Author Topic: Join AD EFW 2.3  (Read 183484 times)
cagnaluia
« Reply #45 on: Thursday 13 May 2010, 04:32:12 pm »

OK, I found the problem!

In /etc/samba/winbind.conf.tmpl there is a line:

workgroup = ${AUTH_REALM.split(".")[0].upper()}

Well... the "split" command cuts my workgroup in the wrong way... I have to use "ICP.IT" from the realm "icp.it.local", and this line makes the workgroup "ICP" only.

So... I modified this line to: workgroup = ICP.IT
keeping everything else unchanged.

The JOIN AD works fine, and I get all the groups and users from my AD, finally!!!

cagnaluia
« Reply #46 on: Thursday 13 May 2010, 05:36:16 pm »

Well... for blocking pages, is there a file with all the URLs? Or is there only a phrase check?
cagnaluia
« Reply #47 on: Wednesday 19 May 2010, 05:07:40 pm »

Hm.... I don't understand if there is a URL database to block the pages.

OR

is there only a bad-words counter?


Example:

I need to block pornography and pages, but if I enable these features in the policy, the web newspapers will ALSO be blocked.
It's strange.
SandStorm
« Reply #48 on: Thursday 27 May 2010, 09:03:15 pm »

Has joining a domain and AD been improved for 2.4?
Di4bLo
« Reply #49 on: Friday 28 May 2010, 11:09:32 pm »

Solved (for me).
You have to choose "LDAP" as authentication mode if your domain doesn't have compatibility with old MS machines. This option is available only at the first installation of w2k3 (I guess).
If your domain has compatibility with the old system (NTLM), then you have to choose "Windows Active Directory" as authentication method.

I guess there are other people like me who are trying to join an AD domain with NTLM. Try with LDAP and everything works well.

This is my configuration:

Authentication Realm:  .yyy.zzz
LDAP Server: 192.168.0.1
Port LDAP server: 389
LDAP type: Active Directory Server
Bind DN settings: DC=,DC=yyy,DC=zzz
Bind DN username: cn:Administrator,DC=,DC=yyy,DC=zzz
Bind DN password: ******** (Administrator's password)
user objectClass: person
group objectClass: group

Save and go to "Access policy" and create a new policy with authentication. You should see users and groups.
SandStorm
« Reply #50 on: Friday 28 May 2010, 11:22:55 pm »

So a Server 2008 Domain Controller is easily used?
Di4bLo
« Reply #51 on: Friday 04 June 2010, 07:13:24 pm »

Quote: So a Server 2008 Domain Controller is easily used?

I haven't tried it yet, but I think with LDAP it should work.
techie
« Reply #52 on: Thursday 10 June 2010, 04:19:38 pm »

I have Endian 2.4 with authentication against a Windows 2008 domain running without problems so far.

Choose Authentication Method: Windows Active Directory (NTLM)
Authentication Realm: opentraining.local
Number of Authentication Children: 20
Number of different IP's per user: 2
Authentication cache: 60
User / IP cache: 0
Domainname of AD server: OPENTRAINING
PDC Hostname of AD server: dc1
PDC IP address of AD server: 192.168.1.10
BDC Hostname of AD server: dc2
BDC IP address of AD server: 192.168.1.11


One thing that puzzled me in the beginning was that the proxy didn't want to authenticate when it was running in transparent mode, but after changing to non-transparent it all worked like a charm.
Thushara
« Reply #53 on: Thursday 14 October 2010, 06:15:58 pm »

Hey guys,

I know that this topic is outdated, but I recently checked the AD authentication in Endian firewall and I also ended up with the same problems you guys got. After a few days' work I managed to make this work. This is how I did it.

Note that in this case I have used E-box as my AD. It also works for Windows AD.

1. Install Endian Firewall.
2. Configure the proxy authentication with NTLM settings and save.
3. Now log in to the Endian firewall via SSH and find the file /etc/samba/winbind.conf
4. Open this file and set the "workgroup" the same as the "realm"

       password server = DC.domain.local
       realm = domain.local

       workgroup = domain.local

5. Save the file and stop the winbind service.
    /etc/init.d/winbind stop

6. Now try to join the AD with the following command. Replace the "<username>" part with your domain admin user name.
    net ads join -U<username> -s /etc/samba/winbind.conf

7. In my case this failed with the following error.
    "Failed to join domain: Invalid configuration and configuration modification was not requested"

8. If this fails, try the following command. The difference is that I have changed the "ads" command type to the "rpc" command type.
    net rpc join -U<username> -s /etc/samba/winbind.conf

9. Now you should get a message like the following. This means that you have successfully connected to the domain.
    Joined domain domain.local.

10. Now restart the winbind service and check the secret and the users with the following commands.
     wbinfo -t
     wbinfo -u
     wbinfo -g

11. If you get the user and group lists from AD, it's working now.

12. Go to the "Access Policy" area and click "Add access policy". Select "User based" from the Authentication drop-down menu.
      Now you should see the user list.

13. Enjoy........
aneeshjoseph
« Reply #54 on: Saturday 06 October 2012, 07:12:33 pm »

Hi,

This worked. After a reboot it is not connected to the AD automatically. I need to add it to the AD again. Any idea?

I checked the configuration file and the hosts entry. These are not changed; also, I can ping the DC, hence it's not a DNS issue. Any idea?

Thanks
Thushara
« Reply #55 on: Monday 08 October 2012, 02:36:57 pm »

Hi.....

When you join your EFW to AD via the net join command, it should create a Computer object in the AD, which the firewall will use to query users next time.

Check whether this computer object is created in the AD. If it is not created, give the user you are using to join the AD the administrator privilege and retry.

net rpc join -U admin -s /etc/samba/winbind.conf

The second thing you can do to debug this is, after rebooting, log in to the EFW via SSH and check whether the firewall-to-AD connection is OK.
You can check this with:

wbinfo -t

Also try restarting the winbind service without joining the FW to AD again or doing anything else.

dda
« Reply #56 on: Tuesday 09 October 2012, 02:45:31 am »

You need to edit winbind.conf.tmpl or you will lose the settings on reboot. The winbind.conf file is created at boot from the winbind.conf.tmpl file.
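The template derivation cagnaluia quotes in Reply #45, the manual workgroup/realm edit in Thushara's Reply #53 and dda's point that winbind.conf is regenerated from the .tmpl at boot all come down to one check on the rendered file. The following is an added example in Python, not Endian's own code: it reproduces the template's workgroup derivation, renders the [global] fragment the thread quotes, parses it back and flags a workgroup that does not match the AD domain name or a key that is missing. The password server value, the sample realm and the checking function are assumptions for illustration.

```python
import re

# Mirrors the template line quoted above: workgroup = ${AUTH_REALM.split(".")[0].upper()}
def default_workgroup(realm):
    """First DNS label of the realm, upper-cased. For 'icp.it.local' this yields 'ICP'."""
    return realm.split(".")[0].upper()


def render_winbind_conf(realm, password_server, workgroup=None):
    """Render the [global] fragment shown in the thread.

    If no workgroup is given, use the template derivation, which is what the
    regenerated file will contain after a reboot (the .tmpl wins over a hand edit).
    """
    wg = workgroup if workgroup is not None else default_workgroup(realm)
    return "\n".join([
        "[global]",
        "   password server = " + password_server,
        "   realm = " + realm,
        "   workgroup = " + wg,
    ])


_KV = re.compile(r"^\s*([a-z ]+?)\s*=\s*(.*?)\s*$")

def parse_winbind_conf(text):
    """Parse 'key = value' lines into a dict; sections and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("[", "#", ";")):
            continue
        m = _KV.match(line)
        if m:
            conf[m.group(1).strip()] = m.group(2)
    return conf


def check_join_prereqs(conf, expected_workgroup):
    """Findings to clear before 'net ads/rpc join' and to re-check after a reboot.

    expected_workgroup is the NetBIOS domain name the AD actually uses
    (the value the admin confirmed, e.g. 'ICP.IT' in Reply #45).
    """
    findings = []
    for key in ("realm", "workgroup", "password server"):
        if not conf.get(key):
            findings.append("missing '%s'" % key)
    wg = conf.get("workgroup")
    if wg and wg.upper() != expected_workgroup.upper():
        findings.append("workgroup '%s' != AD domain name '%s'" % (wg, expected_workgroup))
    return findings
```

Run the check against the file produced by the template and again after correcting the .tmpl; an empty findings list is the state that survives a reboot.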
vaeryl
« Reply #57 on: Friday 23 November 2012, 12:27:11 am »

Here it connects fine, but I have another problem:

It shows all the users and groups OK, but doesn't refresh them!

I can create or delete users and groups in AD, but it never reflects on Endian automatically; the list is only refreshed when I use the /etc/init.d/winbind restart command.


Is there some configuration I can use so that Endian refreshes the groups/users/passwords from AD from time to time?

jamerson
« Reply #58 on: Tuesday 14 May 2013, 08:06:07 am »

I am facing the same problem,
I can't get it added to the domain.

Failed to join domain: failed to find DC for domain ICT.LAN