FreeRADIUS no longer authenticating domain clients following application of RHEL5 package updates yesterday morning
Matthew Newton
mcn4 at leicester.ac.uk
Wed Apr 20 18:51:44 CEST 2016
On Wed, Apr 20, 2016 at 05:11:36PM +0100, Jeremy Hill wrote:
> Following the reboot, the radius.log file is full of entries such as the
> following and no local clients are able to authenticate via this server:
How long did you leave it running for? It's usual to see some "No
EAP session matching the State variable." for a short while after
starting a server if there are auths that get cut over to the new
server while in-flight.
There's not enough in the debug log below to tell. You start off
with a half in-flight auth, then that restarts and the debug is
cut off before the second one finishes.
> Oddly, the results from a: "lsof -i tcp -nP | grep winbindd" does not show
> any LDAP connections over port 389 to our active directory either:
>
> winbindd 4535 root 23u IPv4 16513 0t0 TCP 172.19.0.123:56635->172.19.0.73:445 (ESTABLISHED)
>
> We would expect to find the following:
>
> winbindd 4221 root 23u IPv4 34419318 0t0 TCP 172.19.0.124:36502->172.19.0.73:389 (ESTABLISHED)
> winbindd 4221 root 24u IPv4 8106940 0t0 TCP 172.19.0.124:50653->172.19.0.107:445 (ESTABLISHED)
Depends on where your LDAP call is made. If right at the end of
the auth, and the auths aren't getting that far, then you won't
see anything. So this isn't necessarily a problem in and of
itself.
> Cleaning up request 2 ID 253 with timestamp +2
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0xdc342b61de3b32a7 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Ready to process requests.
>
> To my knowledge our certificate is valid until 2018 so am not sure how to
> proceed, any help gratefully received.
Assuming you're doing PEAP/MSCHAPv2 with ntlm_auth, then what
happens at the ntlm_auth stage in the debug logs? That's the bit
you've changed by upgrading Samba.
Might be something as simple as the winbind priv socket not being
readable by FreeRADIUS any more.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
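One way to check the last suggestion above (added example, not part of the list thread or of FreeRADIUS/Samba): a POSIX shell check of whether the account FreeRADIUS runs as can traverse the winbindd privileged pipe directory. The user name `radiusd`, the path `/var/lib/samba/winbindd_privileged` and the group `wbpriv` are assumptions for a typical RHEL layout; adjust them for your build.

```shell
#!/bin/sh
# Added diagnostic, not from the list post. Defaults are assumptions for a
# typical RHEL FreeRADIUS + Samba install; override via the environment.
RADIUS_USER="${RADIUS_USER:-radiusd}"
WINBIND_PRIV_DIR="${WINBIND_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"

# True if an ls permission character grants execute/search.
has_x() { case "$1" in x|s|t) return 0 ;; *) return 1 ;; esac; }

# Pure permission logic so it can be tested without touching the system:
# MODE is an ls-style string (e.g. drwxr-x---), OWNER/GROUP the directory's
# owner and group, USER the account to test, GROUPS its space-separated
# group list. Exit 0 means USER can traverse (search) the directory.
perm_allows_traverse() {
  mode="$1"; owner="$2"; group="$3"; user="$4"; groups="$5"
  [ "$user" = root ] && return 0                 # root bypasses mode bits
  if [ "$user" = "$owner" ]; then
    has_x "$(printf %s "$mode" | cut -c4)"; return $?
  fi
  for g in $groups; do
    if [ "$g" = "$group" ]; then
      has_x "$(printf %s "$mode" | cut -c7)"; return $?
    fi
  done
  has_x "$(printf %s "$mode" | cut -c10)"
}

# Live check: can the FreeRADIUS account reach the winbindd privileged
# directory? ntlm_auth needs that for the MSCHAPv2 challenge/response.
check_winbind_priv() {
  dir="${1:-$WINBIND_PRIV_DIR}"; user="${2:-$RADIUS_USER}"
  line=$(ls -ld "$dir" 2>/dev/null) || { echo "cannot stat $dir"; return 2; }
  set -- $line                                   # mode links owner group ...
  mode="$1"; owner="$3"; group="$4"
  groups=$(id -Gn "$user" 2>/dev/null) || { echo "no such user: $user"; return 2; }
  if perm_allows_traverse "$mode" "$owner" "$group" "$user" "$groups"; then
    echo "OK: $user can traverse $dir ($mode $owner:$group)"
  else
    echo "FAIL: $user cannot traverse $dir ($mode $owner:$group)"
    echo "      add $user to group $group (usermod -a -G $group $user)"
    return 1
  fi
}

# Run the live check only when asked, so the file can also be sourced.
if [ "${WINBIND_CHECK_RUN:-}" = 1 ]; then check_winbind_priv; fi
```

Run with `WINBIND_CHECK_RUN=1 sh winbind_priv_check.sh`; if it passes but auths still fail, the next step is the ntlm_auth stage in `radiusd -X` output as the post describes.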