HI,<div><br></div><div>Thanks,<br><br><div class="gmail_quote">On Mon, Jan 7, 2013 at 5:41 PM, Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On 07/01/13 16:49, Khapare Joshi wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello<br>
<br>
I been having problem as listed in this bug list:<br>
<br>
<a href="https://bugzilla.samba.org/show_bug.cgi?id=6563#c59" target="_blank">https://bugzilla.samba.org/<u></u>show_bug.cgi?id=6563#c59</a><br>
<br>
I know at least few university having similar issue and ended up with<br>
restarting winbind - that resolve the issue. I am not sure which version<br>
of samba+winbind are you using?<br>
</blockquote>
<br></div>
We are on RHEL5 using samba3x-3.3.8-0.52.el5_5.2. Our domain is Windows 2008R2, domain functional level is 2008R2 native.<div><br>
<br></div></blockquote><div>I am running on:<br>CENTOS6</div><div>samba-winbind-3.5.10-125.el6.x86_64<br><div>samba-3.5.10-125.el6.x86_64</div><div>samba-common-3.5.10-125.el6.x86_64</div><br><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Also, I am just thinking, is there a way to configure both kerberos<br>
(which works TTLS with PAP) and EAP-PEAP with MSCHAPv2 ? if it is<br>
possible I can support both TTLS via kerberos and PEAP - MCHAP with<br>
Active directory (winbind and samba). This way I can continue support<br>
older $$$client xp, win7 and for rest those are supported I can enforce<br>
to use TTLS-PAP with kerberos. It would be great if you direct me in<br>
right road.<br>
</blockquote>
<br></div>
Yes you can do this. I'm not sure what you're asking. You just configure each component correct and let it work.<br>
<br></blockquote><div>oh, I meant to support mschap as well. At the moment in my development environment I could not authenticate from windows 7 client because I can only choose mschap option. </div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This is only very slightly tricky because rlm_krb5 doesn't contain any Auth-Type handling; you need to run krb5 if it's a PAP request, see below. But you must already be doing this if you're using Kerberos, so just... keep doing it.<br>
<br>
<br></blockquote><div>Yes, Kerberos is working right now, What I did was :<br></div><div><br></div><div>Added /etc/raddb/site-enabled/inner-tunnel right after the Auth-Type PAP</div><div><div>Auth-Type kerberos {</div><div>
krb5</div></div><div>}</div><div><br></div><div>and DEFAULT AUTH-Type = kerberos in users file.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
sites-enabled/inner-tunnel:<br>
<br>
authorize {<br>
...<br>
eap<br>
mschap<br>
pap<br>
...<br>
}<br>
<br>
authenticate {<br>
Auth-Type PAP {<br>
krb5<br>
}<br>
Auth-Type MSCHAP {<br>
mschap<br>
}<br>
eap<br>
}<br>
<br>
...then configure "eap {}" appropriately for TTLS and PEAP.<div><div><br>
</div></div></blockquote><div><br></div><div>To make this work, I still have to configure samba, join radius server to AD and so on for the AD authentication right ?</div><div><br></div><div>but, kerberos only works with PAP, is there a security risk - what is your view on this?</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/<u></u>list/users.html</a><br>
</div></div></blockquote></div><br>
</div>