Using LDAP/AD Authentication in V6 ERA


  • 2 weeks later...

When you click the SELECT box next to GROUP SID [found under ADMIN-->ACCESS RIGHTS-->MAPPED DOMAIN SECURITY GROUPS-->NEW], do you not get a list of all the groups in your domain?


When you click the SELECT box next to GROUP SID [found under ADMIN-->ACCESS RIGHTS-->MAPPED DOMAIN SECURITY GROUPS-->NEW], do you not get a list of all the groups in your domain?

Nope, I got an error. That's why I ask where I can configure it.

Or is it a Windows-only feature which uses the local Windows settings? (Running the appliance on CentOS.)


Not familiar with LDAP for CentOS. Could you just enter the group's SID manually?

I could, but this has no effect.

Because it is an appliance, I think it is not recommended to change anything on the host system?

No official statements? Guides?


  • 3 weeks later...

* standard domain joining process via winbind

* make sure the ldapsearch utility is in place (openldap-clients package on CentOS)

* tasks like "Static Group Synchronization" will have some hidden gems like LOGIN, which takes a form similar to "CN=connect-user,CN=Users,DC=your-domain,DC=com", depending on your LDAP structure.


* standard domain joining process via winbind

* make sure the ldapsearch utility is in place (openldap-clients package on CentOS)

* tasks like "Static Group Synchronization" will have some hidden gems like LOGIN, which takes a form similar to "CN=connect-user,CN=Users,DC=your-domain,DC=com", depending on your LDAP structure.

Thx, will try a domain join later.

An LDAP-only user backend isn't possible?


  • 1 month later...

***PUSH***

An LDAP-only user backend isn't possible?

Any how-to for using LDAP (OpenLDAP) as a direct authentication/synchronisation backend?


  • ESET Staff

On CentOS (or any Linux), Domain Mapped Groups will only work through Winbind. LDAP auth can only be used with static group synchronisation.

ERA uses the 'wbinfo' and 'ntlm_auth' commands to communicate with the Winbind daemon and do the authentication. If you are able to configure Winbind to use LDAP, then it will work.


Can't get winbind running completely.

 

wbinfo -u works, ntlm_auth works, but

wbinfo -i meg
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user meg

wbinfo -g
failed to call wbcListGroups: WBC_ERR_INVALID_RESPONSE
Error looking up domain groups

Winbindd Version: 3.6.23-14.el6_6

OS: CentOS, ESET Appliance
 
Any ideas or conclusions? 
 
Samba Settings:
[global]
	workgroup = RZ
	server string = Samba Server Version %v
	security = DOMAIN
	log file = /var/log/samba/log.%m
	max log size = 50
	wins server = 1xx.1x.1xx.1xx
	idmap config * : backend = tdb
	cups options = raw

  • ESET Staff

It is hard to say what is wrong. Winbind is very picky about its configuration. My experience is only with joining AD on a domain controller, and that requires:

1. DNS needs to be configured correctly.

2. Time needs to be synchronised with the domain controller.

3. Kerberos needs to be configured.

4. Samba needs to be configured.

5. Domain join is necessary.

All these steps are done automatically in the ERA Server Appliance. If you want, you can deploy it as a test in VirtualBox (or VMware Player) and go through manual installation. Afterwards you can look at the created configuration files. There is also a '/root/help-with-domain.txt' file that explains all steps in more detail.


It is hard to say what is wrong. Winbind is very picky about its configuration. My experience is only with joining AD on a domain controller, and that requires:

Mine too, and there it all works fine ;) But this is no AD.

 

1. DNS needs to be configured correctly.

It is.

2. Time needs to be synchronised with the domain controller.

It is.

3. Kerberos needs to be configured.

There is no Kerberos, it's a Samba 3 domain.

4. Samba needs to be configured.

It is.

5. Domain join is necessary.

Join works fine. I forgot to mention it in the post above.

All these steps are done automatically in the ERA Server Appliance.

I'm using the Appliance. How can you automatically join the domain?!

If you want, you can deploy it as a test in VirtualBox (or VMware Player) and go through manual installation. Afterwards you can look at the created configuration files. There is also a '/root/help-with-domain.txt' file that explains all steps in more detail.

There is no such file in the appliance. Appliance was installed on 2015/01/08. Are there different versions?

 

Setting

winbind use default domain = Yes

lets wbinfo -i <username> work, but wbinfo -g (which is used by ERAS) still does not work.

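Added example (not part of the thread and not ESET's code): a small probe that runs the Winbind queries discussed above in dependency order and reports the first error line of each failing one, which isolates a case like the last post's, where user lookup works but group enumeration does not. The function names and report format are assumptions made for illustration; "wbinfo -p" (ping winbindd) and "wbinfo -t" (verify the machine trust secret) are standard wbinfo options that the thread itself does not mention.

```shell
#!/bin/bash
# Added example: probe the Winbind queries a domain-mapped login path relies on.
# probe/probe_winbind are illustrative names, not part of ERA or Samba.

# Run one command quietly; print PASS, or FAIL plus the first line of its output.
probe() {
    local label="$1"; shift
    local out
    if out=$("$@" 2>&1); then
        echo "PASS  $label"
        return 0
    fi
    echo "FAIL  $label: $(printf '%s\n' "$out" | head -n 1)"
    return 1
}

# Probe from the daemon outwards; the return code is the number of failed checks.
probe_winbind() {
    local user="$1" failed=0
    probe "winbindd reachable (wbinfo -p)"  wbinfo -p         || failed=$((failed + 1))
    probe "trust secret valid (wbinfo -t)"  wbinfo -t         || failed=$((failed + 1))
    probe "user enumeration (wbinfo -u)"    wbinfo -u         || failed=$((failed + 1))
    probe "group enumeration (wbinfo -g)"   wbinfo -g         || failed=$((failed + 1))
    probe "user lookup (wbinfo -i $user)"   wbinfo -i "$user" || failed=$((failed + 1))
    return "$failed"
}

# Stand-alone use: ./probe-winbind.sh --user <account>
if [ "${1:-}" = "--user" ]; then
    probe_winbind "${2:?account name required}"
fi
```

A FAIL on group enumeration while every other line passes matches the state reported in the last post.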

This topic is now closed to further replies.