Hi, I would like to allow access when user authentication is approved by AD through winbind, OR when the MAC address is in a local file. I'm trying to follow this guide: https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind but also this other guide: https://wiki.freeradius.org/guide/mac-auth#mac-auth-or-802-1x My software versions: freeradius-3.0.14 samba-4.5.10 Samba/winbind works fine: # ntlm_auth --username=user --domain=DOMAIN Password: NT_STATUS_OK: Success (0x0) freeradius build.log looks good: checking for wbclient.h in /usr/include/samba-4.0/... yes checking for wbcCtxAuthenticateUserEx in -lwbclient... yes # grep winbind_ /etc/raddb/mods-available/mschap | grep -v ^# winbind_username = "%{mschap:User-Name}" winbind_domain = "DOMAIN" # tail -n 6 /etc/raddb/clients.conf client 10.215.144.92 { ipv4addr = 10.215.144.92 secret = testrad shortname = testsys require_message_authenticator = no }
From 10.215.144.92: # radtest -t mschap user password 10.215.144.91 0 testrad Sent Access-Request Id 181 from 0.0.0.0:39653 to 10.215.144.91:1812 length 132 User-Name = "user" MS-CHAP-Password = "password" NAS-IP-Address = 10.215.144.92 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "user" MS-CHAP-Challenge = 0x5e0a69983fa65564 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005b82652f1e38b465daebf5a3fb1a2697b12af97676f7c721 Received Access-Reject Id 181 from 10.215.144.91:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject
Radius log: (0) Received Access-Request Id 181 from 10.215.144.92:39653 to 10.215.144.91:1812 length 132 (0) User-Name = "user" (0) NAS-IP-Address = 10.215.144.92 (0) NAS-Port = 0 (0) Message-Authenticator = 0x1905f61891b983253895b1d8d33976d8 (0) MS-CHAP-Challenge = 0x5e0a69983fa65564 (0) MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000005b82652f1e38b465daebf5a3fb1a2697b12af97676f7c721 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) policy rewrite_calling_station_id { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy rewrite_calling_station_id = noop (0) if (!EAP-Message) { (0) if (!EAP-Message) -> TRUE (0) if (!EAP-Message) { (0) authorized_macs: EXPAND %{Calling-Station-ID} (0) authorized_macs: --> (0) [authorized_macs] = noop (0) if (!ok) { (0) if (!ok) -> TRUE (0) if (!ok) { (0) [reject] = reject (0) } # if (!ok) = reject (0) } # if (!EAP-Message) = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> user (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 181 from 10.215.144.91:1812 to 10.215.144.92:39653 length 20 # grep user /etc/raddb/radiusd.conf | grep -v '#' user = radius I cannot find any subdir named 'winbindd_privileged': # ls /var/lock/samba/ brlock.tdb mutex.tdb smbXsrv_session_global.tdb g_lock.tdb names.tdb smbXsrv_tcon_global.tdb gencache_notrans.tdb printer_list.tdb smbXsrv_version_global.tdb leases.tdb serverid.tdb smb_krb5 locking.tdb smbXsrv_client_global.tdb smbd_cleanupd.tdb msg.lock smbXsrv_open_global.tdb Why is my radtest above not getting an Access-Accept? Thanks, Vieri