Fabrice,

Excuse me, but if I were to hear that I would not have contacted the mailing list support. There is a problem with packetfence 9.3 linked to the domain that it does not recognize users and computers. So much so that there is a problem that by inserting the node manually it manages to search for the user and authenticate the node.

On Mon, Mar 23, 2020 at 15:42, Fabrice Durand <[email protected]> wrote:

> Hello Wagner,
>
> so it means that there is no user with the attribute sAMAccountName=iran in
> OU=Usuarios,OU=Tabajara Sede,DC=tabajara,DC=com,DC=br
>
> So if there is no user then there is no role returned.
>
> Regards
>
> Fabrice
>
>
> On 20-03-23 at 14:13, Wagner Liegio wrote:
>
> Fabrice,
>
> Below is the return of the command:
>
> version: 1
>
> #
> # LDAPv3
> # base <OU=Usuarios,OU=Tabajara Sede,DC=tabajara,DC=com,DC=br> with scope
> subtree
> # filter: sAMAccountName=iran
> # requesting: ALL
> #
>
> # search result
>
> # numResponses: 1
>
> I want to inform you that I will perform the same procedure in packetfence
> 8, which has self-registration enabled and working, the output of the
> command was the same.
>
> On Mon, Mar 23, 2020 at 11:48, Fabrice Durand <[email protected]>
> wrote:
>
>> Hello Wagner,
>>
>> do the search with sAMAccountName=iran not sAMAccountName = packetfence
>>
>> Regards
>>
>> Fabrice
>>
>>
>> On 20-03-23 at 10:45, Wagner Liegio wrote:
>>
>> Good morning Fabrice,
>>
>> Follows return of the informed command:
>>
>> version: 1
>>
>> #
>> # LDAPv3
>> # base <OU = Users, OU = Tabajara Headquarters, DC = tabajara, DC = com,
>> DC = br> with scope subtree
>> # filter: sAMAccountName = packetfence
>> # requesting: ALL
>> #
>>
>> # packetfence, PacketFence, Service, Users, Tabajara Headquarters,
>> tabajara.com.br
>> dn: CN = packetfence, OU = PacketFence, OU = Service, OU = Users, OU =
>> Tabajara Sede, DC = taba
>> jara, DC = com, DC = br
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: packetfence
>> givenName: packetfence
>> distinguishedName: CN = packetfence, OU = PacketFence, OU = Service, OU =
>> Users, OU = Table
>> jara Headquarters, DC = tabajara, DC = com, DC = br
>> instanceType: 4
>> whenCreated: 20190522175834.0Z
>> whenChanged: 20200314212343.0Z
>> displayName: packetfence
>> uSNCreated: 332707737
>> memberOf: CN = Domain Admins, CN = Users, DC = tabajara, DC = com, DC = us
>> uSNChanged: 354881720
>> name: packetfence
>> objectGUID :: Gtp8SctV30ObE156O9onWA ==
>> userAccountControl: 66048
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 134565121389590252
>> lastLogon: 133465121436547757
>> pwdLastSet: 132030215143488213
>> primaryGroupID: 513
>> objectSid :: AQUAAAAAAAUVAAAAOEkycmN9EhxnEvQ3io7GNA ==
>> adminCount: 1
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: packetfence
>> sAMAccountType: 805306368
>> userPrincipalName: [email protected]
>> objectCategory: CN = Person, CN = Schema, CN = Configuration, DC =
>> tabajara, DC = com, DC = us
>> dSCorePropagationData: 16010101000000.0Z
>> mS-DS-ConsistencyGuid :: Gtp8SctV30ObE156O9onWA ==
>> lastLogonTimestamp: 132286946239647914
>>
>> # search result
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> Sincerely,
>>
>> Wagner
>>
>> On Thu, Mar 19, 2020 at 23:45, Durand fabrice <[email protected]>
>> wrote:
>>
>>> If you stripped in radius in the realm ANA, it means that packetfence is
>>> doing a ldap search with sAMAccountName=iran
>>>
>>> So try that from the cli:
>>>
>>> ldapsearch -h 10.10.10.70 -s sub -b "OU=Usuarios,OU=Tabajara
>>> Sede,DC=tabajara,DC=com,DC=br" -D
>>> "CN=packetfence,OU=PacketFence,OU=Servico,OU=Usuarios,OU=Tabajara
>>> Sede,DC=tabajara,DC=com,DC=br" -w whatyouarelookingfor -L
>>> "sAMAccountName=iran"
>>>
>>> and see if it returns something.
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>>
>>> On 20-03-19 at 14:42, Wagner Liegio wrote:
>>>
>>> Good afternoon,
>>>
>>> I made the suggested adjustments by activating the strip in radius,
>>> created a new realm, and the error persists. User authentication searching
>>> for the domain only works, manually registering the node in the
>>> packetfence. Therefore, the error still remains in the database when trying
>>> to register auto.
>>> Below is the database error log:
>>>
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> INFO: [mac:d0:94:66:db:ae:77] handling radius autz request: from switch_ip
>>> => (10.95.10.1), connection_type => Ethernet-EAP,switch_mac =>
>>> (c8:0c:c8:f1:25:20), mac => [d0:94:66:db:ae:77], port => 78774, username =>
>>> "ANA\iran" (pf::radius::authorize)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> INFO: [mac:d0:94:66:db:ae:77] Instantiate profile 802.1x
>>> (pf::Connection::ProfileFactory::_from_profile)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> INFO: [mac:d0:94:66:db:ae:77] Found authentication source(s) : 'Ana' for
>>> realm 'default' (pf::config::util::filter_authentication_sources)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> INFO: [mac:d0:94:66:db:ae:77] Using sources Ana for matching
>>> (pf::authentication::match2)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> INFO: [mac:d0:94:66:db:ae:77] LDAP testing connection (pf::LDAP::expire_if)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> WARN: [mac:d0:94:66:db:ae:77] No category computed for autoreg
>>> (pf::role::getNodeInfoForAutoReg)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> WARN: [mac:d0:94:66:db:ae:77] No role specified or found for pid ANA\iran
>>> (MAC d0:94:66:db:ae:77); assume maximum number of registered nodes is
>>> reached (pf::node::is_max_reg_nodes_reached)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> ERROR: [mac:d0:94:66:db:ae:77] max nodes per pid met or exceeded -
>>> registration of d0:94:66:db:ae:77 to ANA\iran failed
>>> (pf::registration::setup_node_for_registration)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> ERROR: [mac:d0:94:66:db:ae:77] auto-registration of node failed max nodes
>>> per pid met or exceeded (pf::radius::authorize)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> ERROR: [mac:d0:94:66:db:ae:77] Database query failed with non retryable
>>> error: Cannot add or update a child row: a foreign key constraint fails
>>> (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES
>>> `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno:
>>> 1452) [INSERT INTO `node` ( `autoreg`, `bandwidth_balance`,
>>> `bypass_role_id`, `bypass_vlan`, `category_id`, `computername`,
>>> `detect_date`, `device_class`, `device_manufacturer`, `device_score`,
>>> `device_type`, `device_version`, `dhcp6_enterprise`, `dhcp6_fingerprint`,
>>> `dhcp_fingerprint`, `dhcp_vendor`, `last_arp`, `last_dhcp`, `last_seen`,
>>> `lastskip`, `mac`, `machine_account`, `notes`, `pid`, `regdate`,
>>> `sessionid`, `status`, `tenant_id`, `time_balance`, `unregdate`,
>>> `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
>>> ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE KEY
>>> UPDATE `autoreg` = ?, `last_seen` = NOW(), `pid` = ?, `status` = ?,
>>> `tenant_id` = ?]{yes, NULL, NULL, NULL, NULL, NULL, 2020-03-19 18:15:11,
>>> NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0000-00-00 00:00:00,
>>> 0000-00-00 00:00:00, 0000-00-00 00:00:00, d0:94:66:db:ae:77, NULL, NULL,
>>> ANA\iran, 0000-00-00 00:00:00, NULL, reg, 1, NULL, 0000-00-00 00:00:00,
>>> NULL, no, yes, ANA\iran, reg, 1} (pf::dal::db_execute)
>>> Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759)
>>> ERROR: [mac:d0:94:66:db:ae:77] Cannot save d0:94:66:db:ae:77 error (500)
>>> (pf::radius::authorize)
>>>
>>> On Wed, Mar 18, 2020 at 21:34, Durand fabrice via
>>> PacketFence-users <[email protected]> wrote:
>>>
>>>> Try that:
>>>>
>>>> pftest authentication ANA\pereira ""
>>>>
>>>> and
>>>>
>>>> pftest authentication pereira ""
>>>>
>>>> to see if the user is found and if it matches a rule.
>>>>
>>>> If the second one works then in the ANA realm enable strip in radius.
>>>>
>>>> Regards
>>>>
>>>> Fabrice
>>>>
>>>>
>>>> On 20-03-18 at 20:13, Zacharry Williams via PacketFence-users wrote:
>>>>
>>>> Gonna take a wild guess here, in your realms config turn on strip
>>>> radius for null and your domain and try logging on with just your
>>>> username and password. I'm guessing your realms config isn't matching. For
>>>> us we had three domains and we had to add them all. For example
>>>> COMPANY.ORG, COMPANY.LAN, COMPANY.COM.
>>>>
>>>> On Wed, Mar 18, 2020, 12:43 PM Wagner Liegio via PacketFence-users <
>>>> [email protected]> wrote:
>>>>
>>>>> Good afternoon,
>>>>>
>>>>> Follow the requested files attached.
>>>>>
>>>>> On Tue, Mar 17, 2020 at 14:16, Ludovic Zammit <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Could you post the result of those two commands:
>>>>>>
>>>>>> cat /usr/local/pf/conf/authentication.conf
>>>>>>
>>>>>> cat /usr/local/pf/conf/profiles.conf
>>>>>>
>>>>>> remove your information.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>>>> (http://packetfence.org)
>>>>>>
>>>>>>
>>>>>> On Mar 17, 2020, at 9:42 AM, Wagner Liegio via PacketFence-users <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>> Good Morning,
>>>>>>
>>>>>> The rules, functions are standard on the Zen packetfence 9.3 that I
>>>>>> downloaded from the site, I will send some images of how the configuration
>>>>>> is through the webgui, so I noticed everything is correct, what is
>>>>>> happening is that the function and the rule is not being applied for some
>>>>>> reason that I don't know.
>>>>>>
>>>>>> <image.png>
>>>>>>
>>>>>> <image.png>
>>>>>>
>>>>>> <image.png>
>>>>>>
>>>>>>
>>>>>> On Tue, Mar 17, 2020 at 00:04, Zacharry Williams via
>>>>>> PacketFence-users <[email protected]> wrote:
>>>>>>
>>>>>>> Check and make sure your realms are defined also.
>>>>>>>
>>>>>>> On Mon, Mar 16, 2020, 4:58 PM Brandt Winchell via PacketFence-users <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I know when I ran into this issue, it had to do with the
>>>>>>>> authorization source for AD. In the source, I had an authentication rule
>>>>>>>> that matched the sAMAccountName is member of “group name”. The group name
>>>>>>>> must be the AD DN (distinguished name) of the group. CN=%security group
>>>>>>>> you want%,OU=%OU the object resides in%,DC=%your domain%,DC=%domain suffix%
>>>>>>>>
>>>>>>>>
>>>>>>>> *From:* Wagner Liegio via PacketFence-users <
>>>>>>>> [email protected]>
>>>>>>>> *Sent:* Monday, March 16, 2020 1:08 PM
>>>>>>>> *To:* [email protected]
>>>>>>>> *Cc:* Wagner Liegio <[email protected]>
>>>>>>>> *Subject:* [PacketFence-users] authentication sources packetfence 9.3
>>>>>>>>
>>>>>>>>
>>>>>>>> Good afternoon, I'm facing the same problem only in version 9.3. I
>>>>>>>> have done everything I can think of, reconfigured the domain, the
>>>>>>>> connection profile, checked the rules and functions.
>>>>>>>> The error follows: No role specified or found for pid ANA \ pereira
>>>>>>>> (MAC d0: 94: 66: db: ee: 7d); assumes maximum number of registered
>>>>>>>> nodes is reached (pf :: node :: is_max_reg_nodes_reached)
>>>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa (9837) ERROR: [mac:
>>>>>>>> d0: 94: 66: db: ee: 7d] max nodes per pid met or exceeded -
>>>>>>>> registration of d0: 94: 66: db: ae: 7d to ANA \ pereira failed
>>>>>>>> (pf :: registration :: setup_node_for_registration)
>>>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa (9837) ERROR: [mac:
>>>>>>>> d0: 94: 66: db: ee: 7d] auto-registration of node failed max nodes per
>>>>>>>> pid met or exceeded (pf :: radius :: authorize)
>>>>>>>> plpcktfpdin01 packetfence_httpd.aaa: httpd.aaa (9837) ERROR: [mac:
>>>>>>>> d0: 94: 66: db: ee: 7d] Database query failed with non retryable error:
>>>>>>>> Cannot add or update a child row: a foreign key constraint fails
>>>>>>>> (pf.node, CONSTRAINT 0_57 FOREIGN KEY (tenant_id, pid) REFERENCES
>>>>>>>> person (tenant_id, pid) ON DELETE CASCADE ON UPDATE CASCADE) (errno:
>>>>>>>> 1452)
>>>>>>>> [INSERT INTO node
>>>>>>>> (autoreg, bandwidth_balance, bypass_role_id, bypass_vlan,
>>>>>>>> category_id, computername, detect_date, device_class,
>>>>>>>> device_manufacturer,
>>>>>>>> device_score, device_type,
>>>>>>>> device_version, dhcp6_enterprise, dhcp6_fingerprint,
>>>>>>>> dhcp_fingerprint, dhcp_vendor, last_arp, last_dhcp, last_seen,
>>>>>>>> lastskip,
>>>>>>>> mac, machine_account, notes, regdate, sessionid, status, tenant_id,
>>>>>>>> time_balance, void, user? ?,?,?,?,?,?,?,?,?,?,?,?,?,?, NOW
>>>>>>>> (),?,?,?,?,?,?,?,?,?, ?,?,?,?) ON DUPLICATE KEY UPDATE autoreg = ?,
>>>>>>>> Last_seen = NOW (), pid = ?, Status = ?, Tenant_id` =?] {Yes, NULL,
>>>>>>>> NULL,
>>>>>>>> NULL, NULL, NULL, 2020 - 03-13 19:08:50, NULL, NULL, NULL, NULL, NULL,
>>>>>>>> NULL, NULL, NULL, NULL,
>>>>>>>> 0000-00-00 00:00:00, 0000-00-00 00:00:00, 0000-00-00 00:00:00, d0:
>>>>>>>> 94: 66: db: ae: 7d, NULL, NULL, ANA \ pereira, 0000-00-00 00:00:00,
>>>>>>>> NULL,
>>>>>>>> reg, 1, NULL, 0000-00-00 00:00:00, NULL, no, yes, ANA \ pereira, reg,
>>>>>>>> 1}
>>>>>>>> (pf :: dal :: db_execute)
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> PacketFence-users mailing list
>>>>>>>> [email protected]
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>
>>
>> --
>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>
> --
> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
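
The httpd.aaa excerpt quoted in this thread shows, for one MAC, a "No role specified or found for pid" warning followed by the MySQL foreign-key error (errno 1452). The following is an added example, not part of the thread and not PacketFence code: it groups such lines per MAC, reports the first non-INFO event, and derives the realm-stripped LDAP filter to test by hand with ldapsearch. The sample lines are constructed (shortened) from the log quoted above; the function names and the realm-stripping helper are assumptions made for this illustration.

```python
import re

# Constructed sample: shortened copies of the httpd.aaa lines quoted in the thread.
SAMPLE = r"""
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) INFO: [mac:d0:94:66:db:ae:77] handling radius autz request: username => "ANA\iran" (pf::radius::authorize)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) WARN: [mac:d0:94:66:db:ae:77] No category computed for autoreg (pf::role::getNodeInfoForAutoReg)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) WARN: [mac:d0:94:66:db:ae:77] No role specified or found for pid ANA\iran (MAC d0:94:66:db:ae:77); assume maximum number of registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Mar 19 18:15:11 aplpcktfpdin01 packetfence_httpd.aaa: httpd.aaa(6759) ERROR: [mac:d0:94:66:db:ae:77] Database query failed with non retryable error: Cannot add or update a child row: a foreign key constraint fails (`pf`.`node`, CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` (`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) (pf::dal::db_execute)
"""

LINE = re.compile(r"(?P<level>INFO|WARN|ERROR): \[mac:(?P<mac>[0-9a-f:]{17})\] "
                  r"(?P<msg>.*) \((?P<func>pf::[\w:]+)\)\s*$")
NO_ROLE = re.compile(r"No role specified or found for pid (\S+)")

def parse(text):
    """Group (level, function, message) tuples per MAC, in log order."""
    events = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            events.setdefault(m["mac"], []).append((m["level"], m["func"], m["msg"]))
    return events

def strip_realm(pid):
    """Hypothetical helper: reduce DOMAIN\\user or user@realm to the bare user name."""
    return pid.split("\\")[-1].split("@")[0]

def diagnose(events):
    """Report, per MAC, the first non-INFO event and the LDAP filter to test by hand."""
    report = {}
    for mac, evs in events.items():
        pid, first_problem, fk_after_no_role = None, None, False
        for level, func, msg in evs:
            if level != "INFO" and first_problem is None:
                first_problem = func
            hit = NO_ROLE.search(msg)
            if hit:
                pid = hit.group(1)
            # errno 1452: the node row points at a person row that does not exist.
            if "errno: 1452" in msg and pid is not None:
                fk_after_no_role = True
        if pid is not None:
            report[mac] = {"pid": pid, "first_problem": first_problem,
                           "ldap_filter": "sAMAccountName=" + strip_realm(pid),
                           "fk_after_no_role": fk_after_no_role}
    return report

if __name__ == "__main__":
    print(diagnose(parse(SAMPLE)))
```

When `fk_after_no_role` is true, start from the reported `ldap_filter` and the source's role rules rather than from the database error.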
