WindowsNTLM, AD and EWF2.4

[Guest]

[uros]

Hello,

I had some problems to join EFW2.4 to AD, after long night I find the solution:

my configuration:
domain FQDN: domain-fullname.com
short domain name (workgroup): domain
AD server: sbs2003
IP of AD: 192.168.1.100
IP of EFW: 192.168.1.15

EFW: Endian Firewall Community release 2.4.0
Server: SBS2003 with AD

1. install EWF
2. make sure, that the time is the same on EWF and AD: SERVICES->TIMESERVER: overvride default NTP services, put AD server name (sbs2003)
3. NETWORK->EDIT HOST->ADD HOST: ip:192.168.1.100; hostname: sbs2003; domain name: domain-fullname.com;
4. after that, goto PROXY-> enable it and try to join to AD... probably will fall 
5. go to SSH :nano /var/efw/proxy/settings and modify as is bellow:

AUTH_METHOD=ntlm
AUTH_REALM=domain-fullname.com
FORWARD_USERNAME=
GREEN_ENABLED=transparent
HAVP_ENABLED=on
LOGUSERAGENT=
NTLM_DOMAIN=domain

NTLM_PDC=sbs2003
OFFLINE_MODE=off
PDC_ADDRESS=192.168.1.100
PROXY_ENABLED=on

6. nano /etc/samba/winbind.conf

[global]
security = ADS
password server = sbs2003.domain
realm = domain-fullname.com

# handle logging
syslog only = Yes
log level = 0 winbind:2
syslog = 1
max log size = 1000

local master = no
hosts allow = 192.168.1.15/24
interfaces = br0
bind interfaces only = yes
preferred master = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

workgroup = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
winbind separator = +
unix charset = UTF8

ntlm auth = Yes
min protocol = NT1
client NTLMv2 auth = Yes
lm announce = No

7. /etc/init.d/winbind start
8. net ads join –U<ADadminusername> -s /etc/samba/winbind.conf
Enter the password and it should be OK…

Hope, that this manuals help someone ; please for feedback

[pwizard]

please update bug by #efw-upgrade

[oakleeman]

I'm trying to use 2.4 with an SME Server 7 domain controller. This config was working with EFW 2.1.2 but after we upgraded to 2.4 we can't join the domain.

Server root: dc=bps,dc=local
Windows workgroup: BPS
Server Name: dctl1
Server IP: 192.168.100.15
EFW IP: 192.168.100.254


root@efw:~ # cat /var/efw/proxy/settings
AUTH_METHOD=ntlm
AUTH_REALM=BPS
BLUE_ENABLED=transparent
BYPASS_SOURCE=
CACHE_SIZE=10000
DANSGUARDIAN_ENABLED=on
DANSGUARDIAN_LOGGING=on
DST_NOCACHE=
FORWARD_USERNAME=
HAVP_ENABLED=on
LOGGING=on
LOGUSERAGENT=
NTLM_DOMAIN=BPS.LOCAL
NTLM_PDC=DCTL1
OFFLINE_MODE=off
PDC_ADDRESS=192.168.100.15
PROXY_ENABLED=on


root@efw:~ # cat /etc/samba/winbind.conf
[global]
security = ADS
password server = DCTL1.BPS.LOCAL
realm = BPS

# handle logging
syslog only = Yes
log level = 0 winbind:2
syslog = 1
max log size = 1000

local master = no
hosts allow = 192.168.100.254/24
interfaces = br0 br2
bind interfaces only = yes
preferred master = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

workgroup = BPS
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
winbind separator = +
unix charset = UTF8

ntlm auth = Yes
min protocol = NT1
client NTLMv2 auth = Yes
lm announce = No


root@efw:~ # net ads join -Uadmin -s /etc/samba/winbind.conf
Enter admin's password:
Failed to join domain: Invalid configuration and configuration modification was not requested


root@efw:~ # cat /var/efw/proxy/settings
AUTH_METHOD=ntlm
AUTH_REALM=BPS.LOCAL
BLUE_ENABLED=transparent
BYPASS_SOURCE=
CACHE_SIZE=10000
DANSGUARDIAN_ENABLED=on
DANSGUARDIAN_LOGGING=on
DST_NOCACHE=
FORWARD_USERNAME=
HAVP_ENABLED=on
LOGGING=on
LOGUSERAGENT=
NTLM_DOMAIN=BPS
NTLM_PDC=DCTL1
OFFLINE_MODE=off
PDC_ADDRESS=192.168.100.15
PROXY_ENABLED=on


root@efw:~ # cat /etc/samba/winbind.conf
[global]
security = ADS
password server = DCTL1.BPS
realm = BPS.LOCAL

# handle logging
syslog only = Yes
log level = 0 winbind:2
syslog = 1
max log size = 1000

local master = no
hosts allow = 192.168.100.254/24
interfaces = br0 br2
bind interfaces only = yes
preferred master = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

workgroup = BPS
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
winbind separator = +
unix charset = UTF8

ntlm auth = Yes
min protocol = NT1
client NTLMv2 auth = Yes
lm announce = No


root@efw:~ # net ads join -Uadmin -s /etc/samba/winbind.conf
Enter admin's password:
Failed to join domain: failed to find DC for domain BPS.LOCAL


root@efw:~ # /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]
root@efw:~ # /etc/init.d/winbind status
winbindd dead but subsys locked


root@efw:~ # efw-upgrade
Loading cache...
Updating cache...                  ############################################# [100%]

Fetching information for 'efw-community'...                                           
-> <myemailaddress>:*@forum_complaining_about_clickable_link   
repomd.xml                         ############################################# [ 50%]

Updating cache...                  ############################################# [100%]

Channels have no new packages.
Loading cache...
Updating cache...                  ############################################# [100%]

Computing transaction...
No interesting upgrades available.
/etc/upgrade/upgrade.d/migration:
---
Found: 0
OK: 0


root@efw:/var/log/samba # tail samba.log
Aug  6 00:04:56 efw winbindd[15638]: [2010/08/06 00:04:56,  0] winbindd/winbindd_util.c:init_domain_list(740)
Aug  6 00:04:56 efw winbindd[15638]:   Could not fetch our SID - did we join?
Aug  6 00:04:56 efw winbindd[15638]: [2010/08/06 00:04:56,  0] winbindd/winbindd.c:main(1286)
Aug  6 00:04:56 efw winbindd[15638]:   unable to initialize domain list
Aug  6 00:05:28 efw winbindd[16107]: [2010/08/06 00:05:28,  0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2379)
Aug  6 00:05:28 efw winbindd[16107]:   initialize_winbindd_cache: clearing cache and re-creating with version number 1
Aug  6 00:05:28 efw winbindd[16107]: [2010/08/06 00:05:28,  0] winbindd/winbindd_util.c:init_domain_list(740)
Aug  6 00:05:28 efw winbindd[16107]:   Could not fetch our SID - did we join?
Aug  6 00:05:28 efw winbindd[16107]: [2010/08/06 00:05:28,  0] winbindd/winbindd.c:main(1286)
Aug  6 00:05:28 efw winbindd[16107]:   unable to initialize domain list



root@efw:/var/log/samba # tail log.winbindd
[2010/08/06 00:03:19,  0] winbindd/winbindd.c:main(1138)  winbindd version 3.2.14-2.endian8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/08/06 00:03:52,  0] winbindd/winbindd.c:main(1138)  winbindd version 3.2.14-2.endian8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/08/06 00:04:24,  0] winbindd/winbindd.c:main(1138)  winbindd version 3.2.14-2.endian8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/08/06 00:04:56,  0] winbindd/winbindd.c:main(1138)  winbindd version 3.2.14-2.endian8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/08/06 00:05:28,  0] winbindd/winbindd.c:main(1138)  winbindd version 3.2.14-2.endian8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009

[uros]

Did you made step 3?

3. NETWORK->EDIT HOST->ADD HOST: ip:192.168.1.100; hostname: sbs2003; domain name: domain-fullname.com;

[oakleeman]

Yeah, I added the domain controller to the network hosts. I'm able to ping the DCTL so the EFW knows the IP for it at least.

I even tried adding BPS.LOCAL to the /etc/hosts file too just for kicks and that didn't work either.

[jamerson]

i am on 2.5 and still fighting to get it connected to the domain,
can someone please advise?