[Samba] PFsense via Samba Authentication Server -> ERROR! ldap_get_groups() could not bind

Marco Shmerykowsky marco at sce-engineers.com
Wed Sep 16 16:34:58 UTC 2020

I followed the instructions on the OpenVPN site for creating
the bind user:


Following this procedure creates a user, but does not
assign it to any security group other than "Domain Users"
as described on the site.

The bind works sometimes.  I cannot track down what causes
the difference between apparent success and failure
for the bind.

On 9/16/2020 3:14 AM, L.P.H. van Belle via samba wrote:
>> This is just another user like anyone else in the office.
> No, it's of course not... Why do you think your binding user is failing ;-)
> So, on the bind fail.
> Did you set on the "binding" user: account is trusted and cannot be delegated?
> Password can be changed and never expires also need to be ticked.
> What's set on the pfSense server in ldap.conf?
> Is BASE and URI defined?
> As far as I can tell, your certificate setup is fine.
> If you're not sure, go to:  testssl.sh  (yes, that is a website)
> Greetz,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Marco Shmerykowsky via samba
>> Sent: Tuesday, 15 September 2020 22:57
>> To: Rowland penny
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] PFsense via Samba Authentication
>> Server -> ERROR! ldap_get_groups() could not bind
>> On 2020-09-15 4:19 pm, Rowland penny via samba wrote:
>>> On 15/09/2020 20:53, Marco Shmerykowsky via samba wrote:
>>>> On 2020-09-15 1:13 pm, miguel medalha wrote:
>>>>>> I've tried restarting PHP-FPM and webconfigurator,
>>>>>> but that doesn't seem to solve the problem.
>>>>> This must be done each time after you edit the configuration using
>>>>> the LDAP authentication setup page. Otherwise the changes won't
>>>>> stick. Before I knew this, I did suffer a lot trying to make it work
>>>>> and not understanding why it didn't.
>>>> Yea - I'm lost.  I keep trying the same thing hoping for different
>>>> results.  I think that is the definition of insanity.
>>>> I've tried:
>>>> create new OU called VPNusers and a user within that called
>>>> bind-user-1
>>>> Also created a user under Users called bind-user-2
>>>> then I set the following:
>>>> extended query => memberof=OU=vpnusers,DC=internal,DC=external,DC=com
>>>> authentication container => OU=vpnusers,DC=internal,DC=external,DC=com
>>>> bind user => CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
>>>> no go.  Also tried:
>>>> extended query => memberof=CN=users,DC=internal,DC=external,DC=com
>>>> authentication container => CN=users,DC=internal,DC=external,DC=com
>>>> bind user => CN=vpn-bind-user-2,CN=users,DC=internal,DC=external,DC=com
>>>> After each change I run options 16 (restart php-fpm) and 11 (restart
>>>> webconfigurator)
>>>> Tried Using 389/TCP-Standard, 389-TCP-STARTTLS, & 636/SSL-Encrypted
>>>> Tried using "Global Root CA List & No Client Cert" and "Samba CA &
>>>> cert/key"
>>>> Keeps failing to bind.
>>> OK, AD uses what is known as back-links, that is you create something
>>> and two attributes are created and they sort of point at each other,
>>> for instance when you add a user to a group, the user gets a
>>> 'memberOf' attribute that contains the group's DN and the group gets a
>>> 'member' attribute that contains the user's DN.
>>> I think you need to use an existing group (which isn't Domain Users)
>>> or create a new one and use that group's DN in the 'extended query'.
>>> Rowland
>> Perhaps I'm mixing terminology in my understanding of how I'm
>> setting things up.  Does the user being used to create the
>> bind need to be part of a "security group" or just part
>> of a different organizational unit?
>> When I use the windows admin tool for "Active Directory Users and
>> Computers" I have a user located in
>> "internal.external.com->users->bind-user-1".
>> This is just another user like anyone else in the office.
>> Under "internal.external.com->users" I also have a number of
>> "Security *Groups*" defined to which I assigned my users to establish
>> access privileges.
>> so the distinguished name for a group is something like:
>> CN=Group,CN=Users,DC=internal,DC=external,DC=com
>> I also tried creating a new organizational unit and then creating
>> a user within that OU (ie
>> internal.external.com->VPNUsers->bind-user-2)
>> This user, however, was not assigned to a security group.
>> Do either of the scenarios described make sense or does the user
>> need to be part of a Windows "Security Group"?
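The point Rowland makes about back-links is what decides whether the "extended query" tried in this thread can ever match: a user's memberOf attribute only ever holds group DNs, so memberof=OU=vpnusers,... or memberof=CN=users,... (an OU and a container, not groups) cannot match any user. The script below is an added example for this thread, not pfSense or Samba code. It parses a constructed LDIF dump of the shape ldbsearch or ldapsearch prints (the DNs are the ones from the thread; the attribute values, the "VPN Users" and "Stale Group" groups, and the stale memberOf on vpn-bind-user-1 are made up), verifies that every memberOf is mirrored by a member value on a real group entry, and evaluates the three extended queries from the thread against the bind user.

```python
"""Back-link and 'memberof=' extended-query check for the AD setup above.

Added example for this thread, not pfSense or Samba code.  It reads a
constructed LDIF dump and checks two things:
  1. every 'memberOf' value on a user is mirrored by a 'member' value on an
     existing group entry (the back-link pair), and
  2. whether a pfSense-style extended query 'memberof=<DN>' can ever match
     the bind user.  OU and container DNs are not group DNs and never
     appear in memberOf, so such queries never match.
"""
from collections import defaultdict

# Constructed sample: one group with a proper back-link, the OU and the
# CN=Users container (neither is a group), and a stale memberOf on
# vpn-bind-user-1 that no group's 'member' attribute mirrors.
SAMPLE_LDIF = """\
dn: CN=VPN Users,CN=Users,DC=internal,DC=external,DC=com
objectClass: group
member: CN=vpn-bind-user-2,CN=Users,DC=internal,DC=external,DC=com

dn: OU=vpnusers,DC=internal,DC=external,DC=com
objectClass: organizationalUnit

dn: CN=Users,DC=internal,DC=external,DC=com
objectClass: container

dn: CN=Stale Group,CN=Users,DC=internal,DC=external,DC=com
objectClass: group

dn: CN=vpn-bind-user-1,OU=vpnusers,DC=internal,DC=external,DC=com
objectClass: user
memberOf: CN=Stale Group,CN=Users,DC=internal,DC=external,DC=com

dn: CN=vpn-bind-user-2,CN=Users,DC=internal,DC=external,DC=com
objectClass: user
memberOf: CN=VPN Users,CN=Users,
 DC=internal,DC=external,DC=com
"""


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around RDN separators; AD DNs are
    case-insensitive and different tools print them with different casing."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse a simple LDIF dump into {normalized_dn: {attr_lower: [values]}}.
    Folded continuation lines (leading space) are joined; base64 '::' values
    are not handled because DN-valued attributes are plain text."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the record
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = entries.setdefault(normalize_dn(value), defaultdict(list))
        elif current is not None:
            current[key].append(value)
    return entries


def is_group(entry):
    return any(c.lower() == "group" for c in entry.get("objectclass", []))


def check_backlinks(entries):
    """Return (user_dn, group_dn) pairs whose memberOf is not mirrored by a
    'member' value on an existing group entry.  Both DNs are normalized."""
    broken = []
    for user_dn, attrs in entries.items():
        for group_ref in attrs.get("memberof", []):
            group_dn = normalize_dn(group_ref)
            group = entries.get(group_dn)
            members = [normalize_dn(m) for m in group.get("member", [])] if group else []
            if group is None or not is_group(group) or user_dn not in members:
                broken.append((user_dn, group_dn))
    return broken


def extended_query_matches(entries, user_dn, query):
    """Evaluate a single 'attr=value' extended query (the form used in the
    thread) against one user entry; only equality on one attribute is modelled."""
    attr, _, wanted = query.partition("=")
    user = entries.get(normalize_dn(user_dn))
    if user is None:
        return False
    values = user.get(attr.strip().lower(), [])
    return any(normalize_dn(v) == normalize_dn(wanted) for v in values)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("broken back-links:", check_backlinks(entries))
    user = "CN=vpn-bind-user-2,CN=Users,DC=internal,DC=external,DC=com"
    for q in ("memberof=OU=vpnusers,DC=internal,DC=external,DC=com",
              "memberof=CN=users,DC=internal,DC=external,DC=com",
              "memberof=CN=VPN Users,CN=Users,DC=internal,DC=external,DC=com"):
        print(q, "->", extended_query_matches(entries, user, q))
```

To run it against a real Samba AD DC, replace SAMPLE_LDIF with the output of a query such as `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' memberOf objectClass` plus the same for `(objectClass=group)` with `member`. Only the first two queries from the thread fail here; the third, which names a real group DN, matches. Note also that a user's primary group (Domain Users by default) is recorded through primaryGroupID rather than memberOf, so it is never visible to a memberof= query either, which is another reason to use a separate group as Rowland suggests.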