FreeRADIUS no longer authenticating domain clients following application of RHEL5 package updates yesterday morning

Matthew Newton mcn4 at leicester.ac.uk
Wed Apr 20 18:51:44 CEST 2016


On Wed, Apr 20, 2016 at 05:11:36PM +0100, Jeremy Hill wrote:
> Following the reboot, the radius.log file is full of entries such as the
> following and no local clients are able to authenticate via this server:

How long did you leave it running for? It's usual to see some "No
EAP session matching the State variable." for a short while after
starting a server if there are auths that get cut over to the new
server while in-flight.

There's not enough in the debug log below to tell. You start off
with a half in-flight auth, then that restarts and the debug is
cut off before the second one finishes.


> Oddly, the results from a: "lsof -i tcp -nP | grep winbindd" does not show
> any LDAP connections over port 389 to our active directory either:
> 
> winbindd  4535    root   23u  IPv4  16513      0t0  TCP 172.19.0.123:56635->172.19.0.73:445 (ESTABLISHED)
> 
> We would expect to find the following:
> 
> winbindd   4221    root   23u  IPv4 34419318      0t0  TCP 172.19.0.124:36502->172.19.0.73:389 (ESTABLISHED)
> winbindd   4221    root   24u  IPv4  8106940      0t0  TCP 172.19.0.124:50653->172.19.0.107:445 (ESTABLISHED)

Depends on where your LDAP call is made. If right at the end of
the auth, and the auths aren't getting that far, then you won't
see anything. So this isn't necessarily a problem in and of
itself.

> Cleaning up request 2 ID 253 with timestamp +2
> WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0xdc342b61de3b32a7 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Ready to process requests.
> 
> To my knowledge our certificate is valid until 2018 so am not sure how to
> proceed, any help gratefully received.

Assuming you're doing PEAP/MSCHAPv2 with ntlm_auth, then what
happens at the ntlm_auth stage in the debug logs? That's the bit
you've changed by upgrading Samba.

Might be something as simple as the winbind priv socket not being
readable by FreeRADIUS any more.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
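As an added diagnostic for the winbind privileged socket point raised above (example script, not from this thread or from the FreeRADIUS or Samba projects; the directory path and the "radiusd" user name are assumed RHEL/Samba defaults and can be overridden in the environment):

```shell
#!/bin/sh
# Added diagnostic (not from the thread): can the FreeRADIUS service user
# reach the winbind privileged pipe directory that ntlm_auth needs?
# Defaults below are assumptions (RHEL package user, usual Samba path);
# override them in the environment if your build differs.
WINBIND_PRIV_DIR="${WINBIND_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"
RADIUS_USER="${RADIUS_USER:-radiusd}"

# Permission-bit check only (no access attempt), so it is meaningful even
# when run as root. Returns 0 if USER has read+search on DIR through the
# owner, group or other bits; 1 if not; 2 if DIR or USER does not exist.
can_access_dir() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || return 2
    id "$user" >/dev/null 2>&1 || return 2
    # POSIX ls -ld: field 1 = mode string, field 3 = owner, field 4 = group
    ls_out=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$ls_out" | awk '{print $1}')
    owner=$(printf '%s\n' "$ls_out" | awk '{print $3}')
    group=$(printf '%s\n' "$ls_out" | awk '{print $4}')
    if [ "$owner" = "$user" ]; then
        bits=$(printf '%s\n' "$mode" | cut -c2-4)          # owner triplet
    elif id -nG "$user" | tr ' ' '\n' | grep -qxF "$group"; then
        bits=$(printf '%s\n' "$mode" | cut -c5-7)          # group triplet
    else
        bits=$(printf '%s\n' "$mode" | cut -c8-10)         # other triplet
    fi
    case "$bits" in
        r?x) return 0 ;;   # r and x both needed to open the pipe inside
        *)   return 1 ;;
    esac
}

# Report in operator terms; the fix is group membership, not a wider mode,
# so the pipe stays closed to every other local account.
diagnose() {
    if can_access_dir "$1" "$2"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "OK: $2 can reach $1; check the ntlm_auth step in 'radiusd -X' instead" ;;
        1) echo "FAIL: $2 cannot traverse $1 ($(ls -ld "$1" | awk '{print $1, $3, $4}'))"
           echo "  fix: usermod -a -G $(ls -ld "$1" | awk '{print $4}') $2; then restart radiusd" ;;
        *) echo "SKIP: $1 or user $2 not present on this host" ;;
    esac
    return "$rc"
}

diagnose "$WINBIND_PRIV_DIR" "$RADIUS_USER" || :
```

Run it on the RADIUS server after the Samba update; a FAIL result with a root-owned, group-only mode directory is the symptom Matthew describes, and adding the service user to the directory's group keeps the mode unchanged.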
