All,
I am trying to authenticate my wifi
users via our AD. I'm finding bits and pieces on the internet to configure
things, but no completely usable howto.
Can someone of the users look at the
ouput below and point me to the correct solution/howto?
I setup smb.conf,krb5.conf and freeradius.
I joined the server to the domain and tested the connection with ntlm_auth:
[root@belx11ke ~]# /usr/bin/ntlm_auth
--request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
password:
NT_STATUS_OK: Success (0x0)
[root@belx11ke ~]#
rights of the winbind pipe:
ls -l /var/cache/samba/winbindd_privileged
total 0
srwxrwxrwx 1 root root 0 Oct 25
14:46 pipe
below is the debug output of freeradius
Processing the authenticate section
of radiusd.conf
modcall: entering group authenticate
for request 7
rlm_eap: Request found, released
from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established.
Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is
valid.
PEAP: Got tunneled EAP-Message
EAP-Message
= 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c30000
0000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
PEAP: Adding old state with a4
c3
PEAP: Sending tunneled request
EAP-Message
= 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c30000
0000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
FreeRADIUS-Proxied-To
= 127.0.0.1
User-Name
= "KMT-EU.KMTG.NET\\sstruyf"
State =
0xa4c337a92357e8d90a5f8c64b37d2df1
Processing the authorize section
of radiusd.conf
modcall: entering group authorize for
request 7
modcall[authorize]: module "preprocess"
returns ok for request 7
modcall[authorize]: module "mschap"
returns noop for request 7
rlm_realm: No '@' in User-Name
= "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
rlm_realm: No such realm
"NULL"
modcall[authorize]: module "kmt-eu.kmtg.net"
returns noop for request 7
rlm_realm: Looking up
realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
rlm_realm: Found realm
"KMT-EU.KMTG.NET"
rlm_realm: Adding Stripped-User-Name
= "sstruyf"
rlm_realm: Proxying request
from user sstruyf to realm KMT-EU.KMTG.NET
rlm_realm: Adding Realm
= "KMT-EU.KMTG.NET"
rlm_realm: Authentication
realm is LOCAL.
modcall[authorize]: module "ntdomain"
returns noop for request 7
rlm_eap: EAP packet type response
id 9 length 82
rlm_eap: No EAP Start, assuming
it's an on-going EAP conversation
modcall[authorize]: module "eap"
returns updated for request 7
users: Matched sstruyf
at 98
modcall[authorize]: module "files"
returns ok for request 7
modcall: group authorize returns updated
for request 7
rad_check_password: Found
Auth-Type EAP
auth: type "EAP"
Processing the authenticate section
of radiusd.conf
modcall: entering group authenticate
for request 7
rlm_eap: Request found, released
from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section
of radiusd.conf
modcall: entering group Auth-Type for
request 7
rlm_mschap: No User-Password
configured. Cannot create LM-Password.
rlm_mschap: No User-Password
configured. Cannot create NT-Password.
rlm_mschap: NT Domain delimeter
found, should we have enabled with_ntdomain_hack?
rlm_mschap: Told to do MS-CHAPv2
for KMT-EU.KMTG.NET\sstruyf with NT-Password
radius_xlat: Running registered xlat
function of module mschap for string 'Challenge'
mschap2: 95
rlm_mschap: NT Domain delimeter
found, should we have enabled with_ntdomain_hack?
radius_xlat: Running registered xlat
function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth
--request-nt-key --username=sstruyf --challeng e=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key
--username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
Exec-Program output: winbind client
not authorized to use winbindd_pam_auth_crap. Ensure permissions
on /var/cache/samba/winbindd_privileged are set correctly.
(0xc0000022)
Exec-Program-Wait: plaintext: winbind
client not authorized to use winbindd_pam_auth_crap. Ensure permissions
on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response
is incorrect
modcall[authenticate]: module
"mschap" returns reject for request 7
modcall: group Auth-Type returns reject
for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module
"eap" returns reject for request 7
modcall: group authenticate returns
reject for request 7
auth: Failed to validate the user.
Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no
User-Password attribute>] (from client localhost port 0)
Processing the post-auth section
of radiusd.conf
modcall: entering group Post-Auth-Type
for request 7
Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf@komatsu.eu
Tel. +32 (0)2 2552551