I ran across a post on the Red Hat forums that stated that you must start smbd before winbindd; otherwise, even though running ntlm_auth seems to work from the command line, it doesn't work when running FreeRadius.
Issue resolved. Thanks for the help.

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
[email protected]

> -----Original Message-----
> From: freeradius-users-bounces+neil-[email protected] [mailto:freeradius-users-[email protected]] On Behalf Of Johnson, Neil M
> Sent: Thursday, October 28, 2010 11:27 AM
> To: FreeRadius users mailing list
> Subject: RE: Authenticating agains AD issues
>
> Could this be the samba bug? I'm running 3.4.9 of samba. I thought it
> was fixed in that release.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> 319 384-0938
> [email protected]
>
> > -----Original Message-----
> > From: freeradius-users-bounces+neil-[email protected] [mailto:freeradius-users-[email protected]] On Behalf Of Johnson, Neil M
> > Sent: Thursday, October 28, 2010 10:58 AM
> > To: FreeRadius users mailing list
> > Subject: RE: Authenticating agains AD issues
> >
> > Okay, I made those changes, but it still isn't working..
> >
> > New log output:
> >
> > Found Auth-Type = EAP
> > +- entering group authenticate {...}
> > [eap] Request found, released from the list
> > [eap] EAP/mschapv2
> > [eap] processing type mschapv2
> > [mschapv2] +- entering group MS-CHAP {...}
> > [mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
> > [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo
> > [mschap] expand: %{mschap:NT-Domain} -> IOWA
> > [mschap] expand: --domain=%{%{mschap:NT-Domain}:-IOWA} -> --domain=IOWA
> > [mschap] mschap2: f7
> > [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=7ec345e462e886cc
> > [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a702419f587f109f326572c6e275dde4c144ccf18a11cc1d
> > Exec-Program output: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
> > Exec-Program-Wait: plaintext: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> > ++[eap] returns handled
> > } # server inner-tunnel
> > [peap] Got tunneled reply code 11
> > EAP-Message = 0x010a00331a0309002e533d37304443454534424441463830433945444643443943413335313237463630414239443345323741
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x685b4a666951502b3811a806682630a9
> > [peap] Got tunneled reply RADIUS code 11
> > EAP-Message = 0x010a00331a0309002e533d37304443454534424441463830433945444643443943413335313237463630414239443345323741
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x685b4a666951502b3811a806682630a9
> > [peap] Got tunneled Access-Challenge
> > ++[eap] returns handled
> > Sending Access-Challenge of id 0 to 128.255.11.74 port 32768
> > EAP-Message = 0x010a005b19001703010050a8e7120ce3206005ece77b52e24df05d1ea02d75ff3620697699ee570a8b6a06d08cc95c2d4f4985bd9d8754d8a895ca8758dddd2ba6f7973a78d16d781735fb1e7274f297ef87971da17a0f708d6d0d
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0x122499391a2e80cc44ec4cdf9c13104c
> > Finished request 17.
> > Going to the next request
> > Waking up in 3.2 seconds.
> > C
> >
> > --
> > Neil Johnson
> > Network Engineer
> > Information Technology Services
> > The University of Iowa
> > 319 384-0938
> > [email protected]
> >
> > > -----Original Message-----
> > > From: freeradius-users-bounces+neil-[email protected] [mailto:freeradius-users-[email protected]] On Behalf Of Phil Mayers
> > > Sent: Thursday, October 28, 2010 10:44 AM
> > > To: [email protected]
> > > Subject: Re: Authenticating agains AD issues
> > >
> > > On 28/10/10 16:22, Johnson, Neil M wrote:
> > > > Yes, I did.
> > >
> > > Ah. However, the debug output says:
> > >
> > > > [mschap] expand: %{Stripped-User-Name} ->
> > > > [mschap] ... expanding second conditional
> > > > [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> > > > [mschap] expand: %{User-Name:-None} -> IOWA\nmjoo
> > > > [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo
> > >
> > > i.e. the username still contains a "DOMAIN\". You need to change the
> > > "ntlm_auth" command in /etc/raddb/modules/mschap to have:
> > >
> > > ntlm_auth = "... --username=%{mschap:User-Name} ..."
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
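
Added example, not part of the original thread or of FreeRADIUS: a small Python check that scans debug output for the condition pointed out in the thread, an `ntlm_auth` `--username` argument that still expands to a `DOMAIN\user` value. The function name and the sample text (assembled from the debug lines quoted above) are constructed for illustration.

```python
import re

# Debug line the mschap module prints for each expanded ntlm_auth argument:
#   [mschap] expand: --username=<template> -> --username=<value>
EXPAND_RE = re.compile(
    r"\[mschap\]\s+expand:\s+(--[\w-]+)=(\S+)\s+->\s+\1=(\S*)"
)


def find_domain_prefixed_usernames(debug_output):
    """Return one finding per --username expansion that still holds DOMAIN\\user."""
    findings = []
    for line_no, line in enumerate(debug_output.splitlines(), start=1):
        match = EXPAND_RE.search(line)
        if not match or match.group(1) != "--username":
            continue
        template, value = match.group(2), match.group(3)
        if "\\" in value:
            domain, _, user = value.partition("\\")
            findings.append({
                "line": line_no,
                "template": template,  # the configured expansion string
                "value": value,        # what ntlm_auth actually received
                "domain": domain,
                "user": user,
            })
    return findings


# Constructed sample built from the debug lines quoted in the thread.
# Raw strings keep the backslash in IOWA\nmjoo from becoming a newline.
SAMPLE = "\n".join([
    r"[mschap] expand: %{User-Name:-None} -> IOWA\nmjoo",
    r"[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}}"
    r" -> --username=IOWA\nmjoo",
    r"[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo",
    r"[mschap] expand: --domain=%{%{mschap:NT-Domain}:-IOWA} -> --domain=IOWA",
])

if __name__ == "__main__":
    for f in find_domain_prefixed_usernames(SAMPLE):
        print(f"line {f['line']}: --username expanded to {f['value']!r} "
              f"via {f['template']}; use %{{mschap:User-Name}} instead")
```
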

