[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

Marco Shmerykowsky marco at sce-engineers.com
Tue Sep 15 20:57:05 UTC 2020

On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
>> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>>> I've tried restarting PHP-FPM and webconfigurator,
>>>> but that doesn't seem to solve the problem.
>>> This must be done each time after you edit the configuration using
>>> the LDAP authentication setup page. Otherwise the changes won't stick.
>>> Before I knew this, I did suffer a lot trying to make it work and not
>>> understanding why it didn't.
>> Yea - I'm lost.  I keep trying the same thing hoping for different
>> results.  I think that is the definition of insanity.
>> I've tried:
>> create a new OU called VPNusers and a user within that called bind-user-1
>> Also created a user under Users called bind-user-2
>> then I set the following:
>> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
>> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
>> bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>> no go.  Also tried:
>> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
>> authentication container => CN=users,DC=internal,DC=external,DC=com
>> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>> After each change I run options 16 (restart php-fpm) and 11 (restart
>> webconfigurator)
>> Tried using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>> Tried using "Global Root CA List & No Client Cert" and "Samba CA &
>> cert/key"
>> Keeps failing to bind.
> OK, AD uses what is known as back-links, that is, you create something
> and two attributes are created and they sort of point at each other.
> For instance, when you add a user to a group, the user gets a
> 'memberOf' attribute that contains the group's DN and the group gets a
> 'member' attribute that contains the user's DN.
> I think you need to use an existing group (which isn't Domain Users)
> or create a new one and use that group's DN in the 'extended query'.
> Rowland

Perhaps I'm mixing terminology in my understanding of how I'm
setting things up.  Does the user being used to create the
bind need to be part of a "security group" or just part
of a different organizational unit?

When I use the Windows admin tool for "Active Directory Users and 
I have a user located in "internal.external.com->users->bind-user-1".
This is just another user like anyone else in the office.

Under "internal.external.com->users" I also have a number of "Security 
defined to which I assigned my users to establish access privileges.
So the distinguished name for a group is something like:

I also tried creating a new organizational unit and then creating
a user within that OU (i.e. internal.external.com->VPNUsers->bind-user-2).
This user, however, was not assigned to a security group.

Do either of the scenarios described make sense or does the user
need to be part of a Windows "Security Group"?
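Rowland's back-link explanation, illustrated as an added example that is not part of this thread or of pfSense/Samba: a small in-memory model in which 'memberOf' is derived from each group's 'member' attribute, so an extended query naming an OU DN (as in the configurations tried above) can never match, while a group DN does. All DNs and group names below are constructed placeholders modelled on the thread's internal.external.com domain.

```python
# Added example (not from the thread): models AD back-links to show why a
# pfSense extended query of the form memberof=<DN> only works with a group DN.

BASE_DN = "DC=internal,DC=external,DC=com"

# Constructed directory: groups carry the forward link ('member' attribute).
GROUPS = {
    f"CN=VPN Users,CN=Users,{BASE_DN}": [
        f"CN=vpn-bind-user-1,OU=vpnusers,{BASE_DN}",
    ],
    f"CN=Domain Users,CN=Users,{BASE_DN}": [
        f"CN=vpn-bind-user-1,OU=vpnusers,{BASE_DN}",
        f"CN=vpn-bind-user-2,CN=Users,{BASE_DN}",
    ],
}

def _norm(dn: str) -> str:
    """Cheap DN normalisation: AD compares DNs case-insensitively."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def member_of(user_dn: str) -> set[str]:
    """Derive the back-link: every group whose 'member' lists this user."""
    return {g for g, members in GROUPS.items()
            if _norm(user_dn) in map(_norm, members)}

def parse_extended_query(query: str) -> tuple[str, str]:
    """Split the pfSense 'attr=value' extended query into attribute and value."""
    attr, _, value = query.partition("=")
    if not attr or not value:
        raise ValueError(f"malformed extended query: {query!r}")
    return attr.strip().lower(), value.strip()

def check_extended_query(query: str) -> list[str]:
    """Return the configuration problems found in a memberof extended query."""
    attr, dn = parse_extended_query(query)
    if attr != "memberof":
        return [f"unexpected attribute {attr!r}; only memberof is checked here"]
    problems = []
    rdn_type = dn.split(",", 1)[0].split("=", 1)[0].strip().upper()
    if rdn_type == "OU":
        problems.append("DN names an organizational unit; memberOf only ever holds group DNs")
    if _norm(dn) not in map(_norm, GROUPS):
        problems.append("DN does not match any group in the directory")
    return problems

def user_matches(user_dn: str, query: str) -> bool:
    """Evaluate the extended query against the user's derived memberOf values."""
    attr, dn = parse_extended_query(query)
    return attr == "memberof" and _norm(dn) in map(_norm, member_of(user_dn))
```

Running `check_extended_query` on the OU-based query from the thread reports both that the DN is an OU and that no group carries it, which is exactly why no user can satisfy the filter.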
