Hi All;

I didn't get the reason behind Francois's command (i.e. that it would revert to blank/default configs), so thanks Derek for making that clear! (while highlighting to the list I'm not a seasoned Linux guru. :))
Long story: After doing this, looking through the results showed me "Exec-Program output: Exec-Program: FAILED to execute /usr/bin/ntlm_auth: No such file or directory": the ntlm_auth file was missing. Looking further, 'yum provides */ntlm_auth' told me that samba was missing. It wasn't immediately clear to me (via the documentation) that the separate samba install was actually required. This is because I've happily had LDAP queries succeed without SAMBA and without that install step, because configuring /pf/conf/authentication/ldap.pm gave me ldap lookups. Architecturally, I figured pf/freeradius would take care of everything and take what it needed from ldap. However, at this later stage, the configuration makes quite a bit more sense.

Next comes a little feedback. On the ZEN we are with Centos 6.3, and speaking with colleagues, the distro version of Samba (3.5.10) is not trouble free with Windows 7. Many of this lot are with Windows 8 (brave souls!) so I searched and followed the link below to add a 3rd party repo, which maintains the latest versions, currently 3.6.9. I add this here in case it's useful maybe to someone, or maybe to add to documentation?

http://www.mavinerc.com/home/2012/04/30/howto-update-samba-to-the-latest-build-using-yum/

I set in the repos, and proceeded with:

    # yum install samba

...some dependencies needed filling, and I accepted these and completed. This gave me samba3, samba3-client, libwbclient0. I checked each of the packages in the doc, and needed to get the following two manually to get all that were indicated:

    # yum install samba3-utils samba3-winbind

Further notes/differences to the install procedure:

[libdefaults]
* renew_lifetime = 7d <------new line - not sure if it's worth a mention or needs to be removed.
* forwardable = true <---- the default file used true/false, not yes/no: don't know if it's smart enough to cope, or if this would cause an issue

The port numbers were not in the original conf file, but I put them in as per PF doc. The [appdefaults] section was completely missing so copied and pasted out of the PF doc.

In order to get klist and kinit tools, I needed to:

    # yum install krb5-workstation

When testing Samba:

    # testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    WARNING: The "idmap uid" option is deprecated
    WARNING: The "idmap gid" option is deprecated

........so far as I know/can find, these can be ignored... (please feel free to correct me!)

My Windows 8 client now still doesn't get connected - it says it doesn't recognise the certificate, and gives me a hex thumbprint. I'm in the process of creating a certificate and placing trusted roots in (just to prove the point) but from my reading (http://support.microsoft.com/kb/814394/en-us) a special OID is required. So I'm trying to go through that process, test it, establish if the OID is required, and if so, can I get it from a current commercial CA, as establishing a private CA and messing with root certs for 1500 unmanaged devices (on this site) is going to be a pain. Anyone with experience to donate - feel free to contribute!

Sorry for such a long mail.
Thanks and regards;
Ian Manson
+447411317020

On Tue, Nov 20, 2012 at 2:05 PM, Derek Wuelfrath <[email protected]> wrote:
> Ian,
>
> As Francois mentioned (thanks François ;)) you need to point the
> radiusd binary to the configs PacketFence generates when running by hand
> the debug mode since PacketFence manages RADIUS (3.5.0).
>
> Let us know if you figured things out.
>
> Cheers!
>
> On 2012-11-19 8:48 PM, Francois Gaudreault wrote:
>> Try:
>> radiusd -X -d /usr/local/pf/raddb
>>
>> That might help.
>>
>> On 2012-11-19 6:57 PM, Ian Manson wrote:
>>> Hi All;
>>>
>>> I'm trying to sort an issue: running radiusd -X gives me this:
>>> "Ignoring request to authentication address * port 1812 from unknown
>>> client [ip] port 1645"
>>>
>>> From looking about, I think I understand the following:
>>> - The pf/raddb/clients.conf shouldn't be fulfilled manually as the
>>> information should be in the database. Checking pf/raddb/sql.conf, I
>>> see that the right information is populated and transferred from the
>>> pf/conf/radius/sqlconf template to connect to the database.
>>> - The database gets it from the pf/conf/switches.conf with a
>>> /pf/bin/pfcmd service radiusd restart. Using Mysql to try and look to
>>> see that information, I see my device with a good shared secret in the
>>> table radius_nas.
>>> - If the shared secret was wrong, I should see "Received packet from
>>> [ip] with invalid Message-Authenticator! (Shared secret is
>>> incorrect.) Dropping packet without response."
>>>
>>> I've tried a number of things, including resetting shared secrets, and
>>> starting to debug on radiusd, as above. I'm using a Cisco Aironet
>>> 1252 with IOS 12.4.
>>>
>>> I'm using the 3.6 version ZEN for VMWare. I did do the build manually
>>> (which I was doing before the Zen was Centos 6.3) and ran into trouble
>>> and then went to the zen install in case I was messing up somehow.
>>>
>>> Are there any pointers out there as to what I might be doing wrong?
>>> Thanks and regards!
>>> Ian Manson
>>> +447411317020
>>>
>>> ------------------------------------------------------------------------------
>>> Monitor your physical, virtual and cloud infrastructure from a single
>>> web console. Get in-depth insight into apps, servers, databases, vmware,
>>> SAP, cloud infrastructure, etc. Download 30-day Free Trial.
>>> Pricing starts from $795 for 25 servers or applications!
>>> http://p.sf.net/sfu/zoho_dev2dev_nov
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Derek Wuelfrath
> [email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
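Added example, not part of the original thread or of PacketFence: a small triage script for the three `radiusd -X` debug messages quoted in this thread, mapping each to the cause the thread arrived at. The sample log lines are constructed from the quoted messages with a documentation-range address (192.0.2.10); the names `RULES`, `triage` and `SAMPLE` are assumptions.

```python
import re

# Patterns for the radiusd -X debug messages quoted in this thread.
# Each rule carries the cause and check the thread arrived at.
RULES = [
    ("unknown_client",
     re.compile(r"Ignoring request to authentication address \S+ port \d+ "
                r"from unknown\s+client (?P<ip>\S+) port (?P<port>\d+)"),
     "NAS is not in the client list radiusd loaded; when running by hand, "
     "use the PacketFence-generated config: radiusd -X -d /usr/local/pf/raddb"),
    ("bad_shared_secret",
     re.compile(r"Received packet from (?P<ip>\S+) with invalid "
                r"Message-Authenticator"),
     "shared secret on the NAS does not match the one radiusd holds for it"),
    ("missing_helper",
     re.compile(r"FAILED to execute (?P<path>\S+): No such file or directory"),
     "helper binary is missing; find the owning package with "
     "'yum provides */<name>' (ntlm_auth came from the samba packages here)"),
]

def triage(lines):
    """Return one finding per matching debug line, in input order."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern, advice in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"line": lineno, "kind": kind,
                                 "detail": match.groupdict(),
                                 "advice": advice})
                break  # first matching rule wins for a given line
    return findings

# Constructed sample: the thread's messages with a placeholder NAS address.
SAMPLE = """\
Ready to process requests.
Ignoring request to authentication address * port 1812 from unknown client 192.0.2.10 port 1645
Received packet from 192.0.2.10 with invalid Message-Authenticator!  (Shared secret is incorrect.) Dropping packet without response.
Exec-Program output: Exec-Program: FAILED to execute /usr/bin/ntlm_auth: No such file or directory
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['detail']} -> {f['advice']}")
```

To use it on a real session, pass the captured debug output as a list of lines to `triage()` in place of `SAMPLE`.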
