Discussion:
[PacketFence-users] packetfence registering devices
Grant Hathaway
2017-01-23 11:25:01 UTC
Hello,

Thanks in advance to anyone who can help me.

AD is successfully added as a user source and there are basic rules added. The rule conditions are for AD group membership, so if an AD user account is in a group which matches the rule then it's assigned a role.
We are only interested in 802.1x wired connections, not wifi; the portal profile is set as the default (not sure if I need to change this to automatically register devices?)

If I connect a Windows client to the PacketFence switch, the device appears in PacketFence as "unregistered", so it appears it's not registering the user/device based on the roles.

So the rules aren't working and I'm unsure how to troubleshoot it further. I noticed that our domain isn't added in Radius/Domains and I get an error "Test join failed". Could this be the reason why it's failing?

I used the pftest script to check the authentication and I get the below output.

[***@PacketFence-6_4_0 ~]# sudo /usr/local/pf/bin/pftest authentication my_domain_user "password"
Testing authentication for " my_domain_user "

Authenticating against local
Authentication FAILED against local (Invalid login or password)
Did not match against local
Did not match against local

Authenticating against file1
Authentication FAILED against file1 ()
Did not match against file1
Did not match against file1

Authenticating against sms
Authentication FAILED against sms ()
Matched against sms for 'authentication' rules
set_role : guest
set_access_duration : 1D
Did not match against sms

Authenticating against email
Authentication SUCCEEDED against email ()
Matched against email for 'authentication' rules
set_role : guest
set_access_duration : 1D
Did not match against email

Authenticating against sponsor
Authentication SUCCEEDED against sponsor ()
Matched against sponsor for 'authentication' rules
set_role : guest
set_access_duration : 1D
Did not match against sponsor

Authenticating against null
Authentication SUCCEEDED against null ()
Matched against null for 'authentication' rules
set_role : guest
set_access_duration : 1D
Did not match against null

Authenticating against AD
Authentication FAILED against AD (Invalid login or password)
Did not match against AD
Did not match against AD

Grant Hathaway
Network and Infrastructure Analyst

Certas Energy UK Limited
The Switch
1-7 The Grove - Slough - SL1 1QP
Phone : 01753756965 - Mobile : 07920075818
***@certasenergy.co.uk

Fabrice Durand
2017-01-23 14:20:15 UTC
Hello Grant,

For the portal:

First, I recommend creating a portal profile with a filter connection
type = Ethernet-EAP and adding your AD source to this profile.

Next enable autoregistration on this portal.

For 802.1x:

You have to fix your issue with "Test join failed".

Check in AD whether the PacketFence server appears (if so, remove it), and
check that you have enabled ip_forward on the PF server.

Check that you are able to reach the AD DNS server from PacketFence.

And retry.

For the pftest:

It's not normal that an LDAP bind isn't working. What you can do is
capture the LDAP traffic and check what the AD's answer is when you
run the pftest command.

Regards

Fabrice
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
***@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Grant Hathaway
2017-01-24 09:54:26 UTC
Hello Fabrice,

Thank you for this... I'm still struggling to get past adding the Domain.

Done - First, I recommend creating a portal profile with a filter connection type = Ethernet-EAP and adding your AD source to this profile.

Done - Next enable autoregistration on this portal.

For 802.1x:

Can you advise how I troubleshoot this further? Is there a log file for the domain join? - You have to fix your issue with "Test join failed".

The following file from the PF administration guide doesn't exist when I check: "In order to troubleshoot unsuccessful binds, please refer to the following file : /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain>"

The computer account isn't in AD and ip_forward was already enabled - Check in AD whether the PacketFence server appears (if so, remove it), and check that you have enabled ip_forward on the PF server.
From PF, the IP address and name resolve for the AD/DNS server - Check that you are able to reach the AD DNS server from PacketFence.
And retry.

For the pftest:

I will look into this - It's not normal that an LDAP bind isn't working. What you can do is capture the LDAP traffic and check what the AD's answer is when you run the pftest command.
Regards,



Grant Hathaway
2017-01-24 15:35:34 UTC
Hello

Further to this, and probably related to the domain join issue, I receive the below error in chroots/domain/var/log/sambaDOMAIN/log.winbindd:

[2016/12/12 06:42:09.877160, 0] winbindd/winbindd_cache.c:3204(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2016/12/12 06:42:09.878252, 0] winbindd/winbindd_util.c:630(init_domain_list)
Could not fetch our SID - did we join?
[2016/12/12 06:42:09.878410, 0] winbindd/winbindd.c:1142(winbindd_register_handlers)
unable to initialize domain list
[2016/12/12 06:43:21, 0] winbindd/winbindd.c:1382(main)

Any ideas?

Thanks




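As an added example (not code from this thread or from the PacketFence project), a read-only pre-flight script that checks the join prerequisites Fabrice lists (ip_forward on the PF server, AD DNS reachability), scans the chroot winbindd log for the "did we join?" failure Grant posted, and reads the per-source verdict out of saved pftest output. The default paths, the use of host(1), and the pftest output layout are assumptions based only on the lines quoted in this thread.

```shell
#!/bin/sh
# Added pre-flight check for a PacketFence domain join (example code, not the
# project's own). Default paths and the use of host(1) are assumptions; pass
# file paths explicitly to run the checks against copied files.

# Check 1: ip_forward must be enabled on the PF server.
# $1: sysctl file to read (defaults to the live kernel value).
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Check 2: the AD DNS server must answer the DC locator query for the domain.
# $1: AD DNS domain, $2: AD DNS server address. Assumes host(1) is installed.
ad_dns_reachable() {
    host -t SRV "_ldap._tcp.dc._msdcs.$1" "$2" >/dev/null 2>&1
}

# Check 3: the winbindd log inside the domain chroot (path as quoted from the
# admin guide in this thread) must not show the "did we join?" failure.
# $1: domain name as configured under Radius/Domains.
winbindd_log_path() {
    printf '/chroots/%s/var/log/samba%s/log.winbindd\n' "$1" "$1"
}

# $1: winbindd log file. Succeeds when the log shows the join never happened.
winbindd_join_failed() {
    grep -q -e 'Could not fetch our SID - did we join?' \
            -e 'unable to initialize domain list' "$1"
}

# Check 4: per-source verdict from saved `pftest authentication` output.
# $1: file holding the pftest output, $2: source name (e.g. AD).
# Prints SUCCEEDED or FAILED for that source, nothing if the source is absent.
pftest_result() {
    sed -n "s/^Authentication \([A-Z]*\) against $2 .*/\1/p" "$1" | head -n 1
}

# Run the join checks and print one line per finding. $1: domain, $2: DNS server.
domain_join_preflight() {
    log=$(winbindd_log_path "$1")
    if ip_forward_enabled; then echo "ok   ip_forward enabled"
    else echo "FAIL ip_forward disabled (sysctl net.ipv4.ip_forward)"; fi
    if ad_dns_reachable "$1" "$2"; then echo "ok   DC SRV records resolve via $2"
    else echo "FAIL no DC SRV answer from $2 for $1"; fi
    if [ ! -r "$log" ]; then
        echo "WARN $log not found: the join has not created the chroot yet"
    elif winbindd_join_failed "$log"; then
        echo "FAIL winbindd has no domain SID: the join never completed"
    else
        echo "ok   winbindd log shows no join failure"
    fi
}

# Usage: sh preflight.sh <domain> <ad-dns-server>
if [ $# -ge 2 ]; then
    domain_join_preflight "$1" "$2"
fi
```

A "WARN ... not found" result matches Grant's first observation (the guide's log path did not exist yet), while the "FAIL winbindd has no domain SID" line corresponds to the log he posted afterwards.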