Overview
I'm trying to get Proxmox to perform user authentication via LDAP with a Windows Server 2016 ADDS server. Proxmox is convinced that my credentials are incorrect.
Environment
- Proxmox 6.3-1, PVE 6.3-6
- Windows Server 2019 Datacenter 1809, b17763.1823
- The Proxmox server and Domain Controller are on the same network (the DC is a guest on the Proxmox instance).
- The DC's root certificate has been added to the Proxmox server's store.
- Proxmox's realm binding is set up with a dedicated standard user account in the OU OU=Service Users,DC=subdomain,DC=domain,DC=tld.
- I have an administrative account in the standard CN=Users,DC=subdomain,DC=domain,DC=tld.
- Proxmox's realm binding is as follows via the GUI:

General
- Domain: DC=subdomain,DC=domain,DC=tld
- Default: True
- Server: dc.subdomain.domain.tld
- Fallback Server: Unused
- Port: Default
- SSL: True
- Verify Certificate: True
- Require TFA: None

Sync Options
- Bind User: CN=ServiceAccount,OU=Service Users,DC=subdomain,DC=domain,DC=tld
- E-Mail Attribute: mail
- Groupname Attr.: sAMAccountName
- User Classes: user
- Group Classes: group
- User Filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=InfrastructureAdmins,CN=Users,DC=subdomain,DC=domain,DC=tld))
- Group Filter: (sAMAccountName=InfrastructureAdmins)
What's Happening
- Proxmox's login page gives the error message "Login failed. Please try again".
- Proxmox's syslog shows the line entry:
  hostname pvedaemon[pid]: authentication failure; rhost=10.9.0.50 user=username@realm msg=80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563
- The error code 52e suggests that the password is incorrect.
- I'm not seeing any entries for ServiceAccount or username in the DC's security event log when the login fails.
What I've Tried
- I've verified that Proxmox can communicate with the DC; when the realm is synced, it successfully pulls groups and users from the domain.
- I've verified that the binding user ServiceAccount can log in to a domain-joined computer.
- I've verified that the account I'm testing with (my admin account) can log in to domain-joined computers; it's the account I'm logged into the DC with.
- I've also created a test account with no additional settings, just the proper group membership, and attempted to use it to log into Proxmox.
- I've tried simplifying the passwords for both my user account and the binding account down to P4$$w0rd.
- LDAP works for other systems with a similar binding account.
Any guidance or suggestions would be greatly appreciated.
Best Answer
I can't be sure you and I have the same problem, but I solved the same symptoms by:
- ad.example.com). Proxmox will append this to a user name in order to log on, so the LDAP server will reject you if you've got it wrong.
- ProxmoxAdmins and assigned it the Administrator role)

Things I've noticed are that the log messages don't tell you the cause of the problem at all. I've also noticed that LDAP groups cannot have spaces in them (e.g. Proxmox Admins doesn't work, ProxmoxAdmins does). You can see this if you do a "sync preview" in the LDAP settings. And lastly, just because "sync" works, doesn't mean users will - it only tests the Bind credentials (a useful check, but not everything!).
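Added example, not part of the question or of the answer above: a small Python triage script for the pvedaemon syslog line the question quotes. The "data NNN" sub-code that Active Directory appends to an AcceptSecurityContext failure does narrow the cause (52e is a credential rejection, which is what a wrong user@domain suffix also produces; 775 is a lockout; 533 a disabled account), so pulling it out of the log and counting repeats per user and source host is a useful check when the GUI only says "Login failed". The log line layout is assumed from the single line in the question (other pvedaemon versions may format it differently), the sample lines, host names, PIDs and addresses are constructed, and the sub-code table is Microsoft's documented set of AD bind error data codes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog lines modelled on the pvedaemon entry quoted in the
# question (host name, PIDs, addresses and user names are made up).
SAMPLE_LOG = """\
pve pvedaemon[2210]: authentication failure; rhost=10.9.0.50 user=alice@ad msg=80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563
pve pvedaemon[2210]: authentication failure; rhost=10.9.0.50 user=alice@ad msg=80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563
pve pvedaemon[2210]: authentication failure; rhost=10.9.0.51 user=bob@ad msg=80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 775, v4563
pve pvedaemon[2210]: authentication failure; rhost=10.9.0.52 user=carol@pve msg=no such user ('carol@pve')
pve pvedaemon[2210]: <root@pam> successful auth for user 'root@pam'
"""

# Meaning of the "data NNN" sub-code Active Directory attaches to an
# AcceptSecurityContext (bind) failure; these are Microsoft's documented codes.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or a user@domain name AD could not resolve)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Layout assumed from the one line quoted in the question.
LINE_RE = re.compile(
    r"pvedaemon\[\d+\]: authentication failure; "
    r"rhost=(?P<rhost>\S+) user=(?P<user>[^@\s]+)@(?P<realm>\S+) msg=(?P<msg>.*)$"
)
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]{3})")


@dataclass
class AuthFailure:
    rhost: str
    user: str
    realm: str
    ad_code: Optional[str]   # None when the failure did not come from an AD bind
    reason: str


def parse_auth_failure(line: str) -> Optional[AuthFailure]:
    """Return a structured record for a pvedaemon auth-failure line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    d = DATA_RE.search(msg)
    code = d.group("code") if d else None
    if code is None:
        reason = "not an AD bind error: " + msg
    else:
        reason = AD_BIND_DATA_CODES.get(code, "unrecognised AD data code " + code)
    return AuthFailure(m.group("rhost"), m.group("user"), m.group("realm"), code, reason)


def parse_log(log_text: str) -> list:
    """All auth-failure records in a block of syslog text, other lines skipped."""
    return [f for f in map(parse_auth_failure, log_text.splitlines()) if f is not None]


def count_by_code(log_text: str) -> dict:
    """How many failures of each AD sub-code (None = non-AD failure) the log holds."""
    return dict(Counter(f.ad_code for f in parse_log(log_text)))


def repeated_bad_password(log_text: str, threshold: int = 2) -> list:
    """(user@realm, rhost) pairs with at least `threshold` 52e failures: the
    pattern that precedes an AD lockout (data 775) and is worth alerting on."""
    hits = Counter((f"{f.user}@{f.realm}", f.rhost)
                   for f in parse_log(log_text) if f.ad_code == "52e")
    return sorted(k for k, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"{f.user}@{f.realm} from {f.rhost}: {f.reason}")
    print("per-code counts:", count_by_code(SAMPLE_LOG))
    print("repeated bad passwords:", repeated_bad_password(SAMPLE_LOG))
```

Run it against `journalctl -u pvedaemon` output (or /var/log/syslog) instead of `SAMPLE_LOG` to see which sub-code the DC is actually returning; a steady stream of 52e for one user from the Proxmox host's own address, with no matching entries in the DC's security log, is the signature the question describes, whereas 775 means the earlier attempts have already tripped the lockout policy.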