Smoothwall Help

[DSapseid]

I have just bought smoothwall SchoolGuardian and have got it all installed nicely but i cant get the damn LDAP connection working properly I am 90% sure i have my settings correct but and have applied the changes and rebooted the server.

Settings i have got are below:

primary server : <servername>.internal.manhood.sussex.sch.uk
secondary server : <servername>.internal.manhood.sussex.sch.uk
kerberos realm: INTERNAL.MANHOOD.SUSSEX.SCH.UK
server user: administrator@INTERNAL.MANHOOD.SUSSEX.SCH.UK
LDAP Port: 389
User root: OU=Manhood Community College,DC=Internal,DC=Manhood,DC=Sussex,DC=sch,DC =uk

The OU Manhood Community College is my top level OU in ad.

What have i got wrong??

Cheers

Dan

[rob_f]

Instead of the administrator user, try creating a new user who is a domain admin (and hasn't got the password set to expire).

The administrator user often does not have a windows 2000 style user@domain login name. Hence cannot be used in this step.

If you find that your users don't have this style login name (on the accounts tab of their account properties), tick the "use SAM account name" underneath advanced. However the user in this first step in connecting to the directory must have both style usernames.

Hope this helps, if not feel free to let me know!


Rob.

[DSapseid]

Hi Rob,

I have created a new account called smoothwall and changed it but it still wont connect. On the Authentication -> Control page the only ones that are running are 'Authentication Service' and 'Authentication Service Local'. All the others are closed!

Cheers

Dan

[krisd32]

is the time set the same on the smoothwall box? this will stop communication between active directory and smoothwall.

[DSapseid]

the time is an hour fast but whenever i change it and then reboot it resets itself!!!

[krisd32]

Yeah i have this issue but don't generally need to restart it too often only when the updates are applied. just need to remember that it needs resetting everytime. have you tried it with the correct time? does it help with the issue at all?

[mounters]

Have you configured the system to get the time with ntp. Under system » preferences » time make sure you have set the correct time zone and then tick the box to enable network time retrieval.

Get the time set correctly first, otherwise you'll never get Kerberos to work.

[DSapseid]

I have set the time manually and still no luck

[DSapseid]

All working now i hadnt set the dns servers on the internal nic

[krisd32]

this is my settings page.

[rob_f]

Check to see if your time settings are the same as attached. Set them as this, click save, then "get time now". Hopefully that should make it always right. If running on a virtualisation platform, you may want to increase the network time retrieval frequency if you are seeing gradual time skew issues.

[tom_newton]

Thanks folks - you seem to have managed to sort things before my coffee kicked in!

Does sound like a GMT/DST issue if you are an hour out... what does the BIOS think it is doing?

For other "smaller" timing issues, Smoothie will shortly be changed to grab an ntp update on boot.

[DSapseid]

Right after getting this problem fixed yesterday i now have another! I have set the filtering rules to be block everything for all groups but its still letting you through (im typing this now going through it when i supposedly have blocked all web traffic!)

I have attached a screenshot of my filtering rules, as you can see i have disabled all of them apart from the block everything for all groups one. I only did this to see if the rules were overlapping and having a fight.

I have set the proxy correct in ie.

Any ideas??

[rob_f]

Are you perhaps in the network administrators group which by default is unfiltered - see Guardian > Authentication > Settings toward the bottom of the page.

Do you see your browsing in the logs (Information > Realtime > Web Filter or Information > Logs > Web Filter) and if so does it say "Exception" or similar next to it? This would again indicate the above. No log entries would mean you're not using the filter at all.

HTH,


Rob.

[krisd32]

Have you created groups in AD to map accross to the filter? i'm not at the high school today but i can send you over a manual that i created when i set all my stuff up if you want.