Hi Fabrice,
Thanks for your answer!
On 07/11/2017 02:07 AM, Durand fabrice via PacketFence-users wrote:
> When you start your computer, before login with your user account the
> device authenticates with the machine account. (this is what you
> configured on the device).
Yes, this I understand. And this is what I expect with usersource
CN=Computers,DC=ad,DC=company,DC=com and with username set to
servicePrincipalName
With that usersource, I would expect only machine account
authentications to work. But machines AND users (are in CN=Users,...)
both work.
> It probably works because the machine auth worked on the first time (I
> need logs to verify that).
But after the user logged on, the USER is authenticated, as can be seen
from the logs:
Jul 10 19:42:00 pf auth[1892]: (48) Login OK: [host/P002507.ad.company.com] (from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f via TLS tunnel)
Jul 10 19:42:00 pf auth[1892]: (49) Login OK: [host/P002507.ad.company.com] (from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f)
Jul 10 19:42:13 pf auth[1892]: rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 71 seconds
Jul 10 19:42:13 pf auth[1892]: Need 1 more connections to reach min connections (3)
Jul 10 19:42:13 pf auth[1892]: rlm_rest (rest): Opening additional connection (8), 1 of 62 pending slots used
Jul 10 19:42:13 pf auth[1892]: rlm_sql (sql): Closing connection (8): Hit idle_timeout, was idle for 71 seconds
Jul 10 19:42:13 pf auth[1892]: Need 1 more connections to reach min connections (3)
Jul 10 19:42:13 pf auth[1892]: rlm_sql (sql): Opening additional connection (10), 1 of 62 pending slots used
Jul 10 19:42:13 pf auth[1892]: (58) Login OK: [DOMAIN\username] (from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f via TLS tunnel)
Jul 10 19:42:13 pf auth[1892]: (59) Login OK: [DOMAIN\username] (from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f)
So packetfence seems to be able to authenticate both users and machines.
(both packetfence and the workstation have been rebooted)
> I need to check the config you did. (profiles.conf, authentication.conf)
I will provide them below, though I don't see how the contents of
profiles.conf are relevant..?
Curious about your findings!
root@pf:/usr/local/pf/conf# cat profiles.conf
#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
logo=/common/packetfence.jpg
redirecturl=https://www.company.com
always_use_redirecturl=enabled
login_attempt_limit=5
sources=company-ad-users,email
access_registration_when_registered=enabled
#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
root@pf:/usr/local/pf/conf# cat authentication.conf
[local]
description=Local Users
dynamic_routing_module=AuthModule
type=SQL
stripped_user_name=yes
[file1]
description=Legacy Source
dynamic_routing_module=AuthModule
path=/usr/local/pf/conf/admin.conf
type=Htpasswd
stripped_user_name=yes
[file1 rule admins]
description=All admins
class=administration
match=all
action0=set_access_level=ALL
[email]
description=Email-based registration
email_activation_timeout=20m
allow_localdomain=yes
dynamic_routing_module=AuthModule
type=Email
create_local_account=no
[email rule company]
description=email ends company.com
class=authentication
match=any
action0=set_role=company
action1=set_access_duration=1Y
condition0=user_email,ends,company.com
[email rule university]
description=university
class=authentication
match=any
action0=set_role=university
action1=set_access_duration=1Y
condition0=user_email,ends,university.nl
condition1=user_email,ends,uni.nl
[email rule catchall]
description=anyone, 1 month wifi access
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1M
[sponsor]
description=Sponsor-based registration
type=SponsorEmail
create_local_account=no
dynamic_routing_module=AuthModule
allow_localdomain=yes
email_activation_timeout=30m
[sponsor rule catchall]
description=
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[null]
description=Null Source
dynamic_routing_module=AuthModule
type=Null
email_required=no
[null rule catchall]
description=catchall
class=authentication
match=all
action0=set_role=guest
action1=set_access_duration=1D
[company-ad-users]
description=samba4 ad users (via haproxy)
type=AD
scope=one
usernameattribute=sAMAccountName
stripped_user_name=yes
email_attribute=mail
dynamic_routing_module=AuthModule
binddn=cn=search,cn=users,dc=samba,dc=company,DC=com
basedn=CN=Users,DC=samba,DC=company,DC=com
password=secretsecret
connection_timeout=5
host=127.0.0.1
port=636
encryption=ssl
[company-ad-users rule domain_admins_administration]
description=set webadmin access level
class=administration
match=any
action0=set_access_level=ALL
condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=samba,DC=company,DC=com
[company-ad-users rule domain_admins_authentication]
description=10 jaar, en set role
class=authentication
match=any
action0=set_access_duration=10Y
action1=set_role=unu_company_domain_admins
condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=samba,DC=company,DC=com
[company-ad-users rule domain_users]
description=company domain users
class=authentication
match=all
action0=set_role=unu_company_domain_users
action1=set_access_duration=1Y
[company-ad-computers]
description=samba4 ad computers (via haproxy)
type=AD
scope=one
usernameattribute=servicePrincipalName
stripped_user_name=yes
email_attribute=mail
dynamic_routing_module=AuthModule
binddn=cn=search,cn=users,dc=samba,dc=company,DC=com
basedn=CN=Computers,DC=samba,DC=company,DC=com
password=secretsecret
connection_timeout=5
host=127.0.0.1
port=636
encryption=ssl
Curious about your comments :-)
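An added example, not part of this thread and not PacketFence or FreeRADIUS code: a small Python script that parses "Login OK" lines of the format quoted above and groups the authenticated identities per client MAC, separating machine identities (the host/... form) from user identities (the DOMAIN\user form). Run over a radius.log it shows at a glance which devices produced both a machine login and a user login, which is exactly the observation made in this mail. The regular expression is written against the log layout shown in this post; the sample lines are the ones quoted above plus the connection-pool noise between them, so the skipping of non-login lines is visible too.

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the mail above. The rlm_rest line is
# kept to show that non-"Login OK" lines are ignored by the parser.
SAMPLE_LOG = """\
Jul 10 19:42:00 pf auth[1892]: (48) Login OK: [host/P002507.ad.company.com] (from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f via TLS tunnel)
Jul 10 19:42:00 pf auth[1892]: (49) Login OK: [host/P002507.ad.company.com] (from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f)
Jul 10 19:42:13 pf auth[1892]: rlm_rest (rest): Closing connection (6): Hit idle_timeout, was idle for 71 seconds
Jul 10 19:42:13 pf auth[1892]: (58) Login OK: [DOMAIN\\username] (from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f via TLS tunnel)
Jul 10 19:42:13 pf auth[1892]: (59) Login OK: [DOMAIN\\username] (from client a.b.c.248 port 134 cli 2c:41:38:90:68:8f)
"""

# Matches the "Login OK" layout shown in the post: syslog timestamp, host,
# program[pid], request id, identity, NAS address, port, client MAC and an
# optional "via TLS tunnel" marker for the inner EAP request.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"\((?P<req>\d+)\) Login OK: \[(?P<identity>[^\]]+)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) "
    r"cli (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?P<tunnel> via TLS tunnel)?\)$"
)


def classify(identity):
    """Machine accounts authenticate as host/<fqdn>; users as DOMAIN\\user
    (or user@realm, an assumption for UPN-style logins)."""
    if identity.startswith("host/"):
        return "machine"
    if "\\" in identity or "@" in identity:
        return "user"
    return "other"


def parse_logins(text):
    """Return one dict per 'Login OK' line; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "req": int(m.group("req")),
            "identity": m.group("identity"),
            "kind": classify(m.group("identity")),
            "nas": m.group("nas"),
            "port": int(m.group("port")),
            "mac": m.group("mac").lower(),
            "inner": m.group("tunnel") is not None,
        })
    return events


def summarize_by_mac(events):
    """Distinct identities seen per client MAC, split by identity kind."""
    acc = defaultdict(lambda: {"machine": set(), "user": set(), "other": set()})
    for ev in events:
        acc[ev["mac"]][ev["kind"]].add(ev["identity"])
    return {mac: {k: sorted(v) for k, v in kinds.items()} for mac, kinds in acc.items()}


def mixed_identity_macs(summary):
    """MACs that produced both a machine login and a user login."""
    return sorted(mac for mac, kinds in summary.items()
                  if kinds["machine"] and kinds["user"])


if __name__ == "__main__":
    summary = summarize_by_mac(parse_logins(SAMPLE_LOG))
    for mac, kinds in summary.items():
        print(mac, "machine:", kinds["machine"], "user:", kinds["user"])
    print("both machine and user logins:", mixed_identity_macs(summary))
```

Both the outer request and the inner "via TLS tunnel" request are kept as separate events with an `inner` flag, so the per-MAC summary is built from distinct identities rather than from a count of lines; to feed a real log, replace `SAMPLE_LOG` with the contents of the radius log file.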
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users