PVE 6 Bug with Active Directory

[T.Herrmann]

On the PVE 6.0.4 the Active Directory connection stopped working.

With same settings in PVE 5.4.11 it works fine on PVE 6.04 login with Active Directory accounts not possible.

Where I can check this issue in CLI ?

Best Tim.

 

[fireon]

During the loginprocess have look at the logs:

journalctl -f

 

[T.Herrmann]

Same Configuration but different behavior

output from journalctl -f

PVE 5.4.11
pvedaemon[21175]: <root@pam> successful auth for user ‚xxxx@xxx.de'


PVE 6.0.4
pvedaemon[30092]: authentication failure; host=192.xx.xxx.xxx user=xxx@xxx msg=no such user ('xxx@xxx')

 

[fireon]

Post your config for der AD-Connection.

 

[T.Herrmann]

Here is the config for der AD-Connection. Sorry I took out the original name of the server for security reasons.

 

[T.Herrmann]

Here is the config for der AD-Connection. Sorry I took out the original name of the server for security reasons.


View attachment 11029

Ok I get the problem. The SSL stuff is not working , with Port 389 it works fine but with SSL on 636 not.

PVE 5.4-11 works with SSL on port 636

 

[fireon]

I know the problem, same with ldap. But with ldap ssl was also broken in 5.x.
https://bugzilla.proxmox.com/show_bug.cgi?id=2196
https://bugzilla.proxmox.com/show_bug.cgi?id=1279

 

[Greg.Davis]

Have there been updates to this issue? Just updated pve5.4 to pve6 and our AD Authentication ended up breaking. I have SSL disabled in the short term to get it working for now - are there any other workarounds for this?

 

[T.Herrmann]

The Problem is the old MS Active Directory Server (probably Windows Server 2008 or older) with support for TLSv1.0 only.

Debian Buster set the minimum to TLSv1.2.

Solution:

• nano /etc/ssl/openssl.cnf MinProtocol = TLSv1.2 >> TLSv1.0

 

[Greg.Davis]

The Problem is the old MS Active Directory Server (probably Windows Server 2008 or older) with support for TLSv1.0 only.

Debian Buster set the minimum to TLSv1.2.

Solution:

• nano /etc/ssl/openssl.cnf MinProtocol = TLSv1.2 >> TLSv1.0

Unfortunately that does not appear to be the issue (or resolution). I tried the fix but it didn't resolve the issue and I did find that our AD Server blocks v1.0 and utilizes v1.2.

 

[T.Herrmann]

Ok, in our case this solution workout fine.

 

[Greg.Davis]

Ok, in our case this solution workout fine.

Just to update this thread - that did end up being the issue. After looking into which AD server we were trying to talk to we found out it was, in fact, a 2008 server. Our environment has newer servers available so after pointing to them all is well. Thanks for the information!

 

[fireon]

Yes here with Univention 4.4 it is working fine with actual TLS.

 

[t.lamprecht]

The Problem is the old MS Active Directory Server (probably Windows Server 2008 or older) with support for TLSv1.0 only.

Debian Buster set the minimum to TLSv1.2.

Solution:

• nano /etc/ssl/openssl.cnf MinProtocol = TLSv1.2 >> TLSv1.0

No need to drop down the whole TLS security for the host!
The realm config got a new "sslversion" property (see here for commit) in libpve-access-control (6.0-4).
It's much better if you use that to enforce the lower TLS version.

I'll see that I can add Webinterface support for this, for now you can set it by editing /etc/pve/domains.cfg
It could then look like:

pve: pve
    comment Proxmox VE authentication server
    default 0

pam: pam
    comment Linux PAM standard authentication

ldap: xyzfoo
    base_dn CN=Users,Company=Proxmox,Domain=PROXMOX
    server1 xyzfoo.proxmox.com
    user_attr uid
    sslversion tlsv1
    secure 1

 

[t.lamprecht]

But, the respective libpve-access-control package version will only get to the enterprise repository next week, FYI.