the query. I'm using the default tree
that was created when I set up the Samba AD, so I think I'm matching
everything correctly:

Active Directory Users and Computers (samba.internal.external.com)
+ Saved queries
+ internal.external.com
   + Users
     + binduser
     + john_doe
     + Jane_doe
     + Domain Users
     + Domain Guests
   + Computers
   + System
   + Builtin
   + Domain Controllers
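One check worth running on such a configuration before attempting the bind, as an added example that is not part of this thread: a small RFC 4514 DN syntax validator that splits each DN into RDNs and reports any component that is not `attribute=value`. The sample DNs are constructed from the values quoted above, and the function names are assumptions of this example.

```python
import re

# Minimal RFC 4514 DN syntax check (added example, not from the thread).
# It only verifies the shape of the string; whether the objects exist can
# only be confirmed with a real LDAP search against the DC.

# attributeType is a descriptor (letters/digits/hyphen) or a dotted OID
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$|^\d+(\.\d+)+$")


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep escape pair, e.g. '\,' in a CN
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def check_dn(dn):
    """Return a list of problems found in `dn`; an empty list means it parses."""
    problems = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            problems.append(f"RDN {rdn!r} has no '=' (attribute=value expected)")
            continue
        attr, value = rdn.split("=", 1)
        if not ATTR_RE.match(attr.strip()):
            problems.append(f"RDN {rdn!r}: bad attribute type {attr.strip()!r}")
        if not value.strip():
            problems.append(f"RDN {rdn!r}: empty value")
    return problems


# Constructed sample: the DNs as they appear in the post above.
SAMPLE_DNS = {
    "base_dn": "DC=internal,DC=external,DC=com",
    "auth_container": "CN=Users,DC-internal,DC=external,DC=com",
    "bind_user": "CN=binduser,CN=Users,DC-internal,DC=external,DC=com",
}


def audit(dns=SAMPLE_DNS):
    """Map each setting name to its problems; only malformed DNs are returned."""
    findings = {name: check_dn(dn) for name, dn in dns.items()}
    return {name: probs for name, probs in findings.items() if probs}


if __name__ == "__main__":
    for name, probs in audit().items():
        print(name, "->", "; ".join(probs))
```

Running it flags `auth_container` and `bind_user` because `DC-internal` has no `=`, while the base DN passes.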
