Netgate Discussion Forum
    troubleshooting LDAP authentication

    Category: OpenVPN
    15 Posts 3 Posters 1.8k Views
    adamw:

      Hello,

      I'm trying to make OpenVPN authenticate users against an external Samba AD / LDAP.

      Under system_authservers.php I've set up an LDAP server connection to the best of my knowledge.

      When I test authentication through diag_authentication.php all I can see is:

      The following input errors were detected:
      Authentication failed.
      

      System.log only produces one line:

      php-fpm: /diag_authentication.php: Search resulted in error: Operations error
      

      Is it possible to see more details (e.g. increase verbosity / debug level)?

      Thanks,
      Adam

      adamw:

        It started working when I added an empty "Users" group (which matched the name of my AD group) to local pfSense groups.
        It would still be useful for pfSense logs to be a bit more specific though.

        adamw:

          Now I'm stuck a bit on the "bind credentials to resolve distinguished names" option.

          I have 2 accounts which, as far as I can tell, look identical from the AD perspective.

          One of them successfully connects (Samba logs):

          [2019/06/12 14:34:41.517364,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
            ldb_wrap open of secrets.ldb
          [2019/06/12 14:34:41.520731,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
            auth_check_password_send: Checking password for unmapped user [MATRIX_SCIENCE]\[account1]@[(null)]
            auth_check_password_send: mapped user is: [MATRIX_SCIENCE]\[account1]@[(null)]
          [2019/06/12 14:34:41.521510,  4] ../source4/auth/sam.c:183(authsam_account_ok)
            authsam_account_ok: Checking SMB password for user account1
          

          The other one fails:

          [2019/06/12 15:09:56.215000,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
            ldb_wrap open of secrets.ldb
          [2019/06/12 15:09:56.217871,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
            Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
          [2019/06/12 15:09:56.217941,  3] ../source4/smbd/process_single.c:114(single_terminate)
            single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
          

          Any idea what the second account is missing?

          The difference must be restricted to what's replicated between domain controllers as the behavior is identical against the primary and secondary one.

          KOM:

            @adamw said in troubleshooting LDAP authentication:

            It started working when I added an empty "Users" group (which matched the name of my AD group) to local pfSense groups.

            The Troubleshooting LDAP document had that tip:

            https://docs.netgate.com/pfsense/en/latest/usermanager/ldap-troubleshooting.html

            Other links to tutorials that seem to have some meat to them:

            https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/

            https://www.linkedin.com/pulse/setting-up-pfsense-openvpn-using-user-authentication-trevor-tye

            adamw:

              Thank you KOM.

              The first link brought me one step closer to a solution.

              I got authentication (bind credentials) working for account2 on the old DC (Samba 4.0.9):

              CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
              CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
              MATRIXSCIENCE.CO.UK\account1 ---> OK
              MATRIXSCIENCE.CO.UK\account2 ---> OK
              

              but it's still failing on the new DC (Samba 4.5.16):

              CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
              CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
              MATRIXSCIENCE.CO.UK\account1 ---> FAIL
              MATRIXSCIENCE.CO.UK\account2 ---> FAIL
              

              I suspected this might be due to some difference in smb.conf files on both controllers.
              They are now almost identical, to no joy, and I'm running out of ideas...

              KOM:

                Sorry, I don't have any other specific solutions as I don't use LDAP auth here.

                mcury:

                  Try to set this in your smb.conf on your AD, in the global parameters:
                  ldap server require strong auth = no

                  then set a password without any special character

                  dead on arrival, nowhere to be found.

                  adamw @mcury:

                    @mcury that didn't help

                    adamw @KOM:

                      @KOM

                      I'm also seeking help on the Samba mailing lists and one of the Samba guys has asked "It might also help if you can show how pfsense is trying to connect to AD."

                      Can you provide some more details on what exactly happens to /system_authservers.php -> "Bind credentials" ?

                      KOM @adamw:

                        @adamw I'd love to help you but I'm not a coder and I have no idea how any of that works. I was just trying to help with references you might have missed.

                        adamw:

                          I've solved my problem but can't post my (short) reply:

                          ERROR
                          Post content was flagged as spam by Akismet.com
                          
                          KOM:

                            I bumped your reputation by 1. Try again.

                            adamw:

                              The harder I try the fussier the antispam engine gets.
                              Now I can't even post 4 lines with a single code quote, no links or email addresses :(
                              Maybe I'll let it cool down a bit and try again on Monday.

                              KOM:

                                OK now you're at 5. I think I remember that 5 was the lucky number. Please try again.

                                adamw:

                                  An LDAP browser tool helped a bit and allowed me to see a more specific error:

                                  [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
                                  

                                  After a bit of research I've managed to connect using account@domain.co.uk format in "Bind credentials" username.

                                  This might be worth adding to the pfSense-LDAP troubleshooting guide.

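The result-49 diagnostic in the last post carries an AD-specific sub-code ("data 52e") that names the real bind failure, which pfSense's own "Operations error" line does not. The decoder below is an added example, not code from the thread or from pfSense/Samba: it parses that diagnostic format, maps the documented AD sub-codes (52e invalid credentials, 525 user not found, 533 account disabled, and so on) to plain-language reasons, and classifies the three bind-name forms adamw tried (DN, DOMAIN\account, UPN). The sample string and account names are the ones quoted in the thread; nothing is sent to a directory.

```python
import re
# Documented AD sub-codes echoed in the "data" field of an LDAP result 49
# (invalidCredentials) diagnostic; they are Windows logon status codes in hex.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or bind name not mapped to an account)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DIAG_RE = re.compile(
    r"error code (?P<code>\d+) - (?P<win>[0-9a-fA-F]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9a-fA-F]+), comment: (?P<comment>.*?), data (?P<data>[0-9a-fA-F]+)"
)

def decode_ldap_diag(msg):
    """Decode an AD bind diagnostic; result_code is None when msg has none
    (e.g. pfSense's bare 'Search resulted in error: Operations error')."""
    m = DIAG_RE.search(msg)
    if not m:
        return {"result_code": None, "reason": "no AD diagnostic present"}
    data = m.group("data").lower()
    return {
        "result_code": int(m.group("code")),
        "sspi_status": m.group("win").lower(),
        "data": data,
        "reason": AD_BIND_SUBCODES.get(data, "unknown sub-code " + data),
    }

def bind_name_form(name):
    """Classify the username form typed into pfSense's 'Bind credentials'."""
    if "@" in name:
        return "upn"        # account@domain.co.uk, the form that worked in the thread
    if "\\" in name:
        return "netbios"    # DOMAIN\account
    if re.match(r"\s*(cn|uid)=", name, re.I):
        return "dn"         # CN=account,CN=Users,DC=...
    return "bare"

# Constructed sample: the diagnostic string quoted in the last post.
SAMPLE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
          "comment: AcceptSecurityContext error, data 52e, v1db1]")

if __name__ == "__main__":
    print(decode_ldap_diag(SAMPLE))
    print(bind_name_form("account2@matrixscience.co.uk"))
```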
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.