
failed to authenticate: User not known to the underlying aut

Posted: Wed Jul 06, 2011 9:49 am
by ikbenut
Hello,

I am running Slackware 12.1 with OpenVPN 2.1.4 with a connection to a 2008 R2 server.

In the server config I have the following line: plugin /lib/security/openvpn-auth-pam.so openvpn

In /etc/pam.d/openvpn I have:
auth required /lib/security/pam_winbind.so debug
account required /lib/security/pam_winbind.so debug

Winbind is working; wbinfo -t or -u or whatever I try works. But when I connect with OpenVPN I get this error:

AUTH-PAM: BACKGROUND: user 'xxxxxx' failed to authenticate: User not known to the underlying authentication module

Debug says:
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): getting password (0x00000001)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): request wbcLogonUser succeeded
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): [pamh: 0x80cc448] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:account): [pamh: 0x80cc448] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:account): [pamh: 0x80cc448] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)

So the auth module works but account fails.

Any suggestions?
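The debug output above already contains the answer to "which PAM stage fails": pam_winbind logs a LEAVE line with the return code for every entry point it runs. The following script is an added example (not the poster's code) that parses those lines, using the log text copied from the post as constructed sample input, and reports the first stage that did not return PAM_SUCCESS, so the failing line of /etc/pam.d/openvpn (here the `account` line) can be located without reading the log by hand.

```python
import re

# Log lines copied from the post above (hostname and pamh pointer as they appear there).
SAMPLE_LOG = """\
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): getting password (0x00000001)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): request wbcLogonUser succeeded
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:auth): [pamh: 0x80cc448] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:account): [pamh: 0x80cc448] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Jul 6 11:13:49 iboxstw openvpn: pam_winbind(openvpn:account): [pamh: 0x80cc448] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
"""

# Matches the "LEAVE" lines pam_winbind writes in debug mode: which PAM service and
# management group (auth/account/...) was running, which entry point returned,
# and the numeric and symbolic return code.
LEAVE_RE = re.compile(
    r"pam_winbind\((?P<service>[^:]+):(?P<stage>\w+)\): \[pamh: 0x[0-9a-f]+\] "
    r"LEAVE: (?P<func>pam_sm_\w+) returning (?P<code>\d+) \((?P<name>PAM_\w+)\)"
)


def parse_pam_results(log_text):
    """Return one dict per pam_winbind LEAVE line, in log order."""
    results = []
    for line in log_text.splitlines():
        m = LEAVE_RE.search(line)
        if m:
            d = m.groupdict()
            d["code"] = int(d["code"])
            results.append(d)
    return results


def first_failure(log_text):
    """Return (stage, function, code, name) of the first module call that did not
    return PAM_SUCCESS (code 0), or None if every logged stage succeeded."""
    for r in parse_pam_results(log_text):
        if r["code"] != 0:
            return (r["stage"], r["func"], r["code"], r["name"])
    return None


if __name__ == "__main__":
    # Prints the failing stage from the post: account / pam_sm_acct_mgmt / 10 / PAM_USER_UNKNOWN
    print(first_failure(SAMPLE_LOG))
```

Run against a real syslog extract, the tuple's first element names the management group (`auth`, `account`, `session`, `password`) whose line in the PAM service file is responsible for the rejection.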

Re: failed to authenticate: User not known to the underlying

Posted: Thu Jul 07, 2011 9:50 am
by ikbenut
The solution for now is that I installed LDAP and that is working fine.

In /etc/openvpn/xxx.conf I use the line plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf

In /etc/openvpn/auth-ldap.conf I edited the search filter to:

SearchFilter "(&(sAMAccountName=%u)(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

It checks the login name on the Windows 2008 R2 server (cn does not work) and also checks whether the account is disabled or not. "!" means NOT, so the search filter checks for the username with password and that the account is not disabled.

For more info on installing LDAP on Linux/Slack: http://code.google.com/p/openvpn-auth-ldap/

Still don't know why winbind doesn't work. The only thing is that when I tested LDAP with the search filter "cn=%u" I got the same error as with winbind: "unknown user".
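To make the search filter from this post concrete, here is an added example (not the poster's configuration and not openvpn-auth-ldap's own code) that builds the filter for a given username, parses the subset of RFC 4515 syntax it uses, and evaluates it against a few constructed directory entries. It shows three things a practitioner would want to verify: that the `1.2.840.113556.1.4.803` rule is a bitwise AND, so `!(...:=2)` excludes accounts with the ACCOUNTDISABLE bit set; that `cn=%u` does not match a login name (which matches the poster's "unknown user" observation); and that the value substituted for `%u` must be escaped so that a username containing filter metacharacters cannot change the filter's structure. The entries are constructed sample data, and `objectCategory` is stored as the plain word `person` for simplicity (real AD stores a DN and resolves the short name itself).

```python
import re

BIT_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND, as used in the post's filter
UF_ACCOUNTDISABLE = 2                      # userAccountControl bit the filter excludes


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (what %u should become)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape(value):
    """Reverse of escape_filter_value for values read back out of a parsed filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(username):
    """The post's SearchFilter with %u replaced by the escaped username."""
    return ("(&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:%s:=%d)))"
            % (escape_filter_value(username), BIT_AND_OID, UF_ACCOUNTDISABLE))


def parse_filter(text):
    """Parse the subset of RFC 4515 used above: '&', '!', equality, and the
    extensible match 'attr:OID:=value'. Returns a small tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] == "&":
            pos += 1
            items = []
            while text[pos] == "(":
                items.append(parse())
            node = ("and", items)
        elif text[pos] == "!":
            pos += 1
            node = ("not", parse())
        else:
            end = text.index(")", pos)     # escaped ')' appear as \29, so this is the real close
            item = text[pos:end]
            pos = end
            m = re.fullmatch(r"([A-Za-z][\w-]*):([\d.]+):=(.*)", item)
            if m:
                node = ("bitand", m.group(1), m.group(2), int(m.group(3)))
            else:
                attr, value = item.split("=", 1)
                node = ("eq", attr, unescape(value))
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return node


def evaluate(node, entry):
    """Three-valued evaluation as in RFC 4511: True, False, or None (Undefined,
    e.g. the attribute is absent). Only True counts as a match."""
    kind = node[0]
    if kind == "and":
        results = [evaluate(n, entry) for n in node[1]]
        return False if False in results else (None if None in results else True)
    if kind == "not":
        r = evaluate(node[1], entry)
        return None if r is None else (not r)
    attr = node[1]
    if attr not in entry:
        return None
    values = entry[attr] if isinstance(entry[attr], list) else [entry[attr]]
    if kind == "eq":                       # AD attribute values compare case-insensitively
        return any(str(v).lower() == node[2].lower() for v in values)
    if kind == "bitand":                   # rule matches when every bit of the mask is set
        if node[2] != BIT_AND_OID:
            raise ValueError("unsupported matching rule " + node[2])
        return any((int(v) & node[3]) == node[3] for v in values)
    raise ValueError(kind)


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "cn": "Alice Example", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 512},    # NORMAL_ACCOUNT
    {"sAMAccountName": "bob", "cn": "Bob Example", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 514},    # NORMAL_ACCOUNT | ACCOUNTDISABLE
]


def find_user(username, entries):
    """Entries the post's filter would return for this login name."""
    node = parse_filter(build_filter(username))
    return [e for e in entries if evaluate(node, e) is True]


if __name__ == "__main__":
    print(build_filter("alice"))
    print([e["sAMAccountName"] for e in find_user("alice", SAMPLE_ENTRIES)])   # ['alice']
    print(find_user("bob", SAMPLE_ENTRIES))                                     # [] (disabled)
```

The `is True` check in `find_user` matters: a `!` wrapped around an attribute the entry does not have evaluates to Undefined, not to a match, which is how a conforming server treats it as well.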