infamous AD integration

Alan DeKok aland at deployingradius.com
Wed Jun 15 17:50:57 CEST 2016


On Jun 15, 2016, at 11:42 AM, lejeczek via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I know there are howtos and as a novice I've been reading whatever I could find but I still fail to have my radius 3.0.4 talk to AD 2014.
> 
> I'm hoping some expert would share a pointer to a nice & working tutorial on how to set up active directory.
> 
> I've gotten it up to winbind bit working fine, seems samba+winbind are doing ok, and before I dump my configs I'd like to say I followed these:
> 
> https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-mschap/

  I haven't seen that one.

> http://deployingradius.com/documents/configuration/active_directory.html

  That's mine.  It works.

> ... and a few more.
> 
> What I'm hoping to have might be a bit nonstandard(?) - it might be that I don't need that, that I don't need full domain name.

  That's fine.  It doesn't make any difference.

> before I dump the configs here, I test radius:
> 
> $ radtest -t mschap pe243@my.domain.local my.Pass $(hostname -f) 1812 radius.Pass
> 

> Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
> (2)  mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (2)  mschap :    --> --username=pe243@my.domain.local
> (2)  mschap : mschap1: 53
> (2)  mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (2)  mschap :    --> --challenge=53a9b819d2f4c974
> (2)  mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (2)  mschap :    --> --nt-response=eaaf1863833782d3cfc44549b99ba2a0831afaf3b25b13a6
> Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'

  Something is wrong with winbind.  Use the above debug output to test it on the command line:

$ /usr/bin/ntlm_auth --request-nt-key --username=pe243@my.domain.local --challenge=53a9b819d2f4c974 --nt-response=eaaf1863833782d3cfc44549b99ba2a0831afaf3b25b13a6

  Don't bother with any FreeRADIUS testing until the above command works.  See the Samba documentation for debugging winbind problems.

  Alan DeKok.
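
Added example, not part of the original message or of FreeRADIUS: a small Python helper that rebuilds the ntlm_auth command line from the "Executing:" and "-->" lines of the debug output, so the same call can be repeated by hand as described above. The function names, the embedded sample log and the hex-length check are assumptions of this example.

```python
import re
import shlex

# Constructed sample of debug output, modelled on the lines quoted in the thread.
SAMPLE_DEBUG = """\
Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(2)  mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(2)  mschap :    --> --username=pe243@my.domain.local
(2)  mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(2)  mschap :    --> --challenge=53a9b819d2f4c974
(2)  mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(2)  mschap :    --> --nt-response=eaaf1863833782d3cfc44549b99ba2a0831afaf3b25b13a6
"""

# Assumed lengths: 8-byte challenge and 24-byte NT-Response, written as hex.
# A value of "00" means the template's ":-00" fallback was used instead.
HEX_LEN = {"--challenge": 16, "--nt-response": 48}


def rebuild_ntlm_auth(debug_text):
    """Return (argv, problems) for the ntlm_auth call seen in debug_text."""
    argv, problems = [], []
    for line in debug_text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line)  # tolerate mail-quoted logs
        m = re.search(r"Executing:\s+(\S+)(.*)", line)
        if m:
            # Keep program and literal flags; %{...} templates come from "-->" lines.
            argv = [m.group(1)] + [w for w in m.group(2).split() if "%{" not in w]
            continue
        m = re.search(r"-->\s+(--[\w-]+)=(.*)$", line)
        if m and argv:
            flag, value = m.group(1), m.group(2)
            want = HEX_LEN.get(flag)
            if want and not re.fullmatch(r"[0-9a-fA-F]{%d}" % want, value):
                problems.append(f"{flag}: expected {want} hex digits, got {value!r}")
            argv.append(f"{flag}={value}")
    if not argv:
        problems.append("no 'Executing:' line found")
    return argv, problems


def as_shell(argv):
    """Quote argv so it can be pasted into a shell unchanged."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    argv, problems = rebuild_ntlm_auth(SAMPLE_DEBUG)
    print(as_shell(argv), *problems, sep="\n")
```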
