Just had this same problem myself. Oddly enough with Fedora, the samba-common package is all that will be installed as a dependency and it does not include the regular samba services. I could start winbind and even do ntlm_auth requests, but I was essentially having this same issue where it would just fail over and over and nothing useful was turning up in the logs. I then saw this post in the and tried installing the main samba package then started the smb service before winbind and that fixed it.
Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State College Red Hat Certified Technician (RHCT) -----Original Message----- From: freeradius-users-bounces+tcasartello=wsc.ma....@lists.freeradius.org [mailto:freeradius-users-bounces+tcasartello=wsc.ma....@lists.freeradius.org ] On Behalf Of Meyers, Dan Sent: Friday, December 04, 2009 5:42 AM To: FreeRadius users mailing list Subject: RE: Logins against AD failing in *most* cases. Can see why, but don't*understand* why. > Given *my* background: I tend to blame everything *other* than > FreeRADIUS. If there's a bug, it gets fixed pretty quickly. That's > more than you can say for Microsoft. Finally got it sorted, and it was indeed nothing to do with FreeRADIUS but was a combination of several factors all related to Samba (posted here in case anyone else has similar issues in future and thinks it's FreeRADIUS): 1) We needed to upgrade to a newer version of Samba to be able to talk to Windows Server 2008 R2 (R2 made some significant changes over straight 2008, according to our Windows admins, so R1 or straight 2008 might be more lenient) using ntlm_auth (something we did quite early in the attempt to get it working). We're now on 3.4.3 compiled from source (3.4.0 in packages for Debian 5.0 didn't seem to work). 2) We needed to change our smb.conf. The config that worked with Server 2003 seems to not work with 2008 R2. 3) (And this was the one that really got me towards the end and caused me much confusion for the last few days when it sometimes worked and sometimes didn't): You *must* start Samba (i.e. nmbd and smbd) before winbind. If you start winbind first, then ntlm_auth gives every indication of working correctly. An ntlm_auth --username=whatever and then giving a password returns NT_STATUS_OK: Success (0x0). An incorrect password returns NT_STATUS_WRONG_PASSWORD, so it's evidently talking to the DC OK. Likewise taking a username, challenge and nt response from a radius request in debug mode and testing on the command line does return an NT key like it should. *However* that NT key, which is the same every time the command is run for a given username, challenge and response, is *not* the same as the NT key returned for the same username, challenge and response if you start Samba before winbind. If you start winbind first, the client will reject the NT key returned. If you start Samba first, it works fine. Bit of a noddy error on my part, that one. But if ntlm_auth had actually given any indication of not being able to talk to the domain I would have spotted it much sooner. Because all indications were that it was communicating fine it never occurred to me that the NT key being returned might be invalid. Thanks all. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
smime.p7s
Description: S/MIME cryptographic signature
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
