Freeradius and Winbindd Issue
Kinglok Fong
busywater at gmail.com
Tue Aug 29 09:55:33 CEST 2017
Hi all,
I am using freeradius 3.0.15. Samba version is 4.6.7. I compiled both on a Debian 9 machine.
With nmbd and winbindd running flawlessly in the background, domain user identification works using tools like wbinfo and id. However, when I try to configure it with freeradius, it cannot authenticate.
First of all, this is the configuration file:
/usr/local/freeradius/etc/raddb/mods-enabled/mschap
===============
winbind_username = "%{schap:User-Name}"
winbind_domain = "SAMBADOM"
#ntlm_auth = blahblahblah
==============
Authentication was tested using radtest
===============
/usr/local/freeradius/bin/radtest -t mschap a_user thepassword 127.0.0.1 0 testing123
Sent Access-Request Id 191 from 0.0.0.0:39893 to 127.0.0.1:1812 length 129
User-Name = "a_user"
MS-CHAP-Password = "thepassword"
NAS-IP-Address = 192.168.107.7
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "thepassword"
MS-CHAP-Challenge = 0xde5c70d1225f3f6c
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e1a8009205e77b1fbbf020022ba3e20b70df576b57c71971
Sent Access-Request Id 191 from 0.0.0.0:39893 to 127.0.0.1:1812 length 129
User-Name = "a_user"
MS-CHAP-Password = "thepassword"
NAS-IP-Address = 192.168.107.7
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "thepassword"
MS-CHAP-Challenge = 0xde5c70d1225f3f6c
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e1a8009205e77b1fbbf020022ba3e20b70df576b57c71971
Sent Access-Request Id 191 from 0.0.0.0:39893 to 127.0.0.1:1812 length 129
User-Name = "a_user"
MS-CHAP-Password = "thepassword"
NAS-IP-Address = 192.168.107.7
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "thepassword"
MS-CHAP-Challenge = 0xde5c70d1225f3f6c
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e1a8009205e77b1fbbf020022ba3e20b70df576b57c71971
(0) No reply from server for ID 191 socket 3
===================
log.winbindd (in log level 10)
===================
[2017/08/29 15:03:44.139816, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:761(process_request)
process_request: request fn INTERFACE_VERSION
[2017/08/29 15:03:44.141735, 3, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[25579]: request interface version (version = 28)
[2017/08/29 15:03:44.143656, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:864(winbind_client_response_written)
winbind_client_response_written[25579:INTERFACE_VERSION]: delivered response to client
[2017/08/29 15:03:44.145639, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:761(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2017/08/29 15:03:44.147727, 3, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[25579]: request location of privileged pipe
[2017/08/29 15:03:44.150965, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:864(winbind_client_response_written)
winbind_client_response_written[25579:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2017/08/29 15:03:44.153161, 6, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:919(new_connection)
accepted socket 27
[2017/08/29 15:03:44.155338, 6, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:968(winbind_client_request_read)
closing socket 25, client exited
[2017/08/29 15:03:44.157538, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:734(process_request)
process_request: Handling async request 25579:GETGROUPS
[2017/08/29 15:03:44.159669, 3, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
getgroups freerad
[2017/08/29 15:03:44.162646, 1, pid=25544, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'SAMBADOM'
name : *
name : 'FREERAD'
flags : 0x00000008 (8)
[2017/08/29 15:03:44.171620, 1, pid=25544, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USE_NONE (0)
sid : *
sid : S-0-0
result : NT_STATUS_NONE_MAPPED
[2017/08/29 15:03:44.180970, 5, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
[2017/08/29 15:03:44.183154, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
wb_request_done[25579:GETGROUPS]: NT_STATUS_NONE_MAPPED
[2017/08/29 15:03:44.192083, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:864(winbind_client_response_written)
winbind_client_response_written[25579:GETGROUPS]: delivered response to client
==============
When I switch back to using ntlm_auth instead, it works flawlessly.
Hope someone can help.
Thanks for attending.
Kinglok, Fong
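
Added example (not part of the original post, and not FreeRADIUS or Samba code): a small Python summariser for level-10 log.winbindd output in the format quoted above. It lists each request function a winbindd client issued and the NT status it finished with. `SAMPLE` is an excerpt of the log lines from the post; the names `summarize` and `non_ok` are made up for this example.

```python
import re
from collections import defaultdict

# Excerpt of the log.winbindd lines quoted in the post above.
SAMPLE = """\
[2017/08/29 15:03:44.143656, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:864(winbind_client_response_written)
winbind_client_response_written[25579:INTERFACE_VERSION]: delivered response to client
[2017/08/29 15:03:44.150965, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:864(winbind_client_response_written)
winbind_client_response_written[25579:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2017/08/29 15:03:44.183154, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:796(wb_request_done)
wb_request_done[25579:GETGROUPS]: NT_STATUS_NONE_MAPPED
[2017/08/29 15:03:44.192083, 10, pid=25544, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:864(winbind_client_response_written)
winbind_client_response_written[25579:GETGROUPS]: delivered response to client
"""

# "wb_request_done[<client pid>:<request fn>]: <NT status>"
DONE = re.compile(r"wb_request_done\[(\d+):(\w+)\]: (\w+)")
# "winbind_client_response_written[<client pid>:<request fn>]: ..."
WRITTEN = re.compile(r"winbind_client_response_written\[(\d+):(\w+)\]")


def summarize(log_text):
    """Return {client_pid: [(request_fn, nt_status_or_None), ...]} in delivery order."""
    status = {}                      # (pid, fn) -> status seen in wb_request_done
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = DONE.search(line)
        if m:
            status[(m[1], m[2])] = m[3]
            continue
        m = WRITTEN.search(line)
        if m:
            # Requests that log no wb_request_done line get status None.
            per_client[int(m[1])].append((m[2], status.pop((m[1], m[2]), None)))
    return dict(per_client)


def non_ok(summary):
    """List (client_pid, request_fn, status) for requests that ended with an error status."""
    return [(pid, fn, st) for pid, reqs in sorted(summary.items())
            for fn, st in reqs if st not in (None, "NT_STATUS_OK")]


if __name__ == "__main__":
    for pid, fn, st in non_ok(summarize(SAMPLE)):
        print(f"client {pid}: {fn} -> {st}")
```
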