
Update 4.3.6 - LDAP connection error on subdomain

Hello,

Since my servers (AD and Web Protection server) shut down following a power outage during the night, I have been getting a synchronization error message:

"The appliance encountered a problem synchronizing with one or more Trusted Subdomains in the Active Directory."

Indeed, if I go to Configuration, System, Active Directory, the settings check fails while searching for subdomains.

The server configuration has not changed, the various LDAP ports are open, and the trust between the AD domains is still operational.

I suspect the latest Sophos update (4.3.6). I do not recall the Web Appliance servers having rebooted after this update. And when you look at the update logs, there is a fix that was made regarding subdomains:

NSWA-1565

Fixed an issue with Active Directory where child domains could fail to sync

Do you have any ideas for tests to check the settings for the subdomains?

Thank you very much,

David

  • There is no log you can export that contains the "join" process; you would need to open a support case. But here are some additional things to try.

    #1

    Create a new additional policy. When you have the option to select users/groups, you should see the sub-domain users and/or groups in the drop-down. If you do not see them, the appliance cannot pull down the domain info. You could go one step further and create a new group on the sub-domain, wait for it to replicate, then re-sync the appliance and verify it was created.

    That will verify whether the appliance can actually pull down and update the AD information.

    If this fails, then the appliance cannot access the domain.

    #2

    Configure the appliance to export the sophos_log file under Syslog Server.

    Then, on the sub-domain, configure a user's browser to "use proxy settings" and set it to the IP of the appliance directly, on port 8080. Then try surfing.

    What happens? Does it work?

    Verify you are being filtered by the appliance at http://sophostest.com/ : click on categories that should be blocked. Do you get a block page?

    Do the same test without using the proxy settings.

    Then check out this post on how to read the log files and verify the user is authenticated:

    i.e.:

    http://swa.sophos.com/webhelp/swa/concepts/InterpretingLogFiles.html

    h=10.99.115.13 u="DOMAIN\\johnsmith"  = correct
    h=10.99.115.13 u="-" = unauthenticated

    #3

    There are some port requirements, assuming one or more appliances or the sub-domain is on a different network/location.

    http://swa.sophos.com/webhelp/swa/concepts/PortConfig.html?hl=ports

    It's also important to make sure each appliance and the respective AD servers can resolve each other via short name and FQDN (failed DNS). You may wish to verify they can, and that they resolve to the correct IP addresses. It may be possible settings like DNS were reset/lost when your power went out.
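As an added example (not part of the original reply or of the Sophos appliance), here is a small Python parser for the key=value log lines described above: it classifies each request by whether the u= field carries a DOMAIN\user or "-", so a client host whose traffic is entirely unauthenticated stands out. The sample lines and every field other than h= and u= are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the key=value style the reply describes (h= client
# host, u= user); fields other than h and u are invented for illustration.
SAMPLE_LOG = r'''
h=10.99.115.13 u="DOMAIN\\johnsmith" s=200 cat="Search Engines"
h=10.99.115.13 u="-" s=403 cat="Adult/Sexually Explicit"
h=10.99.115.27 u="CHILD\\alice" s=200 cat="Business"
h=10.99.115.27 u="-" s=200 cat="Business"
h=10.99.115.40 u="-" s=200 cat="News"
'''

# key=value: a double-quoted string (backslash escapes allowed) or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return one log line's key=value fields as a dict, quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def split_user(user):
    """Split DOMAIN\\user into (domain, user); ('', None) when u="-"."""
    if user in ("", "-"):
        return "", None
    parts = re.split(r"\\+", user, maxsplit=1)  # tolerate doubled backslashes
    return (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])

def auth_summary(log_text):
    """Per client host: requests with a user vs. u="-", plus per-domain counts."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "h" not in fields:
            continue  # blank or non-request line
        domain, user = split_user(fields.get("u", "-"))
        summary[fields["h"]]["authenticated" if user else "unauthenticated"] += 1
        if domain:
            summary[fields["h"]]["domain:" + domain] += 1
    return {host: dict(counts) for host, counts in summary.items()}

def unauthenticated_hosts(log_text):
    """Hosts whose every request was unauthenticated: the symptom to look for."""
    return sorted(host for host, counts in auth_summary(log_text).items()
                  if not counts.get("authenticated"))
```

Run `auth_summary` over an exported sophos_log; a sub-domain client that only ever shows up under "unauthenticated" is the case the reply tells you to look for.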

  • Hello,

    I have already opened a support ticket (8106106), but I currently have no reply. A second ticket has just been opened (8128248).

    #1 - I have a trust relationship between domain1 and domain2. Sophos Web Appliance is configured to join domain1 but is unable to verify the LDAP information of domain 2 (see image).

    If I create a local group on domain 1 (the one configured on the Appliance) containing an account from domain 2, filtering on that group works.

    Synchronization with Domain 1 causes no problem.

    #3 - No DNS or port issues. Every AD in all the domains is working.

    For information, when I install a new virtual Web Appliance (on the same physical server) it comes up as version 4.1.1.1. NO problem connecting to the domains. I can join the domain along with the subdomain. I really think there is a problem with the latest version, 4.3.6.


  • I had a look at your support ticket and made some notes.

    Ensure the user you are using exists in both domains with the same password (you could try using the administrator account as a test).

    If this works, have a look at https://community.sophos.com/kb/en-us/52548

    The specific error is that Samba cannot create the appropriate record for the sub-domain. This would seem to indicate the request is being rejected. This could also be something like an invalid/expired SSL cert (granted, that would normally cause more than just this issue).

    Also ensure there is a SRV DNS record within the network. It looks like it's resolving correctly, but there could be a stale record somewhere.

    Lastly: ensure the time is within 2 minutes between the sub-domain and the appliance. MS will reject any request that is out by more than a few minutes.

    Cheers

  • Thank you Red_Warrior for the time spent on my problem.

    The user account exists in both domains with the same password.
    As explained, when reinstalling a new Web Appliance it installs as version 4.1.1.1, and with the same configuration and the same user account the connection and the synchronization work on the domains.

    On the DNS side, the records are correct, with no duplicates or stale records.

    The time server is configured on all the Appliances using the domain controller (PDC) as the time source. (If it were a clock error, another warning message would be shown during the settings check.)

    Do we have the option to go back to the previous version? Version 4.3.5.1 caused no problems.

  • The only way you will be able to downgrade is if you have a previous snapshot. You can replace the new VM and, under the Networking menu, select "re-register this device".

    Unfortunately there is not much else that can be done via the forums; however, there are a couple of other things you can try.

    #1 Remove the current user and password, replace it with the administrator account and re-sync.

    #2 Create a brand new account following the KB I posted for you above (confirm you can create a computer object).

    #3 Remove the current primary and secondary DCs, then reverse the order (make the current primary the secondary and the secondary the primary), then re-run the join/tests.

    You will need to work with your engineer to query the DC and secondary over SMB in real time.

    If that still fails, you may wish to request that your case be escalated.

    The escalations engineer may have insight into any current issues, if there are any; they may also be able to help you set up a new VM and move it to an older repository, as well as work more closely with you directly to ensure that there are no connection issues and monitor the SMB connection itself.


  • I added some additional notes and a back-end change that could be tried.

    In short: when the appliance was upgraded to SMB v2, this introduced some changes with Kerberos. The suggested change should be live-monitored, and the command is in your ticket.
