This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD SSO not working without proxy on Sophos XG 18.0.1 MR-1-Build396

Hi,

We have setup proxy on client computer for the sophos xg and AD SSO in place and it just works fine; user starts browsing, gets seemlessly authenticated via AD SSO and surfs on...

Now my organization wants to get rid of proxy settings, the traffic goes to the router and the router segregate internet traffic and sends it to sophos but sophos is not passing traffic. When i checked logs, i found out that there is not log from the specific user and when i check the authentication logs there is not authentication request either for that user. Once i add proxy, AD SSO kicks in, user gets authenticated and now its synced into Sophos. Now if i even remove the proxy the browsing is just fine.

What can be the reason that when traffic from a new AD user directly reaches the firewall (and not via proxy setup), it does not get authenticated and does not get internet either. How can i make this work.

I hope i am making sense, if not, please feel free to ask any question.

ps. i even tried setting up Sophos as gateway IP for the client and still no good.

regards,

Moeed

This thread was automatically locked due to age.

Top Replies

Vivek Jagad over 2 years ago in reply to Moeed Aziz +1 suggested

Hey Moeed Aziz , Can you disable the AD SSO under the administration > device access > for the LAN zone if enabled and then check if the error persists ?

Parents

0 Vivek Jagad over 2 years ago

Hello Moeed Aziz,

Thank you for reaching out to the community, I would request you to upgrade the firmware to v18.5.4 MR-4 the latest build:
The current firmware you are using is already declared EoL

Major software version End-of-Life notification End-of-Life (EOL)

SFOS 18.0 18-JAN-2022 31-JUL-2022

============================================================
Please refer the retirement calendar below:

If the reported problem persist even after the firmware upgrade please let us know here !!

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Moeed Aziz over 2 years ago in reply to Vivek Jagad

I tried 18.5.4 but it causes "Can't establish NTLM authentication channel with" domain controller.

18.0.1 works just fine for me other than the issue mentioned above.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 2 years ago in reply to Moeed Aziz

Hey Moeed Aziz,

Can you share the screenshot of the error you are receiving and logs from the advance shell:
tail -f /log/nasm.log
Log file details: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogFileDetails/index.html

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Moeed Aziz over 2 years ago in reply to Vivek Jagad

Below is the output of the command:

Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Sep 21 15:01:56.507528 [nasm] is_ad_server_alive: waitpid() failed for 'No chi ld processes'

Sep 21 15:02:16.851228 [nasm] is_ad_join_required() AD join NOT required due t o no change in smb.conf
Sep 21 15:02:17.377501 [nasm] channel established successfully
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Sep 21 15:02:19.377665 [nasm] is_ad_server_alive: waitpid() failed for 'No chi ld processes'
Sep 21 15:02:39.721640 [nasm] is_ad_join_required() AD join NOT required due to no change in smb.conf
Sep 21 15:02:40.255921 [nasm] channel established successfully
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Sep 21 15:02:42.256068 [nasm] is_ad_server_alive: waitpid() failed for 'No child processes'
Sep 21 15:03:02.582596 [nasm] is_ad_join_required() AD join NOT required due to no change in smb.conf
Sep 21 15:03:03.111373 [nasm] channel established successfully
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Sep 21 15:03:05.111553 [nasm] is_ad_server_alive: waitpid() failed for 'No child processes'
Sep 21 15:03:25.454555 [nasm] is_ad_join_required() AD join NOT required due to no change in smb.conf
Sep 21 15:03:25.982778 [nasm] channel established successfully
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Sep 21 15:03:27.982958 [nasm] is_ad_server_alive: waitpid() failed for 'No child processes'
Sep 21 15:03:48.326699 [nasm] is_ad_join_required() AD join NOT required due to no change in smb.conf
Sep 21 15:03:48.863260 [nasm] channel established successfully
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Sep 21 15:03:50.863424 [nasm] is_ad_server_alive: waitpid() failed for 'No child processes'
Sep 21 15:04:11.209236 [nasm] is_ad_join_required() AD join NOT required due to no change in smb.conf
Sep 21 15:04:11.746588 [nasm] channel established successfully
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Sep 21 15:04:13.746754 [nasm] is_ad_server_alive: waitpid() failed for 'No child processes'
Sep 21 15:04:34.083844 [nasm] is_ad_join_required() AD join NOT required due to no change in smb.conf
Sep 21 15:04:34.609722 [nasm] channel established successfully
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
winbindd version 4.7.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2017
Failed to create /var/log/samba/cores for user 0 with mode 0700
Unable to setup corepath for winbindd: Success
initialize_winbindd_cache: clearing cache and re-creating with version number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Sep 21 15:04:36.609885 [nasm] is_ad_server_alive: waitpid() failed for 'No child processes'
^C
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 2 years ago in reply to Moeed Aziz

Hey Moeed Aziz,

Can you disable the AD SSO under the administration > device access > for the LAN zone if enabled and then check if the error persists ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 Moeed Aziz over 2 years ago in reply to Vivek Jagad

Still the same issue.
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 2 years ago in reply to Moeed Aziz

you mean you are still getting the errors under the log viewer > authentication section: "Can't establish NTLM authentication channel with" domain controller."

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
+1 -pete- over 2 years ago in reply to Moeed Aziz
Hi Moeed Aziz,

In 18.5 MR4, can you please run the following command from the advanced shell?

opcode -ds nosync nasm_cleanup

This should address the issue where the firewall is failing to join the domain by forcing a re-initialization of the nasm service/environment.

Thanks,
Peter Gale | Director, Software Development, NSG
Peter Gale | Director, Software Development, NSG
peter.gale@sophos.com
Cancel
Vote Up +1 Vote Down

Cancel
0 Moeed Aziz over 2 years ago in reply to Vivek Jagad

Yes
Cancel
Vote Up 0 Vote Down

Cancel
0 Moeed Aziz over 2 years ago in reply to -pete-

Still the same.
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Dunn over 2 years ago in reply to Moeed Aziz

Hi Moeed,

We are going to need more information and logs. The snippet of the logs you included shows an ongoing problem caused by an earlier error. We need to see the earlier error.

Can you please do the following:

# clear the log file
> /log/nasm.log

# reset all of nasm
opcode -ds nosync nasm_cleanup

Wait one minute. Then take a look at nasm.log. Can you post the entirety of the log file (or at least from the top to where the repeated loops occur).

Can you screenshot what the Administration > Device Access is? If AD SSO was disabled on all Zones it should have caused nasm to stop connecting to the AD server.

One of the changes between 18.5 MR1 and MR4 is that AD SSO better follows the Authentication > Server configuration for Connection Security / Port. Another thing to try would be (if it is not already) changing the setting to plaintext on port 389.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Michael Dunn over 2 years ago in reply to Moeed Aziz

Hi Moeed,

We are going to need more information and logs. The snippet of the logs you included shows an ongoing problem caused by an earlier error. We need to see the earlier error.

Can you please do the following:

# clear the log file
> /log/nasm.log

# reset all of nasm
opcode -ds nosync nasm_cleanup

Wait one minute. Then take a look at nasm.log. Can you post the entirety of the log file (or at least from the top to where the repeated loops occur).

Can you screenshot what the Administration > Device Access is? If AD SSO was disabled on all Zones it should have caused nasm to stop connecting to the AD server.

One of the changes between 18.5 MR1 and MR4 is that AD SSO better follows the Authentication > Server configuration for Connection Security / Port. Another thing to try would be (if it is not already) changing the setting to plaintext on port 389.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data