Alan, you were right.....I haven't joined to the domain because this is a new server, I forget it !!! After join the domain, the radtest worked OK. Special thanks to all of you and now I have to make the ldap authorization clauses based on SSID and ldap-groups....maybe I will ask for your help again. Regards!!! 2017-08-17 4:11 GMT-03:00 Alan DeKok <aland@deployingradius.com>:
On Aug 17, 2017, at 3:50 AM, Adam Cage <adamcage27@gmail.com> wrote:
Dear, I've tried to understand what you said and I've made some changes:
* I've deleted the the content of /etc/freeradius/users corresponding to ldap-group attribute
Good...
* I've added the ldap-group clauses in /etc/freeradius/sites-available/default and inner-tunnel, as you said. I have not the ultimate clause yet, so the clause is a noop if users belong to the Group1 group:
That's fine.
Here I show you the log for success test (Alan Dekok's guide exactly without LDAP authorization) and after that the log for failure test (adding LDAP support as described above), in order to confirm that mschap in the success test does not have the "NOT TRUSTED SAM ACCOUNT" error appearing in the failure case, being the same AD in both cases:
Adding an "LDAP-Group" check just can't create that error. The error is because of something else. Likely that Samba hasn't actually joined the AD domain.
While I understand this is frustrating, the error is *entirely* between ntlm_auth and AD. No amount of poking at FreeRADIUS will fix the problem.
You will have to check that Samba is actually joined to the domain, and debug issues there.
You *can* run ntlm_auth manually, using the information provided in the debug output:
$ ntlm_auth --username=adam --domain=D-HOLOMIT --challenge=e1248c7251ea7e63 --nt-response=d594e0a1673248f8e3a3b358381b78 ed47891d8cd0fea851
Keep running that (and fixing AD / Samba issues) until you get "success" returned. FreeRADIUS will then work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html