eapol_test giving up and win-like error?
ndk.clanbo at gmail.com
Mon Jan 23 12:24:07 CET 2012
Il 23/01/2012 11:02, Phil Mayers ha scritto:
> Mschap v1 doesn't validate the reply from server to client, which is what is failing with eapol_test. Therefore you're not testing the same path.
So radtest isn't actually equivalent to eapol_test. It's just another
step for testing.
> Try using a local i.e. non samba user to test. I am sure the problem is with your samba daemon.
What do you mean by "local user"? One added in users file? I know it
works (tested while following the guide), but it's not using mschapv2,
>From https://bugzilla.samba.org/show_bug.cgi?id=6563 it seems that
script only generates NTLMv1 responses... And it references a quite old
Samba version. I'm using 3.5.10.
>From comment 46: "Yes, 3.5.6 has all necessary fixes for this issue.
Unless the sernet packages do contain other changes, it should just work
with those packages."
I retested, adding "winbind:forcesamlogon = True" and eapol_test is now
Might be useful to add to the guide. Seems, after all, it's needed for
recent SAMBA releases, too.
Just for completeness my (now working) smb.conf is:
workgroup = PERSONALE
realm = PERSONALE.DIR.UNIBO.IT
server string = %v
security = ADS
restrict anonymous = 2
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
idmap uid = 100000-100000000
idmap gid = 100000-100000000
template shell = /bin/bash
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
idmap config STUDENTI:range = 50000000 - 99999999
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:backend = rid
idmap config PERSONALE:range = 100000 - 49999999
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:backend = rid
idmap config STUDENTI:default = yes
idmap config PERSONALE:default = no
winbind:forcesamlogon = True
[maybe the whole idmap could be removed, but better not to touch it once
No need to edit /etc/krb5.conf (interfacing to a native AD domain, so
DNS records are OK for auto-discovery of Kerberos servers.
Now it's Zeroshell's turn...
Tks for the patience.
More information about the Freeradius-Users