Hi Louis,
I didn't know that. Thanks: it works, I can authenticate now.
Next problem: windows would also like to be able to authenticate using
the machine account. I have put our AD user source to
DC=samba,DC=our,DC=domain, and with "subtree".
I'm getting:
> # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
> TLS Length 37
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> [peap] WARNING: No data inside of the tunnel.
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Peap state ?
> [peap] FAILED processing PEAP: Tunneled data is invalid.
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] = invalid
> +} # group authenticate = invalid
> Failed to authenticate the user.
> Login incorrect (TLS Alert read:fatal:access denied):
> [host/P002518.samba.our.domain] (from client x.y.z.248 port 17 cli
> 2c-41-38-8f-f1-3a)
> } # server packetfence
> Using Post-Auth-Type REJECT
I have also seen this bug report:
http://www.packetfence.org/bugs/view.php?id=1318
Debian 7 comes with samba 3.6.6... However, as you may (or may not)
remember: weeks ago I attempted to install packetfence using the sernet
packages, and later also the wheezy backports. (both giving more recent
samba versions, but I ran into numerous issues on my way)
So... What to do, if I would like to also be able to use machine
authentication?
(or: IS bug 1318 really the issue that can be seen above...?)
(or do you need again a complete freeradius debug log?)
MJ
On 06/23/2015 08:38 PM, Louis Munro wrote:
> On Jun 23, 2015, at 14:19 , heupink <[email protected]
> <mailto:[email protected]>> wrote:
>
>>
>> But where do I specify a default realm? (I'm guessing you are not
>> talking about krb5.conf) I'd like our users to be able to use just a
>> username, as they can for everything. (and we have just one realm)
>
>
> Either in the GUI under configuration > RADIUS > realms or just in
> conf/realm.conf, as in the following example (then restart) :
>
> [default]
> domain=pftest
> options=strip
>
> [inverse.local]
> domain=inverse
> options=strip
>
> [inverse]
> domain=inverse
> options=strip
>
> [pftest]
> domain=pftest
> options=strip
>
> [pftest.org]
> domain=pftest
> options=strip
>
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu)
> and PacketFence (www.packetfence.org)
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>