Hi Mourik,
That does not seem like an authentication issue related to samba.
That looks like the client and radius server can’t agree on a TLS tunnel.
You don’t even make it as far as ntlm_auth.
Look client side.
Check the supplicant configuration and valid certificates.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On Jun 23, 2015, at 16:12, mourik jan heupink <[email protected]> wrote:
> Hi Louis,
>
> I didn't know that. Thanks: it works, I can authenticate now.
>
> Next problem: Windows would also like to be able to authenticate using
> the machine account. I have put our AD user source to
> DC=samba,DC=our,DC=domain, and with "subtree".
>
> I'm getting:
>
>> # Executing group from file /usr/local/pf/raddb/sites-enabled/packetfence
>> +group authenticate {
>> [eap] Request found, released from the list
>> [eap] EAP/peap
>> [eap] processing type peap
>> [peap] processing EAP-TLS
>> TLS Length 37
>> [peap] Length Included
>> [peap] eaptls_verify returned 11
>> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
>> TLS Alert read:fatal:access denied
>> [peap] WARNING: No data inside of the tunnel.
>> [peap] eaptls_process returned 7
>> [peap] EAPTLS_OK
>> [peap] Session established. Decoding tunneled attributes.
>> [peap] Peap state ?
>> [peap] FAILED processing PEAP: Tunneled data is invalid.
>> [eap] Handler failed in EAP/peap
>> [eap] Failed in EAP select
>> ++[eap] = invalid
>> +} # group authenticate = invalid
>> Failed to authenticate the user.
>> Login incorrect (TLS Alert read:fatal:access denied):
>> [host/P002518.samba.our.domain] (from client x.y.z.248 port 17 cli
>> 2c-41-38-8f-f1-3a)
>> } # server packetfence
>> Using Post-Auth-Type REJECT
>
> I have also seen this bug report:
> http://www.packetfence.org/bugs/view.php?id=1318
>
> Debian 7 comes with samba 3.6.6... However, as you may (or may not)
> remember: Weeks ago I attempted to install packetfence using the sernet
> packages, and later also the wheezy backports. (both giving more recent
> samba versions, but I ran into numerous issues on my way)
>
> So... What to do, if I would like to also be able to use machine
> authentication?
>
> (or: IS bug 1318 really the issue that can be seen above..?)
>
> (or do you need again a complete freeradius debug log?)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
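
Added example, not part of the original thread and not PacketFence or FreeRADIUS code: a small Python triage of the debug excerpt quoted above. It shows from the log alone that the rejection is a fatal TLS alert received from the supplicant and that the inner stage was never reached. The `[mschap]` / `ntlm_auth` markers used to detect the inner stage are an assumption.

```python
import re

# "<<<" marks a TLS record received from the supplicant, ">>>" one sent by the server.
ALERT = re.compile(r"(<<<|>>>) TLS [\d.]+ Alert \[length \d+\], (\w+) (\w+)")
IDENTITY = re.compile(r"^\[([^\]]+)\] \(from client (\S+)")
QUOTE = re.compile(r"^[>\s]+")        # mail quoting such as ">> "
INNER = ("[mschap]", "ntlm_auth")     # assumption: markers of the inner stage

# Lines taken from the debug output quoted in the thread, quoting included.
SAMPLE = """\
>> [peap] processing EAP-TLS
>> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
>> TLS Alert read:fatal:access denied
>> [peap] FAILED processing PEAP: Tunneled data is invalid.
>> [host/P002518.samba.our.domain] (from client x.y.z.248 port 17 cli
>> Using Post-Auth-Type REJECT
""".splitlines()


def triage(lines):
    """Say how far one rejected PEAP attempt got, from radiusd debug output."""
    r = {"stage": "unknown", "alert": None, "sender": None,
         "identity": None, "nas": None}
    reached_inner = False
    for raw in lines:
        line = QUOTE.sub("", raw).rstrip()
        if any(marker in line for marker in INNER):
            reached_inner = True
        m = ALERT.search(line)
        if m and r["alert"] is None:          # keep the first alert seen
            direction, level, desc = m.groups()
            r["alert"] = f"{level} {desc}"
            r["sender"] = "supplicant" if direction == "<<<" else "server"
        m = IDENTITY.match(line)
        if m:
            r["identity"], r["nas"] = m.groups()
    if reached_inner:
        r["stage"] = "inner-auth"    # tunnel was up; look at ntlm_auth / Samba
    elif r["alert"] and r["alert"].startswith("fatal"):
        r["stage"] = "tls-tunnel"    # never reached ntlm_auth; look at TLS and certificates
    return r


if __name__ == "__main__":
    print(triage(SAMPLE))
```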