Messages

1

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 08, 2016, 12:31:22 pm »

Hi Guys

It seems to have come right.
I was having issues with time which was odd as both DC and firewall were correct.
I have attached the CLI history for your reference.

Thanks a million for all your help. I learnt a lot from all the digging around.

Will continue to test to see how things go.

Kind regards

2

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 01, 2016, 04:04:21 pm »

Alright, I added that. I get the following:
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)\tadditional info: SASL(-4): no mechanism available: No worthy mechs foundError: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}

I am reading the Wiki page you sent and trying a few things. Will let you know how things go.

3

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 01, 2016, 12:45:26 pm »

So I can confirm the following:
PRT record for the DC: bwx-hilt-dc01.bwt.local. - 192.168.1.254
A record for the firewall: HILT-OPNSENSE.bwt.local - 192.168.1.77

4

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 01, 2016, 12:12:31 pm »

Sorry, thats there too.

5

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 01, 2016, 11:55:17 am »

Ok, as follows:
OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
    Confirmed, set to domain controllers only
OPNsense must have a hostname in AD DNS (A and PTR)
   Confirmed, I can ping the hostname
OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
   Confirmed, syncing with DC
OPNsense must be in same domain as AD (hostname configuration page)
   Confirmed, under settings, General, the hostname is set to HILT-OPNSENSE
Create a new Authorization server with ssoproxyad type
   Confirmed, tested authentication and it works

6

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 01, 2016, 11:05:04 am »

Hi there. Yes I can, everything resolves perfectly. Before I had an issue with DNS which is why I redid the server.

7

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 01, 2016, 09:59:48 am »

Alright, i now the get following:
Nov 1 10:54:56   configd_ctl.py: error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 65, in exec_config_cmd line = sock.recv(65536) timeout: timed out
Nov 1 10:52:56   configd.py: [37a2e8b3-6d6b-41cf-846a-ab9c9bc25f24] SSO Proxy AD module join AD domain
Nov 1 10:52:51   api[43906]: no matching csrf found for request
Nov 1 10:52:48   api[43906]: no matching csrf found for request

8

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 01, 2016, 07:33:40 am »

Sorry Guys, in my stupidity I forgot to setup the proxy itself after a setup the new server.
Running the command now gives the following:
configctl ssoproxyad joinDomain
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Can't contact LDAP server)Error: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}
root@HILT-OPNSENSE:~ # ping bwt.local

9

17.1 Legacy Series / Re: Windows AD and SSO

« on: November 01, 2016, 07:21:47 am »

Ok I ran the command and get the following:
root@HILT-OPNSENSE:~ # configctl ssoproxyad joinDomain
Warning: file_put_contents(/usr/local/etc/ssoproxyad/krb5secret): failed to open                     stream: No such file or directory in /usr/local/opnsense/scripts/OPNsense/SSOPr                    oxyAD/joinDomain.php on line 60

Warning: chmod(): No such file or directory in /usr/local/opnsense/scripts/OPNse                    nse/SSOProxyAD/joinDomain.php on line 61
{"message":"Array"}

10

17.1 Legacy Series / Re: Windows AD and SSO

« on: October 31, 2016, 06:36:11 pm »

Hi Guys

I am sure you are getting sick of me now. 
I am still having issues. I started with a fresh installation this time.
Firstly, I can ping bwx.local and BWX-HILT-DC01.bwx.local from the server with no issues.
Here are the settings I have:

11

17.1 Legacy Series / Re: Windows AD and SSO

« on: October 31, 2016, 08:35:49 am »

Ok I am making small progress.
With the below settings I get a "Test ok!" but a "unable to run config action" when clicking Join Domain. Any ideas?

Domain Name: HILT-OPNSENSE
Domain Controller: BWX-HILT-DC01.bwx.local
Version: 2012
Domain user: rgemmell
Password: ....

12

17.1 Legacy Series / Re: Windows AD and SSO

« on: October 30, 2016, 06:19:21 pm »

Hi Guys

Thanks for the update.
I am attempting to join the server to the domain but I get the error "no configuration file found" when testing the settings. Could you provide an example list of settings that I should be using?

Kind regards
Robert

13

17.1 Legacy Series / Re: Windows AD and SSO

« on: October 28, 2016, 10:11:50 am »

Hi Fabian

I see there was an update, but I dont see the SSO package.

14

17.1 Legacy Series / Re: Windows AD and SSO

« on: October 24, 2016, 04:37:21 pm »

Brilliant.
Thats perfect, at this stage we just running within a test environment so it suits me perfectly.
Thanks so much for the assistance.

15

17.1 Legacy Series / Re: Windows AD and SSO

« on: October 24, 2016, 11:29:13 am »

Great news, thanks Franco.

When is 16.7.7 due to be released?