VPN with AD authentication
ultimoblaze
Joined: 30 Oct 2013
Posts: 14

Posted: Tue Oct 13, 2015 11:09 pm    Post subject: VPN with AD authentication

Hi,

I'm trying to set up Zeroshell OpenVPN using my local domain controller for user authentication. I just don't understand how to do it. Can anybody walk me through the steps?


Thanks,
Ultimoblaze
gordonf
Joined: 26 Feb 2012
Posts: 89

Posted: Wed Oct 14, 2015 1:16 pm    Post subject: Would like help here myself

I've managed to make some third-party things authenticate against Active Directory using Lightweight Directory Access Protocol. For instance I got Openfire Chat to work, and I got some photocopiers to allow access based on AD accounts. Zeroshell isn't as straightforward; my first attempt didn't work well.

I think (though I don't know) that you could use either LDAP or Kerberos Protocol, but not both. You would make the local LDAP or Kerberos server a proxy for your Active Directory domain, much like you could make ZS DNS use your domain controllers as DNS forwarders. Actually, making K5 or LDAP work right would first require making DNS forwarding work, at least for your AD domain.
ultimoblaze
Joined: 30 Oct 2013
Posts: 14

Posted: Thu Oct 22, 2015 11:43 pm

I've gotten the DNS forwarding to work. That wasn't as difficult to figure out. I'm a novice though at authentication protocols. I don't understand how to get the cross authentication to work.

My configuration is as follows. The Zeroshell box has the K5 realm as ABC.com. Its hostname is zeroshell. The LDAP base is dc=ABC,dc=com. I don't understand what each of these do, other than hostname. My AD domain is ABC.com and the AD controller is server1.ABC.com.

Given this information, how can I have the zeroshell box accept OpenVPN connections authenticated against the AD accounts? Is there something I have to do on the AD controller side?


Thanks,
Ultimoblaze
ultimoblaze
Joined: 30 Oct 2013
Posts: 14

Posted: Fri Jan 15, 2016 1:34 am

I found out I need to create a trust relationship on the AD side. I did this and entered the same password as on the Zeroshell machine. I still cannot get it to authenticate against the AD though. Has anybody done this successfully?


Thanks,
Ultimoblaze
ultimoblaze
Joined: 30 Oct 2013
Posts: 14

Posted: Fri Jan 29, 2016 8:56 pm

Here is some more information. First are my realm setup and cross authentication setup. Then my VPN setup and then the VPN log when trying to login.

Code:
15:47:38    Re-using SSL/TLS context
15:47:38    LZO compression initialized
15:47:38    TCP connection established with 24.33.70.89:56504
15:47:38    TCPv4_SERVER link local: [undef]
15:47:38    TCPv4_SERVER link remote: 24.33.70.89:56504
15:47:40    24.33.70.89:56504 [administrator@SLI.COM] Trying Kerberos 5 (Trusted KDC) authentication
15:47:40    24.33.70.89:56504 [administrator@SLI.COM] Kerberos 5 authentication failed: host/zeroshell.sli.lan@SLI.LAN: Server not found in Kerberos database while getting credentials
15:47:40    24.33.70.89:56504 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 11
15:47:40    24.33.70.89:56504 TLS Auth Error: Auth Username/Password verification failed for peer


Does anybody have any suggestions?

Thanks,
Ultimoblaze
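An added example, not from the thread or from Zeroshell: a small Python parser for the "Kerberos 5 authentication failed" line in the log quoted above. It pulls out the user's realm, the service principal the VPN server requested a ticket for, and the KDC's reason, and turns them into troubleshooting hints (for instance, the quoted log shows a user in one realm and a host principal in another). The sample lines are constructed to match the quoted format, with the peer address replaced by a documentation-range placeholder.

```python
import re
from collections import Counter

# Constructed sample, following the format of the Zeroshell OpenVPN log quoted in the thread
# (the peer address is a documentation-range placeholder, not the original).
SAMPLE_LOG = """\
15:47:40    203.0.113.5:56504 [administrator@SLI.COM] Trying Kerberos 5 (Trusted KDC) authentication
15:47:40    203.0.113.5:56504 [administrator@SLI.COM] Kerberos 5 authentication failed: host/zeroshell.sli.lan@SLI.LAN: Server not found in Kerberos database while getting credentials
15:47:40    203.0.113.5:56504 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 11
15:47:40    203.0.113.5:56504 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# One pattern for the failure line: who tried to log in (user@realm), which service
# principal the ticket request was for, and the reason the KDC gave.
KRB_FAIL = re.compile(
    r"^(?P<time>\S+)\s+(?P<peer>\S+)\s+\[(?P<user>[^@\]]+)@(?P<user_realm>[^\]]+)\]\s+"
    r"Kerberos 5 authentication failed:\s+(?P<service>[^@\s]+)@(?P<service_realm>[^:\s]+):\s+(?P<reason>.+)$"
)


def parse_kerberos_failures(log_text):
    """Return one dict (time, peer, user, user_realm, service, service_realm, reason) per failure line."""
    failures = []
    for line in log_text.splitlines():
        match = KRB_FAIL.match(line)
        if match:
            failures.append(match.groupdict())
    return failures


def diagnose(failure):
    """Turn one parsed failure into troubleshooting hints; it changes nothing itself."""
    hints = []
    if failure["user_realm"].upper() != failure["service_realm"].upper():
        hints.append(
            f"cross-realm request: user is in {failure['user_realm']}, service principal "
            f"{failure['service']} is in {failure['service_realm']}; the trust between the two "
            "realms has to be configured on both sides"
        )
    if "not found in Kerberos database" in failure["reason"]:
        # KDC reply meaning it has no entry for the requested service principal.
        hints.append(
            f"the KDC that answered has no entry for {failure['service']}@{failure['service_realm']}; "
            "check that this host principal exists in that realm and matches the VPN server's FQDN"
        )
    return hints


def summarize(log_text):
    """Count failures per (user realm, service realm, reason) for a quick overview of a larger log."""
    return Counter((f["user_realm"], f["service_realm"], f["reason"]) for f in parse_kerberos_failures(log_text))
```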
All times are GMT