
XG AD Join for WebProxy SSO

Hi,

I'm currently evaluating the XG as a Replacement for our SG Cluster.

My Problem is that the NTLM and Kerberos Authentication are not working and I'm redirected to the Captive Portal.

I tried to find a Logfile where the AD Join is logged but I had no success.
Where are the Logfiles for the AD Join or Kerberos Auth?

I already tried the "chroot /content/nasm" from this https://community.sophos.com/sophos-xg-firewall/f/discussions/118573/set-up-kerberos-in-v18/447987?ReplyOffsetId=451033&ReplyOffsetDirection=Next&ReplySortBy=CreatedDate&ReplySortOrder=Descending Post
to check the Kerberos Files, but the chroot does not work. It reports: "chroot: can't execute '/bin/sh': Permission denied"



  • The chroot Command seems to have been removed from the Documentation.

    In 18.0 it is present: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/de-de/webhelp/onlinehelp/nsg/sfos/learningContent/ts_KerberosNTLMTroubleshooting.html
    but in 19.0 it is removed: docs.sophos.com/.../index.html

    Edit 16:20:

    Found the Authentication Log in the WebUI; there is the Error "Cannot establish NTLM authentication channel with"

    nasm.log

    Sophos Firewall
    ===============
    (C) Copyright 2000-2022 Sophos Limited and others. All rights reserved.
    Sophos is a registered trademark of Sophos Limited and Sophos Group.
    All other product and company names mentioned are trademarks or registered
    trademarks of their respective owners.
    
    For Sophos End User Terms of Use - https://www.sophos.com/en-us/legal/sophos-end-user-terms-of-use.aspx
    May 04 14:16:46.706839Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:16:47.159047Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:16:49.159191Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:17:09.378342Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:17:09.836417Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:17:11.836557Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:17:32.060890Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:17:32.515675Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:17:34.515818Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:17:54.719991Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:17:55.078665Z  [nasm]  connection closed, verify baby's health :)
    May 04 14:17:55.177373Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:17:57.177511Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:18:17.399436Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:18:17.852561Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:18:19.852705Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:18:40.076535Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:18:40.531998Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:18:42.532146Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    

    In the file /content/nasm/tmp/smb.conf, netbios name = XG-TEST

    In the Active Directory there is no Computer Account with the Name XG-TEST.

    The Account for the AD Authentication User has the rights to join new computers but is not a Domain Admin (which shouldn't be necessary).



    Edit 16:20: added logs and smb conf
    [edited by: Marco Hald at 2:25 PM (GMT -7) on 4 May 2022]
  • I set the Debug Level with service -ds nosync nasm:debug
    Then I changed the Hostname, which triggered a Rejoin.
    These Events were generated on the DC:

    A Kerberos authentication ticket (TGT) was requested.
    
    Account Information:
    	Account Name:		testfwservice
    	Supplied Realm Name:	DOMAIN.EXAMPLE.COM
    	User ID:			DOMAIN\testfwservice
    
    Service Information:
    	Service Name:		krbtgt
    	Service ID:		DOMAIN\krbtgt
    
    Network Information:
    	Client Address:		::ffff:10.0.0.55
    	Client Port:		53280
    
    Additional Information:
    	Ticket Options:		0x40010010
    	Result Code:		0x0
    	Ticket Encryption Type:	0x12
    	Pre-Authentication Type:	2
    
    Certificate Information:
    	Certificate Issuer Name:		
    	Certificate Serial Number:	
    	Certificate Thumbprint:		
    
    Certificate information is only provided if a certificate was used for pre-authentication.
    
    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
    
    
    
    An account failed to log on.
    
    Subject:
    	Security ID:		NULL SID
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Logon Type:			3
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		
    	Account Domain:		
    
    Failure Information:
    	Failure Reason:		An Error occured during Logon.
    	Status:			0xC000035B
    	Sub Status:		0x0
    
    Process Information:
    	Caller Process ID:	0x0
    	Caller Process Name:	-
    
    Network Information:
    	Workstation Name:	-
    	Source Network Address:	10.0.0.55
    	Source Port:		45580
    
    Detailed Authentication Information:
    	Logon Process:		Kerberos
    	Authentication Package:	Kerberos
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    
    The Process Information fields indicate which account and process on the system requested the logon.
    
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
    The authentication information fields provide detailed information about this specific logon request.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    

    This is in the nasm.log:

    May 04 14:30:12.144604Z  [nasm]  populate_servers
    May 04 14:30:12.144611Z  [nasm]  display_servers
    May 04 14:30:12.144614Z  [nasm]  Server->DOMAIN, ID: 4
    		Username: 'testfwservice'
    		Password: 'XXX'
    		Address: '10.0.0.178'
    		Realm: 'DOMAIN.EXAMPLE.COM'
    May 04 14:30:12.144616Z  [nasm]  display_servers
    May 04 14:30:12.144636Z  [nasm]  ads_config
    May 04 14:30:12.144639Z  [nasm]  Popped Server->DOMAIN
    		Username: 'testfwservice'
    		Password: 'XXX'
    		Address: '10.0.0.178'
    		Realm: 'DOMAIN.EXAMPLE.COM'
    May 04 14:30:12.144642Z  [nasm]  pre_channel
    May 04 14:30:12.144648Z  [nasm]  is_ad_join_required() check smb.conf [ /cfs/smb.conf.4 ]
    May 04 14:30:12.452281Z  [nasm]  calculate_md5sum() calculated md5sum of "/cfs/smb.conf.4" [line=6] = aa1108526ab1ab16cd5b5573144dc0b4
    May 04 14:30:12.452302Z  [nasm]  calculate_md5sum() calculated md5sum of "/tmp/smb.conf" [line=6] = a4ea66ef69212470c7ba4918a5725158
    May 04 14:30:12.452305Z  [nasm]  is_ad_join_required() AD join required due to detected change in smb.conf
    May 04 14:30:12.452308Z  [nasm]  remove_previous_footprint: execute '/bin/ntlm_krb5_teardown.sh testfwservice XXX DOMAIN.EXAMPLE.COM'
    May 04 14:30:12.452310Z  [nasm]  execute_command
    May 04 14:30:12.452314Z  [nasm]  imaginary_baby
    May 04 14:30:12.452430Z  [nasm]  waiting for '/bin/ntlm_krb5_teardown.sh' to complete its job
    May 04 14:30:12.453347Z  [nasm]  hi_i_m_child
    May 04 14:30:12.453373Z  [nasm]  executing '/bin/ntlm_krb5_teardown.sh'
    May 04 14:30:12.454919Z  [nasm]  execute_command (done)
    May 04 14:30:12.454942Z  [nasm]  execute_command
    May 04 14:30:12.454944Z  [nasm]  parsing arguments for '/bin/samba_reset.sh'
    May 04 14:30:12.454947Z  [nasm]  argument '/bin/samba_reset.sh' processed
    May 04 14:30:12.454949Z  [nasm]  transferring over to imaginary_baby to execute '/bin/samba_reset.sh'
    May 04 14:30:12.454951Z  [nasm]  imaginary_baby
    May 04 14:30:12.455032Z  [nasm]  waiting for '/bin/samba_reset.sh' to complete its job
    May 04 14:30:12.455060Z  [nasm]  hi_i_m_child
    May 04 14:30:12.455070Z  [nasm]  executing '/bin/samba_reset.sh'
    May 04 14:30:12.459429Z  [nasm]  execute_command (done)
    May 04 14:30:12.459435Z  [nasm]  execute_command
    May 04 14:30:12.459437Z  [nasm]  parsing arguments for 'cp -f /cfs/smb.conf.4 /tmp/smb.conf'
    May 04 14:30:12.459439Z  [nasm]  argument 'cp' processed
    May 04 14:30:12.459441Z  [nasm]  argument '-f' processed
    May 04 14:30:12.459443Z  [nasm]  argument '/cfs/smb.conf.4' processed
    May 04 14:30:12.459446Z  [nasm]  argument '/tmp/smb.conf' processed
    May 04 14:30:12.459447Z  [nasm]  transferring over to imaginary_baby to execute 'cp -f /cfs/smb.conf.4 /tmp/smb.conf'
    May 04 14:30:12.459449Z  [nasm]  imaginary_baby
    May 04 14:30:12.459523Z  [nasm]  waiting for 'cp' to complete its job
    May 04 14:30:12.459547Z  [nasm]  hi_i_m_child
    May 04 14:30:12.459558Z  [nasm]  executing 'cp'
    May 04 14:30:12.768970Z  [nasm]  execute_command (done)
    May 04 14:30:12.768987Z  [nasm]  execute_command
    May 04 14:30:12.768990Z  [nasm]  parsing arguments for 'cp -f /cfs/ldap.conf.4 /tmp/ldap.conf'
    May 04 14:30:12.768993Z  [nasm]  argument 'cp' processed
    May 04 14:30:12.768995Z  [nasm]  argument '-f' processed
    May 04 14:30:12.768997Z  [nasm]  argument '/cfs/ldap.conf.4' processed
    May 04 14:30:12.768999Z  [nasm]  argument '/tmp/ldap.conf' processed
    May 04 14:30:12.769001Z  [nasm]  transferring over to imaginary_baby to execute 'cp -f /cfs/ldap.conf.4 /tmp/ldap.conf'
    May 04 14:30:12.769003Z  [nasm]  imaginary_baby
    May 04 14:30:12.769118Z  [nasm]  waiting for 'cp' to complete its job
    May 04 14:30:12.769149Z  [nasm]  hi_i_m_child
    May 04 14:30:12.769160Z  [nasm]  executing 'cp'
    May 04 14:30:13.038049Z  [nasm]  execute_command (done)
    May 04 14:30:13.038061Z  [nasm]  net_ads_info
    May 04 14:30:13.038064Z  [nasm]  over to real_baby to get info regarding AD DC
    May 04 14:30:13.038067Z  [nasm]  real_baby
    May 04 14:30:13.038193Z  [nasm]  __parent
    May 04 14:30:13.038222Z  [nasm]  __child
    May 04 14:30:13.038237Z  [nasm]  executing '/oss/net'
    May 04 14:30:13.150757Z  [nasm]  read event on STDOUT_FILENO for '/oss/net'
    May 04 14:30:13.151149Z  [nasm]  read event on STDERR_FILENO for '/oss/net'
    May 04 14:30:13.151154Z  [nasm]  connection closed, verify baby's health :)
    May 04 14:30:13.151204Z  [nasm]  __parent
    May 04 14:30:13.151207Z  [nasm]  real_baby
    May 04 14:30:13.151209Z  [nasm]  real_baby done, let's verify baby's exit status
    May 04 14:30:13.151211Z  [nasm]  /oss/net exited successfully, does it left anything for us ??
    May 04 14:30:13.151213Z  [nasm]  Looking out for DC name from net ads info result
    May 04 14:30:13.151215Z  [nasm]  we have 'LDAP server: 10.0.0.178' from net ads info
    May 04 14:30:13.151217Z  [nasm]  Comparing 'LDAP server: 10.0.0.178'
    May 04 14:30:13.151219Z  [nasm]  unable to locate DC name
    May 04 14:30:13.151221Z  [nasm]  Looking out for DC name from net ads info result
    May 04 14:30:13.151223Z  [nasm]  we have 'LDAP server name: dc03.DOMAIN.EXAMPLE.COM' from net ads info
    May 04 14:30:13.151224Z  [nasm]  Comparing 'LDAP server name: dc03.DOMAIN.EXAMPLE.COM'
    May 04 14:30:13.151226Z  [nasm]  V to locate DC name
    May 04 14:30:13.151229Z  [nasm]  DC hostname for server->DOMAIN is 'dc03.DOMAIN.EXAMPLE.COM'
    May 04 14:30:13.151239Z  [nasm]  net_ads_info
    May 04 14:30:13.151241Z  [nasm]  we've DC hostname 'dc03.DOMAIN.EXAMPLE.COM' for server->DOMAIN
    May 04 14:30:13.151255Z  [nasm]  throw
    May 04 14:30:13.151264Z  [nasm]  throw
    May 04 14:30:13.151266Z  [nasm]  /etc/hosts generated successfully with '127.0.0.1	localhost
    10.0.0.178	dc03.DOMAIN.EXAMPLE.COM
    ' contents
    May 04 14:30:13.151270Z  [nasm]  parse_address() returned [0] for [10.0.0.178]
    May 04 14:30:13.151287Z  [nasm]  throw
    May 04 14:30:13.151292Z  [nasm]  throw
    May 04 14:30:13.151294Z  [nasm]  lmhosts generated successfully with '10.0.0.178	DOMAIN
    ' contents
    May 04 14:30:13.151298Z  [nasm]  execute_command
    May 04 14:30:13.151300Z  [nasm]  parsing arguments for 'rm -f /tmp/krb5.conf'
    May 04 14:30:13.151302Z  [nasm]  argument 'rm' processed
    May 04 14:30:13.151304Z  [nasm]  argument '-f' processed
    May 04 14:30:13.151306Z  [nasm]  argument '/tmp/krb5.conf' processed
    May 04 14:30:13.151308Z  [nasm]  transferring over to imaginary_baby to execute 'rm -f /tmp/krb5.conf'
    May 04 14:30:13.151310Z  [nasm]  imaginary_baby
    May 04 14:30:13.151417Z  [nasm]  waiting for 'rm' to complete its job
    May 04 14:30:13.151438Z  [nasm]  hi_i_m_child
    May 04 14:30:13.151458Z  [nasm]  executing 'rm'
    May 04 14:30:13.151807Z  [nasm]  execute_command (done)
    May 04 14:30:13.151810Z  [nasm]  execute_command
    May 04 14:30:13.151812Z  [nasm]  parsing arguments for '/bin/cp /cfs/krb5.conf.4 /tmp/krb5.conf'
    May 04 14:30:13.151814Z  [nasm]  argument '/bin/cp' processed
    May 04 14:30:13.151816Z  [nasm]  argument '/cfs/krb5.conf.4' processed
    May 04 14:30:13.151819Z  [nasm]  argument '/tmp/krb5.conf' processed
    May 04 14:30:13.151820Z  [nasm]  transferring over to imaginary_baby to execute '/bin/cp /cfs/krb5.conf.4 /tmp/krb5.conf'
    May 04 14:30:13.151822Z  [nasm]  imaginary_baby
    May 04 14:30:13.151885Z  [nasm]  waiting for '/bin/cp' to complete its job
    May 04 14:30:13.151904Z  [nasm]  hi_i_m_child
    May 04 14:30:13.151920Z  [nasm]  executing '/bin/cp'
    May 04 14:30:13.358291Z  [nasm]  execute_command (done)
    May 04 14:30:13.358305Z  [nasm]  net_ads_join
    May 04 14:30:13.358309Z  [nasm]  over to imaginary_baby to JOIN with AD
    May 04 14:30:13.358311Z  [nasm]  imaginary_baby
    May 04 14:30:13.358434Z  [nasm]  waiting for '/oss/net' to complete its job
    May 04 14:30:13.358454Z  [nasm]  hi_i_m_child
    May 04 14:30:13.358472Z  [nasm]  executing '/oss/net'
    dos charset 'CP850' unavailable - using ASCII
    kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc03.DOMAIN.EXAMPLE.COM with user[testfwservice] realm[DOMAIN.EXAMPLE.COM]: Invalid credentials
    Failed to join domain: failed to connect to AD: Invalid credentials
    May 04 14:30:13.454172Z  [nasm]  '/oss/net' exited with invalid status '255'
    May 04 14:30:13.454187Z  [nasm]  net_ads_join (done)
    May 04 14:30:13.454190Z  [nasm]  net_ads_join failed to join with server->DOMAIN
    May 04 14:30:13.454193Z  [nasm]  pre_channel (done)
    May 04 14:30:13.454203Z  [nasm]  throwing logs on garner
    May 04 14:30:13.454214Z  [nasm]  all servers traversed, but still not able to setup channel, will try again in 20 seconds
    May 04 14:30:13.454217Z  [nasm]  setup_channel (done)
    May 04 14:30:13.454219Z  [nasm]  reload_channel (done)
    May 04 14:30:13.454221Z  [nasm]  process_tlv_reconfig (done)
    May 04 14:30:13.454223Z  [nasm]  process_tlv_channel_status
    May 04 14:30:13.454227Z  [nasm]  sending channel down to ntlm server
    May 04 14:30:13.454229Z  [nasm]  sendto_ntlmserver: TLV [type=DOWN]
    May 04 14:30:13.454236Z  [nasm]  sendto_ntlmserver: [bytes sent=8]
    May 04 14:30:13.454239Z  [nasm]  process_tlv_channel_status (done)
    May 04 14:30:13.454242Z  [nasm]  process_protocol_event (done)
    May 04 14:30:13.454244Z  [nasm]  waiting for an event on PROTOCOL fd [up to 20s]
    May 04 14:30:13.454247Z  [ntlmserver]  fasm_processor(): processing nasm-to-server TLV [type=DOWN] message
    May 04 14:30:13.454259Z  [ntlmserver]  ntlm_server() ---> epoll_wait() waiting 10s for events
    May 04 14:30:23.455112Z  [ntlmserver]  ntlm_server() ---> looping through employ'd [elasped=12s]
    May 04 14:30:23.455129Z  [ntlmserver]  ntlm_server() ---> epoll_wait() waiting 10s for events
    

    The errors "kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc03.DOMAIN.EXAMPLE.COM with user[testfwservice] realm[DOMAIN.EXAMPLE.COM]: Invalid credentials" and
    "Failed to join domain: failed to connect to AD: Invalid credentials" seem to be relevant.

  • Even with the Domain Administrator the Message is still "Invalid credentials
    Failed to join domain: failed to connect to AD: Invalid credentials".

    The Connection Test from the Authentication Server is working fine.

  • Found https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/0xc000035b-when-you-use-lmcompatibility

    which indicates that the XG uses NTLMv1 to try to join the AD, which is disabled in our environment.

    Is there a way to edit /cfs/smb.conf.4 or is it entirely managed by the csc daemon?

  • Posts with links seem to get blocked.

    If you search for "Terminal Services client connection error 0xC000035B when you use LmCompatibility" you should be able to find the Microsoft Article.

    It says that this error is thrown when the client tries to use NTLMv1, but this is blocked in our environment.

    Is there a way to edit /cfs/smb.conf.4 or is it entirely managed by the csc daemon?
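A small triage script, added here as an example and not part of the thread or of Sophos' own tooling. It parses the nasm.log lines posted above (the debug trace of the re-join) together with the Windows Security event 4625 posted from the DC, and reports the same observations the thread arrives at: smb.conf changed so nasm re-joined, kinit succeeded but the LDAP SASL bind was rejected, and the DC logged status 0xC000035B from the firewall's address, which the Microsoft article cited in this thread ties to LmCompatibility. The sample inputs are constructed, abridged copies of what was posted; the function names and the mapping of 0xC000035B are assumptions of this example, not documented SFOS behaviour.

```python
"""Correlate an SFOS nasm.log AD-join trace with a DC's Security event 4625.

Added example, not Sophos code. Sample data is constructed and abridged
from the thread; 10.0.0.x / DOMAIN.EXAMPLE.COM are the thread's own placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: abridged nasm.log lines (service -ds nosync nasm:debug).
NASM_LOG = """\
May 04 14:30:12.144648Z  [nasm]  is_ad_join_required() check smb.conf [ /cfs/smb.conf.4 ]
May 04 14:30:12.452281Z  [nasm]  calculate_md5sum() calculated md5sum of "/cfs/smb.conf.4" [line=6] = aa1108526ab1ab16cd5b5573144dc0b4
May 04 14:30:12.452302Z  [nasm]  calculate_md5sum() calculated md5sum of "/tmp/smb.conf" [line=6] = a4ea66ef69212470c7ba4918a5725158
May 04 14:30:12.452305Z  [nasm]  is_ad_join_required() AD join required due to detected change in smb.conf
May 04 14:30:13.151229Z  [nasm]  DC hostname for server->DOMAIN is 'dc03.DOMAIN.EXAMPLE.COM'
May 04 14:30:13.358309Z  [nasm]  over to imaginary_baby to JOIN with AD
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/dc03.DOMAIN.EXAMPLE.COM with user[testfwservice] realm[DOMAIN.EXAMPLE.COM]: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials
May 04 14:30:13.454172Z  [nasm]  '/oss/net' exited with invalid status '255'
"""

# Constructed sample: abridged Security event 4625 as posted from the DC.
EVENT_4625 = """\
An account failed to log on.
Logon Type:            3
Failure Information:
    Status:            0xC000035B
    Sub Status:        0x0
Network Information:
    Source Network Address: 10.0.0.55
    Source Port:       45580
Detailed Authentication Information:
    Logon Process:     Kerberos
    Authentication Package: Kerberos
"""

# Status the Microsoft article cited in the thread ties to LmCompatibility (assumed mapping).
LMCOMPAT_STATUS = "0xC000035B"

RE_JOIN_REQUIRED = re.compile(r"is_ad_join_required\(\) AD join (required|NOT required)")
RE_MD5 = re.compile(r'calculated md5sum of "([^"]+)" .*= ([0-9a-f]{32})')
RE_DC = re.compile(r"DC hostname for server->(\S+) is '([^']+)'")
RE_KINIT = re.compile(r"kinit succeeded but (\S+) failed for (\S+) with user\[([^\]]+)\] realm\[([^\]]+)\]: (.+)")
RE_JOIN_FAIL = re.compile(r"Failed to join domain: (.+)")
RE_NET_EXIT = re.compile(r"'/oss/net' exited with invalid status '(\d+)'")


@dataclass
class JoinReport:
    join_required: Optional[bool] = None
    config_hashes: Dict[str, str] = field(default_factory=dict)  # path -> md5 nasm compared
    dc_hostname: Optional[str] = None
    kerberos_stage: Optional[str] = None  # step that failed after kinit had succeeded
    join_error: Optional[str] = None
    net_exit_status: Optional[int] = None


def parse_nasm_log(text: str) -> JoinReport:
    """Pull the join decision, config hashes, DC name and failure out of nasm.log."""
    r = JoinReport()
    for line in text.splitlines():
        if (m := RE_JOIN_REQUIRED.search(line)):
            r.join_required = m.group(1) == "required"
        elif (m := RE_MD5.search(line)):
            r.config_hashes[m.group(1)] = m.group(2)
        elif (m := RE_DC.search(line)):
            r.dc_hostname = m.group(2)
        elif (m := RE_KINIT.search(line)):
            r.kerberos_stage = m.group(1)
        elif (m := RE_JOIN_FAIL.search(line)):
            r.join_error = m.group(1)
        elif (m := RE_NET_EXIT.search(line)):
            r.net_exit_status = int(m.group(1))
    return r


def parse_security_event(text: str) -> Dict[str, str]:
    """Flatten a 'Key: value' Windows event body; section headers with no value are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if value.strip():
            fields[key.strip()] = value.strip()
    return fields


def triage(report: JoinReport, event: Dict[str, str]) -> List[str]:
    """Turn both parses into the conclusions a defender would want to see."""
    findings: List[str] = []
    if report.join_required and len(set(report.config_hashes.values())) > 1:
        findings.append("smb.conf md5 differs between the /cfs and /tmp copies: nasm re-joined the domain")
    if report.kerberos_stage:
        findings.append(f"kinit succeeded (KDC accepted the account); the failure is at {report.kerberos_stage}")
    if report.join_error:
        findings.append(f"net ads join to {report.dc_hostname} failed (exit {report.net_exit_status}): {report.join_error}")
    if event.get("Status", "").lower() == LMCOMPAT_STATUS.lower() and event.get("Logon Type") == "3":
        findings.append(f"DC 4625 from {event.get('Source Network Address')} with status {LMCOMPAT_STATUS}: "
                        "the Microsoft article cited in the thread ties this to LmCompatibility")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nasm_log(NASM_LOG), parse_security_event(EVENT_4625)):
        print("-", finding)
```

The two parsers are deliberately independent so that either input can be dropped in from a larger capture; the correlation is only by the firewall's source address and the status code, which is all the posted events give you.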

  • chroot is still possible for development; however, it is not easily available to customers due to additional security measures in place.
    While it is occasionally useful for debugging issues, it cannot really be used to solve them.
    Files such as smb.conf are completely generated by the XG (nasm in this case). Any manual changes made will be overwritten by the system.

    The following is correct and is the most useful thing for you:
    service -ds nosync nasm:debug
    /log/nasm.log

    Both the XG and the UTM support TYPE1 and TYPE3. Though it is a different implementation, a brief inspection of the code suggests the support is the same.

    While I agree that googling 0xC000035B does suggest that one cause is unsupported TYPE1, I suspect this is not the root cause of the problem.

    Is it possible for you to temporarily enable Type1 on the AD server and see if it resolves the issue?

    Either way, I suggest you raise this issue with support.