eapol_test giving up and win-like error?
NdK
ndk.clanbo at gmail.com
Mon Jan 23 12:24:07 CET 2012
On 23/01/2012 11:02, Phil Mayers wrote:
> Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path.
So radtest isn't actually equivalent to eapol_test. It's just another
step for testing.
> Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon.
What do you mean by "local user"? One added in users file? I know it
works (tested while following the guide), but it's not using mschapv2,
IIUC...
From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that
script only generates NTLMv1 responses... And it references a quite old
Samba version. I'm using 3.5.10.
From comment 46: "Yes, 3.5.6 has all necessary fixes for this issue.
Unless the sernet packages do contain other changes, it should just work
with those packages."
I retested, adding "winbind:forcesamlogon = True" and eapol_test is now
successful.
Might be useful to add to the guide. Seems, after all, it's needed for
recent SAMBA releases, too.
Just for completeness my (now working) smb.conf is:
[global]
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = %v
security = ADS
restrict anonymous = 2
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
idmap uid = 100000-100000000
idmap gid = 100000-100000000
template shell = /bin/bash
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config STUDENTI:range = 50000000 - 99999999
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:backend = rid
idmap config PERSONALE:range = 100000 - 49999999
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:backend = rid
idmap config STUDENTI:default = yes
idmap config PERSONALE:default = no
winbind:forcesamlogon = True
[maybe the whole idmap could be removed, but better not to touch it once
it's working...]
No need to edit /etc/krb5.conf (interfacing to a native AD domain, so
DNS records are OK for auto-discovery of Kerberos servers).
Now it's Zeroshell's turn...
Tks for the patience.
BYtE,
Diego.
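As an added example (not part of the original post, and not Samba's or FreeRADIUS's own code), here is a small smb.conf reader plus a check for the setting this thread identifies as the fix, `winbind:forcesamlogon = True`, together with the `security = ADS` and `realm` values the working config above relies on. It assumes only Samba's documented parsing rules: parameter names are compared case-insensitively with internal whitespace ignored, `#` and `;` start comments, and `yes/true/1/on` or `no/false/0/off` are accepted as booleans. The embedded sample config is constructed from the post and abbreviated.

```python
"""Parse an smb.conf and audit the winbind settings this thread relies on.

Added example for the mailing-list thread; not part of the original post.
Assumptions (Samba's documented behaviour): parameter names are matched
ignoring case and whitespace, '#'/';' start comments, and booleans accept
yes/true/1/on and no/false/0/off.
"""
import re

# Samba boolean synonyms (assumption: matches Samba's lp_bool parsing)
_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}

# Constructed sample: abbreviated from the working config in the post.
SAMPLE_CONF = """
[global]
  workgroup = PERSONALE
  realm = PERSONALE.DIR.UNIBO.IT
  security = ADS
  # winbind options from the post
  winbind use default domain = Yes
  idmap config PERSONALE:backend = rid
  winbind:forcesamlogon = True
"""


def normalize_key(key: str) -> str:
    """'Winbind Use Default Domain' -> 'winbindusedefaultdomain' (Samba ignores case/whitespace)."""
    return re.sub(r"\s+", "", key).lower()


def as_bool(value: str):
    """Map a Samba boolean string to True/False, or None if unrecognised."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def parse_smb_conf(text: str) -> dict:
    """Return {section_name: {normalized_key: value}}; section names are lowercased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or malformed line
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections


def audit_winbind(sections: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    g = sections.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not ADS (the post's working config uses security = ADS)")
    if not g.get("realm"):
        findings.append("realm is not set (needed to locate the AD/Kerberos domain)")
    if as_bool(g.get("winbind:forcesamlogon", "no")) is not True:
        findings.append("winbind:forcesamlogon is not enabled "
                        "(the thread's fix for the eapol_test MS-CHAPv2 failure)")
    return findings


def audit_text(text: str) -> list:
    """Convenience wrapper: parse a config string and audit it in one call."""
    return audit_winbind(parse_smb_conf(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONF) or ["smb.conf passes the winbind checks"]:
        print(finding)
```

Run it against your own file with `audit_text(open("/etc/samba/smb.conf").read())`; a finding about `winbind:forcesamlogon` reproduces the situation described in the post before the option was added.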