Yes, the users and computers are all in the same domain (as
with the servers). I did attempt to stick the laptop in an OU that has policy
inheritance blocked.
Ntlm as user succeeds:
-bash-4.1$ ntlm_auth --username=stormont
password:
NT_STATUS_OK: Success (0x0)
-bash-4.1$ ntlm_auth --username=zzhoppy
password:
NT_STATUS_OK: Success (0x0)
-bash-4.1$
And from log.winbindd (during interactive user authentication
listed above)
[2014/08/13 12:48:11.379309, 3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
[38847]: request interface version
[2014/08/13 12:48:11.379440, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[38847]: request location of privileged pipe
[2014/08/13 12:48:11.379608, 3]
winbindd/winbindd_misc.c:394(winbindd_domain_name)
[38847]: request domain name
[2014/08/13 12:48:15.921652, 3] winbindd/winbindd_misc.c:372(winbindd_info)
[38847]: request misc info
[2014/08/13 12:48:15.921795, 3]
winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
[38847]: pam auth OMNI\stormont
[2014/08/13 12:48:26.815876, 3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
[38848]: request interface version
[2014/08/13 12:48:26.816002, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[38848]: request location of privileged pipe
[2014/08/13 12:48:26.816106, 3]
winbindd/winbindd_misc.c:394(winbindd_domain_name)
[38848]: request domain name
[2014/08/13 12:48:31.267636, 3] winbindd/winbindd_misc.c:372(winbindd_info)
[38848]: request misc info
[2014/08/13 12:48:31.267793, 3]
winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
[38848]: pam auth OMNI\zzhoppy
Ntlm as machine still fails:
[root@pfcv logs]# ntlm_auth --username=LT-T430-3\$
--challenge=4ab096b446376d5f
--ntresponse=4df85dd62db46ee5bef1aa07fe499e87fc16eca72bd529e7
Logon failure (0xc000006d)
Below is log.winbindd from when the laptop attempted machine
auth:
[2014/08/13 13:37:43.894898, 3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
[38912]: request interface version
[2014/08/13 13:37:43.895143, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[38912]: request location of privileged pipe
[2014/08/13 13:37:43.895372, 3]
winbindd/winbindd_misc.c:394(winbindd_domain_name)
[38912]: request domain name
[2014/08/13 13:37:43.895587, 3]
winbindd/winbindd_pam_auth_crap.c:56(winbindd_pam_auth_crap_send)
[38912]: pam auth crap domain: [OMNI] user: LT-T430-3$
From: Louis Munro [mailto:[email protected]]
Sent: Wednesday, August 13, 2014 9:49 AM
To: [email protected]
Subject: Re: [PacketFence-users] "No trusted SAM account"
On 2014-08-12, at 15:58 , "Stormont, Stephen (IMS)"
<[email protected]<mailto:[email protected]>> wrote:
When I entered the command that you suggested on the PacketFence/FreeRadius
server, I got this:
[root@pfcv sbin]# ntlm_auth --username=LT-T430-3\$
--challenge=4ab096b446376d5f
--ntresponse=4df85dd62db46ee5bef1aa07fe499e87fc16eca72bd529e7
Logon failure (0xc000006d)
Contents of mschp are below:
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --ntresponse=%{mschap:NT-Response:-00}"
}
Well, at least you can reproduce it reliably...
Your mschap file looks about right.
So I think the first step is to get user authentication working reliably.
It's probably easier to figure out why user auth is not working first since
it's easier to know if your password is correct.
What happens when you try user auth at the command line using ntlm_auth?
I.e.
# ntlm_auth --username=whatever
And if we compare with the FreeRADIUS debugging output for the same section?
Can you post the relevant lines for that please (same ones as for the computer
authentication)?
What happens when you try to authenticate a user with the same arguments to
ntlm_auth that FreeRadius uses (just as for the computer auth)?
If user authentication works when you enter the password manually but not when
freeradius tries it, then either the 802.1x client is not using a valid
password or the AD cannot find that user.
See this article for some background on ntlm:
http://msdn.microsoft.com/en-ca/library/windows/desktop/aa378749(v=vs.85).aspx
Have a look at the winbind logs (/var/log/samba/log.winbindd ).
There should be a line for each authentication attempt like the following:
[2014/08/13 09:31:56.156551, 3]
winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
[ 7023]: pam auth inverse.local\lmunro
How does the line differ between when you are authentication manually (from the
command line) as opposed to when FreeRadius calls winbind (and fails)?
Is the domain the same?
Of course it may help if you have some logs from the AD side as well.
Regards,
--
Louis Munro
[email protected]<mailto:[email protected]> ::
www.inverse.ca<http://www.inverse.ca>
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu<http://www.sogo.nu>) and
PacketFence (www.packetfence.org<http://www.packetfence.org>)
________________________________
Information in this e-mail may be confidential. It is intended only for the
addressee(s) identified above. If you are not the addressee(s), or an employee
or agent of the addressee(s), please note that any dissemination, distribution,
or copying of this communication is strictly prohibited. If you have received
this e-mail in error, please notify the sender of the error.
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
