Topic: Zentyal 5.0.8 not fully compatible active directory integration

netrace80

Hi,
I have a brand new clean installation of the latest Zentyal, everything up to date.
AD integration works great with every device except the Aerohive access point.
Aerohive access points act as RADIUS servers; they support AD integration. This integration works great on Zentyal 3.5, but not with Zentyal 5.
I can join the AP to the AD, but can't log in with the user used for LDAP search.

No logs found on the Zentyal machine, just a simple "access denied" on the Aerohive.

Any advice where I can debug this issue?

Has anyone else experienced this?

Thanks.


UPDATE
These are the samba.log rows logged when I try to authenticate the user; they seem pretty normal:

Code:
[2017/05/24 00:03:40.696609,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 343 of length 108 (0 toread)
[2017/05/24 00:03:40.696723,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBntcreateX (pid 28773) conn 0x55fd3b0dee90
[2017/05/24 00:03:40.698691,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 344 of length 158 (0 toread)
[2017/05/24 00:03:40.698778,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBtrans (pid 28773) conn 0x55fd3b0dee90
[2017/05/24 00:03:40.698821,  3] ../source3/smbd/ipc.c:591(handle_trans)
  trans <\PIPE\> data=72 params=0 setup=2
[2017/05/24 00:03:40.698889,  3] ../source3/smbd/ipc.c:542(named_pipe)
  named pipe command on <> name
[2017/05/24 00:03:40.698949,  3] ../source3/smbd/ipc.c:506(api_fd_reply)
  Got API command 0x26 on pipe "NETLOGON" (pnum 4957)
[2017/05/24 00:03:40.700667,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 345 of length 214 (0 toread)
[2017/05/24 00:03:40.700788,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBtrans (pid 28773) conn 0x55fd3b0dee90
[2017/05/24 00:03:40.700830,  3] ../source3/smbd/ipc.c:591(handle_trans)
  trans <\PIPE\> data=128 params=0 setup=2
[2017/05/24 00:03:40.700871,  3] ../source3/smbd/ipc.c:542(named_pipe)
  named pipe command on <> name
[2017/05/24 00:03:40.700908,  3] ../source3/smbd/ipc.c:506(api_fd_reply)
  Got API command 0x26 on pipe "NETLOGON" (pnum 4957)
[2017/05/24 00:03:40.702851,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 346 of length 250 (0 toread)
[2017/05/24 00:03:40.702963,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBtrans (pid 28773) conn 0x55fd3b0dee90
[2017/05/24 00:03:40.703013,  3] ../source3/smbd/ipc.c:591(handle_trans)
  trans <\PIPE\> data=164 params=0 setup=2
[2017/05/24 00:03:40.703070,  3] ../source3/smbd/ipc.c:542(named_pipe)
  named pipe command on <> name
[2017/05/24 00:03:40.703163,  3] ../source3/smbd/ipc.c:506(api_fd_reply)
  Got API command 0x26 on pipe "NETLOGON" (pnum 4957)
[2017/05/24 00:03:40.704879,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 347 of length 214 (0 toread)
[2017/05/24 00:03:40.704963,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBtrans (pid 28773) conn 0x55fd3b0dee90
[2017/05/24 00:03:40.705022,  3] ../source3/smbd/ipc.c:591(handle_trans)
  trans <\PIPE\> data=128 params=0 setup=2
[2017/05/24 00:03:40.705068,  3] ../source3/smbd/ipc.c:542(named_pipe)
  named pipe command on <> name
[2017/05/24 00:03:40.705096,  3] ../source3/smbd/ipc.c:506(api_fd_reply)
  Got API command 0x26 on pipe "NETLOGON" (pnum 4957)
[2017/05/24 00:03:40.706972,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 348 of length 250 (0 toread)
[2017/05/24 00:03:40.707053,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBtrans (pid 28773) conn 0x55fd3b0dee90
[2017/05/24 00:03:40.707199,  3] ../source3/smbd/ipc.c:591(handle_trans)
  trans <\PIPE\> data=164 params=0 setup=2
[2017/05/24 00:03:40.707254,  3] ../source3/smbd/ipc.c:542(named_pipe)
  named pipe command on <> name
[2017/05/24 00:03:40.707302,  3] ../source3/smbd/ipc.c:506(api_fd_reply)
  Got API command 0x26 on pipe "NETLOGON" (pnum 4957)
[2017/05/24 00:03:40.708845,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 349 of length 45 (0 toread)
[2017/05/24 00:03:40.708927,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBclose (pid 28773) conn 0x55fd3b0dee90
[2017/05/24 00:03:40.708983,  3] ../source3/smbd/reply.c:5364(reply_close)
  Close file fd=-1 fnum 18775 (numopen=1)
[2017/05/24 00:03:41.640462,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 76 of length 222 (0 toread)
[2017/05/24 00:03:41.659186,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBtrans (pid 28302) conn 0x55fd3c3d5cd0
[2017/05/24 00:03:41.659319,  3] ../source3/smbd/ipc.c:591(handle_trans)
  trans <\PIPE\> data=136 params=0 setup=2
[2017/05/24 00:03:41.659363,  3] ../source3/smbd/ipc.c:542(named_pipe)
  named pipe command on <> name
[2017/05/24 00:03:41.659392,  3] ../source3/smbd/ipc.c:506(api_fd_reply)
  Got API command 0x26 on pipe "NETLOGON" (pnum 567c)

UPDATE 2
I guess I found the issue: the Aerohive RADIUS server (like FreeRADIUS) uses NTLMv1, which is disabled by default in recent Samba versions.
I'll try to enable NTLMv1 and see if everything works.

« Last Edit: May 24, 2017, 05:35:00 pm by netrace80 »

netrace80

Re: Zentyal 5.0.8 not fully compatible active directory integration
« Reply #1 on: May 24, 2017, 06:46:09 pm »
Yes, it's about NTLMv1 being disabled by default.

I enabled it in the [global] section by putting the following line in /usr/share/zentyal/stubs/samba/smb.conf.mas

ntlm auth = yes

then

zs samba restart


Everything is working well now.

digideus

Re: Zentyal 5.0.8 not fully compatible active directory integration
« Reply #2 on: May 26, 2017, 11:45:14 am »
That's good to know. I've had all sorts of problems integrating Ricoh printers with Zentyal 5, as the version of Samba has changed and the Ricohs don't support it. Not exactly the same issue, I know, but it's always good to know where to look for these things :)

netrace80

Re: Zentyal 5.0.8 not fully compatible active directory integration
« Reply #3 on: May 26, 2017, 04:52:48 pm »
The new Samba already disables lanman auth (sets it to no).

I don't know how and what your issue is, but if it's related to authentication (MSCHAPv2 or LANMAN), it could be because of this.
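
Added example, not part of any post in this thread: a read-only check of the two [global] settings discussed in replies #1 and #3, `ntlm auth` and `lanman auth`, run over a constructed smb.conf. The function names, the sample file and the assumed defaults (both `no` when unset, as the thread describes for recent Samba) are this example's own; the named `ntlm auth` values are accepted only by newer Samba releases, so confirm them in `man smb.conf` for the installed version.

```python
import re

# Meaning of each "ntlm auth" value. "yes"/"no" are the boolean spellings;
# the named values are only accepted by newer Samba releases.
NTLM_AUTH = {
    "yes": "NTLMv1 accepted",
    "ntlmv1-permitted": "NTLMv1 accepted",
    "no": "NTLMv2 only",
    "ntlmv2-only": "NTLMv2 only",
    "mschapv2-and-ntlmv2-only": "NTLMv2, NTLMv1 only when flagged as MSCHAPv2",
    "disabled": "NTLM rejected",
}
TRUE_WORDS = {"yes", "true", "on", "1"}

def global_params(conf_text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:                                 # section header
            section = re.sub(r"\s+", "", m.group(1)).lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(conf_text):
    """Report the effective settings and list the ones that allow weak auth."""
    p = global_params(conf_text)
    ntlm = p.get("ntlmauth", "no").lower()      # assumed default: no
    lanman = p.get("lanmanauth", "no").lower()  # assumed default: no
    weak = []
    if ntlm in ("yes", "ntlmv1-permitted"):
        weak.append("ntlm auth")
    if lanman in TRUE_WORDS:
        weak.append("lanman auth")
    return {"ntlm_auth": ntlm, "weak": weak,
            "ntlm_meaning": NTLM_AUTH.get(ntlm, "unrecognised value")}

# Constructed sample, not taken from the thread.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    ; name spacing and case do not matter
    NTLM  Auth = yes
[homes]
    ntlm auth = no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```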