Join AD EFW 2.3

[Guest]

[cagnaluia]

ok, I found the problem!


in the /etc/samba/winbind.conf.tmpl there is a line:

workgroup = ${AUTH_REALM.split(".")[0].upper()}

well... the command "split"/cut my workgroup in a wrong way... I have to use "ICP.IT" from the realm "icp.it.local", and this line make the workgroup like "ICP" only.

So... I modified this line with: workgroup = ICP.IT
keeping everything else unchanged.

The JOIN AD works fine, and I get all the groups and users from my AD, finally!!!  

[cagnaluia]

well... for  blocking pages, is there a file with all  URL? Or there is only a phrase check?

[cagnaluia]

hm.... I dont undestand if there is a URLs Database to block the pages.

OR

is there only a bad-words counter?


example:

I need to block pornografy and  pages, but if I enable this features in the policy ALSO the web-newspapers will be blocked.
It's strange.

[SandStorm]

Is joining a domain and AD been improved for 2.4?

[Di4bLo]

Solved (for me).
You have to choose "LDAP" as authentication mode if you your domain hasn't the compatibility to old MS machines. This option is avaible only at the first installation of w2k3 (I guess).
If your domain has the compatibility with the old system (NTLM) then you have to choose "Windows Active Directory" as authentication method.

I guess there are other people like me who are trying to join an AD domain with NTLM. Try with LDAP and everything works well.

This is my configuration:

Authentication Realm:  .yyy.zzz
LDAP Server: 192.168.0.1
Port LDAP server: 389
LDAP type: Active Directory Server
Bind DN settings: DC=,DC=yyy,DC=zzz
Bind DN username: cn:Administrator,DC=,DC=yyy,DC=zzz
Bind DN password: ******** (Administrator's password)
user objectClass: person
group objectClass: group

Save and go to "Access policy" and create e new policy with authentication. You should see users and groups.

[SandStorm]

So a Server 2008 Domain Controller is easily used?

[Di4bLo]

So a Server 2008 Domain Controller is easily used?

I haven't tried it yet, but I think with LDAP should works.

[techie]

I have Endian 2.4 with authentication against a Windows 2008 domain running without problems so far.

Choose Authentication Method: Windows Active Directory (NTLM)
Authentication Realm: opentraining.local
Number of Authentication Children: 20
Number of different IP's per user: 2
Authentication cache: 60
User / IP cache: 0
Domainname of AD server: OPENTRAINING
PDC Hostname of AD server: dc1
PDC IP address of AD server: 192.168.1.10
BDC Hostname of AD server: dc2
BDC IP address of AD server: 192.168.1.11


One thing that puzzled me in the beginning was that the proxy didnt want to authenticate when it was running in transparant mode. but after changing to non-transparant it all worked like a charm.

[Thushara]

Hey Guys..........,

I know that this topic is outdated, but I recently checked the AD authentication in Endian firewall and I also end up with same problems you guys got. After few days work I managed to make this work. This is how I did it.

Note that in this case I have used E-box as my AD. It also work for windows AD.

1. Install Endian Firewall.
2. Configure the proxy authentication with NTLM settings and save.
3. Now login to the endian firewall via SSH and find the file /etc/samba/winbind.conf
4. Open this file and set the "workgroup" as same as "realm"

       password server = DC.domain.local
       realm = domain.local

       workgroup = domain.local

5. Save the file and stop the winbind service.
    /etc/init.d/winbind stop

6. Now try to join to AD with following command. Replace the "<username>" area with your domain admin user name.
    net ads join -U<username> -s /etc/samba/winbind.conf

7. In my case this was failed with following error.
    "Failed to join domain: Invalid configuration and configuration modification was not requested"

8. If this failed, try following command. The different is that I have changed the "ads" command type to "rpc" command type.
    net rpc join -U<username> -s /etc/samba/winbind.conf

9. Now you should get a message like follow. This mean that you have successfully connected to the domain.
    Joined domain domain.local.

10. Now restart the winbind service and check the secret and users by following commands.
     wbinfo -t
     wbinfo -u
     wbinfo -g

11. If you get the users and groups list in AD, now its working.

12. Go to "Access Policy" area and add "Add access policy". Select "User based" from Authentication drop down menu.
      Now you should see the user list.

13. Enjoy........

[aneeshjoseph]

Hi,

This worked.  After reboot it is not connected to the AD automatically.  I need to add it again to the AD. Any idea ?

I checked the configuration file and the hosts entry. These are not changed , also I can ping to DC  hence not a DNS issue. Any Idea ?

Thanks

[Thushara]

Hi.....

When you join your EFW to AD via net join command, it should create a Computer object in the AD which the firewall will use to query users next time.

Check whether this computer object is created in the AD. If this is not created, give the user you are using to join to AD the administrator privilege and re-try.

net rpc join -U admin -s /etc/samba/winbind.conf

The second thing you can do to debug this is after rebooting, login to the EFW via ssh and check whether the firewall and AD connection is ok.
You can check this by,

wbinfo -t

Also try restarting winbind service with out joining FW to AD again or doing anything.

[dda]

You need to edit the winbind.conf.tmpl or you will lose settings on reboot.  The winbind file is created at boot from the winbind.conf.tmpl file.

[vaeryl]

Here it connects fine, but I have another problem:

It shows all the users and groups OK, but dont refresh it!

I can create or delete users and groups on AD, but it never reflects on Endian automatically, only refreshing the list when I use the /etc/init.d/winbind restart command.


There are some configuration I can use so the Endian refreshes the Groups/Users/Passwords on AD from time to time?

[jamerson]

i am facing the same problem,
can't get it added to the domain

Failed to join domain: failed to find DC for domain ICT.LAN