On 15/06/16 17:06, Matthew Newton wrote:
On Wed, Jun 15, 2016 at 11:50:57AM -0400, Alan DeKok wrote:
On Jun 15, 2016, at 11:42 AM, lejeczek via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-ms... I haven't seen that one. That has stuff in it (at least Kerberos configuration and nsswitch.conf) that you generally don't need to do. You just set "realm" and "password server" in smb.conf.
Don't bother with any FreeRADIUS testing until the above command works. See the Samba documentation for debugging winbind problems. General order to get things working is
- Configure Samba and join to the domain.
- Make sure "net ads testjoin" returns "Join is OK"
- Make sure winbind is running
- Make sure ntlm_auth will successfully authenticate from the shell
- Make sure permissions/group are right on the winbind privileged socket here, I missed radius to winbind's fs access. Now I have $ radtest -t mschap ... working, but I don't quite grasp why one has to test with "-t". When I now test without "-t" it still fails with:
(3) } # filter_username filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix : Checking for suffix after "@" (3) suffix : Looking up realm "my.domain.local" for User-Name = "pe243@my.domain.local" (3) suffix : Found realm "my.domain.local" (3) suffix : Adding Stripped-User-Name = "pe243" (3) suffix : Adding Realm = "my.domain.local" (3) suffix : Authentication realm is LOCAL (3) [suffix] = ok (3) eap : No EAP-Message, not doing EAP (3) [eap] = noop (3) [unix] = notfound (3) [files] = noop (3) [expiration] = noop (3) [logintime] = noop (3) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (3) WARNING: pap : Authentication will fail unless a "known good" password is available (3) [pap] = noop (3) } # authorize = ok (3) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/raddb/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject : EXPAND %{User-Name} (3) attr_filter.access_reject : --> pe243@my.domain.local (3) attr_filter.access_reject : Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure (3) [eap] = noop (3) remove_reply_message_if_eap remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else else { (3) [noop] = noop (3) } # else else = noop (3) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated thanks a lot!
- Make sure ntlm_auth will successfully authenticate from the shell when running as the FreeRADIUS user/group
- Configure and test FreeRADIUS.
If _any_ of the steps is not right then fix that before moving on to the next, otherwise it just won't work. This will also give a big hint as to where the problem lies.
The above is just as valid when using direct libwbclient configuration rather than ntlm_auth.
Matthew