Problems freeradius and samba4
Hi all. I trying deploy the environment beetween freeradius and samba4 for wireless network. The topology follow bellow. access point <----> freeradius server <-----> server samba4 I setting the access point for authenticate in freeradius server and freeradius using ldap e authenticate in samba4, but not work follow bellow log server freeradius: [suffix] No '@' in User-Name = "user", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[unix] returns notfound ++[files] returns noop [ldap] performing user authorization for user [ldap] expand: (&(objectClass=user)(sAMAccountName=%{User-Name})) -> (&(objectClass=user)(sAMAccountName=user)) [ldap] expand: dc=batlab,dc=corp -> dc=batlab,dc=corp [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] closing existing LDAP connection [ldap] (re)connect to 192.168.0.4:389, authentication 0 [ldap] bind as CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp/xxxx to 192.168.0.4:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=batlab,dc=corp, with filter (&(objectClass=user)(sAMAccountName=user)) [ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Invalid user: [user/<no User-Password attribute>] (from client 192.168.0.200 port 0 cli 001f3a528f60) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated I note this ldapsearch executed successfull # ldapsearch -LLL -h 192.168.0.4 -b dc=batlab,dc=corp -D user2@batlab.corp -W '(&(objectClass=user)(sAMAccountName=user))' dn: CN=user test,OU=noc,OU=batlab,DC=batlab,DC=corp objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: user test instanceType: 4 whenCreated: 20130404161519.0Z displayName: user test uSNCreated: 3728 name: user test objectGUID:: x9uu1FOl70u8ovEwuZ72Rw== badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAA2w3N/Xfij4HyH/nmUQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: user sAMAccountType: 805306368 userPrincipalName: user@batlab.corp objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=batlab,DC=corp pwdLastSet: 130095657200000000 userAccountControl: 66048 memberOf: CN=Administrators,CN=Builtin,DC=batlab,DC=corp memberOf: CN=Domain Admins,CN=Users,DC=batlab,DC=corp memberOf: CN=Enterprise Admins,CN=Users,DC=batlab,DC=corp memberOf: CN=g_noc,OU=noc,OU=batlab,DC=batlab,DC=corp mail: user@batlab.ufms.br whenChanged: 20130427195156.0Z uSNChanged: 4204 distinguishedName: CN=user test,OU=noc,OU=batlab,DC=batlab,DC=corp I noticed that the ldap Samba4 does not possess the attribute user-password, is this the cause? My settings: Ubuntu Linux 12.04.2 Access Point: Linksys Cisco wrtp54g Any ideas. Regards
ricardobarbosams wrote:
[ldap] ldap_search() failed: Operations error
Read raddb/modules/ldap. Look for "operations error".
I noticed that the ldap Samba4 does not possess the attribute user-password, is this the cause?
No.
My settings:
Ubuntu Linux 12.04.2 Access Point: Linksys Cisco wrtp54g
But not the version of FreeRADIUS. <sigh> Alan DeKok.
Hi Alan, my version freeradius root@maxwell:~# freeradius -v freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57 Copyright (C) 1999-2010 The FreeRADIUS server project and contributors. Regards. Em 06/10/13 15:33, Alan DeKok escreveu:
ricardobarbosams wrote:
[ldap] ldap_search() failed: Operations error Read raddb/modules/ldap. Look for "operations error".
I noticed that the ldap Samba4 does not possess the attribute user-password, is this the cause? No.
My settings:
Ubuntu Linux 12.04.2 Access Point: Linksys Cisco wrtp54g But not the version of FreeRADIUS.
<sigh>
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 10.06.2013 23:29, ricardobarbosams wrote:
[ldap] bind as CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp/xxxx to 192.168.0.4:389
[skipped]
# ldapsearch -LLL -h 192.168.0.4 -b dc=batlab,dc=corp -D user2@batlab.corp -W '(&(objectClass=user)(sAMAccountName=user))'
freeradius binds as CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp and ldapsearch binds as user2@batlab.corp. Maybe this is the cause of different search operation results.
On 12.06.2013 4:19, ricardobarbosams wrote:
No my filter is
filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))"
I do not talk about filter, I do talk about binding to the directory. Your ldapsearch binds to the directory using one user and your radiusd binds to directory as another user. These users can have different authorization levels in the directory server. Directory may allow to retrieve objects to user2@batlab.corp user but disallow it to CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp user. Configure radiusd to use the user2@batlab.corp user to bind to the directory and you'll get same results as with ldapsearch.
Hi, but not any other settins, only file ldap. ldap { server = "192.168.0.4" identity = "CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp" password = XXXXX basedn = "dc=batlab,dc=corp" filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))" base_filter = "(objectClass=user)" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no } What other file setting user for directory? Regards. Em 06/13/13 03:37, Iliya Peregoudov escreveu:
On 12.06.2013 4:19, ricardobarbosams wrote:
No my filter is
filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))"
I do not talk about filter, I do talk about binding to the directory. Your ldapsearch binds to the directory using one user and your radiusd binds to directory as another user. These users can have different authorization levels in the directory server. Directory may allow to retrieve objects to user2@batlab.corp user but disallow it to CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp user.
Configure radiusd to use the user2@batlab.corp user to bind to the directory and you'll get same results as with ldapsearch. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi. Executing ldapsearch with user freeradius root@maxwell:~# ldapsearch -LLL -x -h 192.168.0.4 -b "dc=batlab,dc=corp" -D "CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp" -W "(sAMAccountName=administrator)" cn Enter LDAP Password: dn: CN=Administrator,CN=Users,DC=batlab,DC=corp cn: Administrator Its Works. Regards. Em 06/13/13 03:37, Iliya Peregoudov escreveu:
On 12.06.2013 4:19, ricardobarbosams wrote:
No my filter is
filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))"
I do not talk about filter, I do talk about binding to the directory. Your ldapsearch binds to the directory using one user and your radiusd binds to directory as another user. These users can have different authorization levels in the directory server. Directory may allow to retrieve objects to user2@batlab.corp user but disallow it to CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp user.
Configure radiusd to use the user2@batlab.corp user to bind to the directory and you'll get same results as with ldapsearch. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, i'm starter here but, the user freeradius in your ldap must be able to read user's passwords. Try with administrator in /etc/raddb/modules/ldap and if it works, the user freeradius won't has rigths for this. By El viernes, 14 de junio de 2013, ricardobarbosams escribió:
Hi.
Executing ldapsearch with user freeradius
root@maxwell:~# ldapsearch -LLL -x -h 192.168.0.4 -b "dc=batlab,dc=corp" -D "CN=freeradius,OU=noc,OU=**batlab,DC=batlab,DC=corp" -W "(sAMAccountName=**administrator)" cn Enter LDAP Password: dn: CN=Administrator,CN=Users,DC=**batlab,DC=corp cn: Administrator
Its Works.
Regards.
Em 06/13/13 03:37, Iliya Peregoudov escreveu:
On 12.06.2013 4:19, ricardobarbosams wrote:
No my filter is
filter = "(&(objectClass=user)(**sAMAccountName=%{User-Name}))"
I do not talk about filter, I do talk about binding to the directory. Your ldapsearch binds to the directory using one user and your radiusd binds to directory as another user. These users can have different authorization levels in the directory server. Directory may allow to retrieve objects to user2@batlab.corp user but disallow it to CN=freeradius,OU=noc,OU=**batlab,DC=batlab,DC=corp user.
Configure radiusd to use the user2@batlab.corp user to bind to the directory and you'll get same results as with ldapsearch. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
-- -- Un saludo. ____________________ Roberto Ortega Profesor de Informática. http://www.proyectoret.es Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com No imprimas este correo si no es necesario. Protejamos el medio ambiente.
Hi Ortega, With user administrator not worked. look log file [ldap] performing user authorization for test [ldap] expand: (&(objectClass=user)(sAMAccountName=%{User-Name})) -> (&(objectClass=user)(sAMAccountName=test)) [ldap] expand: dc=batlab,dc=corp -> dc=batlab,dc=corp [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] closing existing LDAP connection [ldap] (re)connect to 192.168.0.4:389, authentication 0 [ldap] bind as /XXXXX to 192.168.0.4:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=batlab,dc=corp, with filter (&(objectClass=user)(sAMAccountName=test)) [ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Any Idea Em 06/14/13 03:40, Roberto Ortega Ramiro escreveu:
Hi, i'm starter here but, the user freeradius in your ldap must be able to read user's passwords.
Try with administrator in /etc/raddb/modules/ldap and if it works, the user freeradius won't has rigths for this.
By
El viernes, 14 de junio de 2013, ricardobarbosams escribió:
Hi.
Executing ldapsearch with user freeradius
root@maxwell:~# ldapsearch -LLL -x -h 192.168.0.4 -b "dc=batlab,dc=corp" -D "CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp" -W "(sAMAccountName=administrator)" cn Enter LDAP Password: dn: CN=Administrator,CN=Users,DC=batlab,DC=corp cn: Administrator
Its Works.
Regards.
Em 06/13/13 03:37, Iliya Peregoudov escreveu:
On 12.06.2013 4:19, ricardobarbosams wrote:
No my filter is
filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))"
I do not talk about filter, I do talk about binding to the directory. Your ldapsearch binds to the directory using one user and your radiusd binds to directory as another user. These users can have different authorization levels in the directory server. Directory may allow to retrieve objects to user2@batlab.corp user but disallow it to CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp user.
Configure radiusd to use the user2@batlab.corp user to bind to the directory and you'll get same results as with ldapsearch. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Un saludo. ____________________
Roberto Ortega Profesor de Informática. http://www.proyectoret.es <http://www.proyectoret.es/>
Escuelas San José Valencia Avd.Cortes Valencianas nº1 46015 Valencia R4600489A Tf:963499011 ext. 262 Fax:963488835 http://www.escuelassj.com <http://www.escuelassj.com/>
No imprimas este correo si no es necesario. Protejamos el medio ambiente.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ricardobarbosams wrote:
[ldap] ldap_search() failed: Operations error [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail
Read raddb/modules/ldap. Look for "operations error". This is documented in v2.2.0. If you're not running 2.2.0, then upgrade. Or, still *read* the configuration file you edited. It has instructions for what to do in this situation. Alan DeKok.
Hi,
With user administrator not worked. look log file
[ldap] performing user authorization for test [ldap] expand: (&(objectClass=user)(sAMAccountName=%{User-Name})) -> (&(objectClass=user)(sAMAccountName=test)) [ldap] expand: dc=batlab,dc=corp -> dc=batlab,dc=corp [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] closing existing LDAP connection [ldap] (re)connect to 192.168.0.4:389, authentication 0 [ldap] bind as /XXXXX to 192.168.0.4:389 [ldap] waiting for bind result ... [ldap] Bind was successful ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[ldap] performing search in dc=batlab,dc=corp, with filter (&(objectClass=user)(sAMAccountName=test)) [ldap] ldap_search() failed: Operations error [ldap] search failed
^^^^^^^^^^^^^^^^^^^^^^^^^
[ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail
Any Idea
i'd suggest that you get aquainted with your LDAP directory structure and ensure that you are looking in the right place with the right filter alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Iliya Peregoudov -
ricardobarbosams -
Roberto Ortega Ramiro