RE: freeradius and ntlm_auth howto
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 The debugging output is exactly saying whats wrong Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022) This dir should be readable by freeradius AND winbind. I thought 750 would work J. - -- Jonathan De Graeve IMELDA vzw Informatica Dienst Network System Engineer jonathan.de.graeve@imelda.be +32(0)15/50.52.98
-----Oorspronkelijk bericht----- Van: freeradius-users- bounces+jonathan.de.graeve=imelda.be@lists.freeradius.org [mailto:freeradius-users- bounces+jonathan.de.graeve=imelda.be@lists.freeradius.org] Namens Stieven.Struyf@komatsu.eu Verzonden: donderdag 26 oktober 2006 16:24 Aan: freeradius-users@lists.freeradius.org Onderwerp: freeradius and ntlm_auth howto
All, I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto. Can someone of the users look at the ouput below and point me to the correct solution/howto?
I setup smb.conf,krb5.conf and freeradius. I joined the server to the domain and tested the connection with ntlm_auth: [root@belx11ke ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET password: NT_STATUS_OK: Success (0x0) [root@belx11ke ~]#
rights of the winbind pipe: ls -l /var/cache/samba/winbindd_privileged total 0 srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe
below is the debug output of freeradius
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled EAP-Message EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c30000 0000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d4555 2e4b4d54472e4e45545c73737472757966 PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf PEAP: Adding old state with a4 c3 PEAP: Sending tunneled request EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c30000 0000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d4555 2e4b4d54472e4e45545c73737472757966 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "KMT-EU.KMTG.NET\\sstruyf" State = 0xa4c337a92357e8d90a5f8c64b37d2df1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7 rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT- EU.KMTG.NET\sstruyf" rlm_realm: Found realm "KMT-EU.KMTG.NET" rlm_realm: Adding Stripped-User-Name = "sstruyf" rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET rlm_realm: Adding Realm = "KMT-EU.KMTG.NET" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "ntdomain" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 82 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched sstruyf at 98 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT- Password radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: 95 rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf -- challeng e=7b634e5c9dd73ddc --nt- response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf -- challenge=7b634e5c9dd73ddc --nt- response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972 Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7 modcall: group Auth-Type returns reject for request 7 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client localhost port 0) Processing the post-auth section of radiusd.conf modcall: entering group Post-Auth-Type for request 7
Stieven Struyf M.I.S. Division - System Operations Komatsu Europe International NV Mechelsesteenweg 586 B-1800 Vilvoorde Stieven.Struyf@komatsu.eu Tel. +32 (0)2 2552551
-----BEGIN PGP SIGNATURE----- Version: 9.5.0 (Build 1202) wsBVAwUBRUDJDNjY2X/BrZGJAQjchQf/QUKfxpmDYdPgui8BqBOLGnp9SeO/v97+ QJZa0iCfSPX7Sr2GoXq+lK4s5a+vFnyqTm2s1kHwCcZif4PaUAjmXf0kjsPiV4X9 IIeImenaGNnS8iEFmIWEaP7WnzrB8/rPAeA1xnSyML06g7ejyMK23b50NwcWUyrf lnPPrGxLLOu1FUg94NI28iVtwLs9eqoHKyAKddaw42m9IXomuc7rZDBYBRO6bNvv /3E9TZMLszpe2oy6SEIItNyx9qjZTZtP2K1KSBS1ING9rI6EIYL505aQ9OPYzj9t HsP0HnpdvZJL8D0EtcSxzzoQLuC5wPzBjlWmGUGtsDY/8Wil9fx07A== =wrIA -----END PGP SIGNATURE-----
participants (1)
-
Jonathan De Graeve