inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Active Directory join fails because of missing bind DN #8195

Open PejeDK opened 4 months ago

PejeDK commented 4 months ago

Hi

I am experiencing errors when I create an Active Directory Domain (joining) inside packetfence, because anonymous binding is not allowed and somehow packetfence tries with anonymous and not the bind DN of the admin username and password entered in the UI.

With an ldapsearch command line I have to specify the bind options with the full DN of the user, and it connects. I have tested kinit also with success, so it should not be a port issue.

netcat tests on ports 64, 88, 636, 389 are all working.

Is there any way to get this bind setting into the packetfence UI, or is it possible to create the Active Directory domain from the CLI?

The Connection profile part works like a charm; it is only the Active Directory part (Configuration - Policies and Access control - Roles - Active Directory Domains).

I get the following error in the UI

    Unable to add machine account with following error:
    {'result': 1, 'description': 'operationsError', 'dn': '', 'message': '000004DC: 
    LdapErr: DSID-0C09128C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c\x00', 'referrals': None, 'type': 'addResponse'}

I have added LdapEnforceChannelBinding to the registry and set its value to 0, but that did not fix my issue. This was to see if it was the obvious security setting that was the issue. But I do get the same error in my lab with this setting enabled.

This ldapsearch command works:

    ldapsearch -LLL -x -H ldap://192.168.11.11 -W "CN=Peter Jensen,OU=All-Users,OU=domain.dk,DC=domain,DC=local" -b DC=domain,DC=local -D "domain\user"

If I do not add the bind statement I get this error:

    Operations error (1)
    Additional information: 000004DC: LdapErr: DSID-0C090C78, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c

Basically the same error without the bind statement.

I am running the latest packetfence on Debian 11.9 with the latest packetfence version.

I am sure that it is a security feature in Active Directory and the fact that the packetfence UI maybe does not include all the needed settings to work in a hardened Active Directory domain.
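Triage helper for the two error formats quoted above, as an added example (not PacketFence code and not the reporter's): it parses the `LdapErr` diagnostic Active Directory returns, whether it arrives as the `message` field of an ldap3-style result dict (the form PacketFence logs) or as the `Additional information:` line printed by ldapsearch, and tells apart a request sent on an unbound connection (the `000004DC` case in this issue) from a bind that was attempted and rejected. The Win32 code names are from public Microsoft documentation; the sample inputs are constructed from the messages in this thread plus one typical wrong-password response.

```python
"""Classify Active Directory LDAP diagnostics (added example, not PacketFence code)."""
import re

# The 8-hex-digit prefix of an AD diagnostic is a Win32/HRESULT error code.
# Only the codes useful for bind triage are listed (public Microsoft docs).
PREFIX_CODES = {
    0x000004DC: "ERROR_NOT_AUTHENTICATED",  # request sent before a successful bind
    0x80090308: "SEC_E_INVALID_TOKEN",      # bind attempted and rejected
    0x8009030C: "SEC_E_LOGON_DENIED",
}

# When a bind is rejected, the "data" field carries the logon sub-status.
# "data 0" means no sub-status at all.
DATA_CODES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

# DOTALL because log extraction sometimes wraps the comment across lines.
DIAG_RE = re.compile(
    r"(?P<prefix>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)",
    re.DOTALL,
)


def parse_ad_diag(text):
    """Return the fields of the first AD diagnostic found in text, or None."""
    m = DIAG_RE.search(text)
    if not m:
        return None
    return {
        "prefix": int(m["prefix"], 16),
        "dsid": m["dsid"].upper(),
        "comment": " ".join(m["comment"].split()),  # collapse wrapped whitespace
        "data": int(m["data"], 16),
        "version": m["ver"],
    }


def diagnose(text):
    """'unbound', 'bad_credentials:<reason>', 'other:<code>', or None if no diagnostic."""
    d = parse_ad_diag(text)
    if d is None:
        return None
    if d["prefix"] == 0x4DC:
        return "unbound"  # the client never bound, so no credentials were even checked
    if d["data"] in DATA_CODES:
        return "bad_credentials:" + DATA_CODES[d["data"]]
    return "other:" + PREFIX_CODES.get(d["prefix"], "0x%08X" % d["prefix"])


def diagnose_ldap3_result(result):
    """Same classification for an ldap3-style result dict, as PacketFence logs it."""
    if result.get("result") == 0:
        return "ok"
    verdict = diagnose(result.get("message", "").rstrip("\x00"))
    return verdict or "other:" + str(result.get("description"))


# Constructed samples modelled on the messages quoted in this issue.
LDAP3_ADD_RESULT = {
    "result": 1, "description": "operationsError", "dn": "",
    "message": "000004DC: LdapErr: DSID-0C09128C, comment: In order to perform this "
               "operation a successful bind must be completed on the connection., "
               "data 0, v4f7c\x00",
    "referrals": None, "type": "addResponse",
}
LDAPSEARCH_OUTPUT = (
    "Operations error (1)\n"
    "Additional information: 000004DC: LdapErr: DSID-0C090C78, comment: In order to "
    "perform this operation a successful bind must be completed on the connection., "
    "data 0, v4f7c\n"
)
# Constructed: the typical AD response when a bind is attempted with a wrong password.
BAD_PASSWORD_OUTPUT = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 52e, v4563\n"
)

if __name__ == "__main__":
    print("packetfence log :", diagnose_ldap3_result(LDAP3_ADD_RESULT))
    print("ldapsearch      :", diagnose(LDAPSEARCH_OUTPUT))
    print("wrong password  :", diagnose(BAD_PASSWORD_OUTPUT))
```

The distinction the helper draws is the point of this thread: a `000004DC` / `data 0` diagnostic means the add request reached the DC on a connection that was never bound, so the admin credentials typed into the UI were not the thing being rejected; a rejected bind would instead show a `data 52e`-style sub-status.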

FloFaber commented 2 months ago

We have the same issue here. Did you find a solution in the meantime?

PejeDK commented 2 months ago

@FloFaber Unfortunately not, I have tried multiple solutions without any luck.

Guess I am stuck without the AD integration and only the Authentication Source, and not realm and AD.

stgmsa commented 2 months ago

Hi @PejeDK and @FloFaber, can you provide some details when trying to join the domain?

PejeDK commented 2 months ago

@stgmsa The only error I can find in the Packetfence logs is the one provided

    Unable to add machine account with following error:
    {'result': 1, 'description': 'operationsError', 'dn': '', 'message': '000004DC: 
    LdapErr: DSID-0C09128C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c\x00', 'referrals': None, 'type': 'addResponse'}

FloFaber commented 2 months ago

@stgmsa For us it works fine when using the default Computer OU. When using a different OU it fails with the same error already mentioned by @PejeDK.

This reddit user seems to have fixed this issue by disabling LdapEnforceChannelBinding: reddit.com/r/PacketFence/comments/1dh938l/comment/lafhz0x/.

However, this is not an option for us.

PejeDK commented 2 months ago

@FloFaber That reddit post does not work for us either.

That reddit user is working on the same system as this one :-) It worked on the test system, but not in production. I disabled the binding requirement, joined packetfence and enabled it again, and it worked.

But the production system did not have the same result in either packetfence or with the ldapsearch command. I still needed the bind for it to work.

stgmsa commented 2 months ago

What PacketFence version were you using when hitting this error? And which Windows Server version?

PejeDK commented 2 months ago

I am running latest packetfence on debian 11.9 with packetfence version 13.2. Tested on Windows 2016 and Windows 2019 domains.

andrew-grasso commented 2 months ago

I ran into this problem trying to upgrade from 13.0 to 13.2. After upgrading I was no longer a member of the domain, and wasn't able to rejoin.

I was getting the same error when attempting to re-sync the machine account by setting a new Machine account Password and providing the "Domain administrator username" and "Domain administrator password" on the Domain Edit screen under Configuration>Policies and Access Control>Domains>Active Directory Domains. As with others, my OU is also different from the default Computers OU.

I was not able to test disabling LdapEnforceChannelBinding at the time and instead rolled back to 13.0.

FloFaber commented 2 months ago

The domain join seems to work in Packetfence 13.1. However, when specifying a custom Computer OU the computer object gets created in the default Computer OU. But the domain trust is not affected when moving the Computer Object into the correct OU after joining.

So it seems the issue lies somewhere between 13.1 and 13.2.