Hello Steven,

On the PacketFence side, it’s the winbindd process that is responsible for that AD 
bind. You need to check if everything is ok with that service with:

systemctl status packetfence-winbindd

Then without restarting the process, when it does not work you can try that 
command:

chroot /chroots/DOMAIN_NAME/ ntlm_auth --username=bob --password=bob

It should give something like this:

NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)

If you don’t have that, it means that your AD connection between PF and the AD 
is broken and thus no 802.1x would work.

We have seen that most of the time, it’s a change on the AD side where the 
PacketFence server object in the AD is moved or altered.

You can restart winbindd as well and it can fix the issue, you probably don’t 
need to re-join it to fix it.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:
<https://community.akamai.com/>
<http://blogs.akamai.com/>
<https://twitter.com/akamai>
<http://www.facebook.com/AkamaiTechnologies>
<http://www.linkedin.com/company/akamai-technologies>
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>
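The two checks in the reply above (service state, then the chrooted ntlm_auth probe) and the "Reading winbind reply failed" signature from the radius log in the original post, put together as one small health-check script. This is an added example for this thread, not PacketFence's own tooling; DOMAIN_NAME, PROBE_USER and PROBE_PASS are placeholders you set for your own chroot and a throwaway account that is not expected to exist in AD. It goes slightly beyond the reply in treating any NT_STATUS_* answer (NO_SUCH_USER, WRONG_PASSWORD, OK) as proof that winbindd reached a domain controller, since all of them mean the winbind pipe worked.

```shell
#!/bin/sh
# Added example: health check for the PacketFence <-> AD winbind path described
# in the reply above. Not part of PacketFence; written for this thread.
# Assumptions (placeholders): DOMAIN_NAME matches the /chroots/<DOMAIN_NAME>/
# directory, PROBE_USER/PROBE_PASS are a bogus account that should NOT exist.

DOMAIN_NAME="${DOMAIN_NAME:-EXAMPLE}"   # placeholder; your joined domain's chroot name
PROBE_USER="${PROBE_USER:-bob}"         # same probe account as in the reply
PROBE_PASS="${PROBE_PASS:-bob}"

# classify_ntlm_reply LINE
# Interpret the first line of ntlm_auth output:
#   ok      - any NT_STATUS_* answer: winbindd talked to a DC. NO_SUCH_USER for a
#             bogus account is the healthy result the reply describes.
#   broken  - "Reading winbind reply failed": winbindd never answered; this is
#             what the radius log in the original post shows, and 802.1X fails.
#   unknown - anything else (empty output, chroot missing, ...)
classify_ntlm_reply() {
    case "$1" in
        NT_STATUS_*)                      echo ok ;;
        *"Reading winbind reply failed"*) echo broken ;;
        *)                                echo unknown ;;
    esac
}

# count_winbind_failures < radius-log-lines
# Detection side: how many MSCHAP attempts died on the winbind pipe.
count_winbind_failures() {
    grep -c 'winbind reply failed' || true
}

# winbindd_state: systemd's view of the service the reply says to check first
# (prints active / inactive / failed, or nothing if systemctl is unavailable).
winbindd_state() {
    systemctl is-active packetfence-winbindd 2>/dev/null || true
}

# probe_domain: run the chrooted ntlm_auth probe from the reply and classify it.
# Needs root on a PacketFence host; only called with --live below.
probe_domain() {
    reply="$(chroot "/chroots/${DOMAIN_NAME}/" ntlm_auth \
        --username="${PROBE_USER}" --password="${PROBE_PASS}" 2>&1 | head -n 1 || true)"
    classify_ntlm_reply "$reply"
}

# Constructed sample: the radius log lines quoted in the original post.
SAMPLE_RADIUS_LOG="May 21 16:09:13 packetfence auth[11877]: Adding client 10.1.247.26/32
May 21 16:09:13 packetfence auth[11877]: (330510) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
May 21 16:09:13 packetfence auth[11877]: (330510)   Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [host/8CG7111XXX.redacted.domain] (from client 10.1.247.26/32 port 1 cli 00:28:f8:44:c7:8f via TLS tunnel)
May 21 16:09:13 packetfence auth[11877]: (330511) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/8CG7111XXX.redacted.domain]"

# Only touch the live system when asked:  sh winbind_check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "packetfence-winbindd: $(winbindd_state)"
    echo "AD bind probe:        $(probe_domain)"
    echo "winbind failures in radius.log: $(count_winbind_failures < /usr/local/pf/logs/radius.log)"
fi
```

Run it with --live on the PacketFence host when 802.1X starts failing; a "broken" probe together with an "active" service state matches the situation in the thread, where winbindd is running but no longer answering and a restart of winbindd (not a re-join) is the first thing to try. Pointing the last line at the rotated (compressed) logs, or running the count from cron, turns the same pattern into an alert before users call.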

> On May 23, 2023, at 2:47 PM, Steven Spangle via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hello, looking for some assistance as I’m running into an issue that I’m not 
> sure how to proceed researching the cause of.  Sorry for the wall of text, 
> but want to provide as much information as I can! 
>  
> We’ve been using Packetfence for a few years now (around June 2020, since 
> Cisco ACS went EOL) and sometime last year we started having issues where the 
> connection to AD would stop working.  We would notice it first because 802.1x 
> authentication would start failing and we’d get calls from users unable to 
> connect.  When this was happening, I would go into the GUI and check Policies 
> and Access Control-Active Directory Domains-Our Domain and could see it 
> attempting to update the Domain Join field for a couple of minutes before 
> failing.  I could not get it to reconnect even with proper credentials until 
> I restarted the Packetfence server, after which I could go in and provide 
> credentials and it would reconnect fine.  I believe initially this was 
> because we set up password expiration for the root account, because before it 
> was giving us an unable to update token error.  So we made a note to go in 
> and reset the password monthly before it expired and that seemed to take care 
> of the issue.
>  
> This past weekend however, we had a similar issue after our patch management 
> system updated the Packetfence server.  This time I wasn’t given any specific 
> errors from the GUI, but when I would go into the radius log I could see 
> these messages as clients tried to authenticate:
>  
> May 21 16:09:13 packetfence auth[11877]: Adding client 10.1.247.26/32
> May 21 16:09:13 packetfence auth[11877]: (330510) chrooted_mschap_machine: 
> ERROR: Program returned code (1) and output 'Reading winbind reply failed! 
> (0xc0000001)'
> May 21 16:09:13 packetfence auth[11877]: (330510)   Login incorrect 
> (chrooted_mschap_machine: Program returned code (1) and output 'Reading 
> winbind reply failed! (0xc0000001)'): [host/8CG7111XXX.redacted.domain] (from 
> client 10.1.247.26/32 port 1 cli 00:28:f8:44:c7:8f via TLS tunnel)
> May 21 16:09:13 packetfence auth[11877]: (330511) Login incorrect (eap_peap: 
> The users session was previously rejected: returning reject (again.)): 
> [host/8CG7111XXX.redacted.domain] (from client 10.1.247.26/32 port 1 cli 
> 00:28:f8:44:c7:8f)
>  
> Again, I could not connect to the domain until I restarted the server, then I 
> could provide credentials and join the domain and everything started working 
> again.  I’m really just looking for information as to what I can check to see 
> what may be happening.  I’ve looked through all the logs (current and 
> compressed) in /usr/local/pf/logs but I really only see the messages I’ve 
> attached in the radius log.
>  
> Thanks
> Steven
>  
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net 
> <mailto:PacketFence-users@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
