Nethserver active directory login for NAS and other non-Windows hosts / apps

Evening all, hoping you can help with this one

Struggling to get NETHSERVER active directory to work with NXFILTER
NXFILTER (NxFilter, Your free DNS filter! – Free DNS filtering for everybody.) is on a separate VM and I am struggling with the authentication. I can ping the AD IP of the NETHSERVER box and have tried ports 389 and 636. I have tried loads of combinations to get it to work and I'm either greeted with a spinning circle on NXFILTER or it states I need to enable SSL, or there is an issue with the certificate.

What am I missing? I had similar issues trying to get QNAP to authenticate with NETHSERVER and in the end gave up and used the authentication on QNAP.

@derilium

Hi Robert

I think you’re unaware of the fact that a lot of applications - and programming languages - are very fussy when it comes to SSL certs. Applications written in JAVA and PHP tend to be such cases…

Why am I explaining this?

Your AD is on a NethServer, and NethServer can easily use LetsEncrypt SSL certs for free…
These work, e.g. with QNAP and other apps, most likely also your NXFILTER - but only if your AD also uses valid LE SSL certs, which is NOT the case out of the box with NethServer…

This is easily corrected, however.

Add your AD's name (must be resolvable from external DNS; this can point to your firewall, forwarding ports 80 and 443 to NethServer) to the list of LetsEncrypt Aliases in NethServer (the LE request).

Get your LE certs working, set them as default (Use the three dots!), then follow this:

==== Install LetsEncrypt SSL in AD ====

Create the needed script in the right directory:

nano /etc/e-smith/events/certificate-update/S80push2ad

Contents:

#!/bin/bash
# Copy the host's current (LetsEncrypt) certificate and key into the Samba AD container
cp -f -p /etc/pki/tls/certs/localhost.crt  /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp -f -p /etc/pki/tls/private/localhost.key  /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
# Key readable by root only, certificate world-readable
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
# Restart Samba inside the nsdc container so it picks up the new certificate
systemctl -M nsdc restart samba

Exit with 'CTRL-x', save with 'y'.

Set executable permissions on the script:

chmod 750 /etc/e-smith/events/certificate-update/S80push2ad

Then run the script at least once:

cd /
/etc/e-smith/events/certificate-update/S80push2ad

NethServer automatically renews the LE cert on time…

Done!


All of the above is of course in vain, if your AD is set up using very outdated concepts like a .local domain… This won’t work with SSL…

→ It’s now almost the end of 2022, concepts from before the millennium should be left where they belong, in the dust!

Even Microsoft has been suggesting to use a subdomain like ad.domain.tld for your AD, using a real Internet DNS domain - and this for more than ten years now!

Most AD needs a valid SSL cert nowadays, but a lot of Windows Admins still use .local domains.

Some people state security reasons, but I doubt they understand the issues. The SSL cert encrypts the over-the-air transfers.

  • A (bought) SSL cert is static for one year usually. (Gives a potential hacker a year's time to use brute force)
  • A self-created SSL cert is usually static for eternity. (At least you’ll likely be blissfully ignorant your server has long been rooted…)
  • LetsEncrypt mandates a 3-month rotation with new certs, a new SSL base for encryption. NethServer automatically renews the LE cert on time…

So what is more secure? :)

Hope this is comprehensible, implementable and helps!

My 2 cents
Andy

PS:
Once you have LE SSL certs working on your AD, use Port 636 on your NXFILTER…
I’ve never used NXFILTER myself (I use PI-Hole), but I’ll wager it works right away!

Greatly appreciated on the help. I think it's almost there, though the next issue seems to be that NxFilter wants a subject alternative name to connect, and that being NethServer's IP address (NxFilter doesn't allow me to put the server name instead). This has been raised on their forum. Any ideas how I can add the subject alternative name?

Add it (subject alternative name) as a (DNS-) Alias.
Then also in the Aliases for LetsEncrypt…
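Two points in this thread come down to "what does the certificate the AD presents on port 636 actually say": whether the S80push2ad script really got the LetsEncrypt cert into the nsdc container, and whether that cert carries the name (DNS name or IP) the client insists on in its subject alternative name. The script below is an added example, not part of the thread and not NethServer's own tooling. It only needs the `openssl` command line. The hostname `ad.example.com`, the address `192.0.2.10` and the 90-day self-signed certificate it generates are constructed sample data so the checks can be exercised offline; against a real AD you would feed it the certificate fetched with `fetch_ldaps_cert` or the files from `/var/lib/machines/nsdc/var/lib/samba/private/tls/`.

```shell
#!/bin/bash
# Added example (not from the thread): inspect an LDAPS certificate the way a
# client such as NxFilter or a NAS does before it agrees to talk to the AD.
set -eu

# Print the SAN entries of a PEM certificate, one per line, e.g.
#   DNS:ad.example.com
#   IP Address:192.0.2.10
cert_san_entries() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//'
}

# Return 0 if the certificate lists NAME (a DNS name or an IP address) in its SAN.
# This is the check that fails when a client connects by IP but the cert only
# names the host, or vice versa.
cert_covers_name() {
  name="$2"
  cert_san_entries "$1" | grep -qxF -e "DNS:$name" -e "IP Address:$name"
}

# Return 0 if the certificate stays valid for at least DAYS more days.
# Useful as a watchdog that the LetsEncrypt renewal really reached the AD.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint of a certificate; compare the host's localhost.crt with
# the copy inside the nsdc container to confirm the push script did its job.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fetch the certificate a live LDAPS server presents (needs the network, so it
# is not exercised by the self-test below). Usage: fetch_ldaps_cert ad.example.com > ad.pem
fetch_ldaps_cert() {
  host="$1"; port="${2:-636}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509
}

# --- Constructed sample: a throwaway self-signed cert shaped like the one the
# --- thread ends up needing, with both a DNS name and an IP in the SAN.
WORK=$(mktemp -d)
SAMPLE_CERT="$WORK/cert.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
  -keyout "$WORK/key.pem" -out "$SAMPLE_CERT" \
  -subj "/CN=ad.example.com" \
  -addext "subjectAltName=DNS:ad.example.com,IP:192.0.2.10" >/dev/null 2>&1
cp "$SAMPLE_CERT" "$WORK/cert-copy.pem"   # stands in for the copy inside nsdc

# Self-check on the constructed certificate
cert_covers_name "$SAMPLE_CERT" ad.example.com && echo "SAN covers ad.example.com"
cert_covers_name "$SAMPLE_CERT" 192.0.2.10     && echo "SAN covers 192.0.2.10"
cert_valid_for_days "$SAMPLE_CERT" 30          && echo "valid for 30+ days"
[ "$(cert_fingerprint "$SAMPLE_CERT")" = "$(cert_fingerprint "$WORK/cert-copy.pem")" ] \
  && echo "host cert and container copy match"
```

On a NethServer the two real inputs are `/etc/pki/tls/certs/localhost.crt` on the host and `/var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem` inside the container; equal fingerprints mean the S80push2ad script ran, and a fingerprint that still matches after the three-month LetsEncrypt renewal means the `certificate-update` event did not fire. For the SAN question, note that at the time of this thread Let's Encrypt issued certificates for DNS names only, so a client that can only be pointed at an IP address will not find that IP in an LE certificate's SAN; the DNS alias that is in the SAN is the name such a client has to be given.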