EFW Support

Support => EFW SMTP, HTTP, SIP, FTP Proxy Support => Topic started by: ges35 on Wednesday 28 October 2009, 04:56:29 pm



Title: Join AD EFW 2.3
Post by: ges35 on Wednesday 28 October 2009, 04:56:29 pm
Has anybody joined EFW 2.3 to AD?

EFW 2.2 joined the domain fine, but when I make the same settings on version 2.3 it refuses to join and writes "Failed to join domain".

Tell me how to get past this?


Title: Re: Join AD EFW 2.3
Post by: imrandanish1 on Thursday 29 October 2009, 06:37:42 pm
Has anybody joined EFW 2.3 to AD?

EFW 2.2 joined the domain fine, but when I make the same settings on version 2.3 it refuses to join and writes "Failed to join domain".

Tell me how to get past this?

Hi,

I am also trying to join AD but it is not joining; the message displayed is "Failed to join domain: failed to find DC for domain ENDIAN PROXY SERVER",
although I have given it all the info like

Host Name
DNS
Please tell me what to do.


Title: Re: Join AD EFW 2.3
Post by: ges35 on Friday 30 October 2009, 02:02:40 am
The problem is that the web interface does not make the changes to the configuration files, in particular /etc/samba/smb.conf.
If you configure it through PuTTY, EFW joins AD without problems, but Endian still does not see the domain groups and users.

If anyone knows what to do, please advise; meanwhile I will keep reading the forum rather than posting.


Title: Re: Join AD EFW 2.3
Post by: npeterson on Saturday 31 October 2009, 08:38:54 am
ges35 is right.

Here is how you can get it to work
Set up Endian as if you're going to join it to your domain. Hit save on the configuration page, then join the domain. This will fail, but it should generate the winbind.conf file.

SSH to your server (PuTTY)
Go to the /etc/samba directory (cd /etc/samba)
Edit the winbind.conf file and change the following line:

Workgroup = <domain short Name>

to

Workgroup = <Domain Full name, (the same as your realm)>

Save File
now run the following to join the domain:

net ads join -U<username> -s /etc/samba/winbind.conf

You should get back something like: Joined '<computer name>' to realm '<full domain name>'

If you have multiple DCs, wait up to 15 min for replication.

You can test the connection by running wbinfo -t

Should be joined.

So this raises the question: why did Endian not do an RC2 on 2.3? Authentication was an issue in RC1. I like it, but it needed more testing before a final was stamped on this...

BTW you can track this bug here: http://bugs.endian.it/view.php?id=2333

Updated, no need to create smb.conf file.


Title: Re: Join AD EFW 2.3
Post by: entourage on Thursday 05 November 2009, 08:55:35 am
I'm having the same issue with 2.3, but when following your directions my winbind.conf isn't being generated. Any ideas?

I have the template, but not the newly generated one. I've filled out the Authentication portion and tried to join, but still get 'Failed to Join Domain'.


Title: Re: Join AD EFW 2.3
Post by: nmatese on Saturday 07 November 2009, 08:26:23 am
I am also having a similar issue. I have my time synced with the domain controller, and it still says failed to join AD every time. No winbind.conf is being generated. Please advise; any help is appreciated.


Title: Re: Join AD EFW 2.3
Post by: entourage on Saturday 07 November 2009, 08:38:04 am
The latest message I'm getting is:

Failed to join domain: Invalid configuration and configuration modification was not requested


Title: Re: Join AD EFW 2.3
Post by: bodo.olschewski on Sunday 08 November 2009, 01:47:31 am
Hello,

the problem can be fixed by editing the /etc/samba/winbind.conf.tmpl file.

The line "workgroup = ${AUTH_REALM.split(".")[0].upper()}" has to be changed.

For me it was ok to change it to "workgroup = ${NTLM_DOMAIN.upper()}" .


Title: Re: Join AD EFW 2.3
Post by: entourage on Tuesday 10 November 2009, 12:35:23 am
I just tried that fix; however, my winbind.conf is still not being created. I just reloaded from scratch to make sure none of my existing tries were conflicting, but no success.

Other ideas?

Is there a log file that would at least point to maybe why it failed?


Title: Re: Join AD EFW 2.3
Post by: nmatese on Tuesday 10 November 2009, 03:20:53 am
I am also getting "Failed to join domain: Invalid configuration and configuration modification was not requested" right now after trying both things.


Title: Re: Join AD EFW 2.3
Post by: bodo.olschewski on Tuesday 10 November 2009, 04:02:53 am
Hello again,

I installed a fresh extra EFW 2.3 under VMware to try it (again) for you.

Here are the steps which I did:

1. Install EFW (without loading backup!)
2. Configure network settings
3. enable SSL
4. copy the changed /etc/samba/winbind.conf.tmpl file with winscp  ( http://bugs.endian.it/file_download.php?file_id=301&type=bug )
5. change to proxy-> authentication
6. Switch to Windows Active Directory (NTLM)
7. enter the long domain name in Authentication Realm
8. enter the short domain name in Domainname of AD server
9. enter the server name (without domain) in PDC
10. enter the server address in PDC IP
11. click on Save
12. click on Apply
13. click on Proxy->AD join
14. enter the domain administrator name (without domain) and password
15. click on join ADS
16. ;)
17. Proxy->Access Policy-> edit filter rule
18. switch Authentication to user or group based
19. select ADS-member/group
...


Title: Re: Join AD EFW 2.3
Post by: nmatese on Tuesday 10 November 2009, 04:36:43 am
I'm making some progress, but now I am getting:

"Failed to join domain: failed to find DC for domain"


Title: Re: Join AD EFW 2.3
Post by: entourage on Tuesday 10 November 2009, 06:14:16 am
I'm making some progress, but now I am getting:

"Failed to join domain: failed to find DC for domain"

Mine too. I've done EXACTLY the steps you've posted. Although this time my winbind.conf has been created.


Title: Re: Join AD EFW 2.3
Post by: nmatese on Tuesday 10 November 2009, 06:15:53 am
I got mine to work by changing what bodo.olschewski said, but I set my workgroup manually and didn't have it set from the $variable stuff.


Title: Re: Join AD EFW 2.3
Post by: entourage on Tuesday 10 November 2009, 06:21:27 am
What do your password server, realm and workgroup lines look like in winbind.conf? (I'm just trying to figure out the combination of names that go in there.)

Mine:
password server = DC.domain.local
realm = domain.local

workgroup = domain.local


Title: Re: Join AD EFW 2.3
Post by: npeterson on Tuesday 10 November 2009, 06:23:25 am
I've done this 3-4 times now; here's what I do:

1. install EFW
2. Do the join domain (this will fail, but it saves settings to the server and creates host entries)
3. Go to the console or SSH to the server
4. edit the file /var/efw/proxy/settings, remove the NTLM_BDC line
5. run /usr/local/bin/restartsamba.py (this should generate your winbind.conf)
6. Edit /etc/samba/winbind.conf. Change the following: Workgroup = <domain short name> to Workgroup = <domain full name, (the same as your realm)>
7. Run: net ads join -U<username> -s /etc/samba/winbind.conf (this will join the PC to the domain. It will say Joined or failed)
8. Wait 15 minutes. This will allow the domain controllers to replicate the new computer login (yes, you do have to wait; annoying, but take that up with Microsoft.)
9. Test by running: wbinfo --configfile=/etc/samba/winbind.conf -t (if it succeeded you're golden; you should now be able to see your groups in EFW)


Title: Re: Join AD EFW 2.3
Post by: bodo.olschewski on Tuesday 10 November 2009, 06:27:07 am
this way it works here:

password server = DC.domain.local
realm = domain.local

workgroup = domain


Title: Re: Join AD EFW 2.3
Post by: njtd on Tuesday 10 November 2009, 06:42:59 am
Do I understand correctly?

realm = FQDN
workgroup = NETBIOS

Thanks


Title: Re: Join AD EFW 2.3
Post by: entourage on Tuesday 10 November 2009, 06:44:47 am
Thanks for being patient. This is such a pain, especially when my 2.2 went so smoothly.

I'm still not able to join.

I know I've run into situations before where it was case sensitive...could that be it?

I tried removing my DNS entry just to see what happened and now when I try to join it's back to "Failed to join domain: Invalid configuration and configuration modification was not requested"
(Doesn't matter if I run it from ssh or try to join from the web interface.)

Putting the DNS entry back I get "Failed to join domain: failed to find DC for domain DOMAIN.LOCAL"  This worries me too because I've changed from Uppercase to lower, but it doesn't reflect that.


Title: Re: Join AD EFW 2.3
Post by: npeterson on Tuesday 10 November 2009, 06:54:27 am
entourage, check your /etc/hosts and make sure your DCs have entries in there; if not, create them.
Next go back to the web interface, go to Services->Time Server, check override default time servers, and put the IP addresses of the DCs in there. Save, go back to the page, and hit synchronize now.

Your workgroup should be domain.local, e.g. constco.com, NOT JUST Constco.

Try the net join again from below. If it doesn't work, let me know.


Title: Re: Join AD EFW 2.3
Post by: entourage on Tuesday 10 November 2009, 07:03:06 am
Still fail.

I had previously made sure my time was sync'd, but went ahead and sync'd it with the DC, just for good measure.

Here's a copy of my /etc/hosts:

10.0.0.1   DC.domain.local        DC
127.0.0.1   localhost.localhost localhost
10.0.0.14   EFW23.domain.local EFW23
10.0.0.1   dc.domain.local        dc
10.0.0.14   wpad.domain.local  wpad

I'm still concerned because when I run the restartsamba.py it replaces my domain.local with DOMAIN.LOCAL and I can't for the life of me locate where that's coming from.  It's not in smb.conf, it's not in /proxy/settings, I'm just not sure.


Title: Re: Join AD EFW 2.3
Post by: npeterson on Tuesday 10 November 2009, 07:13:15 am
First, we are not using the smb.conf file. If you have it, remove it. (winbind.conf is the same format, but Endian decided to call the configuration something other than the default.)

Whats the output of this command:

net ads join -U <admin_user> -s winbind.conf -d 5


Title: Re: Join AD EFW 2.3
Post by: entourage on Tuesday 10 November 2009, 07:18:29 am
Ok, renamed smb.conf to smb.conf.old

Here's the output:

Code:
[2009/11/09 15:11:28,  5] lib/debug.c:debug_dump_status(407)  INFO: Current debug levels:
    all: True/5
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    pdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2009/11/09 15:11:28,  3] param/loadparm.c:lp_load_ex(8753)  lp_load_ex: refreshing parameters
[2009/11/09 15:11:28,  3] param/loadparm.c:init_globals(4597)  Initialising global parameters
[2009/11/09 15:11:28,  3] param/params.c:pm_process(569)  params.c:pm_process() - Processing configuration file "winbind.conf"
[2009/11/09 15:11:28,  3] param/loadparm.c:do_section(7416)  Processing section "[global]"
  doing parameter security = ADS
  doing parameter password server = DC.DOMAIN.LOCAL
  doing parameter realm = DOMAIN.LOCAL
  doing parameter syslog only = Yes
Enter administrator's password:
Failed to join domain: failed to find DC for domain DOMAIN.LOCAL


Title: Re: Join AD EFW 2.3
Post by: npeterson on Tuesday 10 November 2009, 07:26:12 am
That is the same error i receive when not setting the workgroup correctly.

Copy and paste this config into your winbind.conf, changing the stuff in <> to match your info:

[global]
security = ADS
password server = <Domain Controller FQDN(make sure its in hosts)>
realm = <Domain Name FQ>

# handle logging
syslog only = Yes
log level = 0 winbind:2
syslog = 1
max log size = 1000

local master = no
hosts allow = <Allowed Subnets(green)>
interfaces = br0 br2
bind interfaces only = yes
preferred master = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

workgroup = <Domain Name FQ>
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
winbind separator = +
unix charset = UTF8

ntlm auth = Yes
min protocol = NT1
client NTLMv2 auth = Yes
lm announce = No


run: net ads join -U<username> -s /etc/samba/winbind.conf -d 5


Title: Re: Join AD EFW 2.3
Post by: entourage on Tuesday 10 November 2009, 07:46:11 am
Unfortunately more of the same.

I copied your winbind.conf and edited the servers. Same message. (failed to find DC for domain DOMAIN.LOCAL)

I can ping the DC, so I know it sees it; however, I still get the same message if I type in an incorrect password when it prompts. (Of course I've tried more than one domain admin account.)

I think since this is running on a VM, I'm going to grab the old 2.2 iso and try the installation again, so I can confirm that at least it will connect.

I'll report back.


Title: Re: Join AD EFW 2.3
Post by: npeterson on Tuesday 10 November 2009, 08:05:27 am
Uhh, sounds silly, but you're not using domain.local for your domain name, are you? It should be your domain name.

Otherwise I'd start from a fresh install again and try the config again.


Title: Re: Join AD EFW 2.3
Post by: entourage on Tuesday 10 November 2009, 08:08:16 am
Nothing sounds silly at this point.   ;)

Yeah, I'm just changing it from the real one before I paste.


Title: Re: Join AD EFW 2.3
Post by: npeterson on Tuesday 10 November 2009, 09:06:05 am
Noticed that after I joined the domain (#7) I missed two steps; you need to stop/start winbind:


I've done this 3-4 times now; here's what I do:

1. install EFW
2. Do the join domain (this will fail, but it saves settings to the server and creates host entries)
3. Go to the console or SSH to the server
4. edit the file /var/efw/proxy/settings, remove the NTLM_BDC line
5. run /usr/local/bin/restartsamba.py (this should generate your winbind.conf)
5.5 Run /etc/init.d/winbind stop
6. Edit /etc/samba/winbind.conf. Change the following: Workgroup = <domain short name> to Workgroup = <domain full name, (the same as your realm)>
7. Run: net ads join -U<username> -s /etc/samba/winbind.conf (this will join the PC to the domain. It will say Joined or failed)
7.5 Run /etc/init.d/winbind start
8. Wait 15 minutes. This will allow the domain controllers to replicate the new computer login (yes, you do have to wait; annoying, but take that up with Microsoft.)
9. Test by running: wbinfo --configfile=/etc/samba/winbind.conf -t (if it succeeded you're golden; you should now be able to see your groups in EFW)



Title: Re: Join AD EFW 2.3
Post by: njtd on Tuesday 10 November 2009, 01:39:04 pm
I have success join the domain with npeterson step but I must modify line

password server = <DC Hostname eg: DC1>
realm = <Domain Name FQ eg: ABC.COM>
workgroup = <NETBIOS eg: ABC>

Thank you very much npeterson.




Title: Re: Join AD EFW 2.3
Post by: entourage on Wednesday 11 November 2009, 02:05:49 am
Ok, well, to prove I'm not crazy I just loaded up a VM with 2.2 and joined the domain successfully on the first try.

npeterson, I added the extra step on my clean 2.3 install and it said /etc/init.d/winbind stop [Failed].
Don't know if that matters?


Title: Re: Join AD EFW 2.3
Post by: npeterson on Wednesday 11 November 2009, 02:15:24 am
No, it means that winbind isn't already running, and that's what we are trying to fix.


Title: Re: Join AD EFW 2.3
Post by: entourage on Wednesday 11 November 2009, 02:20:30 am
Also, I'm not sure if this helps, but it doesn't matter what username/password combination I use (real or fake), I always get the same "Failed to join domain" message.


Title: Re: Join AD EFW 2.3
Post by: npeterson on Wednesday 11 November 2009, 02:54:26 am
Yes it does: the user has to have rights to join computers to the domain. So Administrator or a domain admin should have rights.


Title: Re: Join AD EFW 2.3
Post by: entourage on Thursday 12 November 2009, 06:28:22 am
Well, it looks as though I'll have to stay with 2.2 for a while. Nothing I change seems to have made any difference. I'm going to keep pressing at it to see if I can figure out what's wrong.

Thanks everyone for all the help!  If I come across my solution, I'll be sure to post back, in case I'm not the only one.


Title: Re: Join AD EFW 2.3
Post by: blakewp on Friday 27 November 2009, 11:12:22 pm
This might be of no help (I'm a Linux newbie but learning fast), but I finally got mine to join.
If it helps one person, then it's worth the post.

I couldn't get it to join for love nor money, until I started rooting around in the winbind.conf files and found this,
based around other people's suggestions:

you need to set your auth realm to your FQDN
you need to set workgroup to the NetBIOS name

If, like me, your NetBIOS name is NOT a shortened version of your FQDN (I didn't do it, honest) then the join process will fail,
e.g.
FQDN    = mydomain.com
NetBIOS = DOMAIN

as (and correct me if I'm wrong here, I'm only going by what I see) when the proxy restarts it uses a template to re-create the winbind.conf file and automatically changes the NetBIOS name to the first part of the FQDN.

I resolved it by changing it in the template winbind.conf.tmpl to the NetBIOS name

and it joined!!


Title: Re: Join AD EFW 2.3
Post by: Tomdarkness on Wednesday 02 December 2009, 11:07:41 am
Well I've managed to join and it seems to work (not a very easy process I might add). EFW 2.3 with a Windows Server 2008 (Functional Level 2003) DC.


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Wednesday 21 April 2010, 10:30:49 pm
hi,

I have the same errors.... trying to join AD.

This is my winbind.conf

|ced1| is the name of my Windows 2003 Server DC
|icp.it.local| is the FQDN? I think yes (it is the same FQDN used to join Windows clients to AD)
|icp.it| is my workgroup


Quote
[global]
security = ADS
password server = ced1
realm = icp.it.local

# handle logging
syslog only = Yes
log level = 0 winbind:2
syslog = 1
max log size = 1000

local master = no
hosts allow = 192.168.1.16/24
interfaces = br0
bind interfaces only = yes
preferred master = no
dns proxy = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

workgroup = icp.it
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = Yes
winbind separator = +
unix charset = UTF8

ntlm auth = Yes
min protocol = NT1
client NTLMv2 auth = Yes
lm announce = No

and this is my /etc/hosts

Quote
192.168.1.3   ced1.icp.it       ced1
192.168.2.3   ced2.icp.it       ced2
127.0.0.1   localhost.localhost localhost
192.168.1.16   endian.icp.it    endian
192.168.1.16   wpad.icp.it      wpad


when I execute this command I receive

net ads join -U administrator -s winbind.conf -d 5

Quote
net ads join -U administrator -s winbind.conf -d 5
[2010/04/21 14:33:34,  5] lib/debug.c:debug_dump_status(407)  INFO: Current debug levels:
    all: True/5
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2010/04/21 14:33:34,  3] param/loadparm.c:lp_load_ex(8753)  lp_load_ex: refreshing parameters
[2010/04/21 14:33:34,  3] param/loadparm.c:init_globals(4597)  Initialising global parameters
[2010/04/21 14:33:34,  3] param/params.c:pm_process(569)  params.c:pm_process() - Processing configuration file "winbind.conf"
[2010/04/21 14:33:34,  3] param/loadparm.c:do_section(7416)  Processing section "[global]"
  doing parameter security = ADS
  doing parameter password server = ced1
  doing parameter realm = icp.it.local
  doing parameter syslog only = Yes
Enter administrator's password:
Failed to join domain: failed to connect to AD: Cannot find KDC for requested realm


help....please


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Wednesday 21 April 2010, 11:58:22 pm
I found something....

AFTER changing all the names to UPPERCASE
and MODIFYING
"password server = ced1.ICP.IT.LOCAL"
"realm = ICP.IT.LOCAL"
"workgroup = ICP.IT"

the join works right!!! BUT..... only for a bit...

IF I read/open the winbind.conf file I can see this line modified: "workgroup = ICP"

and the second join test failed!!


So... who changed this line instead of me? sigh...


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Wednesday 28 April 2010, 10:04:59 pm
is it a bug?


Title: Re: Join AD EFW 2.3
Post by: Steve on Wednesday 28 April 2010, 11:05:50 pm
It's strange that you called your workgroup ICP.IT
Do you own the domain ICP.IT (which really exists - run a DNS report)? - this could be the problem why it can't connect to your 'workgroup' ICP.IT


Title: Re: Join AD EFW 2.3
Post by: mrkroket on Thursday 29 April 2010, 03:45:46 am
I found something....

AFTER changing all the names to UPPERCASE
and MODIFYING
"password server = ced1.ICP.IT.LOCAL"
"realm = ICP.IT.LOCAL"
"workgroup = ICP.IT"

the join works right!!! BUT..... only for a bit...

IF I read/open the winbind.conf file I can see this line modified: "workgroup = ICP"

and the second join test failed!!


So... who changed this line instead of me? sigh...

Probably the template file. Many config files are rebuilt from template files, so you must modify these templates to make your changes permanent.


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Monday 10 May 2010, 05:48:16 pm
It's strange that you called your workgroup ICP.IT
Do you own the domain ICP.IT (which really exists - run a DNS report)? - this could be the problem why it can't connect to your 'workgroup' ICP.IT

yes.

How can I run a DNS report? I'll paste the results here.


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Monday 10 May 2010, 05:52:45 pm
I found something....

AFTER changing all the names to UPPERCASE
and MODIFYING
"password server = ced1.ICP.IT.LOCAL"
"realm = ICP.IT.LOCAL"
"workgroup = ICP.IT"

the join works right!!! BUT..... only for a bit...

IF I read/open the winbind.conf file I can see this line modified: "workgroup = ICP"

and the second join test failed!!


So... who changed this line instead of me? sigh...

Probably the template file. Many config files are rebuilt from template files, so you must modify these templates to make your changes permanent.


but... which template file? Where is it?


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Wednesday 12 May 2010, 05:25:38 pm
summary:

I have a domain: icp.it.local
All the computers in the domain work in a workgroup named: icp.it
My primary Domain Controller is: "ced1", "192.168.1.3" (Windows 2003 Std. Server)
My Endian firewall in the intranet is: "endian", "192.168.1.16"


PS: before all... years ago... the whole network ran on Windows NT 4.0 Server, so the domain name (pre-Windows 2000) was: ICP.IT


Knowing these details, how can I set up NTLM (or LDAP) authentication?



Others:

netdiag.txt
Quote
    Gathering IPX configuration information.
    Querying status of the Netcard drivers... Passed
    Testing IpConfig - pinging the Primary WINS server... Passed
    Testing IpConfig - pinging the Secondary WINS server... Passed
    Testing Domain membership... Passed
    Gathering NetBT configuration information.
    Testing for autoconfiguration... Passed
    Testing IP loopback ping... Passed
    Testing default gateways... Passed
    Enumerating local and remote NetBT name cache... Passed
    Testing the WINS server
        Local Area Connection
            Sending name query to primary WINS server 192.168.1.3 - Passed
            Sending name query to secondary WINS server 192.168.2.3 - Passed
    Gathering Winsock information.
    Testing DNS
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.3' and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server '192.168.2.3' and other DCs also have some of the names registered.
    Testing redirector and browser... Passed
    Testing DC discovery.
        Looking for a DC
        Looking for a PDC emulator
        Looking for a Windows 2000 DC
    Gathering the list of Domain Controllers for domain 'ICP.IT'
    Testing trust relationships... Skipped
    Testing Kerberos authentication... Passed
    Testing LDAP servers in Domain ICP.IT ...
    Gathering routing information
    Gathering network statistics information.
    Gathering configuration of bindings.
    Gathering RAS connection information
    Gathering Modem information
    Gathering Netware information
    Gathering IP Security information

    Tests complete.


    Computer Name: CED1
    DNS Host Name: ced1.icp.it.local
    DNS Domain Name: icp.it.local
    System info : Windows 2000 Server (Build 3790)


..........................


Domain membership test . . . . . . : Passed
    Machine is a . . . . . . . . . : Primary Domain Controller Emulator
    Netbios Domain name. . . . . . : ICP.IT
    Dns domain name. . . . . . . . : icp.it.local
    Dns forest name. . . . . . . . : icp.it.local
    Domain Guid. . . . . . . . . . : {F92BB039-5A2F-421C-95F9-0AA901C028CC}
    Domain Sid . . . . . . . . . . : S-1-5-21-915690042-2112626843-142223018
    Logon User . . . . . . . . . . : administrator
    Logon Domain . . . . . . . . . : ICP.IT


..............................


DNS test . . . . . . . . . . . . . : Passed
      Interface {70EF8501-F975-4C2B-B0D4-D7AE54523D4F}
        DNS Domain:
        DNS Servers: 192.168.1.3 192.168.2.3
        IP Address:         Expected registration with PDN (primary DNS domain name):
          Hostname: ced1.icp.it.local.
          Authoritative zone: icp.it.local.
          Primary DNS server: ced1.icp.it.local 192.168.1.3
          Authoritative NS:192.168.5.1 192.168.2.3 192.168.1.3
Check the DNS registration for DCs entries on DNS server '192.168.1.3'
The Record is different on DNS server '192.168.1.3'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.1.3', no need to re-register.

+------------------------------------------------------+
The record on your DC is:
DNS NAME = _ldap._tcp.icp.it.local.
DNS DATA =
            SRV 0 100 389 ced1.icp.it.local.

The record on DNS server 192.168.1.3 is:
DNS NAME = _ldap._tcp.icp.it.local
DNS DATA =
            SRV 0 100 389 ced-csm.icp.it.local
            SRV 0 100 389 ced-fileserver2.icp.it.local
            SRV 0 100 389 ced2.icp.it.local
            SRV 0 100 389 ced4.icp.it.local
            SRV 0 100 389 ced1.icp.it.local
+------------------------------------------------------+




Title: Re: Join AD EFW 2.3
Post by: Di4bLo on Wednesday 12 May 2010, 08:34:48 pm
I have two separate Windows 2003 domains: pippo.local and ita.pluto.it

With the first one I have no problems connecting to the domain.
With the second I have all your problems.

This is the configuration (through the GUI):

Realm: pippo.local
Domain name server AD: pippo
Hostname: server
IP: 10.3.0.1

I set the routing DNS pippo.local -> 10.3.0.1 and nothing else.

I hope this could be helpful.


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Thursday 13 May 2010, 04:32:12 pm
ok, I found the problem!


in /etc/samba/winbind.conf.tmpl there is a line:

workgroup = ${AUTH_REALM.split(".")[0].upper()}

well... the "split" cuts my workgroup in the wrong way... I have to use "ICP.IT" from the realm "icp.it.local", and this line makes the workgroup just "ICP".

So... I modified this line to: workgroup = ICP.IT
keeping everything else unchanged.

The JOIN AD works fine, and I get all the groups and users from my AD, finally!!!  ;)



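The configuration npeterson pasted above and the template line cagnaluia found both turn on how Samba reads two parameters: `workgroup` is the NetBIOS (pre-Windows 2000) domain name and `realm` is the Kerberos realm, i.e. the DNS domain in upper case. The stock template derives the workgroup from the first DNS label of the realm, which is only right when the NetBIOS name happens to be that label (not ICP.IT under icp.it.local, nor blakewp's DOMAIN under mydomain.com). The following linter is an added example, not EFW code: it parses a winbind.conf in smb.conf syntax, checks those two parameters against the NetBIOS name the DC reports, checks that the password server has an /etc/hosts entry (the "failed to find DC" symptom in this thread), and reports what the template would overwrite on the next proxy restart. The config and hosts texts in it are constructed from the names used in this thread.

```python
# Added example (not EFW code): lint a winbind.conf, in smb.conf syntax, for
# the join failures in this thread.  The one EFW-specific fact used is the
# template line quoted above: workgroup = ${AUTH_REALM.split(".")[0].upper()}


def parse_smb_conf(text):
    """smb.conf text -> {section: {parameter: value}}; parameter names are
    lower-cased with whitespace collapsed, as Samba itself normalises them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def parse_hosts(text):
    """Lower-cased names (FQDNs and aliases) listed in an /etc/hosts file."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        names.update(n.lower() for n in fields[1:])
    return names


def workgroup_from_template(auth_realm):
    """What the stock EFW 2.3 winbind.conf.tmpl computes for 'workgroup': the
    first DNS label of the realm, upper-cased.  Right only when the NetBIOS
    domain happens to be that label (EXAMPLE for example.local, not ICP.IT)."""
    return auth_realm.split(".")[0].upper()


def lint_winbind_conf(conf_text, hosts_text, netbios_domain):
    """Check [global] against the NetBIOS domain the DC reports (netdiag's
    'Netbios Domain name').  An empty list means the settings are consistent
    with a working 'net ads join' that also survives a proxy restart."""
    g = parse_smb_conf(conf_text).get("global", {})
    realm, workgroup = g.get("realm", ""), g.get("workgroup", "")
    pw_server, findings = g.get("password server", ""), []

    if g.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for 'net ads join'")
    if not realm:
        findings.append("realm is missing")
    elif realm != realm.upper():
        # Samba documents realm as the upper-cased DNS domain; upper-casing it
        # was the thread's fix for 'Cannot find KDC for requested realm'.
        findings.append(f"realm '{realm}' should be written '{realm.upper()}'")
    if not workgroup:
        findings.append("workgroup is missing")
    else:
        if workgroup.upper() != netbios_domain.upper():
            findings.append(f"workgroup '{workgroup}' is not the NetBIOS domain '{netbios_domain}'")
        if realm and workgroup.upper() == realm.upper():
            findings.append("workgroup equals realm: workgroup is the NetBIOS name, realm the DNS name")
    if pw_server and pw_server.lower() not in parse_hosts(hosts_text):
        findings.append(f"password server '{pw_server}' has no /etc/hosts entry ('failed to find DC')")
    if realm and workgroup_from_template(realm) != netbios_domain.upper():
        findings.append(f"winbind.conf.tmpl would rewrite workgroup to '{workgroup_from_template(realm)}' "
                        "on the next restart; set it explicitly in the template")
    return findings


# Constructed sample inputs modelled on the names used in this thread.
HOSTS = """\
192.168.1.3    ced1.icp.it.local    ced1
127.0.0.1      localhost.localhost  localhost
192.168.1.16   endian.icp.it.local  endian
"""
CONF_AS_GENERATED = """\
[global]
security = ADS
password server = ced1
realm = icp.it.local
workgroup = ICP
"""
CONF_HAND_FIXED = """\
[global]
security = ADS
password server = ced1.icp.it.local
realm = ICP.IT.LOCAL
workgroup = ICP.IT
"""

if __name__ == "__main__":
    for label, conf in (("as generated", CONF_AS_GENERATED), ("hand-fixed", CONF_HAND_FIXED)):
        print(f"--- {label} ---")
        for finding in lint_winbind_conf(conf, HOSTS, "ICP.IT") or ["no findings"]:
            print(" ", finding)
```

Run against the hand-fixed file the only finding left is the template one, which is exactly what cagnaluia saw: the join works once, then restartsamba.py regenerates winbind.conf and puts "ICP" back. Two lines in the pasted config, `ntlm auth = Yes` and `min protocol = NT1`, allow NTLMv1 and SMB1 on the winbind side; the linter does not touch them, but they are worth revisiting once the join works.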


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Thursday 13 May 2010, 05:36:16 pm
well... for blocking pages, is there a file with all the URLs? Or is there only a phrase check?


Title: Re: Join AD EFW 2.3
Post by: cagnaluia on Wednesday 19 May 2010, 05:07:40 pm
hm.... I don't understand whether there is a URL database to block the pages.

OR

is there only a bad-words counter?


example:

I need to block pornography pages, but if I enable this feature in the policy the web newspapers will ALSO be blocked.
It's strange.


Title: Re: Join AD EFW 2.3 -solved in 2.4?
Post by: SandStorm on Thursday 27 May 2010, 09:03:15 pm
Has joining a domain and AD been improved for 2.4?


Title: Re: Join AD EFW 2.3
Post by: Di4bLo on Friday 28 May 2010, 11:09:32 pm
Solved (for me).
You have to choose "LDAP" as authentication mode if your domain doesn't have compatibility with old MS machines. This option is available only at the first installation of W2K3 (I guess).
If your domain has compatibility with the old system (NTLM) then you have to choose "Windows Active Directory" as authentication method.

I guess there are other people like me who are trying to join an AD domain with NTLM. Try with LDAP and everything works well.

This is my configuration:

Authentication Realm:  .yyy.zzz
LDAP Server: 192.168.0.1
Port LDAP server: 389
LDAP type: Active Directory Server
Bind DN settings: DC=,DC=yyy,DC=zzz
Bind DN username: cn:Administrator,DC=,DC=yyy,DC=zzz
Bind DN password: ******** (Administrator's password)
user objectClass: person
group objectClass: group

Save and go to "Access policy" and create a new policy with authentication. You should see users and groups.


Title: Re: Join AD EFW 2.3
Post by: SandStorm on Friday 28 May 2010, 11:22:55 pm
So a Server 2008 Domain Controller is easily used?


Title: Re: Join AD EFW 2.3
Post by: Di4bLo on Friday 04 June 2010, 07:13:24 pm
Quote
So a Server 2008 Domain Controller is easily used?

I haven't tried it yet, but I think with LDAP it should work.


Title: Re: Join AD EFW 2.3
Post by: techie on Thursday 10 June 2010, 04:19:38 pm
I have Endian 2.4 with authentication against a Windows 2008 domain running without problems so far.

Choose Authentication Method: Windows Active Directory (NTLM)
Authentication Realm: opentraining.local
Number of Authentication Children: 20
Number of different IP's per user: 2
Authentication cache: 60
User / IP cache: 0
Domainname of AD server: OPENTRAINING
PDC Hostname of AD server: dc1
PDC IP address of AD server: 192.168.1.10
BDC Hostname of AD server: dc2
BDC IP address of AD server: 192.168.1.11


One thing that puzzled me in the beginning was that the proxy didn't want to authenticate when it was running in transparent mode, but after changing to non-transparent it all worked like a charm.


Title: Re: Join AD EFW 2.3
Post by: Thushara on Thursday 14 October 2010, 06:15:58 pm
Hey guys,

I know that this topic is outdated, but I recently checked the AD authentication in Endian firewall and I also ended up with the same problems you guys got. After a few days' work I managed to make this work. This is how I did it.

Note that in this case I have used eBox as my AD. It also works for Windows AD.

1. Install Endian Firewall.
2. Configure the proxy authentication with NTLM settings and save.
3. Now login to the endian firewall via SSH and find the file /etc/samba/winbind.conf
4. Open this file and set the "workgroup" as same as "realm"

       password server = DC.domain.local
       realm = domain.local

       workgroup = domain.local

5. Save the file and stop the winbind service.
    /etc/init.d/winbind stop

6. Now try to join to AD with following command. Replace the "<username>" area with your domain admin user name.
    net ads join -U<username> -s /etc/samba/winbind.conf

7. In my case this failed with the following error.
    "Failed to join domain: Invalid configuration and configuration modification was not requested"

8. If this fails, try the following command. The difference is that I have changed the "ads" command type to the "rpc" command type.
    net rpc join -U<username> -s /etc/samba/winbind.conf

9. Now you should get a message like the following. This means that you have successfully connected to the domain.
    Joined domain domain.local.

10. Now restart the winbind service and check the secret and users by following commands.
     wbinfo -t
     wbinfo -u
     wbinfo -g

11. If you get the users and groups list in AD, now its working.

12. Go to "Access Policy" area and add "Add access policy". Select "User based" from Authentication drop down menu.
      Now you should see the user list.

13. Enjoy........:D
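The sequence in steps 5 to 10 above, written as a script: an added example, not EFW's or Thushara's code. It assumes the command names and paths the post uses (/etc/init.d/winbind, net, wbinfo, /etc/samba/winbind.conf) and takes the command runner as a parameter, so the stop/join/start ordering and the ads-then-rpc fallback can be exercised offline with a constructed fake runner; on a real EFW box call join_domain with the default runner. It deliberately leaves the password to the interactive prompt instead of putting it on the command line.

```python
# Added example, not EFW code: drive the join sequence from the steps above
# (stop winbind, net ads join, fall back to net rpc join, start winbind,
# verify with wbinfo -t) with the command runner injected, so the control
# flow can be exercised without a domain controller.  The command names and
# the /etc/init.d/winbind and /etc/samba/winbind.conf paths are taken from
# the posts in this thread.
import shlex
import subprocess

WINBIND_CONF = "/etc/samba/winbind.conf"


def run_command(argv):
    """Run argv and return (exit status, combined stdout/stderr).
    'net' prompts for the password on the terminal; do not pass -U user%pass,
    which would expose the domain admin password in 'ps' and shell history."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return proc.returncode, proc.stdout


def join_domain(user, conf=WINBIND_CONF, run=run_command):
    """Return (joined_and_verified, log); log holds (command line, exit
    status, output) for every command that was run, in order."""
    log = []

    def step(argv):
        status, output = run(argv)
        log.append((" ".join(shlex.quote(a) for a in argv), status, output.strip()))
        return status == 0

    # A failing stop only means winbind was not running yet (entourage's
    # "[Failed]" above); it is not an error for the join itself.
    step(["/etc/init.d/winbind", "stop"])

    joined = step(["net", "ads", "join", "-U", user, "-s", conf])
    if not joined:
        # Thushara's fallback: the NT4-style RPC join when the ADS join
        # reports "Invalid configuration and configuration modification
        # was not requested".
        joined = step(["net", "rpc", "join", "-U", user, "-s", conf])

    started = step(["/etc/init.d/winbind", "start"])
    if not (joined and started):
        return False, log
    # wbinfo -t checks the machine account trust secret winbind now holds.
    verified = step(["wbinfo", "--configfile=" + conf, "-t"])
    return verified, log


def make_fake_runner(ads_join_status):
    """Constructed stand-in for run_command: every command succeeds except
    'net ads join', whose exit status is ads_join_status (0 = success)."""
    def fake(argv):
        if argv[:3] == ["net", "ads", "join"]:
            output = ("Failed to join domain: Invalid configuration and configuration "
                      "modification was not requested" if ads_join_status
                      else "Joined 'EFW' to realm 'DOMAIN.LOCAL'")
            return ads_join_status, output
        return 0, "ok"
    return fake


if __name__ == "__main__":
    ok, log = join_domain("administrator", run=make_fake_runner(1))
    for cmd, status, out in log:
        print(f"[{status}] {cmd}: {out}")
    print("joined and verified:", ok)
```

Whether the join persists across a reboot is a separate matter, as dda notes further down: the joined machine account lives in AD and in Samba's secrets database, but the workgroup/realm lines it was joined with come back from winbind.conf.tmpl on the next restart.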


Title: Re: Join AD EFW 2.3
Post by: aneeshjoseph on Saturday 06 October 2012, 07:12:33 pm
Hi,

This worked. After reboot it is not connected to the AD automatically. I need to add it again to the AD. Any idea?

I checked the configuration file and the hosts entry. These are not changed; also I can ping the DC, hence not a DNS issue. Any idea?

Thanks


Title: Re: Join AD EFW 2.3
Post by: Thushara on Monday 08 October 2012, 02:36:57 pm
Hi.....

When you join your EFW to AD via net join command, it should create a Computer object in the AD which the firewall will use to query users next time.

Check whether this computer object is created in the AD. If this is not created, give the user you are using to join to AD the administrator privilege and re-try.

net rpc join -U admin -s /etc/samba/winbind.conf

The second thing you can do to debug this is after rebooting, login to the EFW via ssh and check whether the firewall and AD connection is ok.
You can check this by,

wbinfo -t

Also try restarting the winbind service without joining the FW to AD again or doing anything else.



Title: Re: Join AD EFW 2.3
Post by: dda on Tuesday 09 October 2012, 02:45:31 am
You need to edit the winbind.conf.tmpl or you will lose settings on reboot.  The winbind file is created at boot from the winbind.conf.tmpl file.


Title: Re: Join AD EFW 2.3
Post by: vaeryl on Friday 23 November 2012, 12:27:11 am
Here it connects fine, but I have another problem:

It shows all the users and groups OK, but doesn't refresh them!

I can create or delete users and groups in AD, but it never reflects on Endian automatically; the list only refreshes when I use the /etc/init.d/winbind restart command.


Is there some configuration I can use so that Endian refreshes the groups/users/passwords from AD from time to time?





Title: Re: Join AD EFW 2.3
Post by: jamerson on Tuesday 14 May 2013, 08:06:07 am
I am facing the same problem;
can't get it added to the domain.

Failed to join domain: failed to find DC for domain ICT.LAN