Firewall and Webfiltering policies on AD username

How do I set firewall and webfiltering policies on my AD network using the AD usernames instead of IP addresses?

Previously, in case of IP, I was using hosts to define the IPs to test, and then adding them to hostgroups in the firewall objects. For this new test, how do I get the same result?

Hi,

I’m not in front of a NethServer instance, and can’t guide you formally.
But as I see in the Administrator Manual, You can create a group and apply a policy on the group.
Take a look here: http://docs.nethserver.org/en/latest/content_filter.html#users-from-active-directory


Right, thanks … but how I get the users from the AD? Do I import from a CSV file, as mentioned in: http://docs.nethserver.org/en/latest/accounts.html And then just create NS groups of users and apply firewall/proxy/filtering policies on those groups? Or is there another way to apply these policies on the AD users?

If you’re joined to an AD server, you should see the list of AD users right inside the Content filter page.

Sadly, you can’t use AD groups for content filtering.

Ok, if I understand correctly, I just go into the content filter -> profiles … and I should see the domain users in the dropdown box for the “who” field? I do not see the domain users in that list, or anywhere else for that matter. It makes me think I have to import the users first. Please correct me if I’m wrong.

Edit: I don’t care about groups, I can create NS groups and apply the policies on that, but obviously for NS groups to be made, I need to add AD users to it. I can’t see/understand how to get AD users.

Exactly, AD users must be listed inside this select box.
Please check that NS is correctly joined:

# net -k ads testjoin
Join is OK

You can list users and groups using these commands:

   getent passwd
   wbinfo -u
   wbinfo -g

No, you can’t use groups at all with AD. Unless you do some hacky and unsupported commands which I even don’t recall! :smiley:

But I don’t see the users in dropdown:

getent passwd shows me no domain users in the output.
wbinfo -u gives no output
wbinfo -g shows below:

Please show your Windows Network panel :slight_smile:

Sorry, what network panel? I don’t understand

This panel
http://community.nethserver.org/t/connect-to-acitvedirectory-windows-server-2008/?source_topic_id=3251

Here you go :slight_smile:

Edit: All my AD users are part of this CN, but I can’t see them in any output on NS, as I said above. I can however see my AD groups (also part of same CN), as shown in pic above as output of “wbinfo -g”

I can’t figure out why you can’t see AD users.

The UI executes the getent command, this is the relevant code:

Not sure if it matters, but on my system, I connected to OU=Users rather than CN=Users even though it was a container object.

Here’s the output of my “getent passwd” command:

[root@nethserver ~]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:996:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
polkitd:x:997:995:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
srvmgr:x:996:994::/home/srvmgr:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
clamupdate:x:995:993:Clamav database update user:/var/lib/clamav:/sbin/nologin
redis:x:994:992:Redis Database Server:/var/lib/redis:/sbin/nologin
c-icap:x:993:991:C-ICAP Service user:/var/run/c-icap:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
chrony:x:992:990::/var/lib/chrony:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
ldap:x:55:55:OpenLDAP server:/var/lib/ldap:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
snort:x:991:989:Snort:/var/log/snort:/bin/false
nsstest:x:1001:1001:LibNss_Test_Account:/var/lib/nethserver/home/nsstest:/bin/false
locals:x:1002:1002:Local users:/var/lib/nethserver/home/locals:/bin/false
admin:x:1000:1000:admin:/var/lib/nethserver/home/admin:/bin/bash
domadmins:x:1003:1003:Domain Admins:/home/domadmins:/bin/false
domcomputers:x:1004:1004:domcomputers:/var/lib/nethserver/home/domcomputers:/bin/false
domguests:x:1005:1005:domguests:/var/lib/nethserver/home/domguests:/bin/false
[root@nethserver ~]#

I changed the CN to OU, but there’s no change in the situation.

I’ve also tried to leave the domain, and rejoin … but there’s still no change.

Edit: Interestingly, when I rejoin the domain, it doesn’t ask for username/password again.

Update: I fired up another instance of NS on a VM, and installed only the file server package. Set the NTP and DNS correctly … joined the domain successfully … the result is the same.

[root@ns2 ~]#
[root@ns2 ~]# net -k ads testjoin
Join is OK
[root@ns2 ~]#
[root@ns2 ~]#
[root@ns2 ~]#
[root@ns2 ~]# wbinfo -u
[root@ns2 ~]#

I don’t get what I’m doing wrong.

One thing to note is: When joining the domain, when I click on “submit”, I still get the error “Task completed with errors #exit status” … with the pop-up to put in admin username/password. After putting in the username and password, it joins the domain successfully and shows above behavior. I don’t know if this is important or not.

Update 2: I finally got it working. My original NS was the 7.x alpha version. The second NS server I set up was the same. Finally, for my last attempt, I used the 6.7 stable version. Followed exactly the same steps and joined without any problems or error messages. wbinfo -u now shows the list of users properly.

I don’t know the root cause of the problem, but it seems there’s something wrong with the version 7 integration.


We are completely rewriting the user/group module :slight_smile:

So if a LAN has 2000 users, let’s say … they have to create 2000 different profiles on the content filter? Really?? I’m finding it a hassle to create profiles only for 60 people, I can’t imagine how bigger networks would deal with it :smile:

You’re right, but I would like to explain the problem hoping someone will come out with a good idea to fix it.

Scenario

  • AD server with students group
  • The students group contains 3 users: user1, user2, user3
  • NS configured to filter web content for students group, but the group must be expanded into the list of users inside the configuration file (in this case it’s a limitation of SquidGuard)
  • Admin adds the user4 to students group
  • NS doesn’t know the group has been changed, so it continues to block only user1, user2 and user3

The only viable fix is to manually connect to NS, regenerate the configuration file and restart the SquidGuard service.

Does someone know how to automate this? :frowning2:
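One way to automate the refresh described in the scenario above, as an added example that is not NethServer's or SquidGuard's own code: a cron-able script that expands the AD group through NSS (`getent group`), rewrites the SquidGuard user list only when the membership actually changed, and then reloads the proxy. The group name, the userlist and cache paths, and the reload command are assumptions to adapt to your install; the script refuses to apply an empty membership so a winbind hiccup cannot silently blank the list.

```shell
#!/bin/bash
# Added example (hypothetical, not NethServer's own tooling): keep a
# SquidGuard user list in sync with an AD group resolved through winbind/NSS.
# Cron it every few minutes:  ./ad-group-sync.sh sync students
set -u

USERLIST_DIR="/etc/squid"               # assumed location of SquidGuard userlists
CACHE_DIR="/var/cache/ad-group-sync"    # assumed cache of the last applied membership
RELOAD_CMD="squid -k reconfigure"       # assumed reload command; adjust to your install

# Parse one "getent group" line (name:x:gid:member1,member2,...) into one
# member per line, sorted, with any DOMAIN\ prefix winbind may add removed.
expand_group_line() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) { sub(/^.*\\/, "", m[i]); if (m[i] != "") print m[i] }
    }' | sort -u
}

# Return 0 (true) when the new member list differs from the cached one,
# or when no cache exists yet (the first run must always generate).
membership_changed() {   # $1 = newline-separated members, $2 = cache file
    [ -f "$2" ] || return 0
    [ "$(printf '%s\n' "$1")" != "$(cat "$2")" ]
}

main() {
    group="$1"
    line=$(getent group "$group") || { echo "group '$group' not resolvable via NSS" >&2; return 1; }
    members=$(expand_group_line "$line")
    # Never replace a working list with nothing: an empty expansion usually means
    # winbind is not answering, not that the group really lost all its members.
    [ -n "$members" ] || { echo "refusing to apply empty membership for '$group'" >&2; return 1; }
    if membership_changed "$members" "$CACHE_DIR/$group.members"; then
        mkdir -p "$CACHE_DIR"
        # This file is referenced by a "userlist" entry in the squidGuard src block.
        printf '%s\n' "$members" > "$USERLIST_DIR/$group-users"
        printf '%s\n' "$members" > "$CACHE_DIR/$group.members"
        $RELOAD_CMD
        echo "updated $group: $(printf '%s\n' "$members" | wc -l) users"
    fi
}

case "${1:-}" in
    sync) main "${2:-students}" ;;
esac
```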