troubleshooting LDAP authentication
-
Thank you KOM.
The first link brought me one step closer to a solution.
I got authentication (bind credentials) working for account2 on the old DC (Samba 4.0.9):
CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
MATRIXSCIENCE.CO.UK\account1 ---> OK
MATRIXSCIENCE.CO.UK\account2 ---> OK
but it's still failing on the new DC (Samba 4.5.16):
CN=account1,CN=Users,DC=matrixscience,DC=co,DC=uk ---> OK
CN=account2,CN=Users,DC=matrixscience,DC=co,DC=uk ---> FAIL
MATRIXSCIENCE.CO.UK\account1 ---> FAIL
MATRIXSCIENCE.CO.UK\account2 ---> FAIL
I suspected this might be due to some difference in smb.conf files on both controllers.
They are now almost identical, to no joy, and I'm running out of ideas...
-
Sorry, I don't have any other specific solutions as I don't use LDAP auth here.
-
Try to set this at your smb.conf in your AD, at global parameters
ldap server require strong auth = no
then set a password without any special character
-
@mcury that didn't help
-
I'm also seeking help on the Samba mailing lists and one of the Samba guys has asked: "It might also help if you can show how pfsense is trying to connect to AD."
Can you provide some more details on what exactly happens to /system_authservers.php -> "Bind credentials" ?
-
@adamw I'd love to help you but I'm not a coder and I have no idea how any of that works. I was just trying to help with references you might have missed.
-
I've solved my problem but can't post my (short) reply:
ERROR Post content was flagged as spam by Akismet.com
-
I bumped your reputation by 1. Try again.
-
The harder I try the fussier the antispam engine gets.
Now I can't even post 4 lines with a single code quote, no links or email addresses :(
Maybe I'll let it cool down a bit and try again on Monday.
-
OK now you're at 5. I think I remember that 5 was the lucky number. Please try again.
-
An LDAP browser tool helped a bit and allowed me to see a more specific error:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
After a bit of research I've managed to connect using account@domain.co.uk format in "Bind credentials" username.
This might be worth adding to the pfSense-LDAP troubleshooting guide.
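The error string above is the key diagnostic in this thread: LDAP result code 49 is the generic "invalid credentials" answer, and the `data 52e` sub-code after the `AcceptSecurityContext` comment is what Active Directory (and Samba AD) append to say why. The following is an added example, not code from this thread, pfSense or Samba: it decodes that sub-code using the standard Microsoft meanings, and builds the three bind-name forms that were tried in the thread (full DN, REALM\user, and user@domain UPN) so that each can be tested in turn and the resulting sub-code compared. The helper names and the `CN=Users` container are assumptions taken from the DNs posted above; the domain name in the usage section is the one from the thread.

```python
import re

# Standard AD sub-codes returned after "data" in an AcceptSecurityContext
# error (LDAP result code 49). These are Microsoft's documented meanings.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or a user name form the DC did not accept)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the "[LDAP: error code 49 - ...: comment: ..., data 52e, ...]" shape
# that AD-style servers return; comment and data are optional because a
# non-AD server (e.g. OpenLDAP) returns plain "error code 49" without them.
ERROR_RE = re.compile(
    r"error code (?P<code>\d+)"
    r"(?:.*?comment: (?P<comment>[^,]+))?"
    r"(?:.*?data (?P<data>[0-9a-fA-F]+))?",
    re.IGNORECASE,
)


def parse_ldap_error(message):
    """Return a dict describing an LDAP bind failure message, or None if the
    message carries no result code at all."""
    m = ERROR_RE.search(message)
    if not m:
        return None
    code = int(m.group("code"))
    data = (m.group("data") or "").lower()
    if code != 49:
        meaning = "not an invalid-credentials error"
    else:
        meaning = AD_BIND_SUBCODES.get(data, "code 49 with no or unknown AD sub-code")
    return {
        "code": code,
        "comment": (m.group("comment") or "").strip(),
        "data": data,
        "meaning": meaning,
    }


def bind_name_candidates(sam_account, domain_dns, users_container="CN=Users"):
    """Build the three bind-name forms tried in the thread for one account.
    users_container is an assumption; accounts may live elsewhere in the tree."""
    labels = domain_dns.lower().split(".")
    base_dn = ",".join("DC=" + label for label in labels)
    return {
        # Distinguished name of the user object
        "dn": f"CN={sam_account},{users_container},{base_dn}",
        # REALM\user form, as posted in the thread
        "realm": f"{domain_dns.upper()}\\{sam_account}",
        # userPrincipalName form, which is what finally worked in the thread
        "upn": f"{sam_account}@{domain_dns.lower()}",
    }


if __name__ == "__main__":
    # The exact error string reported in the thread
    sample = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
              "comment: AcceptSecurityContext error, data 52e, v1db1]")
    info = parse_ldap_error(sample)
    print(f"code {info['code']} data {info['data']!r}: {info['meaning']}")
    for form, name in bind_name_candidates("account2", "matrixscience.co.uk").items():
        print(f"{form:5s} -> {name}")
```

When a bind fails, compare the sub-code across the three name forms: a `52e` for the DN form but success for the UPN form, as in this thread, points at how the server resolves the bind name rather than at a wrong password, while `533`, `775` or `773` would indicate an account-state problem that no name format will fix.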