Open PejeDK opened 4 months ago
We have the same issue here. Did you find a solution in the meantime?
@FloFaber Unfortunately not, I have tried multiple solutions without any luck.
Guess I am stuck without the AD integration and only the Authentication Source, and not realm and AD.
Hi @PejeDK and @FloFaber, can you provide some details when trying to join the domain?
@stgmsa The only error I can find in PacketFence logs is the one provided:
Unable to add machine account with following error:
{'result': 1, 'description': 'operationsError', 'dn': '', 'message': '000004DC:
LdapErr: DSID-0C09128C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c\x00', 'referrals': None, 'type': 'addResponse'}
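Added example (not code from this thread or from PacketFence): a small Python triage helper that cuts the LDAP response quoted above out of a PacketFence log line and decodes the Active Directory diagnostic message into its parts (Win32 code, DSID, comment, data subcode). The log line is constructed from the error in this thread; the name for 0x4DC (ERROR_NOT_AUTHENTICATED, decimal 1244) comes from the Windows error code table, and the `unauthenticated` flag is this example's own heuristic.

```python
import ast
import re

# Constructed sample: one PacketFence log line carrying the LDAP response quoted in this issue.
SAMPLE_LOG_LINE = (
    "Unable to add machine account with following error: "
    "{'result': 1, 'description': 'operationsError', 'dn': '', 'message': '000004DC: "
    "LdapErr: DSID-0C09128C, comment: In order to perform this operation a successful "
    "bind must be completed on the connection., data 0, v4f7c\\x00', 'referrals': None, "
    "'type': 'addResponse'}"
)

# Win32 error code AD places at the front of its diagnostic message (0x4DC = decimal 1244).
WIN32_NAMES = {0x4DC: "ERROR_NOT_AUTHENTICATED"}

# AD diagnostic layout: <win32 hex>: LdapErr: DSID-<hex>, comment: <text>, data <hex>, v<hex>
AD_DIAG = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

def parse_response(log_line: str) -> dict:
    # The log prints the response as a Python dict repr; cut it out and evaluate it safely.
    start, end = log_line.index("{"), log_line.rindex("}") + 1
    return ast.literal_eval(log_line[start:end])

def triage(log_line: str) -> dict:
    resp = parse_response(log_line)
    m = AD_DIAG.match(resp["message"].rstrip("\x00"))  # AD terminates the message with NUL
    if m is None:
        raise ValueError("not an AD-style diagnostic message: %r" % resp["message"])
    code = int(m["code"], 16)
    return {
        "ldap_result": resp["result"],            # 1 = operationsError
        "ldap_description": resp["description"],
        "win32_code": code,
        "win32_name": WIN32_NAMES.get(code, "unknown"),
        "dsid": m["dsid"].upper(),
        "comment": m["comment"],
        "data": int(m["data"], 16),
        # Heuristic: 0x4DC or the "successful bind" comment means the add reached the DC
        # with no completed bind, so the bind step (credentials, LDAPS/SASL, channel binding)
        # is where to look before loosening server-side requirements.
        "unauthenticated": code == 0x4DC or "successful bind" in m["comment"],
    }
```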
@stgmsa For us it works fine when using the default Computer OU. When using a different OU it fails with the same error already mentioned by @PejeDK.
This reddit user seems to have fixed this issue by disabling LdapEnforceChannelBinding: reddit.com/r/PacketFence/comments/1dh938l/comment/lafhz0x/.
However, this is not an option for us.
@FloFaber That Reddit post does not work for us either.
That Reddit user is working on the same system as this one :-) It worked on the test system, but not in production. I disabled the binding requirement, joined PacketFence and enabled it again, and it worked.
But the production system did not have the same result in either PacketFence or with the ldapsearch command. I still needed the bind for it to work.
What PacketFence version were you using when hitting this error? And which Windows Server version?
I am running the latest PacketFence (version 13.2) on Debian 11.9. Tested on Windows 2016 and Windows 2019 domains.
I ran into this problem trying to upgrade from 13.0 to 13.2. After upgrading I was no longer a member of the domain, and wasn't able to rejoin.
I was getting the same error when attempting to re-sync the machine account by setting a new Machine account Password and providing the "Domain administrator username" and "Domain administrator password" on the Domain Edit screen under Configuration>Policies and Access Control>Domains>Active Directory Domains. As with others, my OU is also different from the default Computers OU.
I was not able to test disabling LdapEnforceChannelBinding at the time and instead rolled back to 13.0.
The domain join seems to work in PacketFence 13.1. However, when specifying a custom Computer OU the computer object gets created in the default Computer OU. But the domain trust is not affected when moving the Computer Object into the correct OU after joining.
So it seems the issue lies somewhere between 13.1 and 13.2.
Hi
I am experiencing errors when I create an Active Directory Domain (joining) inside PacketFence, because anonymous binding is not allowed and somehow PacketFence tries with anonymous and not the bind DN of the admin username and password entered in the UI.
With an ldapsearch command line I have to specify the bind options with the full DN of the user, and it connects. I have tested kinit also with success, so it should not be a port issue.
netcat tests on port 64, 88, 636, 389 are all working.
Is there any way to get this bind setting into the PacketFence UI, or is it possible to create the Active Directory domain from the CLI?
The Connection profile part works like a charm; it is only the Active Directory part (Configuration - Policies and Access control - Roles - Active Directory Domains).
I get the following error in the UI:
I have added LdapEnforceChannelBinding to the registry and set its value to 0, but that did not fix my issue. This was to see if it was the obvious security setting that was the issue. But I do get the same error in my lab with this setting enabled.
This ldapsearch command works:
If I do not add the bind statement I get this error:
Basically the same error without the bind statement.
I am running the latest PacketFence on Debian 11.9 with the latest PacketFence version.
I am sure that it is a security feature in Active Directory and the fact that the PacketFence UI maybe does not include all the needed settings to work in a hardened Active Directory domain.