Jacob Jarick wrote:
> I have gone back to ntlm_auth for the time being instead of ldap due
> to the incredibly frustrating lack of good documentation (if there are
> good docs, link it or shut up).

A large part of the problem is that you seem to be making random changes, and following various bits of various documentation. The way to get it to work is this:

1. Start with the default configuration. ALWAYS start with the default configuration.
2. Make one small change.
3. Test it.
4. If it works, go back to step 2 and make another change.
5. If it doesn't work, try again.

Also, keep backups of everything. If something works, make a copy. Also, in step 4, repeat all of the tests that worked earlier.

> None of the howtos/tutorials I have followed end in success, it's
> always some ldap error of some kind.

Then fix the LDAP errors before trying to debug FreeRADIUS. If FreeRADIUS can't connect to the LDAP server, then your setup won't work.

> At least 1/2 the FR + LDAP howtos
> say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is
> incorrect.

It's wrong. It's not needed. You can believe the random people on the net who don't understand FreeRADIUS, or you can believe the people here, who do understand it.

> I followed Alan's Active Directory Integration tutorial and everything
> is set up as the guide says, but eap fails with this message:
> "
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: leaving group authenticate (returns invalid) for request 7
> auth: Failed to validate the user.
> "

You are NOT reading the whole debug output. That's part of the reason you're finding this so difficult. The real cause of the authentication failure, AND THE SUGGESTED FIX are in the debugging output:

  Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)

What part of that is not clear? It also looks like you did NOT follow my guide, which says to run ntlm_auth from the command line first.

> On another note I'd like to volunteer to help update some of the
> documentation out there on FR, some is horribly out of date and makes
> for a very frustrating introduction for people.

It's almost as frustrating to write documentation and then have it ignored. When the documentation says 10 times read the debugging output, it really, truly, honestly, means that you should read it. Looking at the last few lines that say "authentication failed" is useless. The rest of the output contains the information as to WHY it failed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
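
The point made in the message above, as an added example that is not part of the original post or of FreeRADIUS: a small scan of saved debug output that pulls out the helper program's own error text and shows how far above the final "Failed" lines it sits. The sample input, the `find_causes` name and the NT status table are assumptions made for illustration; only the `Exec-Program-Wait` line and the five failure lines come from the thread.

```python
import re

# NT status codes that can appear in parentheses at the end of the helper's
# error text (added lookup table, not taken from the thread).
NT_STATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
}
EXEC_OUT = re.compile(r"Exec-Program-Wait: plaintext: (.*)")
STATUS = re.compile(r"\((0x[0-9a-fA-F]{8})\)\s*$")
VERDICT = "auth: Failed to validate the user"

# Constructed sample: line 1 is filler, the remaining lines are the ones
# quoted in the thread, placed in an assumed order.
SAMPLE_DEBUG = """\
modcall: entering group authenticate for request 7
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
"""

def find_causes(debug_text):
    """Return helper-program output lines and their distance above the verdict."""
    lines = debug_text.splitlines()
    verdicts = [n for n, text in enumerate(lines, 1) if VERDICT in text]
    last = verdicts[-1] if verdicts else None
    causes = []
    for n, line in enumerate(lines, 1):
        m = EXEC_OUT.search(line)
        if not m:
            continue
        msg = m.group(1).strip()
        code = STATUS.search(msg)
        name = NT_STATUS.get(int(code.group(1), 16), "unrecognised") if code else None
        above = last - n if last is not None and last > n else None
        causes.append({"line": n, "message": msg, "nt_status": name,
                       "lines_above_verdict": above})
    return causes

if __name__ == "__main__":
    for c in find_causes(SAMPLE_DEBUG):
        print(f"line {c['line']} ({c['lines_above_verdict']} lines above the verdict): "
              f"{c['nt_status']}: {c['message']}")
```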