My .02. I'm wondering if it is a domain policy preventing it? All the output he showed looked right up until the point of failure.
On Wed, Aug 13, 2014 at 9:48 AM, Louis Munro <[email protected]> wrote:
> On 2014-08-12, at 15:58 , "Stormont, Stephen (IMS)" <[email protected]> wrote:
> > When I entered the command that you suggested on the PacketFence/FreeRadius server, I got this:
> >
> > [root@pfcv sbin]# ntlm_auth --username=LT-T430-3\$ --challenge=4ab096b446376d5f --ntresponse=4df85dd62db46ee5bef1aa07fe499e87fc16eca72bd529e7
> > Logon failure (0xc000006d)
> >
> > Contents of mschap are below:
> >
> > mschap {
> >   use_mppe = yes
> >   require_encryption = yes
> >   require_strong = yes
> >   with_ntdomain_hack = yes
> >   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --ntresponse=%{mschap:NT-Response:-00}"
> > }
>
> Well, at least you can reproduce it reliably…
>
> Your mschap file looks about right.
> So I think the first step is to get user authentication working reliably.
> It's probably easier to figure out why user auth is not working first since it's easier to know if your password is correct.
>
> What happens when you try user auth at the command line using ntlm_auth?
>
> I.e.
> # ntlm_auth --username=whatever
>
> And if we compare with the FreeRADIUS debugging output for the same section?
> Can you post the relevant lines for that please (same ones as for the computer authentication)?
>
> What happens when you try to authenticate a user with the same arguments to ntlm_auth that FreeRadius uses (just as for the computer auth)?
>
> If user authentication works when you enter the password manually but not when freeradius tries it, then either the 802.1x client is not using a valid password or the AD cannot find that user.
>
> See this article for some background on ntlm:
> http://msdn.microsoft.com/en-ca/library/windows/desktop/aa378749(v=vs.85).aspx
>
> Have a look at the winbind logs (/var/log/samba/log.winbindd ).
> There should be a line for each authentication attempt like the following:
>
> [2014/08/13 09:31:56.156551, 3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
>   [ 7023]: pam auth inverse.local\lmunro
>
> How does the line differ between when you are authenticating manually (from the command line) as opposed to when FreeRadius calls winbind (and fails)?
> Is the domain the same?
>
> Of course it may help if you have some logs from the AD side as well.
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 *125 :: +1 (866) 353-6153
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
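The check Louis describes in the quoted message is to pull the winbind "pam auth" line for the manual ntlm_auth run and for the FreeRADIUS-triggered run and compare the domain part. The script below is an added example, not code from the thread, from PacketFence or from Samba: it extracts one "date time domain user" row per attempt from winbind log text and lists the distinct domains seen. The sample log lines are constructed to follow the format quoted above (the `INVERSE` short name and the bare machine-account entry are made up for the example), and the `(none)` marker for an entry with no `DOMAIN\` prefix is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread): summarise winbind "pam auth" attempts so the
# manual ntlm_auth run and the FreeRADIUS-triggered run can be compared side by side.

# Constructed sample in the format quoted in the thread; not real log output.
SAMPLE_LOG='[2014/08/13 09:31:56.156551, 3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [ 7023]: pam auth INVERSE\lmunro
[2014/08/13 09:32:10.001234, 3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [ 7023]: pam auth inverse.local\lmunro
[2014/08/13 09:33:02.500000, 3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [ 7023]: pam auth LT-T430-3$'

# pam_auth_attempts: read winbind log text on stdin and print
# "date time domain user" for every "pam auth" entry.
# The timestamp header line precedes the "pam auth" line, so it is remembered
# and attached to the next attempt; "(none)" is printed when no DOMAIN\ prefix
# is present (example convention, not a winbind value).
pam_auth_attempts() {
    awk '
        /^\[[0-9]+\/[0-9]+\/[0-9]+ / {
            ts = substr($1, 2) " " $2      # strip leading "[", keep date and time
            sub(/,$/, "", ts)               # drop the trailing comma after the time
            next
        }
        / pam auth / {
            acct = $NF                      # last field is DOMAIN\user or a bare name
            n = index(acct, "\\")
            if (n > 0) { domain = substr(acct, 1, n - 1); user = substr(acct, n + 1) }
            else       { domain = "(none)"; user = acct }
            print ts, domain, user
        }
    '
}

# domains_seen: the distinct domains across all attempts on stdin.
# More than one line here means the two paths (manual vs. FreeRADIUS) are not
# authenticating against the same domain, which is the mismatch to look for.
domains_seen() {
    pam_auth_attempts | awk '{ print $3 }' | LC_ALL=C sort -u
}

# Stand-alone run over the constructed sample (use
# "pam_auth_attempts < /var/log/samba/log.winbindd" on a real host).
printf '%s\n' "$SAMPLE_LOG" | pam_auth_attempts
printf '%s\n' "$SAMPLE_LOG" | domains_seen
```

The `Logon failure (0xc000006d)` that ntlm_auth printed is NT status STATUS_LOGON_FAILURE, which on its own does not distinguish "account not found" from "wrong password/response"; that is why the domain shown in the winbind line, and ideally the AD-side logon event, is needed to tell the two apart.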
