
Resolved
0 votes
Trying to configure ClearOS with Active Directory connector and the OpenVPN plugin.

Have several questions.

Background
I have installed the Active Directory connector and have connected it to my AD. I have created the groups openvpn_plugin and user_certificates_plugin and added my users to the groups.

When the users are viewed via the clearos web interface, logged in as root, the users do not have these groups configured as Enabled.

How do I get these Group policies enabled for the users?

When using the web interface to try and log in as these users I get the following error:
Ooooops: LDAP is offline

How do I log in as these users through the web interface, which will be necessary for them to get the keys and certs for the OpenVPN setups?

Thanks in advance.
Sunday, August 14 2016, 03:11 PM
Responses (14)
  • Accepted Answer

    Tuesday, April 11 2017, 10:29 PM - #Permalink
    Resolved
    0 votes
    Not sure if this is useful or not, but I noticed that if I try to enable one of the policies at a time instead of both that I *sometimes* get an error in the UI which has a corresponding exception trace in the system log:

    Apr 11 18:18:47 gw-senesac-01 engine: exception: error: /usr/clearos/apps/base/libraries/Shell.php (233): ERROR(exception): Failed to add members "" to group "user_certificates_plugin" - Unable to find "". Operation cancelled.
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: /usr/clearos/apps/samba_directory/libraries/Group_Driver.php (440): execute
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: /usr/clearos/apps/samba_directory/libraries/Group_Driver.php (272): set_members
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: /usr/clearos/apps/samba_directory/libraries/User_Driver.php (859): delete_member
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: /usr/clearos/apps/samba_directory/libraries/User_Driver.php (555): _handle_plugins
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: /usr/clearos/apps/users/controllers/users.php (375): update
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: /usr/clearos/apps/users/controllers/users.php (203): _item
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: GUI (0): edit
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: /usr/clearos/framework/system/core/CodeIgniter.php (359): call_user_func_array
    Apr 11 18:18:47 gw-senesac-01 engine: exception: debug backtrace: /usr/clearos/framework/htdocs/app/index.php (222): require_once
    Apr 11 18:18:54 gw-senesac-01 events: accounts - event occurred
    Apr 11 18:18:54 gw-senesac-01 events: accounts - triggered hook: accounts
  • Accepted Answer

    Tuesday, April 11 2017, 09:51 PM - #Permalink
    Resolved
    0 votes
    Yes, I get the following responses:

    SENESAC+user_certificates_plugin:x:3000047:SENESAC+stephen
    SENESAC+openvpn_plugin:x:3000048:SENESAC+stephen
  • Accepted Answer

    Tuesday, April 11 2017, 08:52 PM - #Permalink
    Resolved
    0 votes
    Stephen,

    Did you already create the groups on your AD Server for

    openvpn_plugin

    and

    user_certificates_plugin

    These must exist as lower-case group names in AD and must have your users added to them using tools such as the Active Directory Users and Computers MMC.

    If you have already created these, do they show up with user memberships when you run:

    getent group |grep openvpn_plugin

    and

    getent group |grep user_certificates_plugin
  • Accepted Answer

    Monday, April 10 2017, 10:15 PM - #Permalink
    Resolved
    0 votes
    Dave Loper wrote:

    Make sure you have the underpinnings of a directory. You can validate this by running the following commands:

    wbinfo -t


    My AD is working just fine. All those commands are successful. I just can't enable the OpenVPN User or Security Certificates User app policies on any users.
  • Accepted Answer

    Monday, April 10 2017, 10:13 PM - #Permalink
    Resolved
    0 votes
    John Colin McShane wrote:

    Do you have the "Administrators" module installed?


    I do not. Do I need to? I'm trying to do this as root so I don't think I need to delegate any administration tasks to another user.
  • Accepted Answer

    Monday, April 10 2017, 08:51 PM - #Permalink
    Resolved
    0 votes
    Make sure you have the underpinnings of a directory. You can validate this by running the following commands:

    wbinfo -t

    This should tell you that trust has succeeded. If it doesn't, then you have to rejoin the domain or look to your AD logs to determine the problem. When the time comes or as a troubleshooting measure you can run the following from command line to rejoin the domain:

    net ads join -S your.server.name -U administrator

    *where 'administrator' is the name of your domain admin account.

    If that succeeds then check the trust again.

    If trust is still failing, run these commands to validate that you have the right information for your domain:

    dig @localhost srv _ldap._tcp.dc._msdcs.$(egrep "^realm" /etc/samba/smb.conf | awk -F" = " '{ print$2 }') | egrep "^_ldap\._tcp\.dc\._msdcs\.$(egrep "^realm" /etc/samba/smb.conf | awk -F" = " '{ print$2 }')\.\s[0-9]+\sIN\sSRV\s[0-9]+\s[0-9]+\s[0-9]+\s$(egrep "^password server" /etc/samba/smb.conf | awk -F" = " '{ print$2 }')\.$"

    This should return something. If it does not, then your name resolution does not match your settings or your DNS is not pointed in any meaningful way to your AD domain controllers.

    Next, test your time. If the drift between your domain controller and your ClearOS system exceeds about 60 seconds, you will have problems. The following command will tell the drift in seconds between the ClearOS system and the server defined in your configuration:

    abs () { [ $1 -lt 0 ] && echo $((-$1)) || echo $1; } && abs $(expr $(date -d "$(net time -S $(egrep "^password server" /etc/samba/smb.conf | awk -F" = " '{ print$2 }'))" "+%s") - $(date "+%s"))

    If you get a number higher than 60 then you have problems with time sync.

    Both of these commands assume that the parameters for 'password server' and 'realm' in /etc/samba/smb.conf are separated from their value by a space, an equals sign, and a space.

    If there was a problem with DNS, consider using split horizon DNS settings as suggested here.

    If your problem is time drift, consider configuring your AD server to be an NTP server and then set the /etc/clearos/date.conf file to use the AD server for time. It is better that they are wrong together than for ClearOS to be right and your server to be wrong. Consensus in error is not insanity.

    If these things are fixed now, try rejoining the domain with the command listed above. The outcomes of the following commands should always work if your AD service connection is healthy:

    wbinfo -t
    wbinfo -g # should show you Samba's disposition on your group memberships in AD
    wbinfo -u # should show you Samba's disposition on your users in AD
    getent group # should show you PAM's convergence of winbind and local account information
    getent passwd # should show you PAM's convergence of winbind and local account information

    Note that the two latter commands will time out if your AD directory is very large and will not display information even though it is there and can be validated with the 'id' command. The getent command is a posix-type report but is limited and does not scale. Currently, ClearOS's list manifest for users and groups is based off of getent instead of wbinfo and will bomb with too many users on the report even though everything is working authentication-wise.

    IMPORTANT: when using AD Connector, no field can be manipulated in any of the ClearOS tools for account or plugin memberships. You must add the user to the appropriate group in AD for them to show up properly. This is because the AD connector is not a user management platform since you have subordinated all of your directory to Active Directory. Make your changes to Active Directory Users and Groups for them to appear in ClearOS.

    Also, to improve performance, you can set the Winbind service to operate in offline mode:

    Advantages:
    - Users who have previously authenticated can authenticate even if there are problems between the ClearOS server and the AD server
    - Users can authenticate even in timeout conditions

    Disadvantages:
    - As with non-cached mode, users cannot authenticate if they never have before.
    - Disabled users will still be able to authenticate in situations where the AD server is offline and there was never yet seen a reject message

    To set this mode, add the following to /etc/samba/smb.conf

    winbind offline logon = yes

    Once users are working on the platform, they can log into Webconfig as themselves and generate and retrieve their individual keys.
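The post above describes three checks in sequence: the wbinfo -t trust test, the _ldap._tcp.dc._msdcs SRV lookup for the realm, and the clock drift against the 'password server'. The script below is an added example, not from this thread and not ClearOS's own code: it wraps those checks in functions, parses 'realm' and 'password server' from smb.conf more tolerantly than the one-liners (which assume 'key = value' with no leading whitespace), applies the 60-second threshold from the post, and ships a constructed smb.conf so the parsing and drift arithmetic can be exercised on a machine that is not joined to any domain. The function names, the 'live' argument and the sample values are assumptions; the live path only runs where wbinfo, dig and net exist.

```shell
#!/bin/sh
# Added example (not from the thread): offline-testable version of the AD
# connector health checks. Assumes POSIX sh, the smb.conf keys "realm" and
# "password server", and the 60-second drift threshold quoted in the post.

# Constructed sample smb.conf, used only to exercise the parser without a domain.
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LAN
   password server = dc1.example.lan
   security = ads'

# smb_param FILE KEY: print the first value of KEY, tolerating leading
# whitespace and any spacing around "=" (the post's one-liners assume "key = value").
smb_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# abs_drift A B: absolute difference of two epoch timestamps, in seconds.
abs_drift() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - $d ))
    echo "$d"
}

# drift_status SECONDS: "ok" within the 60 s threshold, "drift" beyond it.
drift_status() {
    if [ "$1" -gt 60 ]; then echo "drift"; else echo "ok"; fi
}

# write_sample_conf: materialise SAMPLE_SMB_CONF in a temp file and print its path.
write_sample_conf() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SMB_CONF" > "$f"
    echo "$f"
}

# ad_health_check [SMB_CONF]: the live sequence from the post (trust, SRV
# record, clock drift). Returns 2 when the Samba/DNS tools are not installed,
# 1 on a failed trust check or missing config, 0 otherwise.
ad_health_check() {
    conf=${1:-/etc/samba/smb.conf}
    realm=$(smb_param "$conf" realm)
    pdc=$(smb_param "$conf" "password server")
    if [ -z "$realm" ] || [ -z "$pdc" ]; then
        echo "realm / password server not set in $conf"
        return 1
    fi
    for tool in wbinfo dig net; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed; skipping live checks"; return 2; }
    done

    # 1. Trust: the first thing the post says to verify; rejoin if it fails.
    if ! wbinfo -t >/dev/null 2>&1; then
        echo "trust check FAILED: rejoin with: net ads join -S $pdc -U administrator"
        return 1
    fi
    echo "trust: ok"

    # 2. DNS: the SRV record for the realm should name the password server;
    #    otherwise DNS is not pointed at the domain controllers.
    if dig +short @localhost srv "_ldap._tcp.dc._msdcs.$realm" | grep -qi "$pdc"; then
        echo "dns: SRV record for $realm names $pdc"
    else
        echo "dns: WARNING, no SRV record for $realm naming $pdc"
    fi

    # 3. Time: the same arithmetic as the post's abs() one-liner, with the threshold applied.
    remote=$(date -d "$(net time -S "$pdc")" +%s)
    local_now=$(date +%s)
    drift=$(abs_drift "$remote" "$local_now")
    echo "clock drift: ${drift}s ($(drift_status "$drift"))"
}

# Offline demo: parse the constructed config and show the drift helpers.
demo_offline() {
    f=$(write_sample_conf)
    echo "realm=$(smb_param "$f" realm) pdc=$(smb_param "$f" 'password server')"
    echo "drift of 75s -> $(drift_status "$(abs_drift 100 175)")"
    rm -f "$f"
}

if [ "${1:-}" = "live" ]; then ad_health_check; else demo_offline; fi
```

Run it with no arguments anywhere to see the parser and drift helpers on the constructed config; on a joined ClearOS box, `sh script.sh live` runs the real sequence against /etc/samba/smb.conf and stops at the first failed step, which is the order the post recommends for troubleshooting.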
  • Accepted Answer

    Monday, April 10 2017, 05:19 PM - #Permalink
    Resolved
    0 votes
    Do you have the "Administrators" module installed?
  • Accepted Answer

    Wednesday, April 05 2017, 08:08 PM - #Permalink
    Resolved
    0 votes
    Has anyone found a solution for this? I'm using the fully updated latest version and I cannot flip openvpn/certificates support from disabled to enabled on a user account. When I go back to edit the user it will always be disabled again.
  • Accepted Answer

    Monday, August 29 2016, 04:45 PM - #Permalink
    Resolved
    0 votes
    I have a feeling we have reached the end of the line here. Unless things have changed, certificates and users were independent and any user could authenticate irrespective of the certificate used. Now with the added complication of AD and the plugin issue, I am not sure how to proceed - plus I am on holiday 1000km from my system and a proper screen and keyboard!
  • Accepted Answer

    Monday, August 29 2016, 01:16 PM - #Permalink
    Resolved
    0 votes
    The requirement for our architecture is a key per user and no shared key.

    I was able to create the server key but without getting the users' OpenVPN and User Certificates plugins enabled for the users, I am thinking it will be hard to get them created and then to get them authenticated if the system believes the OpenVPN plugin is not enabled for the users.

    Thanks for the help on this effort.
  • Accepted Answer

    Friday, August 26 2016, 05:10 PM - #Permalink
    Resolved
    0 votes
    I think you can generate certificates manually. I think I did for apache but I'm away for a while now so I can't check. Note that you only need one valid certificate, I believe, and not one per user.
  • Accepted Answer

    Friday, August 26 2016, 04:14 PM - #Permalink
    Resolved
    0 votes
    How do you make the user certificate files when the user certificates plugin is still saying disabled for the user, and the documentation states that to make the user certificates this plugin has to be enabled for the user?

    I am able to log in with the user's Active Directory account but when I go to the User Certificates menu option I get the warning message "Sorry, security certificates are not enabled for your account".

    When I go to the OpenVPN User and Security Certificates user Plugins under the Account Manager Section and click either of these "App Policy" buttons I see the users I have placed into the Active Directory Groups (openvpn_plugin, user_certificates_plugin) with check boxes next to the user accounts.

    However, when I go to the Accounts \ Users section and view the users in the "App Policies" button, the users have these policies listed as "Disabled".

    Where is the disconnect about the App Policies being available?

    How do you get them to be enabled?

    If I am not able to move forward, guess I might have to figure something else out.
  • Accepted Answer

    Monday, August 15 2016, 12:30 PM - #Permalink
    Resolved
    0 votes
    The individual user certificates are not listed there. One issue I am having is how to get the users to have OpenVPN User and Security Certificates User properties enabled. I have been following the Active Directory Connector and OpenVPN documentation for ClearOS 7 and cannot get the users to have these properties.
  • Accepted Answer

    Sunday, August 14 2016, 08:12 PM - #Permalink
    Resolved
    0 votes
    If the webconfig is the only issue and you don't have too many users, you can probably get round the issue by using a basic config file for OpenVPN and downloading the certificates and keys from /etc/pki/CA. You'll need ca-cert.pem, the user's pem file and his key file from the private directory.