Issue with AD Authentication Server
-
Hi everyone,
I'm new to pfSense and I'm only using it for private usage and interest in it. I set up an AD server based on Ubuntu 18.04 and Samba, to centralize my user management. After a few tries I got it to work and I'm able to bind Windows and Linux machines to my local AD domain.
Unfortunately I'm not able to bind pfSense to it. I set everything up according to the many tutorials online. Here is my configuration:
Descriptive name: Active Directory Domain Controller
Type: LDAP
Hostname or IP address: addc
Port value: 389
Transport: TCP - Standard
Protocol version: 3
Server Timeout: 25
Search scope Level: Entire Subtree
Search scope BaseDN: DC=DOMAIN,DC=LAN
Authentication containers: CN=Users,DC=domain,DC=lan
Extended query: true
Query: memberOf=CN=Administrators,CN=Users,DC=domain,DC=lan
Bind anonymous: false
Bind credentials: pfsense-ad@domain.lan *password*
User naming attribute: sAMAccountName
Group naming attribute: cn
Group member attribute: memberOf
RFC 2307 Groups: false
Group Object Class: posixGroup
UTF8 Encode: false
Username Alterations: false
If I save and test my settings I get the following result:
Attempting connection to - addc - OK
Attempting bind to - addc - OK
Attempting to fetch Organizational Units from - addc - failed
I'm also unable to use "Select a container" under "System/User Manager/Authentication Servers/Edit". If I try, a message in red is displayed at the bottom of the page: "Could not connect to the LDAP server. Please check the LDAP configuration."
I set up the AD Server according to this howto: Link
But I used the command
sudo samba-tool domain provision --use-rfc2307 --interactive
to create the Samba Domain config files, because, as far as I understand, the "--use-rfc2307" parameter generates POSIX prefixes into the AD configuration and I guessed it is needed for pfSense. In one of my first tries I generated the Samba Domain config without the "--use-rfc2307" parameter, but I got the same result.
The syslog shows entries like this:
Aug 19 09:02:16 php-fpm 17185 /system_authservers.php: ERROR! ldap_get_user_ous() could not bind to server .
Aug 19 09:02:28 php-fpm 17185 /system_authservers.php: ERROR! ldap_get_user_ous() could not bind to server .
Aug 19 09:02:36 php-fpm 17185 /system_usermanager_settings.php: ERROR! ldap_get_groups() could not bind to server Active Directory Domain Controller.
Aug 19 09:02:36 php-fpm 17185 /system_usermanager_settings.php: ERROR! ldap_get_user_ous() could not bind to server Active Directory Domain Controller.
As I already said, Windows 10 and Ubuntu 18.04 have no problems binding to the AD server.
I hope someone can help me, because I really don't know how to proceed.
Greetings
m0nKeY
-
Is no one able to give advice?
-
Hi, were you able to fix this? I am in the exact same situation.
-
Not exactly that same because it's 4 years later and I assume you're using pfSense 2.6? And probably not Ubuntu 18.06.
So what exactly are you seeing now? What have you tried? How is it configured?
Steve
-
Hi Steve, the exact situation referred to the same error message; I fixed it by disabling LDAP Domain Signing on the AD in gpedit. Thanks for asking!
-
@mc-amz Just in case anyone stumbles upon this issue. We were able to fix it by adding the setting
"ldap server require strong auth = no"
to our smb.conf file.
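The two fixes posted above both relax the domain controller's LDAP signing requirement so that pfSense's plaintext simple bind on port 389 is accepted. Added example (not pfSense or Samba code, not from anyone in this thread): a small checker that encodes the documented semantics of Samba's `ldap server require strong auth` option and reports, for a constructed smb.conf and a pfSense Transport setting, whether the bind would succeed and whether the bind password would cross the network unencrypted. The transport labels other than "TCP - Standard" are assumed to match the pfSense UI.

```python
"""Does a pfSense LDAP auth server simple bind succeed against a Samba AD DC?

Samba's 'ldap server require strong auth' (default: yes) controls simple binds:
  yes / allow_sasl_over_tls -> simple bind only over a TLS-encrypted connection
  no                        -> simple bind over any transport (the workaround above)
pfSense authenticates with a plain LDAP simple bind using the configured credentials.
"""

# Constructed smb.conf fragments: the thread's workaround beside Samba's default.
SMB_CONF_WORKAROUND = """
[global]
    realm = DOMAIN.LAN
    server role = active directory domain controller
    ldap server require strong auth = no
"""
SMB_CONF_DEFAULT = """
[global]
    realm = DOMAIN.LAN
    server role = active directory domain controller
"""

# pfSense "Transport" labels; only "TCP - Standard" appears in the thread, the
# other two are assumed from the pfSense UI.
ENCRYPTED_TRANSPORTS = {"TCP - STARTTLS", "SSL/TLS Encrypted"}


def strong_auth_setting(smb_conf: str) -> str:
    """Return the effective value of 'ldap server require strong auth' in [global]."""
    section = None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            if "".join(key.split()).lower() == "ldapserverrequirestrongauth":
                return value.strip().lower()
    return "yes"  # Samba's documented default


def simple_bind_allowed(smb_conf: str, transport: str) -> bool:
    """True if the DC accepts a simple bind over the given pfSense transport."""
    if strong_auth_setting(smb_conf) == "no":
        return True
    return transport in ENCRYPTED_TRANSPORTS


def assess(smb_conf: str, transport: str) -> str:
    """Outcome of the bind plus the exposure the combination implies."""
    if not simple_bind_allowed(smb_conf, transport):
        return "bind rejected: DC requires strong auth; use STARTTLS/LDAPS in pfSense or relax Samba"
    if transport not in ENCRYPTED_TRANSPORTS:
        return "bind accepted, but the bind DN password crosses the network in cleartext"
    return "bind accepted over TLS with the DC's signing requirement left in place"
```

The third outcome (TLS transport in pfSense, Samba default kept) is the combination that clears the "could not bind" error without weakening the domain controller for every other LDAP client.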