freeradius against AD not working
Karthik R
kartthikr at gmail.com
Fri Oct 27 01:07:37 CEST 2006
Using freeradius v1.1.1 on a RHEL 4 box trying to authenticate users against
Windows 2003 Active directory. I was able to bind linux box to Windows
domain successfully and able to read the active directory users and groups
using
wbinfo - u
R1\Administrator
R1\Guest
and wbinfo -g.
Using ntlm_auth tool am able to successfully authenticate the users too.
-bash-3.00# ntlm_auth --request-nt-key --username=kartthikr
password:
NT_STATUS_OK: Success (0x0)
But while using radtest tool with the same logon credentials as above it
rejects the user and here is the log message.
rad_recv: Access-Request packet from host 127.0.0.1:32927, id=243, length=61
User-Name = "<removed>"
User-Password = "<removed>"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "<removed>", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 156
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type System
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
modcall[authenticate]: module "unix" returns notfound for request 0
modcall: leaving group authenticate (returns notfound) for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 243 to 127.0.0.1 port 32927
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 243 with timestamp 45413139
Nothing to do. Sleeping until we see a request.
Here is nss config file:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files winbind nis dns
protocols: files winbind # nis
services: files winbind # nis
netgroup: files winbind # nis
automount: files winbind nis
Here is radiusd.conf file:
modules {
pap {
encryption_scheme = crypt
}
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
#use_mppe = no
require_encryption = yes
#require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
}
Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20061026/5debca8d/attachment.html>
More information about the Freeradius-Users
mailing list