HI, Thanks, On Mon, Jan 7, 2013 at 5:41 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 07/01/13 16:49, Khapare Joshi wrote:
Hello
I been having problem as listed in this bug list:
I know at least few university having similar issue and ended up with restarting winbind - that resolve the issue. I am not sure which version of samba+winbind are you using?
We are on RHEL5 using samba3x-3.3.8-0.52.el5_5.2. Our domain is Windows 2008R2, domain functional level is 2008R2 native.
I am running on: CENTOS6 samba-winbind-3.5.10-125.el6.x86_64 samba-3.5.10-125.el6.x86_64 samba-common-3.5.10-125.el6.x86_64
Also, I am just thinking, is there a way to configure both kerberos (which works TTLS with PAP) and EAP-PEAP with MSCHAPv2 ? if it is possible I can support both TTLS via kerberos and PEAP - MCHAP with Active directory (winbind and samba). This way I can continue support older $$$client xp, win7 and for rest those are supported I can enforce to use TTLS-PAP with kerberos. It would be great if you direct me in right road.
Yes you can do this. I'm not sure what you're asking. You just configure each component correct and let it work.
oh, I meant to support mschap as well. At the moment in my development environment I could not authenticate from windows 7 client because I can only choose mschap option.
This is only very slightly tricky because rlm_krb5 doesn't contain any Auth-Type handling; you need to run krb5 if it's a PAP request, see below. But you must already be doing this if you're using Kerberos, so just... keep doing it.
Yes, Kerberos is working right now, What I did was :
Added /etc/raddb/site-enabled/inner-tunnel right after the Auth-Type PAP Auth-Type kerberos { krb5 } and DEFAULT AUTH-Type = kerberos in users file. sites-enabled/inner-tunnel:
authorize { ... eap mschap pap ... }
authenticate { Auth-Type PAP { krb5 } Auth-Type MSCHAP { mschap } eap }
...then configure "eap {}" appropriately for TTLS and PEAP.
To make this work, I still have to configure samba, join radius server to AD and so on for the AD authentication right ? but, kerberos only works with PAP, is there a security risk - what is your view on this?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>