Barracuda NextGen Firewall X

Requirements for a successful MS-CHAP domain join

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00005263 
 
Scope:
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x

 
Symptoms:

Which requirements are needed for a successful domain join with MS-CHAP?


 
Solution:

Several settings must be in place for MS-CHAP authentication to work.

 

Configuration at "Config" > "Box" > "Infrastructure Service" > "Authentication Service":

- The "MS-CHAP" authentication configuration must use the "MSAD" helper scheme;

- The "MSAD" authentication configuration must set the option "Use MSAD-groups with NTLM" to "yes";

- If more than one AD server is configured in the MSAD scheme, only the first one is used for MS-CHAP;

- The MSAD server IP, the MSCHAP server IP and the WINS server IP are normally identical;

- The MSAD/MSCHAP/WINS server and the NG firewall must have the same system time;

- Use the MSAD server itself as the DNS server for your NG firewall if possible;


Checking the firewall history and command line interface:

- There must be no communication drops or timeouts between the box and the AD server(s) on ports 389 and 3268;

- The NG firewall must be able to resolve the MSAD/MSCHAP/WINS server (forward and reverse direction):

  ping <IP of MSAD/MSCHAP/WINS server>
  host <hostname of MSAD/MSCHAP/WINS server>

- The MSAD/MSCHAP/WINS server must be able to resolve the NG firewall (forward and reverse direction):

  ping <IP of the NG firewall>
  nslookup <hostname of the NG firewall>

 

- The command "hostname -fi" must return the IP address that the DNS record of the firewall points to;

- The NG firewall must be able to resolve the following FQDN: _ldap._tcp.dc._msdcs.<domain-realm>
  Check this with the following commands on the box:

  nslookup
    set type=srv
    _ldap._tcp.dc._msdcs.<domain-realm>

  You should see an answer like this:

  _ldap._tcp.dc._msdcs.<domain-realm> service = 0 100 389 <FQDN of MSCHAP server>
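The following pre-flight script is an added example, not Barracuda's own code: it automates the resolution checks above (DC forward/reverse lookup, "hostname -fi" against the box's own A record, and the _ldap._tcp.dc._msdcs SRV answer) so they can be run in one go before attempting the join. It assumes host, nslookup and hostname are available on the box; <realm> and <dc-fqdn> are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example, not Barracuda's own code: pre-flight checks for the DNS
# requirements listed above, run on the firewall box before the domain join.
# Assumes host, nslookup and hostname are available; <realm> and <dc-fqdn>
# are placeholders supplied as arguments.

# Print "<port> <target>" from an nslookup SRV answer of the form shown above,
#   _ldap._tcp.dc._msdcs.example.local service = 0 100 389 dc1.example.local.
# Only the first record is used; a trailing dot on the target is stripped.
parse_srv_answer() {
    awk '/service = / { sub(/\.$/, "", $NF); print $(NF-1), $NF; exit }'
}

# Succeeds when the SRV answer ($1) advertises LDAP on port 389 with a target.
srv_points_to_ldap() {
    set -- $(printf '%s\n' "$1" | parse_srv_answer)
    [ "${1:-}" = "389" ] && [ -n "${2:-}" ]
}

# Query _ldap._tcp.dc._msdcs.<realm> exactly as above (nslookup, type=srv).
check_dc_locator() {
    out="$(printf 'set type=srv\n_ldap._tcp.dc._msdcs.%s\n' "$1" | nslookup 2>/dev/null)"
    srv_points_to_ldap "$out"
}

# The DC must resolve forward (name -> address) and reverse (address -> name).
check_dc_resolution() {
    addr="$(host "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }')"
    [ -n "$addr" ] && host "$addr" >/dev/null 2>&1
}

# "hostname -fi" must return the address the box's own DNS A record points to.
check_own_address() {
    own="$(hostname -fi 2>/dev/null | awk '{ print $1 }')"
    dns="$(host "$(hostname -f)" 2>/dev/null | awk '/has address/ { print $NF; exit }')"
    [ -n "$own" ] && [ "$own" = "$dns" ]
}

# Run the live checks only when called as: sh preflight.sh <realm> <dc-fqdn>
if [ -n "${2:-}" ]; then
    rc=0
    check_dc_locator "$1"    && echo "DC locator SRV record: ok"  || { echo "DC locator SRV record: FAILED"; rc=1; }
    check_dc_resolution "$2" && echo "DC forward/reverse DNS: ok" || { echo "DC forward/reverse DNS: FAILED"; rc=1; }
    check_own_address        && echo "own address vs DNS: ok"     || { echo "own address vs DNS: FAILED"; rc=1; }
    exit $rc
fi
```

A non-zero exit means at least one prerequisite is not met; fix the reported item before running "net ads join".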

 

- Sometimes, after failed domain joins, a "hard" reset of the configuration stored on the box is necessary. To do so, enter the following commands in the CLI:

 

  rm -rf /var/lib/samba/*
  mkdir /var/lib/samba/private
  chmod 700 /var/lib/samba/private
  mkdir /var/lib/samba/winbindd_privileged
  chmod 750 /var/lib/samba/winbindd_privileged
  chgrp logs /var/lib/samba/winbindd_privileged
  mkdir /var/lib/samba/scripts
  /etc/init.d/winbind restart
  phionctrl box block phibs

  

- Ensure that no winbind processes are still running:

  ps -A | grep winbind

  If any are listed, kill them and start the service again:

  killall -9 winbind
  phionctrl box start phibs

  You also have to delete the computer account that was created in your MS-AD.

 

- If the domain join still fails, perform the "hard reset" described above and join the box with debugging enabled. Use the command below, then analyse netjoin.txt, which is written to your current working directory:

  net ads join -U <join-user>%<join-password> -d 5 >& netjoin.txt

- Another approach, if it still fails, is to specify the IP address of the domain controller explicitly:

  net ads join -I <DC-IP> -U <join-user>%<join-password> -d 5 >& netjoin.txt

 

 

Link to This Page:
https://campus.barracuda.com/solution/50160000000IKauAAG