Freeradius 3.x with LDAP authentication

Alan DeKok aland at deployingradius.com
Thu Aug 17 09:11:03 CEST 2017


On Aug 17, 2017, at 3:50 AM, Adam Cage <adamcage27 at gmail.com> wrote:
> 
> Dear, I've tried to understand what you said and I've made some changes:
> 
> * I've deleted the content of /etc/freeradius/users corresponding to the
> ldap-group attribute

  Good...

> * I've added the ldap-group clauses in
> /etc/freeradius/sites-available/default and inner-tunnel, as you said. I
> don't have the ultimate clause yet, so the clause is a no-op if users belong
> to the Group1 group:

  That's fine.

> Here I show you the log for the success test (Alan DeKok's guide exactly,
> without LDAP authorization) and after that the log for the failure test (adding
> LDAP support as described above), in order to confirm that mschap in the
> success test does not show the "NOT TRUSTED SAM ACCOUNT" error that appears in
> the failure case, the AD being the same in both cases:

  Adding an "LDAP-Group" check just can't create that error.  The error is because of something else.  Likely that Samba hasn't actually joined the AD domain.

  While I understand this is frustrating, the error is *entirely* between ntlm_auth and AD.  No amount of poking at FreeRADIUS will fix the problem.

  You will have to check that Samba is actually joined to the domain, and debug issues there.

  You *can* run ntlm_auth manually, using the information provided in the debug output:

$ ntlm_auth --username=adam --domain=D-HOLOMIT --challenge=e1248c7251ea7e63 --nt-response=d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851

  Keep running that (and fixing AD / Samba issues) until you get "success" returned.  FreeRADIUS will then work.

  Alan DeKok.
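The debugging procedure described in the reply above, as an added example that is not part of the thread and not code from the FreeRADIUS or Samba projects: it first checks that this host is really joined to the domain (Samba's `net ads testjoin` and `wbinfo -t`), then calls `ntlm_auth` the way rlm_mschap's default `ntlm_auth` setting does (with `--request-nt-key`) using the username, domain, challenge and NT-response quoted from the debug output, and classifies the verdict. Assumptions: Samba's `net`, `wbinfo` and `ntlm_auth` are installed; the `NTLM_AUTH` variable, the `classify_ntlm_result` / `check_domain_join` / `try_ntlm_auth` function names and the "ok"/"fail" labels are this script's own, not Samba's or FreeRADIUS's.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the check that
# FreeRADIUS's mschap module performs by calling Samba's ntlm_auth directly,
# after first confirming that this host is actually joined to the AD domain.
# Assumptions: Samba's net, wbinfo and ntlm_auth are installed; the command
# line mirrors the default rlm_mschap "ntlm_auth" setting (--request-nt-key).
# Usage: sh check_ntlm.sh USER DOMAIN CHALLENGE_HEX NT_RESPONSE_HEX

NTLM_AUTH="${NTLM_AUTH:-ntlm_auth}"   # set to a full path to pin a specific binary

# Classify ntlm_auth's one-line verdict: "ok" only when it starts with
# NT_STATUS_OK; anything else (another NT_STATUS_*, "not found", empty) is "fail".
classify_ntlm_result() {
    case "$1" in
        NT_STATUS_OK*) echo ok ;;
        *)             echo fail ;;
    esac
}

# Domain-join sanity checks that must pass before ntlm_auth can ever succeed.
# Prints one line per check; returns 0 only if both pass.
check_domain_join() {
    status=0
    if net ads testjoin >/dev/null 2>&1; then
        echo "net ads testjoin: OK"
    else
        echo "net ads testjoin: FAILED (not joined, or the machine account is broken)"
        status=1
    fi
    if wbinfo -t >/dev/null 2>&1; then
        echo "wbinfo -t: OK (winbind can use the machine trust secret)"
    else
        echo "wbinfo -t: FAILED (winbind not running, or no DC reachable)"
        status=1
    fi
    return $status
}

# Run the same check rlm_mschap performs, with values copied from the
# FreeRADIUS debug output.  Prints ntlm_auth's verdict on stderr and
# "ok" or "fail" on stdout.
# Usage: try_ntlm_auth USER DOMAIN CHALLENGE_HEX NT_RESPONSE_HEX
try_ntlm_auth() {
    verdict=$("$NTLM_AUTH" --request-nt-key \
        --username="$1" --domain="$2" \
        --challenge="$3" --nt-response="$4" 2>&1 | head -n 1)
    echo "ntlm_auth: $verdict" >&2
    classify_ntlm_result "$verdict"
}

main() {
    check_domain_join || echo "Fix the domain join first; ntlm_auth cannot succeed until it passes." >&2
    result=$(try_ntlm_auth "$@")
    echo "result: $result"
    [ "$result" = ok ]
}

# Example invocation with the values quoted in the thread's debug output:
#   sh check_ntlm.sh adam D-HOLOMIT e1248c7251ea7e63 d594e0a1673248f8e3a3b358381b78ed47891d8cd0fea851
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Keep re-running it while fixing Samba and AD; only when the verdict line begins with `NT_STATUS_OK` will FreeRADIUS's mschap module start accepting the same users.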
