
XG AD Join for WebProxy SSO

Hi,

I'm currently evaluating the XG as a replacement for our SG cluster.

My problem is that the NTLM and Kerberos authentication is not working and I'm redirected to the Captive Portal.

I tried to find a logfile where the AD join is logged but I had no success.
Where are the logfiles for the AD join or Kerberos auth?

I already tried the "chroot /content/nasm" from this https://community.sophos.com/sophos-xg-firewall/f/discussions/118573/set-up-kerberos-in-v18/447987?ReplyOffsetId=451033&ReplyOffsetDirection=Next&ReplySortBy=CreatedDate&ReplySortOrder=Descending post

to check the Kerberos files, but the chroot does not work; it reports: "chroot: can't execute '/bin/sh': Permission denied"



This thread was automatically locked due to age.
  • The chroot command seems to have been removed from the documentation.

    In 18.0 it is present: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/de-de/webhelp/onlinehelp/nsg/sfos/learningContent/ts_KerberosNTLMTroubleshooting.html
    but in 19.0 it is removed: docs.sophos.com/.../index.html

    Edit 16:20:

    Found the Authentication Log in the WebUI; there is the error "Cannot establish NTLM authentication channel with"

    nasm.log

    Sophos Firewall
    ===============
    (C) Copyright 2000-2022 Sophos Limited and others. All rights reserved.
    Sophos is a registered trademark of Sophos Limited and Sophos Group.
    All other product and company names mentioned are trademarks or registered
    trademarks of their respective owners.
    
    For Sophos End User Terms of Use - https://www.sophos.com/en-us/legal/sophos-end-user-terms-of-use.aspx
    May 04 14:16:46.706839Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:16:47.159047Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:16:49.159191Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:17:09.378342Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:17:09.836417Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:17:11.836557Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:17:32.060890Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:17:32.515675Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:17:34.515818Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:17:54.719991Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:17:55.078665Z  [nasm]  connection closed, verify baby's health :)
    May 04 14:17:55.177373Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:17:57.177511Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:18:17.399436Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:18:17.852561Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:18:19.852705Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    May 04 14:18:40.076535Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
    May 04 14:18:40.531998Z  [nasm]  channel established successfully
    winbindd version 4.7.4 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2017
    initialize_winbindd_cache: clearing cache and re-creating with version number 2
    Could not fetch our SID - did we join?
    unable to initialize domain list
    May 04 14:18:42.532146Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
    

    In the file /content/nasm/tmp/smb.conf the netbios name = XG-TEST

    In the Active Directory there is no computer account with the name XG-TEST

    The account for the AD authentication user has the rights to join new computers but is not a Domain Admin (which shouldn't be necessary)



    Edit 16:20: added logs and smb conf
    [edited by: Marco Hald at 2:25 PM (GMT -7) on 4 May 2022]
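The nasm.log excerpt above shows one pattern repeating every restart: nasm reports "AD join NOT required due to no change in smb.conf", then winbindd answers "Could not fetch our SID - did we join?" and "unable to initialize domain list", while the netbios name in smb.conf has no matching computer account in AD. The script below is an added example (not part of the post and not Sophos code) that turns that triage into something repeatable: it groups the log into join cycles, pulls the `netbios name` out of an smb.conf, and compares it against a list of computer account names. The log lines are a trimmed copy of the ones quoted above; the smb.conf keys other than `netbios name = XG-TEST`, the `SAMPLE_AD_COMPUTERS` list and the function names are constructed for the example, and in practice you would feed it a real nasm.log, the real /content/nasm/tmp/smb.conf and the computer names exported from AD.

```python
"""Triage helpers for the nasm/winbindd log and smb.conf quoted in the post above."""
import re
from dataclasses import dataclass

# Constructed sample input: a trimmed copy of the nasm.log lines from the post.
SAMPLE_LOG = """\
May 04 14:16:46.706839Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
May 04 14:16:47.159047Z  [nasm]  channel established successfully
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
May 04 14:16:49.159191Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
May 04 14:17:09.378342Z  [nasm]  is_ad_join_required() AD join NOT required due to no change in smb.conf
May 04 14:17:09.836417Z  [nasm]  channel established successfully
winbindd version 4.7.4 started.
Could not fetch our SID - did we join?
unable to initialize domain list
May 04 14:17:11.836557Z  [nasm]  is_ad_server_alive: waitpid() failed for 'No child processes'
"""

# Constructed sample smb.conf: only "netbios name = XG-TEST" comes from the post;
# workgroup, realm and security are placeholder values.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    netbios name = XG-TEST
    security = ads
"""

# Constructed list standing in for the computer accounts exported from AD.
SAMPLE_AD_COMPUTERS = ["DC01", "FILESRV01", "XG-PROD"]

# Timestamped lines are nasm's own; untimestamped lines are winbindd output.
NASM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+Z)\s+\[nasm\]\s+(?P<msg>.*)$"
)


@dataclass
class JoinCycle:
    """One nasm cycle: from is_ad_join_required() until the next one."""
    started: str
    join_skipped: bool = False        # nasm decided no (re)join was needed
    sid_missing: bool = False         # winbindd: "Could not fetch our SID - did we join?"
    domain_list_failed: bool = False  # winbindd: "unable to initialize domain list"


def parse_cycles(log_text):
    """Group nasm/winbindd lines into join cycles keyed on is_ad_join_required()."""
    cycles = []
    current = None
    for line in log_text.splitlines():
        m = NASM_LINE.match(line)
        if m:
            msg = m.group("msg")
            if msg.startswith("is_ad_join_required()"):
                current = JoinCycle(started=m.group("ts"),
                                    join_skipped="NOT required" in msg)
                cycles.append(current)
            continue  # other nasm lines carry no join state we track
        if current is None:
            continue  # winbindd output before the first cycle marker
        if line.startswith("Could not fetch our SID"):
            current.sid_missing = True
        elif line.startswith("unable to initialize domain list"):
            current.domain_list_failed = True
    return cycles


def netbios_name(smb_conf_text):
    """Return the 'netbios name' value from an smb.conf, or None if absent."""
    for line in smb_conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "netbios name":
            return value.strip()
    return None


def diagnose(log_text, smb_conf_text, ad_computer_names):
    """Combine the log pattern with the smb.conf/AD account check into findings."""
    findings = []
    cycles = parse_cycles(log_text)
    if not cycles:
        findings.append("no is_ad_join_required() cycles found in log")
    elif all(c.join_skipped and c.sid_missing for c in cycles):
        findings.append("stale join: nasm skips the join because smb.conf is unchanged, "
                        "but winbindd has no machine SID in every cycle")
    name = netbios_name(smb_conf_text)
    if name is None:
        findings.append("smb.conf has no 'netbios name' entry")
    elif name.upper() not in {n.upper() for n in ad_computer_names}:
        findings.append(f"no computer account named {name} among the known AD computers")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_SMB_CONF, SAMPLE_AD_COMPUTERS):
        print("-", finding)
```

Run against the sample input it reports two findings: every cycle is a skipped join with no machine SID, and XG-TEST is absent from the computer list. The useful part for the thread is the combination: nasm deciding "no change in smb.conf" on its own is harmless, and winbindd lacking a SID on its own could be a transient DC problem, but both together on every restart, with the netbios name missing from AD, point at a join that nasm believes exists and AD does not.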