AD authentication using samba or OpenLDAP?

[idl0r]

Hey,

 

I've been trying to setup AD authentication using our samba AD replica but there are weird errors so, first of all I'm curious whether samba or OpenLDAP  methods are supported/tested at all?

 

Just adding it seems to be fine at first, but e.g. adding security groups fails. The groups are listed properly but adding it throws an error with like no details

nfortunately an error has occurred within the Passwordstate web site, for which we apologize for the inconvenience.

If Passwordstate is able to communicate with the database, then the error will be logged on the screen Administration -> Passwordstate Administration -> Error Console.
 
If you are unable to view the Error Console screen for any reason, you can ask your Database Administrator to run the following SQL Query, which will show the same data from the Error Console Screen:

USE Passwordstate
SELECT * FROM DebugInfo
 
If you need some assistance from Click Studios in troubleshooting this error, please ask your Passwordstate Security Administrators to contact us for help.

 

Error console:

A more secure authentication method is required for this server. , StackTrace = at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_AdsObject() at System.DirectoryServices.PropertyValueCollection.PopulateList() at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName) at System.DirectoryServices.PropertyCollection.get_Item(String propertyName) at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer() at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit() at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize() at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx() at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate) at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue) at System.DirectoryServices.AccountManagement.GroupPrincipal.FindByIdentity(PrincipalContext context, String identityValue) at admin_securitygroups_addadsg.CountNumberOfRequiredLicenses(String strSecurityGroup, String DomainName, String FQDN, String ObjectSID) at admin_securitygroups_addadsg.SaveSecurityGroup(String Button) at System.Web.UI.WebControls.LinkButton.OnClick(EventArgs e) at System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

 

Thing is, it's already LDAPS so I'm not sure what that means and why it's fine to fetch the groups, accounts etc. but adding it fails.

Adding a user seems to work as well as the login.

 

Another, even more weird error:

Trying to add a security group using the right arrow results in:

It appears an error has occured trying to query Active Directory for user information.
 
Please check the 'Active Directory Domain Name' value specified below is correct. If not, please update in the 'Active Directory Domains' screen.
 
Active Directory Information
NetBIOS Name: office
FQDN: ad.dc.somecompany.com
LDAP Query String: 

How can the LDAP query string be empty?

 

Any ideas?

[idl0r]

Ok, it looks like it was a samba issue. Even though there could have been more debug infos.

https://wiki.samba.org/index.php/Samba_4.4_Features_added/changed#ldap_server_require_strong_auth_.28G.29

[support]

Hello IdlOr,

 

We're really sorry, but Passwordstate is only designed to work with Active Directory store, and not the other two directories you've mentioned.

Regards
Click Studios