Freeradius2 and Samba3x

Alan DeKok aland at deployingradius.com
Wed Jul 14 17:43:50 CEST 2010


freeradius at corwyn.net wrote:
> So we upgraded to samba 3x, but that appears to break freeradius. Hrm.

  The upgrade screwed up the file permissions.  See the debug output.

> We're using freeradius to auth VPN users that are connecting from a
> sonicwall firewall, using the windows l2tp client.
> 
> freeradius2-2.1.8-2.el5
> 
> Here's the output from radiusd -xX

  The FAQ, "man" page, etc., all say "radiusd -X".  The first step to
solving a problem is following documentation.
...
> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program output: winbind client
> not authorized to use winbindd_pam_auth_crap. Ensure permissions on
> /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)
> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program-Wait: plaintext: winbind
> client not authorized to use winbindd_pam_auth_crap. Ensure permissions
> on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)

  While that message is buried in lots of debug output, the following
few lines help:

> Wed Jul 14 10:51:16 2010 : Debug: Exec-Program: returned: 1
> Wed Jul 14 10:51:16 2010 : Info: [mschap] External script failed.
> Wed Jul 14 10:51:16 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is
> incorrect

  If you read the debug output looking *only* for WARNING, ERROR,
Failed, or Reject, you will almost always find a message describing the
problem.  As with this one, the message often says how to fix it, too.

 And another authentication request yields:

> Wed Jul 14 11:18:08 2010 : Info: [mschap]       expand:
> --nt-response=%{mschap:NT-Response:-00} ->
> --nt-response=00be3e466ff82a106ee9e3144e442c6caa1bcb71636031b6
> Wed Jul 14 11:18:08 2010 : Debug: Exec-Program output: NT_KEY:
> 580B07A2801E5E9B5CDD55BC23C38D1F
> Wed Jul 14 11:18:08 2010 : Debug: Exec-Program-Wait: plaintext: NT_KEY:
> 580B07A2801E5E9B5CDD55BC23C38D1F
> Wed Jul 14 11:18:08 2010 : Debug: Exec-Program: returned: 0
...
> Sending Access-Accept of id 224 to 10.4.1.2 port 2452
>         Reply-Message := "Authorized Users Only"
>         MS-CHAP2-Success =
> 0x01533d45453444463034303730304331303545384245463834323743454544353433303841303643454530
> 
>         MS-MPPE-Recv-Key = 0x908aea21b6fbe22426feafd473d29657
>         MS-MPPE-Send-Key = 0xe2cddf5bd3f2aaa193fbce0410b840e8
>         MS-MPPE-Encryption-Policy = 0x00000001
>         MS-MPPE-Encryption-Types = 0x00000006

  OK... so what's the problem?  MS-CHAP works...

> Any ideas?

  Read the debug output.  Post the debug output for *one* authentication
request, not 3-4.

> Here are the complete details of our config:

  Which the documentation does not ask for.  The "radiusd -X" output is
all that's necessary.

  Alan DeKok.
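
The reading strategy from the reply above (look only for WARNING, ERROR, Failed, or Reject, then read the lines around the hit), as an added example that is not part of the original post and not FreeRADIUS code. The function names `sample_log` and `radius_triage` are hypothetical, and the sample is constructed from the lines quoted in the thread, unwrapped to one message per line.

```shell
#!/bin/sh
# Added example (not from the thread): triage "radiusd -X" debug output by
# the keywords named in the reply, keeping a little context before each hit.

# Constructed sample: lines quoted in the thread, one message per line.
# The NT_KEY value is replaced by a placeholder.
sample_log() {
cat <<'EOF'
Wed Jul 14 10:51:16 2010 : Debug: Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly. (0xc0000022)
Wed Jul 14 10:51:16 2010 : Debug: Exec-Program: returned: 1
Wed Jul 14 10:51:16 2010 : Info: [mschap] External script failed.
Wed Jul 14 10:51:16 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Wed Jul 14 11:18:08 2010 : Debug: Exec-Program output: NT_KEY: <placeholder>
Wed Jul 14 11:18:08 2010 : Debug: Exec-Program: returned: 0
Sending Access-Accept of id 224 to 10.4.1.2 port 2452
EOF
}

# radius_triage [CTX]: read debug output on stdin. Print every line that
# contains WARNING, ERROR, Failed or Reject (any case) prefixed with ">> ",
# preceded by up to CTX earlier lines (default 2) that were not already
# printed. Returns 1 if at least one line matched, 0 otherwise.
radius_triage() {
    awk -v ctx="${1:-2}" '
    {
        line[NR] = $0                       # rolling buffer of recent lines
        if (tolower($0) ~ /warning|error|failed|reject/) {
            start = NR - ctx
            if (start <= last) start = last + 1   # do not repeat context
            for (i = start; i < NR; i++) print "   " line[i]
            print ">> " $0
            last = NR
            hits++
        }
        delete line[NR - ctx]               # keep only CTX lines of history
    }
    END { exit (hits > 0 ? 1 : 0) }'
}

# Demo on the constructed sample; "|| true" because hits return status 1.
sample_log | radius_triage 2 || true
```

On the sample, the two `[mschap]` failure lines are flagged and the context lines above them carry the winbind permissions message, while the later successful request produces no output.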


