- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
Which requirements are needed for a successful domain join with MS-CHAP?
There are several settings needed to provide a working MS-CHAP authentication.
Configuration at "Config" > "Box" > "Infrastructure Service" > "Authentication Service":
- The "MS-CHAP" authentication configuration must use the "MSAD" helper scheme;
- The "MSAD" authentication configuration must set the option "Use MSAD-groups with NTLM" to "yes";
- If more than one AD server is configured in the MSAD scheme, only the first one is used for MS-CHAP;
- The MSAD server IP, the MS-CHAP server IP and the WINS server IP are normally identical;
- The MSAD/MSCHAP/WINS server and the NG firewall must have the same system time;
- Use the MSAD server itself as the DNS server for your NG firewall if possible;
Checking the firewall history and command line interface:
- There must be no communication drops or timeouts between the box and the AD server(s) on ports 389 and 3268;
- The NG firewall must be able to resolve the MSAD/MSCHAP/WINS server (forward and reverse direction);
ping <IP of MSAD/MSCHAP/WINS server>
host <hostname of MSAD/MSCHAP/WINS server>
- The MSAD/MSCHAP/WINS server must be able to resolve the NG firewall (forward and reverse direction);
ping <IP of the NG firewall>
nslookup <hostname of the NG firewall>
- The command "hostname -fi" must return the IP that the DNS record points to;
- The NG firewall must be able to resolve the following FQDN: _ldap._tcp.dc._msdcs.<domain-realm>
Check this with the following commands on the box:
nslookup
set type=srv
_ldap._tcp.dc._msdcs.<domain-realm>
You should see an answer like this:
_ldap._tcp.dc._msdcs.<domain-realm> service = 0 100 389 <FQDN of MSCHAP server>
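The following script is an added example, not Barracuda's own tooling: it wraps the DNS, SRV and system-time requirements listed above into checks that can be run against captured command output or, with "--run", live on the box. The 300-second clock tolerance, the "net time -S" output format and the file name precheck.sh are assumptions.

```shell
#!/bin/sh
# Added example, not Barracuda's own tooling: helpers for the DNS, SRV and time
# requirements above; testable offline on captured output, or live via "--run".

# Read "set type=srv" nslookup output on stdin; print "<port> <target>" of the
# first _ldap._tcp.dc._msdcs answer (only the first DC is used for MS-CHAP).
parse_ldap_srv() {
    awk '/_ldap\._tcp\.dc\._msdcs\./ && /service = / {
        split(substr($0, index($0, "service = ") + 10), f, " ")
        sub(/\.$/, "", f[4])                # strip the trailing dot
        print f[3], f[4]; exit
    }'
}
# True when the SRV answer names LDAP port 389 on a non-empty target.
srv_points_to_ldap() {
    set -- $(printf '%s\n' "$1" | parse_ldap_srv)
    [ "$#" -eq 2 ] && [ "$1" = "389" ] && [ -n "$2" ]
}
# $1: "hostname -fi" output, $2: "host <fw-fqdn>" output (forward record).
local_ip_matches_dns() {
    dns_ip=$(printf '%s\n' "$2" | awk '/has address/ { print $NF; exit }')
    [ -n "$dns_ip" ] && [ "$(printf '%s' "$1" | awk '{ print $1 }')" = "$dns_ip" ]
}
# $1: "host <fw-ip>" output, $2: expected firewall FQDN (reverse record).
reverse_matches_fqdn() {
    ptr=$(printf '%s\n' "$1" | awk '/domain name pointer/ { print $NF; exit }')
    [ "${ptr%.}" = "$2" ]
}
# $1: box epoch seconds, $2: DC epoch seconds, $3: allowed skew (assumed 300 s,
# the usual Kerberos tolerance; the article only says "same system time").
clock_skew_ok() {
    d=$(( $1 - $2 )); [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "${3:-300}" ]
}
# Live run on the box: sh precheck.sh --run <domain-realm> <fw-fqdn> <dc-ip>
# (assumes "net time -S <dc-ip>" prints a date that GNU "date -d" can parse).
main() {
    srv=$(printf 'set type=srv\n_ldap._tcp.dc._msdcs.%s\n' "$1" | nslookup 2>&1)
    srv_points_to_ldap "$srv" && echo "OK   SRV" || echo "FAIL SRV"
    local_ip_matches_dns "$(hostname -fi)" "$(host "$2")" \
        && echo "OK   forward DNS" || echo "FAIL forward DNS"
    reverse_matches_fqdn "$(host "$(hostname -fi | awk '{ print $1 }')")" "$2" \
        && echo "OK   reverse DNS" || echo "FAIL reverse DNS"
    clock_skew_ok "$(date +%s)" "$(date -d "$(net time -S "$3")" +%s)" \
        && echo "OK   clock" || echo "FAIL clock"
}
if [ "${1-}" = "--run" ]; then shift; main "$@"; fi
```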
- Sometimes, after failed domain joins, a "hard" reset of the configuration stored on the box is necessary. To do so, enter the following commands in the CLI:
rm -rf /var/lib/samba/*
mkdir /var/lib/samba/private
chmod 700 /var/lib/samba/private
mkdir /var/lib/samba/winbindd_privileged
chmod 750 /var/lib/samba/winbindd_privileged
chgrp logs /var/lib/samba/winbindd_privileged
mkdir /var/lib/samba/scripts
/etc/init.d/winbind restart
phionctrl box block phibs
- Ensure that there are no winbind-processes running:
ps -A | grep winbind
... if any are listed, kill them:
killall -9 winbind
phionctrl box start phibs
You also have to delete the computer account that was created in your MS AD.
- If the domain join is still not successful, perform the "hard reset" described above and join the box with debugging enabled. To do so, use the command below; afterwards analyse netjoin.txt, which is now located in your working directory.
net ads join -U <join-user>%<join-password> -d 5 >& netjoin.txt
- Another option if that still fails:
net ads join -I <DC-IP> -U <join-user>%<join-password> -d 5 >& netjoin.txt