Error "Insufficent access rights" when add nethserver to AD

maiconjs · April 30, 2017, 3:00am

NethServer Version: NethServer release 7.3.1611 (Final)
Module: Accounts Provider

When trying to add the nethserver to ad (Windows Server 2008R2 with LDAPS), I get the message:

“Insufficent access rights (49/710): specify alternative LDAP bind credentials in Accounts provider configuration”

I looked for solutions in the forum, but I did not find something that solved. How to solve ?

davidep · April 30, 2017, 7:07am

The reason is explained here

http://docs.nethserver.org/en/v7/accounts.html#join-an-existing-active-directory-domain

Go to Accounts provider > Advanced settings and set the credentials. The inline help gives further details about field values.

Good news are we are going to drop this requirement soon (at least for the Server Manager application).

maiconjs · April 30, 2017, 1:56pm

Yes, I created a user named “root” in the “Nethserver” OU with administrative permissions, and I still receive the notification. The curious thing is that even with the notification, “Nethserver” can authenticate users of the Windows domain. Only squid is not yet authenticating.

davidep · April 30, 2017, 2:23pm

Are not required; read-only access is enough.

To be fully operational NethServer requires an additional account to perform simple LDAP binds. Create a dedicated user account in AD, and set a complex non-expiring password for it.

Please refer to the inline help for more info about required credentials.

This is another issue. Proxy clients use kerberos/GSSAPI, NTLM or HTTP basic auth against squid. The additional credentials you set are not involved.

maiconjs · April 30, 2017, 3:31pm

Sorry, but I can not understand. By default, do users created in AD already have read permission? When I create a user without administrative privileges, nethserver notifies you of “invalid credentials”, only with administrator permission that it registers in the AD but with the red “Insufficent access rights” notification.

maiconjs · April 30, 2017, 3:40pm

The status in domain account apparently it’s ok.

davidep · April 30, 2017, 7:49pm

Yes, all AD users have LDAP read access.

Some applications like NextCloud, Roundcube, Webtop, ejabberd and Server Manager (until next update) require to access LDAP directly to read users and groups information. They cannot use the machine account credentials, like those based on PAM/NSS/SSSD (ie postfix, dovecot, samba…), so they require some other user credentials.

To join an AD domain administrative credentials are required. It is a one time action. Provided credentials are forgotten immediately and never used to browse LDAP.

Could you open a root shell and paste here the output of

account-provider-test dump

A similar (but different) problem

maiconjs · May 1, 2017, 3:31pm

[maicon@nethserver ~]# account-provider-test dump
{
“startTls” : “”,
“bindUser” : “NETHSERVER$”,
“userDN” : “dc=company,dc=local”,
“port” : 636,
“isAD” : “1”,
“host” : “company.local”,
“groupDN” : “dc=company,dc=local”,
“isLdap” : “”,
“ldapURI” : “ldaps://company.local”,
“baseDN” : “dc=company,dc=local”,
“bindPassword” : “”,
“bindDN” : “COMPANY\NETHSERVER$”
}
[maicon@nethserver ~]#

maiconjs · May 1, 2017, 3:34pm

It’s strange because everything seems ok, but the red notification continues.

davidep · May 1, 2017, 4:44pm

It looks like you’re still missing this step!