problems getting ntlm_auth working.
L.P.H. van Belle
belle at bazuin.nl
Fri Aug 30 13:55:19 CEST 2019
Hai Alan,
Offcourse if id read everyting you where saying.
And it's all working now.
If you can change one thing to the site's howto then you will never get these questions again.
.. Yes i know it is on the site already but, i would suggest you change this part.
'This configuration needs to be set on all participating Samba member(s) and (Samba4) AD-DC server(s).'
So what did i miss.. Yes, forgot to add to the AD-DC's smb.conf
ntlm auth = mschapv2-and-ntlmv2-only
After setting that, then "it just works" .. ;-)
Pretty stupid of me.. I wont argue that..
Just twoo more questions.
1)
We can authenticate 3 ways.
username
username at REALM
NTDOM\username
If running freeradius on AD-DC.
where : winbind use default domain = yes is not working on AD-DC.
See output of wbinfo -u
You can login with : username or NTDOM\username.
test : radtest -t mschap 'NTDOM\username' 'password' localhost 0 testing123
test : radtest -t mschap 'username' 'password' localhost 0 testing123
If running freeradius on AD-Member
where : winbind use default domain = yes is working.
See output of wbinfo -u
You can login with : username or username at REALM
test : radtest -t mschap 'username' 'password' localhost 0 testing123
test : radtest -t mschap 'username at REALM' 'password' localhost 0 testing123
What is the best way to handle all 3 types?
Im really new with freeradius, im trying to understand the configs, but thats not done in a sec.
2) Do note on the REALM.
I notice, and maybe you can verify this.
If realm is set as :
[libdefaults]
default_realm = internal.domain.tld
Trying to login with : username at INTERNAL.DOMAIN.TLD does not work.
You must match CAPS/non-caps in REALM, dorrect?
Or can we handle this in the config?
But thank you for your responces so far.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: Freeradius-Users
> [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freerad
ius.org] Namens Alan DeKok
> Verzonden: donderdag 29 augustus 2019 16:31
> Aan: FreeRadius users mailing list
> Onderwerp: Re: problems getting ntlm_auth working.
>
> On Aug 29, 2019, at 9:56 AM, Alan DeKok
> <aland at deployingradius.com> wrote:
> > The possible problems are:
> >
> > a) the program is run under a different UID, and therefore
> can't access the resources it needs when run under a different UID
Yes, i have checked that. Ive added freerad to winbind_priv group.
> >
> > b) the parameters passed to the program are different in
> the situations when it works, and when it doesn't work
>
> The only *other* choice is that the client is doing MS-CHAP
> calculations wrong. FreeRADIUS just packages that up and
> sends it to ntlm_auth. So if the calculations are wrong,
> then ntlm_auth will return "fail", even when ntlm_auth and
> samba are configured correctly.
>
> That can be tested by doing a test without ntlm_auth, and a
> locally configured password. If that works, then the client
> is fine. And, the problem isn't FreeRADIUS. Because
> FreeRADIUS can authenticate users just fine.
You where complety right here.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list