HI, Thanks,
On Mon, Jan 7, 2013 at 5:41 PM, Phil Mayers <[email protected]> wrote:

> On 07/01/13 16:49, Khapare Joshi wrote:
>
>> Hello
>>
>> I been having problem as listed in this bug list:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=6563#c59
>>
>> I know at least few university having similar issue and ended up with
>> restarting winbind - that resolve the issue. I am not sure which version
>> of samba+winbind are you using?
>>
>
> We are on RHEL5 using samba3x-3.3.8-0.52.el5_5.2. Our domain is Windows
> 2008R2, domain functional level is 2008R2 native.
>

I am running on: CENTOS6
samba-winbind-3.5.10-125.el6.x86_64
samba-3.5.10-125.el6.x86_64
samba-common-3.5.10-125.el6.x86_64

>> Also, I am just thinking, is there a way to configure both kerberos
>> (which works TTLS with PAP) and EAP-PEAP with MSCHAPv2? If it is
>> possible I can support both TTLS via kerberos and PEAP - MSCHAP with
>> Active Directory (winbind and samba). This way I can continue support
>> older client XP, Win7, and for rest those are supported I can enforce
>> to use TTLS-PAP with kerberos. It would be great if you direct me in
>> right road.
>>
>
> Yes you can do this. I'm not sure what you're asking. You just configure
> each component correct and let it work.
>

Oh, I meant to support mschap as well. At the moment in my development
environment I could not authenticate from a Windows 7 client because I can
only choose the mschap option.

> This is only very slightly tricky because rlm_krb5 doesn't contain any
> Auth-Type handling; you need to run krb5 if it's a PAP request, see below.
> But you must already be doing this if you're using Kerberos, so just...
> keep doing it.
>

Yes, Kerberos is working right now. What I did was: added to
/etc/raddb/sites-enabled/inner-tunnel, right after the Auth-Type PAP block,

Auth-Type kerberos {
    krb5
}

and DEFAULT Auth-Type = kerberos in the users file.

> sites-enabled/inner-tunnel:
>
> authorize {
>     ...
>     eap
>     mschap
>     pap
>     ...
> }
>
> authenticate {
>     Auth-Type PAP {
>         krb5
>     }
>     Auth-Type MSCHAP {
>         mschap
>     }
>     eap
> }
>
> ...then configure "eap {}" appropriately for TTLS and PEAP.
>

To make this work, I still have to configure samba, join the radius server to
AD and so on for the AD authentication, right? But kerberos only works with
PAP; is there a security risk - what is your view on this?

> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
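Phil's outline assembled into one worked configuration, added here as an example rather than either poster's actual files. It assumes the FreeRADIUS 2.x file layout of the quoted paths, a RADIUS host already joined to the domain with winbindd running, and DOMAIN as a placeholder for the AD NetBIOS domain name.

```unlang
# /etc/raddb/sites-enabled/inner-tunnel (FreeRADIUS 2.x layout assumed)
# Both EAP-TTLS/PAP and EAP-PEAP/MSCHAPv2 requests end up in this virtual server.
server inner-tunnel {
    authorize {
        # mschap sets Auth-Type MSCHAP when MS-CHAP attributes are present;
        # pap sets Auth-Type PAP when a User-Password is present. No
        # DEFAULT Auth-Type entry in the users file is needed for this.
        eap
        mschap
        files
        pap
    }
    authenticate {
        # PAP carries the cleartext password (only ever inside the TLS
        # tunnel), which is what rlm_krb5 needs to verify against the AD KDC.
        Auth-Type PAP {
            krb5
        }
        # MSCHAPv2 carries only a challenge/response, so it must go to AD
        # through winbind; krb5 cannot verify it.
        Auth-Type MSCHAP {
            mschap
        }
        eap
    }
}

# /etc/raddb/modules/mschap: verify MS-CHAPv2 through ntlm_auth/winbindd.
# Requires "net ads join" on the RADIUS host. DOMAIN is a placeholder.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# /etc/raddb/eap.conf, inside the existing "eap { ... }" block (tls {} unchanged).
# Clients must validate the server certificate: the TLS tunnel is the only
# thing protecting the PAP password on the TTLS path.
ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
}
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    virtual_server = "inner-tunnel"
}
```

With this in place, XP/Win7 supplicants that only offer PEAP/MSCHAPv2 are verified by winbind, while TTLS/PAP clients are verified by the KDC, both from the same inner-tunnel server.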

