We run Debian, and we currently have our samba packages pinned at version 2:3.0.30-3 due to this issue:
http://lists.freeradius.org/pipermail/freeradius-users/2009-February/msg0028...
See the Debain APT manual for information on package pinning.
Thanks Mike! I'll look into this a bit more although as you say I am not quite having that issue (yet). :->
That said, your debug output (if that was all of it) didn't seem to suggest you're running into this particular issue just yet. I say that because your EAP exchange never progresses to the point where ntlm_auth is executed by FreeRADIUS. Things seem to be hanging right after the outer TLS tunnel is established, which may point to a certificate problem. Are you sure your server certificate is OK?
I am not sure that it is, I am a noob. I built freeradius from the current stable source, but I used apt to install openssl. My understanding was that when I fired freeradius up for the first time it would automatically populate /etc/freeradius/certs with all of the files necessary to make a proper peap connection. Can you suggest a way to test the cert? Wireshark tells me that my 3Com 3226 switch is sending an eap reject immediately after I connect the supplicant to a port protected with .1x. I don't see any traffic between the switch and freeradius so I am wondering if the switch doesn't support peap? Perhaps I should back off and try md5 or something? Also since I am throwing out the litany of my ignorance I haven't solved in a good way a complaint that I get when I am testing via 'wbinfo -a username%password'. I've had to chmod 777 /var/run/samba/winbindd_privileged in order to use the socket, of course restarting winbind resets the perms here. I saw something about enabling extending acls's on the file system to work around this issue. I'd be interested to know what you ended up doing. Thanks for the reply! John
Mike Loosbrock Bethel University Network Services 651-638-6723
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html