I understand that, but what I don't understand is why my PF server can resolve the IP address of the AD server, using the configured DNS server, and can reverse this so the name can be pulled from the IP address, but even then samba doesn't seem to want to work as it did before.
EG.
Resnet DNS server: - 10.1.3.11
PF server: 10.1.3.10
AD server: 192.1.68.110.34 (also a DNS server, but I want to configure PF to use the resnet DNS if possible)

All names and IP addresses are resolvable from the PF server, however if I declare 192.168.110.34 in /etc/resolv.conf ntlm_auth works, but if I declare 10.1.3.11 then it doesn't.

I appreciate this isn't actually a PF problem, and more a linux/samba/dns problem, but I was hoping someone on the list may have seen this before.

Cheers,
Andi

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: 27 January 2012 15:06
To: [email protected]
Subject: Re: [Packetfence-users] Radius no longer authenticating users

You need to have a DNS server that is able to resolve your local domain name properly, otherwise it won't work :S

ie. 4.2.2.2 is not able to resolve domain.local for sure :)

On 12-01-27 10:00 AM, Morris, Andi wrote:
> When attempting to rejoin the domain I get the error "Failed to join domain:
> failed to find DC for domain".
>
> Ntlm_auth --username ............. responds with:
> NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)
>
> However I've since discovered that if I put the IP address of the DC as a
> nameserver in /etc/resolv.conf the ntlm_auth test is successful. Do I need
> to have this IP address in there, I would rather use the DNS server that I
> did have set if possible.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Francois Gaudreault [mailto:[email protected]]
> Sent: 27 January 2012 14:43
> To: [email protected]
> Subject: Re: [Packetfence-users] Radius no longer authenticating users
>
> Rejoin the machine to the domain and it should fix it.
>
> On 12-01-27 8:54 AM, Morris, Andi wrote:
>> Hi all,
>>
>> Since yesterday my PF server has stopped authenticating users. The
>> only things that I can think may be related are:
>>
>> -A week or so back I added a new DNS server into the PF development
>> network, and changed all the relevant entries that I could think of
>> in the PF config. This morning was possibly the first time the PF
>> server had rebooted since this new DNS server was in place.
>>
>> -Yesterday I mounted a windows share on the PF server so that I could
>> transfer some company logos etc onto the box, I managed to do this
>> successfully via CIFS.
>>
>> To troubleshoot I attempted a radtest dd9999 Abcd1234 localhost 12
>> testing123 and a kinit connection and they both failed, with some
>> sort of unknown server message (sorry I didn't write it down), but
>> this led me to realise that I hadn't declared the PF server in the
>> new DNS server, nor the AD server. After adding these entries into
>> DNS I rebooted the PF server and can now successfully run both tests.
>>
>> However I'm still unable to authenticate via radius and am seeing
>> this in the debug log:
>>
>> /# Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel/
>> /+- entering group authenticate {...}/
>> /[eap] Request found, released from the list/
>> /[eap] EAP/mschapv2/
>> /[eap] processing type mschapv2/
>> /[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel/
>> /[mschapv2] +- entering group MS-CHAP {...}/
>> /[mschap] Creating challenge hash with username: sm18818/
>> /[mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password/
>> /[mschap] expand: %{Stripped-User-Name} ->/
>> /[mschap] ... expanding second conditional/
>> /[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details/
>> /[mschap] expand: %{User-Name:-None} -> sm18818/
>> /[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=sm18818/
>> /[mschap] mschap2: 0f/
>> /[mschap] Creating challenge hash with username: sm18818/
>> /[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=dfa962c4782b9582/
>> /[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=54452218a438818444dd851749894003ab9926896ac14877/
>> /Exec-Program output: No logon servers (0xc000005e)/
>> /Exec-Program-Wait: plaintext: No logon servers (0xc000005e)/
>> /Exec-Program: returned: 1/
>> /[mschap] External script failed./
>> /[mschap] FAILED: MS-CHAP2-Response is incorrect/
>> /++[mschap] returns reject/
>> /[eap] Freeing handler/
>> /++[eap] returns reject/
>> /Failed to authenticate the user./
>>
>> "No logon servers" seems to be a samba related error from what I can
>> find, but I can't think of where else I will need to look in order to
>> get this vital service back up and running again.
>>
>> Cheers,
>>
>> Andi
>>
>> ----------------------------------------------------------------------
>>
>> From 1st November 2011 UWIC changed its title to Cardiff
>> Metropolitan University. From the 6th December, as part of this
>> change, all email addresses which included @uwic.ac.uk have changed to
>> @cardiffmet.ac.uk.
>> All emails sent from Cardiff Metropolitan University will now be sent
>> from the new @cardiffmet.ac.uk address. *Please could you ensure that
>> all of your contact records and databases are updated to reflect this
>> change.* Further information can be found on the website here.
>> <http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
>>
>> _______________________________________________
>> Packetfence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Francois Gaudreault, ing. jr
> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
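
Added example, not part of the thread above: forward and reverse lookups succeeding does not show that a resolver also serves the SRV records that Active Directory clients such as Samba use to locate a domain controller. The script below compares resolvers on those lookups; the realm `domain.local` in the usage line is taken from the reply, while the script name and function names are assumptions, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example: check whether each resolver answers the DNS SRV lookups
# used for Active Directory DC location (the names queried are the standard
# DC-locator names; script and function names are hypothetical).

# Query one SRV name against one resolver; prints "prio weight port target" lines.
# Kept as its own function so it can be swapped for canned answers when testing.
query_srv() {
    dig +short +time=2 +tries=1 @"$1" "$2" SRV 2>/dev/null
}

# Count well-formed SRV answers: 4 fields, numeric port, a real target.
# Timeout or error text printed by dig does not match and counts as zero.
count_srv() {
    query_srv "$1" "$2" |
        awk 'NF == 4 && $3 ~ /^[0-9]+$/ && $4 != "." { n++ } END { print n + 0 }'
}

# Return 0 only if the resolver answers every DC-locator SRV name for the realm.
can_locate_dc() {
    resolver=$1 realm=$2 missing=0
    for name in "_ldap._tcp.dc._msdcs.$realm" \
                "_kerberos._tcp.$realm" \
                "_ldap._tcp.$realm"; do
        n=$(count_srv "$resolver" "$name")
        printf '%-16s %-40s %s record(s)\n' "$resolver" "$name" "$n"
        [ "$n" -gt 0 ] || missing=1
    done
    return "$missing"
}

# Usage: ./dc-srv-check.sh domain.local 10.1.3.11 192.168.110.34
if [ "$#" -ge 2 ]; then
    realm=$1; shift
    rc=0
    for r in "$@"; do
        can_locate_dc "$r" "$realm" ||
            { echo "$r: cannot locate a DC for $realm"; rc=1; }
    done
    exit "$rc"
fi
```

A resolver that reports zero records for these names needs a forwarder or delegation for the AD zone before it can replace the DC in /etc/resolv.conf.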
