Hi everyone,

Thanks for the replies.

First of all, I've checked the date and it's fine. I'm using an NTP server, and both PF and the Windows server are using the same time server.

Then I used NOVASYSPF and NOVASYSPF.COOP as workgroup and domain name. After a try, I still got the same error.

Then I checked if the winbind service was running; it wasn't. So I started it with "service winbind start". Then I got this message:

Failed to join domain: failed to lookup DC info for domain 'NOVASYSPF.COOP' over rpc: The attempted logon is invalid. This is either due to a bad username or authentication information.

I've tried many syntaxes like:
Administrateur (French version of Win Server)
NOVASYSPF.COOP\Administrateur
Administrateur@NOVASYSPF.COOP

Then I went to the guide part 13.1.1. "Troubleshooting" and checked the log file "/chroots/DomaineAD/var/log/sambaDomaineAD/log.winbindd": it's full of messages like:

initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join ?
unable to initialize domain list

and it's looping like that for every attempt.

I tried to validate the domain bind with "chroot /chroots/DomaineAD wbinfo -u":

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

With "service winbind status" it shows it's active and running!

The last test was the authentication process with "chroot /chroots/DomaineAD ntlm_auth --username=administrator":

could not obtain winbind separator!
Reading winbind reply failed! (0x01)

On the web interface, is the "attempted logon is invalid" error due to the winbind reply failure?

Best regards
Adrian

----- Original Message -----
From: "packetfence-users" <packetfence-users@lists.sourceforge.net>
To: "packetfence-users" <packetfence-users@lists.sourceforge.net>
Cc: "Durand fabrice" <fdur...@inverse.ca>
Sent: Saturday 2 February 2019 04:04:12
Subject: Re: [PacketFence-users] Can't link PacketFence with AD Server.
Hello Adrian,

First set the workgroup and the domain name in capital letters: NOVASYSPF and NOVASYSPF.COOP.

Also check that your PacketFence server and the AD don't have more than 5 minutes difference.

Try to do that and see if you have a ping reply:

ip netns exec DomaineAD ping 192.168.1.203

Regards
Fabrice

On 19-02-01 at 15:31, Christian McDonald via PacketFence-users wrote:

Have you tried the full distinguished name of the bind user?

On Fri, Feb 1, 2019 at 2:56 PM Adrian Dessaigne via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Anyone? I have tried on many different machines and distributions, with different Windows Server versions, and I still have this problem. Anyone?

----- Original Message -----
From: "packetfence-users" <packetfence-users@lists.sourceforge.net>
To: "packetfence-users" <packetfence-users@lists.sourceforge.net>
Cc: "ADE" <adrian.dessai...@novasys.coop>
Sent: Friday 28 December 2018 12:51:08
Subject: [PacketFence-users] Can't link PacketFence with AD Server.

Hello everyone,

I'm a student in IT and I have a study contract. I'm working on a sketch with PacketFence to set up 802.1X.

I'm using an ESXi 6.7 with two VMs:
- CentOS 7 with the last version of PacketFence.
- Windows Server 2012 with AD.

I use the network 192.168.1.0/24
PacketFence IP: 192.168.1.202
Windows AD IP: 192.168.1.203
Domain: novasyspf.coop

I have followed all the instructions in the Installation Guide:
- Unique virtual network card
- Disabled firewall
- Disabled SELinux
- yum update.
- Explicitly instruct NetworkManager to never interact with my DNS configuration: dns=none in 99-no-dns.conf file

Then adding the PF repository and installing it.
During the configurator, I chose the following options:
- Step 1: Radius Only
- Step 2: Network, interface set as Management with the IP 192.168.1.202 and Gateway 192.168.1.1
- Step 4: Domain "novasyspf.coop" | Hostname "radiuspf" | DHCP Server "192.168.1.203"
- Step 6: No Fingerbank

Launching PF went well. Once on the admin page, I go to Configuration->Policies and Access Control->Domains->Active Directory Domains. Here are the parameters I chose for adding a new domain:

ID: DomaineAD
Workgroup: novasyspf
DNS name of the domain: novasyspf.coop
This server name: radiuspf
AD Server: 192.168.1.203
DNS Server: 192.168.1.203
Username: administra...@novasys.coop (I tried with just "Administrator")
Password: secret

Then I click on save and join. After a few moments I get this error: "Error! An error occurred while connecting with the server. Please try again later"

By following the troubleshooting guide, I have this in /chroots/DomaineAD/var/log/sambaDomaineAD/log.winbindd:

[2018/12/28 11:14:38.799687, 0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2018/12/28 11:14:38.804681, 0] ../source3/winbindd/winbindd_util.c:1264(init_domain_list)
  Could not fetch our SID - did we join?
[2018/12/28 11:14:38.804724, 0] ../source3/winbindd/winbindd.c:1360(winbindd_register_handlers)
  unable to initialize domain list

The command "chroot /chroots/DomaineAD/ wbinfo -u" returns me this:

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

The command "chroot /chroots/DomaineAD/ ntlm_auth --username=Administrateur" returns me this:

could not obtain winbind separator!
Reading winbind reply failed!
(0x01) : (0x0)

Samba and Winbind services are both Active and running.

By doing "net ads lookup -S 192.168.1.203" I get all the AD information:

Information for Domain Controller: 192.168.1.203
Response Type: LOGON_SAM_LOGON_RESPONSE_EX
GUID: fc62aa13-7384-4707-99b9-ba7d1008113e
Flags:
  Is a PDC: yes
  Is a GC of the forest: yes
  Is an LDAP server: yes
  Supports DS: yes
  Is running a KDC: yes
  Is running time services: yes
  Is the closest DC: yes
  Is writable: yes
  Has a hardware clock: yes
  Is a non-domain NC serviced by LDAP server: no
  Is NT6 DC that has some secrets: no
  Is NT6 DC that has all secrets: yes
  Runs Active Directory Web Services: yes
  Runs on Windows 2012 or later: yes
Forest: novasyspf.coop
Domain: novasyspf.coop
Domain Controller: WIN-AD.novasyspf.coop
Pre-Win2k Domain: NOVASYSPF
Pre-Win2k Hostname: WIN-AD
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff

Same with "net ads info -s /etc/samba/DomaineAD.conf":

LDAP server: 192.168.1.203
LDAP server name: WIN-AD.novasyspf.coop
Realm: NOVASYSPF.COOP
Bind Path: dc=NOVASYSPF,dc=COOP
LDAP port: 389
Server time: ven ., 28 déc. 2018 11:59:55 CET
KDC server: 192.168.1.203
Server time offset: -22
Last machine account password change: jeu ., 01 janv. 1970 01:00:00 CET

The /etc/hosts file has this:

127.0.0.1 localhost localhost.localdomain
127.0.0.1 radiuspf radiuspf.novasyspf.coop
192.168.1.203 WIN-AD WIN-AD.novasyspf.coop
192.168.1.202 radiuspf radiuspf.novasyspf.coop

The /etc/resolv.conf file has this:

nameserver 192.168.1.203
nameserver 192.168.1.1
search radiuspf

I'm stuck and I don't know how I can resolve this problem.
Best regards
Adrian

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
R. Christian McDonald
M: (616) 856-9291
E: rcmcdonal...@gmail.com
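The "net ads info" output quoted in the thread carries two of the signals the replies care about: the server time offset (Fabrice's 5-minute check) and a "Last machine account password change" at the Unix epoch, which means no join was ever recorded in Samba's secrets. The POSIX shell check below is an added example, not part of the thread or of PacketFence; the MAX_SKEW limit, the helper names and the sample text are my assumptions, modelled on the output Adrian posted.

```shell
#!/bin/sh
# Added example, not from the thread or PacketFence: parse the output of
# "net ads info -s /etc/samba/DomaineAD.conf" (passed as one string) and flag
# the conditions the replies above point at. Returns the number of findings.
MAX_SKEW=300   # assumed limit: Kerberos tolerates about five minutes of skew

field() {   # field NAME TEXT -> value of the first "NAME: value" line
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

check_ads_info() {
    _out=$1
    _n=0
    # 1. Clock skew between PacketFence and the DC, in seconds (may be negative)
    _offset=$(field 'Server time offset' "$_out")
    case "${_offset#-}" in
        ''|*[!0-9]*)
            echo "FINDING: no usable 'Server time offset' line (DC unreachable?)"
            _n=$((_n + 1)) ;;
        *)
            if [ "${_offset#-}" -gt "$MAX_SKEW" ]; then
                echo "FINDING: clock skew ${_offset}s exceeds ${MAX_SKEW}s; fix NTP first"
                _n=$((_n + 1))
            fi ;;
    esac

    # 2. A machine-account password date at the Unix epoch means no join was ever recorded
    case "$(field 'Last machine account password change' "$_out")" in
        *1970*)
            echo "FINDING: machine account password never set; the join did not complete"
            _n=$((_n + 1)) ;;
    esac

    # 3. Realm should be all upper case, as Fabrice advised for workgroup and domain
    _realm=$(field 'Realm' "$_out")
    if [ "$_realm" != "$(printf '%s' "$_realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "FINDING: realm '$_realm' is not upper case"
        _n=$((_n + 1))
    fi
    return "$_n"
}

# Constructed sample, modelled on the output quoted in the thread
SAMPLE='Realm: NOVASYSPF.COOP
Bind Path: dc=NOVASYSPF,dc=COOP
Server time offset: -22
Last machine account password change: jeu ., 01 janv. 1970 01:00:00 CET'
if check_ads_info "$SAMPLE"; then echo "no findings"; else echo "findings: $?"; fi
```

On the quoted output the only finding is the epoch password date, which matches winbind's "Could not fetch our SID - did we join?" in the log.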