Hello,
I am running Slackware 12.1 with OpenVPN 2.1.4 with a connection to a 2008 R2 server.
In the server config I have the following line: plugin /lib/security/openvpn-auth-pam.so openvpn
In /etc/pam.d/openvpn I have:
auth required /lib/security/pam_winbind.so debug
account required /lib/security/pam_winbind.so debug
Winbind is working; wbinfo -t or -u or whatever I try works. But when I connect with OpenVPN I get this error:
AUTH-PAM: BACKGROUND: user 'xxxxxx' failed to authenticate: User not known to the underlying authentication module
Debug says:
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): getting password (0x00000001)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): request wbcLogonUser succeeded
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): [pamh: 0x80cc448] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:account): [pamh: 0x80cc448] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:account): [pamh: 0x80cc448] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
So the auth module works but account fails.
Any suggestions?
failed to authenticate: User not known to the underlying aut
Re: failed to authenticate: User not known to the underlying
Solution for now is that I installed LDAP, and that is working fine.
In /etc/openvpn/xxx.conf I use the line: plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
In /etc/openvpn/auth-ldap.conf I edited the search filter to:
SearchFilter "(&(sAMAccountName=%u)(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
It checks the login name on the Windows 2008 R2 server (cn does not work) and also checks whether the account is disabled or not. "!" means NOT, so the search filter checks for username with password and that the account is not disabled.
For more info on installing LDAP on Linux/Slack: http://code.google.com/p/openvpn-auth-ldap/
Still don't know why winbind doesn't work. The only thing is that when I tested LDAP with search filter "cn=%u" I got the same error as with winbind: "unknown user".
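Added example (not part of the original post and not openvpn-auth-ldap's own code): a small Python model of what the search filter above tests, showing which accounts it lets through and how a login name is escaped before it is substituted for %u. The helper names and directory entries are constructed for illustration, and objectCategory is stored as its short name rather than the full schema DN.

```python
# Added example: constructed data; helper names are hypothetical.
ACCOUNTDISABLE = 0x2                      # the "2" in the filter's ":=2"
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # bitwise-AND matching rule OID

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username):
    """The thread's search filter with %u replaced by the escaped login name."""
    return ("(&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:%s:=%d)))"
            % (escape_filter_value(username), BIT_AND_RULE, ACCOUNTDISABLE))

def is_balanced(ldap_filter):
    """True when every '(' has a matching ')' (escaped ones appear as \\28, \\29)."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def entry_matches(entry, username):
    """Apply the filter's four conditions to one directory entry."""
    disabled = (entry["userAccountControl"] & ACCOUNTDISABLE) == ACCOUNTDISABLE
    return (entry["sAMAccountName"].lower() == username.lower()
            and entry["objectCategory"] == "person"
            and "user" in entry["objectClass"]
            and not disabled)

def lookup(username, entries):
    """Login names of the entries the filter would return for this user."""
    return [e["sAMAccountName"] for e in entries if entry_matches(e, username)]

# Constructed entries; objectCategory is simplified to its short name.
ENTRIES = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectCategory": "person",
     "objectClass": ["top", "person", "user"], "userAccountControl": 514},
    {"sAMAccountName": "host1$", "objectCategory": "computer",
     "objectClass": ["top", "person", "user", "computer"],
     "userAccountControl": 4096},
]

if __name__ == "__main__":
    for name in ("alice", "bob", "host1$"):
        print(name, build_filter(name), lookup(name, ENTRIES))
```

Here bob (512 + 2) is rejected as disabled, and the computer account is rejected by objectCategory=person even though its objectClass includes user.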