FreeRADIUS using Active Directory integration broken without any traces

Stefan Paetow Stefan.Paetow at ja.net
Mon Sep 29 16:38:47 CEST 2014


Hi Sebastian, 

Did you update SAMBA at any point and did you possibly change the ownership of the winbindd_privileged directory? If so, that might be the reason. Add radiusd (or freerad on Deb platforms) to the group that Winbind belongs to. That should resolve the problem. 

Stefan


> -----Original Message-----
> From: freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+stefan.paetow=ja.net at lists.freeradius.org] On Behalf Of Sebastian
> Hagedorn
> Sent: 29 September 2014 14:28
> To: Vinícius Ferrão
> Cc: FreeRadius users mailing list
> Subject: Re: FreeRADIUS using Active Directory integration broken without
> any traces
> 
> Hi,
> 
> --On 26. September 2014 19:54:23 +0000 Vinícius Ferrão
> <ferrao at if.ufrj.br> wrote:
> 
> > But RADIUS fails when doing EAP-PEAP authentication, and running
> > FreeRADIUS in debug mode this is the error message:
> >
> ># (9) mschap : Executing: /usr/local/bin/ntlm_auth --request-nt-key
> ># --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> ># --challenge=%{%{mschap:Challenge}:-00}
> ># --nt-response=%{%#{mschap:NT-Response}:-00} (9) mschap : EXPAND
> ># --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (9)
> mschap :
> ># --> --username=ferrao
> ># (9) mschap : Creating challenge hash with username: ferrao
> ># (9) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
> ># (9) mschap :    --> --challenge=082e8ba7b848aaae
> ># (9) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> ># (9) mschap :    -->
> ># --nt-response=27b40a6d1dba1b4acfd33aff5c710a43e70d050269087bf1 (9)
> ># ERROR: mschap : Program returned code (1) and output 'Reading winbind
> ># reply failed! (0xc0000001)' (9) mschap : External script failed.
> ># (9) ERROR: mschap : External script says: Reading winbind reply failed!
> ># (0xc0000001) (9) ERROR: mschap : MS-CHAP2-Response is incorrect
> ># (9)   [mschap] = reject
> ># (9)  } # Auth-Type MS-CHAP = reject
> ># (9) eap : Freeing handler
> ># (9)   [eap] = reject
> ># (9)  } #  authenticate = reject
> ># (9) Failed to authenticate the user.
> ># (9) Login incorrect (mschap: Program returned code (1) and output
> ># 'Reading winbind reply failed! (0xc0000001)'): [ferrao/<via Auth-Type =
> ># EAP>] (from client 192.168.0.0/26 port 0 via TLS tunnel)
> >
> > So something is wrong with Winbind and FreeRADIUS, and I don't know what.
> 
> check the archives:
> 
> <http://lists.freeradius.org/pipermail/freeradius-users/2012-May/061047.html>
> --
>     .:.Sebastian Hagedorn - Weyertal 121 (Gebäude 133), Zimmer 2.02.:.
>                  .:.Regionales Rechenzentrum (RRZK).:.
>    .:.Universität zu Köln / Cologne University - ✆ +49-221-470-89578.:.

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
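
One way to run the check the reply describes, as an added example that is not part of the original thread. The service account and the path to `winbindd_privileged` are passed as arguments because the thread names neither a path nor a group; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: why ntlm_auth run by the RADIUS daemon cannot talk to
# winbindd's privileged pipe, judged from directory mode and group membership.

# verdict MODE DIR_GROUP "GROUPS OF USER" -> prints a verdict; returns 0 only if OK.
verdict() {
    mode=$1 grp=$2 memberships=$3
    case $mode in
        # Last octal digit non-zero: every local user could reach the pipe.
        *[1-7]) echo "UNSAFE: mode $mode opens the directory to all users"; return 3 ;;
    esac
    case $mode in
        *[57]0) ;;  # group can read and traverse, e.g. 750
        *) echo "BLOCKED: mode $mode gives group $grp no r-x"; return 4 ;;
    esac
    for g in $memberships; do
        if [ "$g" = "$grp" ]; then echo "OK: member of $grp"; return 0; fi
    done
    echo "DENIED: add the service account to group $grp"
    return 1
}

# check_winbind_access USER DIR -> gathers the facts and calls verdict.
check_winbind_access() {
    user=$1 dir=$2
    [ -d "$dir" ] || { echo "MISSING: $dir is not a directory"; return 2; }
    memberships=$(id -nG "$user" 2>/dev/null) || { echo "NOUSER: $user"; return 2; }
    verdict "$(stat -c '%a' "$dir")" "$(stat -c '%G' "$dir")" "$memberships"
}

# Usage: sh check.sh freerad /path/to/winbindd_privileged
if [ $# -eq 2 ]; then check_winbind_access "$1" "$2"; fi
```

A running daemon keeps the group list it started with, so restart the RADIUS service after changing its group membership. An UNSAFE verdict calls for restoring the directory mode rather than widening it further.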


