802.1x machine authentication patch help

Michael Patzer michael.patzer at netviewer.com
Fri Dec 14 14:20:57 CET 2007


i fixed the issue by building and installing my own windbind-package 
from the debian unstable source for etch: winbind_3.0.28-1_i386.deb 

now i've only left the problem, that freeradius converts
username: "host/trelane.ka.foobar.de" to
	username: trelane$
	domain: ka

i did a workaround for this by adding the domainname directly to the 
ntlm_auth command, becouse at the moment we only use one domain.
but is there any better way?

regards,
michael

-----Original Message-----
From:
freeradius-users-bounces+michael.patzer=netviewer.com at lists.freeradius.o
rg
[mailto:freeradius-users-bounces+michael.patzer=netviewer.com at lists.free
radius.org] On Behalf Of Michael Patzer
Sent: Friday, December 14, 2007 1:04 PM
To: freeradius-users at lists.freeradius.org
Subject: Re: 802.1x machine authentication patch help

i found the topic about "No logon workstation trust account
(0xc0000199)".

i've the same problem using
	freeradius-2.0.0-pre2
	samba 3.0.24
	on debian etch

is it required to update to samba 3.0.28 (debian unstable) to fix this
issue, or could it be anything else?


thx
michael

freeradius-log:

+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create
LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create
NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/trelane.ka.foobar.de with
NT-Password
        expand: --username=%{mschap:User-Name} -> --username=trelane$
 mschap2: 95
        expand: --challenge=%{mschap:Challenge} ->
--challenge=36fc487a5fe99e03
        expand: --nt-response=%{mschap:NT-Response} ->
--nt-response=b8ec109fa4b1a1ed3b2832f4e9704456febebeb4d790574e
Exec-Program output: No logon workstation trust account (0xc0000199) 
Exec-Program-Wait: plaintext: No logon workstation trust account
(0xc0000199) 
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject



-----Original Message-----
From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Phil
Mayers
Sent: 01 October 2007 09:55
To: FreeRadius users mailing list
Subject: Re: 802.1x machine authentication patch help

On Fri, 2007-09-28 at 12:06 +0100, Marco Casulli wrote:
> Hi Jamie,
> 
> Marco from BBC in london.
> 
> I have read your message
> (http://lists.cistron.nl/pipermail/freeradius-users/2005-November/0485
> 76.html related to the error when the radius is trying to authenticate

> in AD and I am getting exactly the same message.
> 
> "No logon workstation trust account (0xc0000199)". 
> 
> The article is dated Nov 2005 so I hope you have the solution by now! 
> ;-)

You need a suitably recent version of Samba. I can't remember the exact
version number, but I'm sure judicious use of Google will find it, or
just use the most recent.

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list