FR + ADS 2003 + ntlm_auth (including config files)

Alan DeKok aland at deployingradius.com
Tue Apr 24 08:01:23 CEST 2007


Jacob Jarick wrote:
> I have gone back to ntlm_auth for the time being instead of ldap due
> to the incredibly frustrating lack of good documentation (if there are
> good docs, link it or shut up).

  A large part of the problem is that you seem to be making random
changes, and following various bits of various documentation.

  The way to get it to work is this:

1. Start with the default configuration.  ALWAYS start with the default
configuration.
2. Make one small change.
3. Test it.
4. If it works, go back to step 2 and make another change.
5. If it doesn't work, try again.

  Also, keep backups of everything.  If something works, make a copy.
Also, in step 4, repeat all of the tests that worked earlier.

> None of the howtos/ tutorials I have followed end in success; it's
> always some ldap error of some kind.

  Then fix the LDAP errors before trying to debug FreeRADIUS.  If
FreeRADIUS can't connect to the LDAP server, then your setup won't work.

> At least 1/2 the FR + LDAP howtos
> say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is
> incorrect.

  It's wrong.  It's not needed.  You can believe the random people on
the net who don't understand FreeRADIUS, or you can believe the people
here, who do understand it.

> I followed Alan's Active Directory Integration tutorial and everything
> is setup as the guide says, but EAP fails with this message:
> "
>  rlm_eap: Handler failed in EAP/peap
>  rlm_eap: Failed in EAP select
>  modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: leaving group authenticate (returns invalid) for request 7
> auth: Failed to validate the user.
> "

  You are NOT reading the whole debug output.  That's part of the reason
you're finding this so difficult.  The real cause of the authentication
failure, AND THE SUGGESTED FIX are in the debugging output:

Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)

  What part of that is not clear?

  It also looks like you did NOT follow my guide, which says to run
ntlm_auth from the command line first.

> On another note I'd like to volunteer to help update some of the
> documentation out there on FR, some is horribly out of date and makes
> for a very frustrating introduction for people.

  It's almost as frustrating to write documentation and then have it
ignored.  When the documentation says 10 times read the debugging
output, it really, truly, honestly, means that you should read it.
Looking at the last few lines that say "authentication failed" is
useless.  The rest of the output contains the information as to WHY it
failed.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
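The two checks the reply points at (the winbindd_privileged permissions behind the 0xc0000022 error, and running ntlm_auth by hand as the daemon user before involving FreeRADIUS) as a small pre-flight script. This is an added example, not code from the thread or from the FreeRADIUS project; the daemon user name "radiusd" and the domain/user/password arguments are assumptions to be replaced with your own.

```shell
#!/bin/sh
# Pre-flight checks for FreeRADIUS + ntlm_auth (added example, not from the
# thread). Assumed: radiusd runs as the user given in $1; the privileged
# socket directory is the path quoted in the debug output above.

# check_priv_dir DIR USER: return 0 when USER can reach DIR through its
# group bits (DIR is group r-x and USER is a member of DIR's group). This is
# the condition behind "winbind client not authorized ... (0xc0000022)".
check_priv_dir() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    # Portable parse of ls(1): "drwxr-x--- 2 root winbindd_priv ..."
    set -- $(ls -ld "$dir")
    perms="$1"; group="$4"
    case "$perms" in
        ????r?x*) ;;   # group read + execute are set
        *) echo "group bits wrong on $dir ($perms); expected 0750"; return 1 ;;
    esac
    # Is USER in the directory's group?
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && { echo "ok: $user reaches $dir via $group"; return 0; }
    done
    echo "$user is not in group $group (owner of $dir)"; return 1
}

# run_ntlm_auth RADIUS_USER DOMAIN USERNAME PASSWORD: run the same command
# FreeRADIUS would execute, but as the daemon user, so a winbind permission
# problem shows up on the command line first. Values containing single
# quotes are not handled by this simple quoting.
run_ntlm_auth() {
    su -s /bin/sh "$1" -c \
      "ntlm_auth --request-nt-key --domain='$2' --username='$3' --password='$4'"
}

# Usage: sh check_ntlm.sh radiusd MYDOMAIN someuser 'secret'
if [ "$#" -eq 4 ]; then
    check_priv_dir /var/cache/samba/winbindd_privileged "$1" && run_ntlm_auth "$@"
fi
```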
