OpenVPN auth via Samba4-ADS / LDAP



  • Yesterday I successfully set up and tested an authentication server in pfsense-2.4.4p3 binding to a samba-4-ADC via LDAP (via STARTTLS). Worked ...
    Same setup fails now. And I don't know why.

    # anonymized config
    <authserver>
        <refid>5d80cebadc599</refid>
        <type>ldap</type>
        <name>ADS</name>
        <ldap_caref>570b95f0032c8</ldap_caref>
        <host>10.0.0.230</host>
        <ldap_port>389</ldap_port>
        <ldap_urltype>TCP - STARTTLS</ldap_urltype>
        <ldap_protver>3</ldap_protver>
        <ldap_scope>subtree</ldap_scope>
        <ldap_basedn><![CDATA[DC=arbeitsgruppe,DC=mydomain,DC=at]]></ldap_basedn>
        <ldap_authcn><![CDATA[OU=IKW User,DC=arbeitsgruppe,DC=mydomain,DC=at]]></ldap_authcn>
        <ldap_extended_enabled>yes</ldap_extended_enabled>
        <ldap_extended_query><![CDATA[memberOf=CN=OpenVPNUsers,OU=Gruppen,OU=IKW User,DC=arbeitsgruppe,DC=mydomain,DC=at]]></ldap_extended_query>
        <ldap_attr_user><![CDATA[samAccountName]]></ldap_attr_user>
        <ldap_attr_group><![CDATA[cn]]></ldap_attr_group>
        <ldap_attr_member><![CDATA[memberOf]]></ldap_attr_member>
        <ldap_attr_groupobj><![CDATA[posixGroup]]></ldap_attr_groupobj>
        <ldap_binddn><![CDATA[CN=Administrator,CN=Users,dc=arbeitsgruppe,dc=mydomain,dc=at]]></ldap_binddn>
        <ldap_bindpw><![CDATA[some_password]]></ldap_bindpw>
        <ldap_timeout>25</ldap_timeout>
    </authserver>


    I don't get any containers listed and the samba-DC logs:

    [2019/09/18 19:18:52.181957,  1] ../source4/lib/tls/tls_tstream.c:1439(tstream_tls_retry_handshake)
      TLS ../source4/lib/tls/tls_tstream.c:1439 - A TLS fatal alert has been received.
    [2019/09/18 19:18:52.182031,  1] ../source4/ldap_server/ldap_extended.c:89(ldapsrv_starttls_postprocess_done)
      ldapsrv_starttls_postprocess_done: accept_tls_loop: tstream_tls_accept_recv() - 5:Input/output error => NT_STATUS_IO_DEVICE_ERRORstream_terminate_connection: Terminating connection - 'ldapsrv_call_postprocess_done: call->postprocess_recv() - NT_STATUS_IO_DEVICE_ERROR'
    

    restarted PHP-FPM and webconfigurator on pfsense, restarted even the DC ...

    We tried user "Administrator" and a separate AD-user "pfsense" (both worked yesterday).
    The setting "Peer Certificate Authority" in the webgui is definitely wrong IMO, but even with this setting things worked fine yesterday.

    Did we lose some kerberos ticket? date/time is quite close (in sync), within some seconds maximum.

    I wonder what I miss here.

    EDIT:

    imported the samba-AD-CA (ca.pem) as additional CA into pfsense, used FQDN instead of IP, etc etc

    works now. I wonder for how long ;-)


  • LAYER 8 Moderator

    @sgw said in OpenVPN auth via Samba4-ADS / LDAP:

    imported the samba-AD-CA (ca.pem) as additional CA into pfsense, used FQDN instead of IP, etc etc

    As far as my tests have gone, you always need to import the CA(-chain) of the certificate of your DC/LDAP server and select that as CA in your LDAP connection setting. Without it there'll always be errors connecting via TLS. Also, when changing that CA be sure to restart PHP-FPM, as it can cache the certificate and the Auth Check (under Diagnostics) will sometimes flap or show unstable results otherwise. If you're using a self-created CA on the Samba/AD server, be sure it stays the same and that this CA is selected in the LDAP connection setting in pfSense. We had a problem with connections failing after some Windows update triggered a reboot and (somehow) re-creation of some certs including the CA and server cert for the AD/LDAP connection. PITA if you can't fix it by dialing in via VPN ;)



  • Yes, sounds scary ;-)
    So far things seem to work: some test users run their tunnels against the ADS-authed OpenVPN server since last Friday or so ... no issues reported since then. So maybe this is SOLVED.

    Might be worth a small howto section somewhere ("how to bind to Samba-based ADS"), where could I create a related PR or so?
    thanks, Stefan



  • They report problems again, so this doesn't work reliably (for us ...)
    Without editing any setting I opened the pfsense-GUI-page for the ADS auth server and SAVEd again, then restarted PHP-FPM and the web-configurator. After doing that I can auth my tunnel again ... hmmmm

    pls advise if I miss anything


  • LAYER 8 Moderator

    @sgw said in OpenVPN auth via Samba4-ADS / LDAP:

    SAVEd again, then restarted PHP-FPM and the web-configurator

    That should actually do nothing if you have not changed anything. Restarting PHP/webconf was only necessary if you changed the TLS stack (e.g. new CA certificate); anything else works pretty much as it should. Smooth as ever authenticating against our internal AD domain via LDAPS. Very strange. Did you check if the CA or server cert was changed by anything?



    @JeGr checked on the samba DC right now, the files in /var/lib/samba/private/tls are from Aug 29th and not changed since then. I wonder and don't know if I maybe have to chain them in a way:

    # ls -l /var/lib/samba/private/tls
    insgesamt 12
    -rw-r--r-- 1 root root 2074 Aug 29 14:29 ca.pem
    -rw-r--r-- 1 root root 2078 Aug 29 14:29 cert.pem
    -rw------- 1 root root 3243 Aug 29 14:29 key.pem
    

    So far I only added ca.pem as CA to pfsense, you mentioned the "CA(-chain)" ...?

    Related question here: is it possible to define multiple DCs as auth servers (in case one isn't available temporarily)?


  • LAYER 8 Moderator

    @sgw said in OpenVPN auth via Samba4-ADS / LDAP:

    the "CA(-chain)" ...?

    Yeah, but your ca.crt should have that. You can always check what's inside the PEMs, but from the file size I would guess those are both 2k certs. And if there were an intermediate to chain, it would possibly be inside the ca.pem as well - or all certs (the whole chain including the host cert) would be in cert.pem. That's what's normally done with certain services: all in one, or ca-chain in a separate file.



  • @JeGr said in OpenVPN auth via Samba4-ADS / LDAP:

    @sgw said in OpenVPN auth via Samba4-ADS / LDAP:

    the "CA(-chain)" ...?

    Yeah, but your ca.crt should have that. You can always check what's inside the PEMs, but from the file size I would guess those are both 2k certs. And if there were an intermediate to chain, it would possibly be inside the ca.pem as well - or all certs (the whole chain including the host cert) would be in cert.pem. That's what's normally done with certain services: all in one, or ca-chain in a separate file.

    I am not quite sure what to do or check now ;-)
    From the fact that it works sometimes it should be ok mostly, right?
    What I did today: added the two DC-IPs as NTP-servers to pfsense ... to make sure there is no time drift.
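
An added example, not posted by anyone in this thread, covering both JeGr's advice to check what is inside the PEMs and the "what to check now" question: it counts the certificates in ca.pem and cert.pem to see which of the two chain layouts is in use, verifies cert.pem against ca.pem with openssl, and reproduces pfSense's STARTTLS handshake against the DC's FQDN. TLS_DIR, DC_HOST and the hostname dc1.arbeitsgruppe.mydomain.at are assumed placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: inspect the Samba DC's TLS files and
# reproduce the STARTTLS handshake that pfSense performs against the DC.
# Assumed placeholders: TLS_DIR = /var/lib/samba/private/tls on the DC,
# DC_HOST = the DC FQDN entered in the pfSense auth server (not its IP).

# Number of certificates in one PEM bundle (pure POSIX, no openssl needed).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || :
}

# Which of the two layouts from the thread is in use: intermediates bundled
# into ca.pem, the whole chain inside cert.pem, or a single CA plus host cert.
bundle_layout() {
    ca=$(pem_cert_count "$1"); host=$(pem_cert_count "$2")
    if [ "$host" -gt 1 ]; then echo "chain-in-cert.pem"
    elif [ "$ca" -gt 1 ]; then echo "chain-in-ca.pem"
    else echo "single-ca"; fi
}

# Subject and issuer of every certificate in a bundle, in file order.
pem_describe() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Does cert.pem verify against ca.pem alone? If not, importing only ca.pem
# into pfSense can never make the TLS handshake succeed.
chain_ok() {
    openssl verify -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null 2>&1
}

# pfSense's side of the handshake: STARTTLS on 389, trust only ca.pem, and
# require the cert to match the FQDN (-starttls ldap needs OpenSSL 1.1.1+).
starttls_ok() {
    openssl s_client -starttls ldap -connect "$2:389" -CAfile "$1/ca.pem" \
        -verify_hostname "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Runs the checks only when pointed at real files (see usage note).
if [ -n "${TLS_DIR:-}" ]; then
    echo "layout: $(bundle_layout "$TLS_DIR/ca.pem" "$TLS_DIR/cert.pem")"
    pem_describe "$TLS_DIR/ca.pem"
    chain_ok "$TLS_DIR" && echo "chain: cert.pem verifies against ca.pem" \
        || echo "chain: BROKEN, cert.pem does not verify against ca.pem"
    if [ -n "${DC_HOST:-}" ]; then
        starttls_ok "$TLS_DIR" "$DC_HOST" && echo "starttls: OK for $DC_HOST" \
            || echo "starttls: FAILED for $DC_HOST (CA, hostname or handshake)"
    fi
fi
```

Run it on the DC as `TLS_DIR=/var/lib/samba/private/tls DC_HOST=dc1.arbeitsgruppe.mydomain.at sh check_dc_tls.sh`; a "chain: BROKEN" or "starttls: FAILED" line points at the CA or hostname on the Samba side rather than at pfSense.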

