The debugging output is exactly saying what's wrong

Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)

This dir should be readable by freeradius AND winbind. I thought 750 would work J.

--
Jonathan De Graeve
IMELDA vzw
Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98

> -----Original message-----
> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED] On behalf of [EMAIL PROTECTED]
> Sent: Thursday, 26 October 2006 16:24
> To: freeradius-users@lists.freeradius.org
> Subject: freeradius and ntlm_auth howto
>
>
> All,
> I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto.
> Can someone of the users look at the output below and point me to the correct solution/howto?
>
> I set up smb.conf, krb5.conf and freeradius. I joined the server to the domain and tested the connection with ntlm_auth:
> [EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
> password:
> NT_STATUS_OK: Success (0x0)
> [EMAIL PROTECTED] ~]#
>
> rights of the winbind pipe:
> ls -l /var/cache/samba/winbindd_privileged
> total 0
> srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe
>
> below is the debug output of freeradius
>
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> rlm_eap_peap: Tunneled data is valid.
> PEAP: Got tunneled EAP-Message
> EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c300000000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
> PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
> PEAP: Adding old state with a4 c3
> PEAP: Sending tunneled request
> EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c300000000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
> FreeRADIUS-Proxied-To = 127.0.0.1
> User-Name = "KMT-EU.KMTG.NET\\sstruyf"
> State = 0xa4c337a92357e8d90a5f8c64b37d2df1
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 7
> modcall[authorize]: module "preprocess" returns ok for request 7
> modcall[authorize]: module "mschap" returns noop for request 7
> rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
> rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
> rlm_realm: Found realm "KMT-EU.KMTG.NET"
> rlm_realm: Adding Stripped-User-Name = "sstruyf"
> rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
> rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module "ntdomain" returns noop for request 7
> rlm_eap: EAP packet type response id 9 length 82
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 7
> users: Matched sstruyf at 98
> modcall[authorize]: module "files" returns ok for request 7
> modcall: group authorize returns updated for request 7
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 7
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 7
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
> rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> mschap2: 95
> rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
> Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
> Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 7
> modcall: group Auth-Type returns reject for request 7
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 7
> modcall: group authenticate returns reject for request 7
> auth: Failed to validate the user.
> Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client localhost port 0)
> Processing the post-auth section of radiusd.conf
> modcall: entering group Post-Auth-Type for request 7
>
> Stieven Struyf
> M.I.S. Division - System Operations
> Komatsu Europe International NV
> Mechelsesteenweg 586
> B-1800 Vilvoorde
> [EMAIL PROTECTED]
> Tel. +32 (0)2 2552551

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
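
An added check for the permission problem discussed in this thread (example code, not from either poster and not part of Samba or FreeRADIUS): it reads the owner, group and mode of the winbindd_privileged directory and reports whether a named account gets r-x there without the directory being open to every local account. The function name, the return codes and the "nothing for other" criterion are assumptions of this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Linux).
# check_priv_dir DIR USER: judge from owner/group/mode bits whether USER
# can read and search DIR (the r-x that mode 750 gives the group).
# Root bypasses mode bits; this looks only at the bits themselves.
# Returns 0 = r-x via owner or group bits, nothing set for "other"
#         1 = no access for USER (what the log's 0xc0000022 message points at)
#         2 = "other" has permission bits set (looser than 750)
#         3 = DIR missing or USER unknown
check_priv_dir() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 3; }
    uid=$(id -u "$user" 2>/dev/null) || { echo "unknown user: $user"; return 3; }

    mode=$(stat -c '%a' "$dir")       # octal string, e.g. 750
    m=$((0$mode))                     # leading 0 makes it an octal constant
    d_uid=$(stat -c '%u' "$dir")
    d_gid=$(stat -c '%g' "$dir")

    if [ $(( $m & 7 )) -ne 0 ]; then
        echo "$dir: mode $mode gives access to every local account"
        return 2
    fi
    if [ "$uid" = "$d_uid" ]; then
        bits=$(( ($m >> 6) & 7 ))     # owner class applies
    else
        case " $(id -G "$user") " in
            *" $d_gid "*) bits=$(( ($m >> 3) & 7 )) ;;   # group class applies
            *) echo "$user is neither owner nor in gid $d_gid of $dir"
               return 1 ;;
        esac
    fi
    if [ $(( $bits & 5 )) -eq 5 ]; then
        echo "$user can read and search $dir (mode $mode)"
        return 0
    fi
    echo "$user lacks r-x on $dir (mode $mode)"
    return 1
}

# Usage: sh check.sh /var/cache/samba/winbindd_privileged <account radiusd runs as>
if [ "$#" -ge 2 ]; then
    check_priv_dir "$1" "$2"
fi
```

A result of 1 for the account radiusd runs as is usually fixed by adding that account to the directory's group rather than by widening the mode.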