Hi, after I fully crashed my freeRADIUS Server I have to ask again: It still fails with: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: hausmeister@OBLAN [mschap] Told to do MS-CHAPv2 for hausmeister@OBLAN with NT-Password [mschap] expand: %{Stripped-User-Name} -> hausmeister [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=hausmeister [mschap] Creating challenge hash with username: hausmeister@OBLAN [mschap] expand: %{mschap:Challenge} -> 01b99ad5745936be [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=01b99ad5745936be [mschap] expand: %{mschap:NT-Response} -> cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt- response=cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject so Im not sure why. I think its because hes not allowed to execute the ntlm or my mschap is cofigured wrong. (or both) I checked the users/groups: sambashare:x:111:haus-meister winbindd_priv:x:112:freerad freerad:x:113:freerad ssl-cert:x:114:freerad looks fine to me? So my NTLM_Auth string in the modules/mschap is: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" I allso tried a lot of other stuff nothing change. Hope you can help me again. -- Mit freundlichem Gruß Nicolas Fischer email: nfischer@hush.com jabber: jagger@jabber.ccc.de tel: 01573-0420888 Skype: jagger64 TOX: Just ask me :) PGP-Key: http://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xCF5... If you sent me a PGP Crypted Mail I´ll be happy and will give you a free cookie :)
Hi,
I checked the users/groups: sambashare:x:111:haus-meister winbindd_priv:x:112:freerad freerad:x:113:freerad ssl-cert:x:114:freerad
looks fine to me?
what does your /var/lib/samba (or whatever your SAMBA directory is) look like regarding user/group/other permissions for the directories within?
So my NTLM_Auth string in the modules/mschap is: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
and does that work when you use it (replacing the %{} vars with what FreeRADIUS tried to use) on the command line? alan
Hi, ..just for info - from the FR mailing list archives: You were absolutely right. For future reference: Ubuntu (12.04) places the socket in /var/run/samba/winbindd_privileged The socket itself is owned root:root permissions s777 The directory is owned root:winbindd_privileged permissions 750 Adding the user freerad to the group winbindd_privileged did the trick. Thanks.... Peter you probably have EXACTLY the same issue. alan
Hi! /var/run/samba/winbindd_privileged/ is empty i can´t see anything in there? What exaclly is this socket? In /var/run/samba/winbindd/ is only a file names pipe? srwxrwxrwx 1 root root 0 Aug 18 16:05 pipe Im a little confused by now. If I execute the ntlm_auth command in the Terminal it fails with Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) If I execute it as root it workes. So its a rights Problem... -- Mit freundlichem Gruß Nicolas Fischer email: nfischer@hush.com jabber: jagger@jabber.ccc.de tel: 01573-0420888 Skype: jagger64 TOX: Just ask me :) PGP-Key: http://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xCF5... If you sent me a PGP Crypted Mail I´ll be happy and will give you a free cookie :) On 18.8.2014 at 6:09 PM, A.L.M.Buxey@lboro.ac.uk wrote:Hi, ..just for info - from the FR mailing list archives: You were absolutely right. For future reference: Ubuntu (12.04) places the socket in /var/run/samba/winbindd_privileged The socket itself is owned root:root permissions s777 The directory is owned root:winbindd_privileged permissions 750 Adding the user freerad to the group winbindd_privileged did the trick. Thanks.... Peter you probably have EXACTLY the same issue. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
IT FUCKING WORK! chown freerad on /var/run/samba/winbindd/ did it for me :) I want to thank you again guys. This is really one of the most friendly Mailinglists I know. . Cheers Nicolas -- On 19.8.2014 at 12:01 PM, nfischer@hush.com wrote:Hi! /var/run/samba/winbindd_privileged/ is empty i can´t see anything in there? What exaclly is this socket? In /var/run/samba/winbindd/ is only a file names pipe? srwxrwxrwx 1 root root 0 Aug 18 16:05 pipe Im a little confused by now. If I execute the ntlm_auth command in the Terminal it fails with Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) If I execute it as root it workes. So its a rights Problem... -- Mit freundlichem Gruß Nicolas Fischer email: nfischer@hush.com jabber: jagger@jabber.ccc.de tel: 01573-0420888 Skype: jagger64 TOX: Just ask me :) PGP-Key: http://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xCF5... If you sent me a PGP Crypted Mail I´ll be happy and will give you a free cookie :) On 18.8.2014 at 6:09 PM, A.L.M.Buxey@lboro.ac.uk wrote:Hi, ..just for info - from the FR mailing list archives: You were absolutely right. For future reference: Ubuntu (12.04) places the socket in /var/run/samba/winbindd_privileged The socket itself is owned root:root permissions s777 The directory is owned root:winbindd_privileged permissions 750 Adding the user freerad to the group winbindd_privileged did the trick. Thanks.... Peter you probably have EXACTLY the same issue. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 19-08-14 15:12, nfischer@hush.com wrote:
IT FUCKING WORK! chown freerad on /var/run/samba/winbindd/ did it for me :)
Until there is a update of your winbind package and the package fixes the ownership of the directory. The better fix was already quoted by Alan from a previous entry on the mailing list:
Ubuntu (12.04) places the socket in /var/run/samba/winbindd_privileged The socket itself is owned root:root permissions s777 The directory is owned root:winbindd_privileged permissions 750 Adding the user freerad to the group winbindd_privileged did the trick.
-- Herwin Weststrate
And the /var/lib/samba/winbindd_privileged directory is owned by winbindd with group winbindd_priv? Stefan From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of nfischer@hush.com Sent: 18 August 2014 16:53 To: freeradius-users@lists.freeradius.org Subject: freeRADIUS -> AD Auth Hi, after I fully crashed my freeRADIUS Server I have to ask again: It still fails with: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: hausmeister@OBLAN [mschap] Told to do MS-CHAPv2 for hausmeister@OBLAN with NT-Password [mschap] expand: %{Stripped-User-Name} -> hausmeister [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=hausmeister [mschap] Creating challenge hash with username: hausmeister@OBLAN [mschap] expand: %{mschap:Challenge} -> 01b99ad5745936be [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=01b99ad5745936be [mschap] expand: %{mschap:NT-Response} -> cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt- response=cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject so Im not sure why. I think its because hes not allowed to execute the ntlm or my mschap is cofigured wrong. (or both) I checked the users/groups: sambashare:x:111:haus-meister winbindd_priv:x:112:freerad freerad:x:113:freerad ssl-cert:x:114:freerad looks fine to me? So my NTLM_Auth string in the modules/mschap is: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" I allso tried a lot of other stuff nothing change. Hope you can help me again. -- Mit freundlichem Gruß Nicolas Fischer email: nfischer@hush.com<mailto:nfischer@hush.com> jabber: jagger@jabber.ccc.de<mailto:jagger@jabber.ccc.de> tel: 01573-0420888 Skype: jagger64 TOX: Just ask me :) PGP-Key: http://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xCF5... If you sent me a PGP Crypted Mail I´ll be happy and will give you a free cookie :) Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Herwin Weststrate -
nfischer@hush.com -
Stefan Paetow