freeRADIUS -> AD Auth
A.L.M.Buxey at lboro.ac.uk
Fri Aug 15 14:34:13 CEST 2014
Hi,
look at what the server is running...
>
> [mschapv2] # Executing group from file
> /etc/freeradius/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: hausmeister at oblan
> [mschap] Told to do MS-CHAPv2 for hausmeister at oblan with NT-Password
> [mschap] expand: %{Stripped-User-Name} -> hausmeister
> [mschap] expand:
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} ->
> --username=hausmeister
> [mschap] Creating challenge hash with username: hausmeister at oblan
> [mschap] expand: %{mschap:Challenge} -> fffc6d74f50463ee
> [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} ->
> --challenge=fffc6d74f50463ee
> [mschap] expand: %{mschap:NT-Response} ->
> 46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b
> [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} ->
> --nt-response=46ced655ef1738b05dad84aaa9fea60fc7cfa22f9c6c563b
> Exec-Program output: Reading winbind reply failed! (0xc0000001)
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
compared to what you run
>
> NTLM_AUTH works:
> haus-meister at KRATOS:~$ ntlm_auth --request-nt-key --username=hausmeister
> --domain=OBLAN
> Password:
> NT_STATUS_OK: Success (0x0)
there's a 'domain' in your hand-run stuff - you haven't configured the server to use a --domain=OBLAN
there's also a request NT key argument which you don't have.
as for permissions...we run radiusd process as 'radiusd' user, so permissions are
radiusd:radiusd for all of the raddb directory, shares, log dirs etc...and radiusd is
in the winbind group so the winbind_privileged directory is okay
alan
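For comparison, here is the mschap module's `ntlm_auth` setting as the debug output shows it being run, next to a version carrying the two arguments from the hand-run command. This is an added example, not from the original post; the path to ntlm_auth is assumed, the expansions are the ones visible in the debug output above, and OBLAN is the domain from the poster's command.

```conf
# raddb/modules/mschap (FreeRADIUS 2.x layout). This is what the debug
# output above expands: no --request-nt-key and no --domain argument.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# Same setting with the two arguments the working hand-run command used.
# --request-nt-key makes ntlm_auth hand back the NT key that the mschap
# module needs to derive the MPPE keys for the tunnel; --domain tells
# winbind which domain to check the user against. OBLAN is hard-coded
# here; --domain=%{mschap:NT-Domain} takes it from a DOMAIN\user login.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=OBLAN --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

The server runs this line as the radiusd user, not as your shell login, so repeat the hand test under that account before blaming the config.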