Netgate Discussion Forum

    OpenVPN auth via Samba4-ADS / LDAP

    8 Posts 2 Posters 1.7k Views 2 Watching
sgw

Yesterday I successfully set up and tested an authentication server in pfSense 2.4.4-p3 binding to a Samba 4 AD DC via LDAP (via STARTTLS). Worked ...
The same setup fails now. And I don't know why.

# anonymized config
<authserver>
  <refid>5d80cebadc599</refid>
  <type>ldap</type>
  <name>ADS</name>
  <ldap_caref>570b95f0032c8</ldap_caref>
  <host>10.0.0.230</host>
  <ldap_port>389</ldap_port>
  <ldap_urltype>TCP - STARTTLS</ldap_urltype>
  <ldap_protver>3</ldap_protver>
  <ldap_scope>subtree</ldap_scope>
  <ldap_basedn><![CDATA[DC=arbeitsgruppe,DC=mydomain,DC=at]]></ldap_basedn>
  <ldap_authcn><![CDATA[OU=IKW User,DC=arbeitsgruppe,DC=mydomain,DC=at]]></ldap_authcn>
  <ldap_extended_enabled>yes</ldap_extended_enabled>
  <ldap_extended_query><![CDATA[memberOf=CN=OpenVPNUsers,OU=Gruppen,OU=IKW User,DC=arbeitsgruppe,DC=mydomain,DC=at]]></ldap_extended_query>
  <ldap_attr_user><![CDATA[samAccountName]]></ldap_attr_user>
  <ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
  <ldap_attr_member><![CDATA[memberOf]]></ldap_attr_member>
  <ldap_attr_groupobj><![CDATA[posixGroup]]></ldap_attr_groupobj>
  <ldap_binddn><![CDATA[CN=Administrator,CN=Users,dc=arbeitsgruppe,dc=mydomain,dc=at]]></ldap_binddn>
  <ldap_bindpw><![CDATA[some_password]]></ldap_bindpw>
  <ldap_timeout>25</ldap_timeout>
</authserver>

      I don't get any containers listed and the samba-DC logs:

[2019/09/18 19:18:52.181957,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
  TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
[2019/09/18 19:18:52.182031,  1] ../source4/ldap_server/ldap_extended.c:89(ldapsrv_starttls_postprocess_done)
  ldapsrv_starttls_postprocess_done: accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error => NT_STATUS_IO_DEVICE_ERROR
  stream_terminate_connection: Terminating connection - 'ldapsrv_call_postprocess_done: call->postprocess_recv() - NT_STATUS_IO_DEVICE_ERROR'

Restarted PHP-FPM and the webConfigurator on pfSense, even restarted the DC ...

We tried the user "Administrator" and a separate AD user "pfsense" (both worked yesterday).
The setting "Peer Certificate Authority" in the web GUI is definitely wrong IMO, but even with this setting things worked fine yesterday.

Did we lose some Kerberos ticket? Date/time is quite close (in sync), within a few seconds at most.

      I wonder what I miss here.

      EDIT:

Imported the Samba AD CA (ca.pem) as an additional CA into pfSense, used the FQDN instead of the IP, etc. etc.

      works now. I wonder for how long ;-)

JeGr (LAYER 8 Moderator)

        @sgw said in OpenVPN auth via Samba4-ADS / LDAP:

Imported the Samba AD CA (ca.pem) as an additional CA into pfSense, used the FQDN instead of the IP, etc. etc.

As far as my tests have gone, you always need to import the CA(-chain) of the certificate of your DC/LDAP server and select that as the CA in your LDAP connection setting. Without it there'll always be errors connecting via TLS. Also, when changing that CA, be sure to restart PHP-FPM, as it can cache the certificate and the Auth Check (under Diagnostics) will sometimes flap or show unstable results otherwise. If you're using a self-created CA on the Samba/AD server, be sure it stays the same and that this CA is selected in the LDAP connection setting in pfSense. We had a problem with connections failing after some Windows update triggered a reboot and (somehow) re-creation of some certs, including the CA and server cert for the AD/LDAP connection. PITA if you can't fix it by dialing in via VPN ;)

Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

sgw

Yes, sounds scary ;-)
So far things seem to work: some test users have been running their tunnels against the ADS-authenticated OpenVPN server since last Friday or so ... no issues reported since then. So maybe this is SOLVED.

Might be worth a small howto section somewhere ("how to bind to Samba-based ADS"); where could I create a related PR or so?
Thanks, Stefan

sgw

They report problems again, so this doesn't work reliably (for us ...).
Without editing any setting I opened the pfSense GUI page for the ADS auth server and SAVEd again, then restarted PHP-FPM and the webConfigurator. After doing that I can auth my tunnel again ... hmmmm

Please advise if I'm missing anything.

JeGr (LAYER 8 Moderator)

              @sgw said in OpenVPN auth via Samba4-ADS / LDAP:

              SAVEd again, then restarted PHP-FPM and the web-configurator

That should actually do nothing if you have not changed anything. Restarting PHP/webConfigurator was only necessary if you changed the TLS stack (e.g. a new CA certificate); anything else works pretty much as it should. Smooth as ever authenticating against our internal AD domain via LDAPS. Very strange. Did you check if the CA or server cert was changed by anything?


sgw @JeGr

@JeGr Checked on the Samba DC right now: the files in /var/lib/samba/private/tls are from Aug 29th and have not changed since then. I wonder and don't know if I maybe have to chain them in some way:

# ls -l /var/lib/samba/private/tls
total 12
-rw-r--r-- 1 root root 2074 Aug 29 14:29 ca.pem
-rw-r--r-- 1 root root 2078 Aug 29 14:29 cert.pem
-rw------- 1 root root 3243 Aug 29 14:29 key.pem

                So far I only added ca.pem as CA to pfsense, you mentioned the "CA(-chain)" ...?

                Related question here: is it possible to define multiple DCs as auth servers (in case one isn't available temporarily)?

JeGr (LAYER 8 Moderator)

                  @sgw said in OpenVPN auth via Samba4-ADS / LDAP:

                  the "CA(-chain)" ...?

Yeah, but your ca.crt should have that. You can always check what's inside the PEMs, but from the file size I would guess those are both 2k certs. And if there were an intermediate to chain, it would possibly be inside the ca.pem as well, or all certs (the whole chain including the host cert) would be in cert.pem. That's what's normally done with certain services: all in one, or the CA chain in a separate file.


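The two points JeGr makes above, importing the DC's CA(-chain) into pfSense and checking what is actually inside the PEMs under /var/lib/samba/private/tls, can be verified from a shell with nothing but openssl. The script below is an added example and is not part of the thread, nor pfSense or Samba code. So that it runs offline, it builds a throw-away CA and DC certificate in the same three-file layout (ca.pem, cert.pem, key.pem) in a temporary directory; the host name dc1.arbeitsgruppe.mydomain.at is an assumed DC name derived from the thread's anonymized base DN, and 10.0.0.230 is the IP the original config pointed at. Point the check functions at the real files on the DC instead of the demo directory.

```sh
#!/bin/sh
# Added example (not from the forum thread): inspect the PEM files a Samba AD DC
# keeps in /var/lib/samba/private/tls and check that cert.pem chains to ca.pem and
# carries the name pfSense will connect to. Host name and IP are assumptions that
# reuse the thread's anonymized values; the demo PKI is constructed on the fly.
set -u

DEMO_FQDN="dc1.arbeitsgruppe.mydomain.at"   # assumed DC FQDN (not in the thread)
DEMO_IP="10.0.0.230"                        # the IP the original config used

# How many certificates does a PEM file hold? 1 = single cert, >1 = a bundled chain.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Show subject, issuer and SAN so you can see who signed the cert and which
# names it is valid for.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        || echo "  (no subjectAltName)"
}

# Does CERT chain to CA? This is the check behind pfSense's "Peer Certificate
# Authority" setting; it fails if the DC re-created its CA or server cert.
verify_against_ca() {           # $1 = ca.pem, $2 = cert.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check plus name matching: what a client sees when it connects by FQDN
# versus by IP address. A cert with only a DNS SAN never matches an IP.
verify_hostname() {             # $1 = ca.pem, $2 = cert.pem, $3 = expected DNS name
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
verify_ip() {                   # $1 = ca.pem, $2 = cert.pem, $3 = expected IP
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

# Build a throw-away CA + DC certificate in the Samba layout so the checks above
# can run offline. Real DC files are never touched.
build_demo_pki() {              # $1 = target directory
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Samba AD Demo CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/key.pem" -out "$dir/dc.csr" \
        -subj "/CN=$DEMO_FQDN" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$DEMO_FQDN" > "$dir/san.cnf"
    openssl x509 -req -days 2 -in "$dir/dc.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/cert.pem" >/dev/null 2>&1
    # The bundled form JeGr describes: host cert plus CA chain in one file.
    cat "$dir/cert.pem" "$dir/ca.pem" > "$dir/chain.pem"
}

run_demo() {
    dir="$1"
    build_demo_pki "$dir"
    echo "certs in ca.pem:    $(count_certs "$dir/ca.pem")"
    echo "certs in chain.pem: $(count_certs "$dir/chain.pem")"
    describe_cert "$dir/cert.pem"
    verify_against_ca "$dir/ca.pem" "$dir/cert.pem" && echo "cert.pem chains to ca.pem: OK"
    verify_hostname "$dir/ca.pem" "$dir/cert.pem" "$DEMO_FQDN" && echo "name $DEMO_FQDN matches: OK"
    verify_ip "$dir/ca.pem" "$dir/cert.pem" "$DEMO_IP" \
        || echo "IP $DEMO_IP does NOT match: connect by FQDN, not by IP"
}

run_demo "$(mktemp -d)"
```

On the real DC, a count_certs result above 1 for ca.pem means it already bundles an intermediate and the whole file should be imported into pfSense; verify_against_ca failing means the CA pfSense holds can no longer validate the DC's current cert.pem, which is exactly the state after the certificate re-creation JeGr describes. The hostname check is why switching from the IP to the FQDN mattered in the first post. To run the same verification against the live DC from the pfSense shell, use `openssl s_client -starttls ldap -connect dc1.arbeitsgruppe.mydomain.at:389 -CAfile /path/to/ca.pem -verify_return_error`; with -verify_return_error the client aborts the handshake on a verification failure the way an LDAP client does, and the DC side then logs the fatal alert seen in the Samba output earlier in the thread.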
sgw @JeGr

                    @JeGr said in OpenVPN auth via Samba4-ADS / LDAP:

                    @sgw said in OpenVPN auth via Samba4-ADS / LDAP:

                    the "CA(-chain)" ...?

Yeah, but your ca.crt should have that. You can always check what's inside the PEMs, but from the file size I would guess those are both 2k certs. And if there were an intermediate to chain, it would possibly be inside the ca.pem as well, or all certs (the whole chain including the host cert) would be in cert.pem. That's what's normally done with certain services: all in one, or the CA chain in a separate file.

I am not quite sure what to do or check now ;-)
From the fact that it works sometimes it should be mostly OK, right?
What I did today: added the two DC IPs as NTP servers to pfSense ... to make sure there is no time drift.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.