freeradius and ntlm_auth howto

Jonathan De Graeve Jonathan.De.Graeve at imelda.be
Thu Oct 26 16:41:05 CEST 2006


The debugging output is saying exactly what's wrong:

Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)

This dir should be readable by freeradius AND winbind. I thought 750 would work.

J.

- --
Jonathan De Graeve
IMELDA vzw
Informatica Dienst
Network System Engineer
jonathan.de.graeve at imelda.be
+32(0)15/50.52.98

> -----Original message-----
> From: freeradius-users-
> bounces+jonathan.de.graeve=imelda.be at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+jonathan.de.graeve=imelda.be at lists.freeradius.org] On behalf of
> Stieven.Struyf at komatsu.eu
> Sent: Thursday, 26 October 2006 16:24
> To: freeradius-users at lists.freeradius.org
> Subject: freeradius and ntlm_auth howto
> 
> 
> All,
> I am trying to authenticate my wifi users via our AD. I'm finding bits and
> pieces on the internet to configure things, but no completely usable
> howto.
> Can someone of the users look at the output below and point me to the
> correct solution/howto?
> 
> I setup smb.conf,krb5.conf and freeradius. I joined the server to the
> domain and tested the connection with ntlm_auth:
> [root at belx11ke ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf
> --domain=KMT-EU.KMTG.NET
> password:
> NT_STATUS_OK: Success (0x0)
> [root at belx11ke ~]#
> 
> rights of the winbind pipe:
> ls -l /var/cache/samba/winbindd_privileged
> total 0
> srwxrwxrwx  1 root root 0 Oct 25 14:46 pipe
> 
> below is the debug output of freeradius
> 
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/peap
>   rlm_eap: processing type peap
>   rlm_eap_peap: Authenticate
>   rlm_eap_tls: processing TLS
>   eaptls_verify returned 7
>   rlm_eap_tls: Done initial handshake
>   eaptls_process returned 7
>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Decoding tunneled attributes.
>   rlm_eap_peap: EAP type mschapv2
>   rlm_eap_peap: Tunneled data is valid.
>   PEAP: Got tunneled EAP-Message
>         EAP-Message =
> 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c30000
> 0000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d4555
> 2e4b4d54472e4e45545c73737472757966
>   PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
>   PEAP: Adding old state with a4 c3
>   PEAP: Sending tunneled request
>         EAP-Message =
> 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c30000
> 0000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d4555
> 2e4b4d54472e4e45545c73737472757966
>         FreeRADIUS-Proxied-To = 127.0.0.1
>         User-Name = "KMT-EU.KMTG.NET\\sstruyf"
>         State = 0xa4c337a92357e8d90a5f8c64b37d2df1
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
>   modcall[authorize]: module "preprocess" returns ok for request 7
>   modcall[authorize]: module "mschap" returns noop for request 7
>     rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up
> realm   NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
>     rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-
> EU.KMTG.NET\sstruyf"
>     rlm_realm: Found realm "KMT-EU.KMTG.NET"
>     rlm_realm: Adding Stripped-User-Name = "sstruyf"
>     rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
>     rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
>     rlm_realm: Authentication realm is LOCAL.
>   modcall[authorize]: module "ntdomain" returns noop for request 7
>   rlm_eap: EAP packet type response id 9 length 82
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 7
>     users: Matched sstruyf at 98
>   modcall[authorize]: module "files" returns ok for request 7
> modcall: group authorize returns updated for request 7
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/mschapv2
>   rlm_eap: processing type mschapv2
>   Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 7
>   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>   rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?
>   rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-
> Password
> radius_xlat: Running registered xlat function of module mschap for string
> 'Challenge'
>  mschap2: 95
>   rlm_mschap: NT Domain delimeter found, should we have enabled
> with_ntdomain_hack?
> radius_xlat: Running registered xlat function of module mschap for string
> 'NT-Response'
> radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --
> challenge=7b634e5c9dd73ddc --nt-
> response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --
> challenge=7b634e5c9dd73ddc --nt-
> response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
> Exec-Program output: winbind client not authorized to use
> winbindd_pam_auth_crap.  Ensure permissions on
> /var/cache/samba/winbindd_privileged are set correctly.
> (0xc0000022)
> Exec-Program-Wait: plaintext: winbind client not authorized to use
> winbindd_pam_auth_crap.  Ensure permissions on
> /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
> Exec-Program: returned: 1
>   rlm_mschap: External script failed.
>   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>   modcall[authenticate]: module "mschap" returns reject for request 7
> modcall: group Auth-Type returns reject for request 7
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 7
> modcall: group authenticate returns reject for request 7
> auth: Failed to validate the user.
> Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>]
> (from client localhost port 0)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group Post-Auth-Type for request 7
> 
> Stieven Struyf
> M.I.S. Division - System Operations
> Komatsu Europe International NV
> Mechelsesteenweg 586
> B-1800 Vilvoorde
> Stieven.Struyf at komatsu.eu
> Tel. +32 (0)2 2552551
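
Added example (not part of the original thread, and not FreeRADIUS or Samba code): a small model of the POSIX permission check that decides whether the account running `ntlm_auth` can reach the pipe inside `winbindd_privileged`. What matters is the search bit on the directory itself (`ls -ld`), not the mode of the pipe that `ls -l` lists. Assumptions: the RADIUS service account is called `radiusd`, and the uid/gid numbers 95 and 88 are constructed sample values.

```python
import grp
import os
import pwd
from collections import namedtuple

# Account model: uid plus every gid (primary and supplementary).
Account = namedtuple("Account", "name uid gids")

def applicable_bits(mode, owner_uid, owner_gid, acct):
    """POSIX applies exactly one rwx triple: owner, else group, else other."""
    if acct.uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in acct.gids:
        return (mode >> 3) & 0o7
    return mode & 0o7

def diagnose(mode, owner_uid, owner_gid, acct):
    """Classify access to a pipe inside a directory with this owner/group/mode."""
    if mode & 0o001:
        return "too-open"  # every local account can reach the privileged pipe
    if acct.uid == 0 or applicable_bits(mode, owner_uid, owner_gid, acct) & 0o1:
        return "ok"        # search (x) permission on the directory is granted
    return "denied"        # the situation behind the 0xc0000022 message above

def diagnose_live(path, username):
    """Run the same check on a real host; path and username are assumptions."""
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return diagnose(st.st_mode & 0o777, st.st_uid, st.st_gid,
                    Account(username, pw.pw_uid, frozenset(gids)))

# Constructed sample accounts: gid 95 is the account's own group,
# gid 88 stands for a dedicated group that owns the directory.
RADIUSD = Account("radiusd", 95, frozenset({95}))
RADIUSD_IN_GROUP = Account("radiusd", 95, frozenset({95, 88}))

if __name__ == "__main__":
    print(diagnose(0o750, 0, 0, RADIUSD))            # root:root, mode 750
    print(diagnose(0o750, 0, 88, RADIUSD_IN_GROUP))  # root:<gid 88>, mode 750
    print(diagnose(0o755, 0, 0, RADIUSD))            # root:root, mode 755
```

Mode 750 only helps when the directory's group is one the RADIUS account belongs to; with `root:root` ownership the account falls through to the "other" triple, which 750 leaves empty.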
