I guess we can see just how intermittent this issue is, as it just happened again this weekend. I’ve provided the output of the commands you suggested in the previous email; however, it looks like ntlm_auth is successful while this issue is occurring.

When I got on the Packetfence GUI, under Configuration - Policies and Access Control - Active Directory Domains, under Domain Join it would fail after a few minutes. I did not get a screenshot of that error, but it was something like "no AD servers available". We have 3 configured in the PF AD Domain, and they have not changed in years. I did confirm that the Packetfence computer account is still sitting in the default Computer OU in AD.

This time, I was able to just reboot the Packetfence server and it was able to join the domain in the GUI on its own without me having to provide credentials.

Are there some other logs I can look at to see what may be going on with this? I’ve looked at all the ones under /usr/local/pf/logs but I’m not seeing anything other than failed RADIUS logins when this is happening.
    [infosec@packetfence ~]$ systemctl status packetfence-winbindd
    ● packetfence-winbindd.service - PacketFence SAMBA winbind Service
         Loaded: loaded (/usr/lib/systemd/system/packetfence-winbindd.service; enable>
         Active: active (running) since Mon 2023-07-24 07:48:49 EDT; 4 weeks 0 days a>
       Main PID: 9947 (winbindd-wrappe)
         Status: "Ready"
          Tasks: 4 (limit: 100628)
         Memory: 196.1M
         CGroup: /packetfence.slice/packetfence-winbindd.service
                 ├─ 9947 winbindd-wrapper
                 ├─10375 /usr/sbin/winbindd -s /etc/samba/RMIC.conf -l /var/log/samba>
                 ├─10478 /usr/sbin/winbindd -s /etc/samba/RMIC.conf -l /var/log/samba>
                 └─10479 /usr/sbin/winbindd -s /etc/samba/RMIC.conf -l /var/log/samba>

    Warning: Journal has been rotated since unit was started. Log output is incompl

    [infosec@packetfence ~]$ sudo chroot /chroots/RMIC/ ntlm_auth --username=ldapquery --password=*****
    : (0x0)

    [infosec@packetfence ~]$ systemctl restart packetfence-winbindd
    ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
    Authentication is required to restart 'packetfence-winbindd.service'.
    Authenticating as: infosec
    Password:
    ==== AUTHENTICATION COMPLETE ====

From: Zammit, Ludovic <luza...@akamai.com>
Sent: Wednesday, May 24, 2023 9:13 AM
To: Steven Spangle <steven_span...@rmic.com>
Cc: PacketFence-users <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] Intermittent Winbind Issues

Hello Steven,

On the PacketFence side, it’s the winbindd process that is responsible for that AD bind. You need to check if everything is ok with that service with:

    systemctl status packetfence-winbindd

Then, without restarting the process, when it does not work you can try that command:

    chroot /chroots/DOMAIN_NAME/ ntlm_auth --username=bob --password=bob

It should give something like this:

    NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)

If you don’t have that, it means that your AD connection between PF and the AD is broken and thus no 802.1x would work.
We have seen that most of the time, it’s a change on the AD side where the PacketFence server object in the AD is moved or altered. You can restart winbindd as well and it can fix the issue; you probably don’t need to re-join it to fix it.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

On May 23, 2023, at 2:47 PM, Steven Spangle via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello, looking for some assistance as I’m running into an issue that I’m not sure how to proceed researching the cause of. Sorry for the wall of text, but I want to provide as much information as I can!

We’ve been using Packetfence for a few years now (since around June 2020, when Cisco ACS went EOL) and sometime last year we started having issues where the connection to AD would stop working. We would notice it first because 802.1x authentication would start failing and we’d get calls from users unable to connect.
When this was happening, I would go into the GUI and check Policies and Access Control - Active Directory Domains - Our Domain and could see it attempting to update the Domain Join field for a couple of minutes before failing. I could not get it to reconnect even with proper credentials until I restarted the Packetfence server, after which I could go in and provide credentials and it would reconnect fine.

I believe initially this was because we set up password expiration for the root account, because before it was giving us an "unable to update token" error. So we made a note to go in and reset the password monthly before it expired, and that seemed to take care of the issue.

This past weekend, however, we had a similar issue after our patch management system updated the Packetfence server. This time I wasn’t given any specific errors from the GUI, but when I would go into the radius log I could see these messages as clients tried to authenticate:

    May 21 16:09:13 packetfence auth[11877]: Adding client 10.1.247.26/32
    May 21 16:09:13 packetfence auth[11877]: (330510) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
    May 21 16:09:13 packetfence auth[11877]: (330510) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [host/8CG7111XXX.redacted.domain] (from client 10.1.247.26/32 port 1 cli 00:28:f8:44:c7:8f via TLS tunnel)
    May 21 16:09:13 packetfence auth[11877]: (330511) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/8CG7111XXX.redacted.domain] (from client 10.1.247.26/32 port 1 cli 00:28:f8:44:c7:8f)

Again, I could not connect to the domain until I restarted the server; then I could provide credentials and join the domain and everything started working again. I’m really just looking for information as to what I can check to see what may be happening.
I’ve looked through all the logs (current and compressed) in /usr/local/pf/logs but I really only see the messages I’ve attached in the radius log.

Thanks
Steven

This message and any files transmitted with it are confidential and intended only for the use of the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender of this e-mail and delete this e-mail from your system.

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
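As an added example (written for this page, not code from the thread or from the PacketFence project), the POSIX shell helper below wraps the two checks Ludovic describes, `systemctl status packetfence-winbindd` and `ntlm_auth` inside the domain chroot, and turns their output into a verdict a runbook can act on. It also counts the `Login incorrect ... Reading winbind reply failed` lines from the radius log, which is the only symptom Steven could find in /usr/local/pf/logs. The chroot path `/chroots/<DOMAIN>/` follows the thread; the mapping of NT_STATUS codes to "AD answered" versus "winbind could not complete the request" is my reading of the Samba messages, and the sample outputs and log excerpt are constructed from the shapes quoted in the thread. Note the caveat the thread itself demonstrates: `ntlm_auth` returned `(0x0)` while 802.1x was still failing, so an `ad-reachable` verdict rules out a dead winbindd but does not prove the machine-account MSCHAP path used by RADIUS is healthy.

```shell
#!/bin/sh
# Added example, not PacketFence project code: wrap the winbind/AD checks from
# the thread and classify what they return.
# Assumptions (hypothetical): the domain chroot is /chroots/<DOMAIN>/ as in the
# thread, and the radius log is the file under /usr/local/pf/logs quoted there.

# classify_ntlm_auth OUTPUT
# Maps the text ntlm_auth printed (or a radius log line quoting it) to:
#   ad-reachable   - a DC answered: success, or a clean NT_STATUS rejection of
#                    the probe account (the NO_SUCH_USER case Ludovic expects)
#   winbind-broken - winbindd could not complete the request (the
#                    "Reading winbind reply failed!" case from the radius log)
#   unknown        - anything else; inspect by hand
classify_ntlm_auth() {
    case "$1" in
        *"Reading winbind reply failed"*|*NT_STATUS_NO_LOGON_SERVERS*)
            echo "winbind-broken" ;;
        *": (0x0)"*|*NT_STATUS_OK*|*NT_STATUS_NO_SUCH_USER*|*NT_STATUS_WRONG_PASSWORD*|*NT_STATUS_LOGON_FAILURE*)
            echo "ad-reachable" ;;
        *)
            echo "unknown" ;;
    esac
}

# count_winbind_failures < radius.log
# Counts "Login incorrect" lines whose reason is a winbind read failure. Only the
# "Login incorrect" line is counted, not the preceding ERROR line for the same
# request, so each rejected authentication is counted once. Prints the count.
count_winbind_failures() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *"Login incorrect"*"Reading winbind reply failed"*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# probe_domain DOMAIN USER PASSWORD
# Live check using the same commands as the thread; needs root on the
# PacketFence host. Prints the verdict and returns 0 only when a DC answered.
# The password goes on the command line exactly as in the thread, so it will
# show up in shell history and the process list; use a throwaway probe account.
probe_domain() {
    domain=$1; user=$2; pass=$3
    if [ "$(systemctl is-active packetfence-winbindd 2>/dev/null)" != "active" ]; then
        echo "winbind-down"
        return 1
    fi
    out=$(chroot "/chroots/$domain/" ntlm_auth --username="$user" --password="$pass" 2>&1)
    verdict=$(classify_ntlm_auth "$out")
    echo "$verdict ($out)"
    [ "$verdict" = "ad-reachable" ]
}

# Constructed sample outputs, shaped like the ones quoted in the thread.
SAMPLE_OK=': (0x0)'
SAMPLE_NO_USER='NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)'
SAMPLE_BROKEN='Reading winbind reply failed! (0xc0000001)'

# Constructed radius log excerpt in the format Steven quoted.
SAMPLE_RADIUS_LOG=$(cat <<'EOF'
May 21 16:09:13 packetfence auth[11877]: Adding client 10.1.247.26/32
May 21 16:09:13 packetfence auth[11877]: (330510) chrooted_mschap_machine: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
May 21 16:09:13 packetfence auth[11877]: (330510) Login incorrect (chrooted_mschap_machine: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [host/8CG7111XXX.redacted.domain] (from client 10.1.247.26/32 port 1 cli 00:28:f8:44:c7:8f via TLS tunnel)
May 21 16:09:13 packetfence auth[11877]: (330511) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [host/8CG7111XXX.redacted.domain] (from client 10.1.247.26/32 port 1 cli 00:28:f8:44:c7:8f)
EOF
)

# Usage: ./winbind_check.sh --probe RMIC ldapquery 'secret'
# With no arguments the script only defines the functions and samples above.
if [ "${1:-}" = "--probe" ]; then
    probe_domain "${2:-}" "${3:-}" "${4:-}"
fi
```

Run `./winbind_check.sh --probe DOMAIN USER PASSWORD` as root on the PacketFence host while the problem is occurring; a `winbind-broken` verdict matches the radius log symptom and is the case where Ludovic says restarting winbindd usually suffices, while `winbind-down` means the unit itself is not running and `systemctl status packetfence-winbindd` is the place to start. Pipe the radius log through `count_winbind_failures` to see how many authentications were rejected for that reason in a given window.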