Hello Luca,
When you see winbind isn't started, it is actually running. When doing a
domain join via the admin interface, winbind is started in a chroot,
that allow you to have 1 winbind daemon by domain. So you should not
need to start it manually.
Go in the section configuration -> realm and add ASSL10 as the domain
for the realm NULL.
Thanks
On 01/29/2017 01:10 PM, Luca Messori wrote:
Hi Fabrice,
I trie to start winbondd manually; this is the output:
[root@mitelwifi samba]# /usr/sbin/winbindd -s /etc/samba/ASSL10.conf -S -F
winbindd version 3.6.23-36.el6_8 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
initialize_winbindd_cache: clearing cache and re-creating with version
number 2
Could not fetch our SID - did we join?
unable to initialize domain list
Kindly regards
*/Luca Messori/*
_________________________
Descrizione: mead
*Mead Informatica Srl*
*SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
Tel. +39 0522 265800 Tel. amm.ne 0522265940 - Fax +39 0522 393306
Tel. +39 049 8702540 Fax +39 049 8706249
http://www.meadinformatica.it <http://www.meadinformatica.it/>
-----------------------------------------------------------------------
Questo messaggio puo' contenere informazioni di carattere riservato e
confidenziale. Qualora non foste i destinatari, vi preghiamo di
notificarcelo
e di provvedere ad eliminare il messaggio, con gli eventuali allegati,
senza trattenerne copia. Qualsivoglia utilizzo non autorizzato del
contenuto
di questo mesaggio espone il responsabile alle conseguenze civili e
penali.
This message may contain information which is confidential or
privileged. if you are not the intended recipient, please immediately
notify us
and destroy this message and any attachments without retaining a copy.
Any unauthorized use of this message can expose the responsabile party
to civil and/or criminal penalties.
Descrizione: Descrizione: cid:696372015@22072008-1A64
*Da:*Fabrice Durand [mailto:[email protected]]
*Inviato:* venerdì 27 gennaio 2017 19:42
*A:* [email protected]
*Oggetto:* Re: [PacketFence-users] R: R: Issue authenticathing WPA2 WLAN
Hi Luca,
it still miss the assl10 realm, can you share your realm.conf file ?
Does winbind is running ?
Did you restart radiusd after adding the realm ?
Regards
Fabrice
Le 2017-01-27 à 12:22, Luca Messori a écrit :
Hi Fabrice,
we have reconfigured the Realm and we have done some new test but
we have the following error:
(7) Fri Jan 27 12:00:12 2017: ERROR: mschap: External script says:
Reading winbind reply failed! (0xc0000001)
(7) Fri Jan 27 12:00:12 2017: ERROR: mschap: MS-CHAP2-Response is
incorrect
I have attached the raddebug output.
Can you help us?
Kindly regards
*/Luca Messori/*
_________________________
Descrizione: mead
*Mead Informatica Srl*
*SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
Tel. +39 0522 265800 Tel. amm.ne 0522265940 - Fax +39 0522 393306
Tel. +39 049 8702540 Fax +39 049 8706249
http://www.meadinformatica.it
-----------------------------------------------------------------------
Questo messaggio puo' contenere informazioni di carattere
riservato e confidenziale. Qualora non foste i destinatari, vi
preghiamo di notificarcelo
e di provvedere ad eliminare il messaggio, con gli eventuali
allegati, senza trattenerne copia. Qualsivoglia utilizzo non
autorizzato del contenuto
di questo mesaggio espone il responsabile alle conseguenze civili
e penali.
This message may contain information which is confidential or
privileged. if you are not the intended recipient, please
immediately notify us
and destroy this message and any attachments without retaining a
copy. Any unauthorized use of this message can expose the
responsabile party
to civil and/or criminal penalties.
Descrizione: Descrizione: cid:696372015@22072008-1A64
*Da:*Fabrice Durand [mailto:[email protected]]
*Inviato:* giovedì 26 gennaio 2017 14:54
*A:* [email protected]
<mailto:[email protected]>
*Oggetto:* Re: [PacketFence-users] R: Issue authenticathing WPA2 WLAN
Hello Lucas,
here is the error:
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: Executing:
/usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}:
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND
--username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: -->
--username=integrazionewifi
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: Creating challenge
hash with username: integrazionewifi
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND
--challenge=%{mschap:Challenge:-00}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: -->
--challenge=c7224e97b4103ad9
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: EXPAND
--nt-response=%{mschap:NT-Response:-00}
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: -->
--nt-response=ad0e31b4fa7cad4f8ebecb1c9eb46025e8c52715f60f9183
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: Program returned
code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(52) Wed Jan 25 13:51:23 2017: Debug: mschap: External script failed
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: External script
says: Reading winbind reply failed! (0xc0000001)
(52) Wed Jan 25 13:51:23 2017: ERROR: mschap: MS-CHAP2-Response is
incorrect
Freeradius try to use winbind but it can't, so you must join the
server to the domain to fix that and you need to create a realm
that match assl10 and point to the domain you just created (Admin
Gui).
Also for just ldap you need to have the clear password or the
nthash in the ldap directory.
http://deployingradius.com/documents/protocols/compatibility.html
Regards
Fabrice
Le 2017-01-26 à 04:00, Luca Messori a écrit :
Ho Fabrice,
I have attached two file containing the logs saved as you
required.
The two file names contains the username used during the test
tryin to connect to the WLAN.
I have tested both AD integration (putting PF in the Microsoft
domain) and LDAP.
Actually we are using LDAP.
Thank you veri much,
Kindly ergards
*/Luca Messori/*
_________________________
Descrizione: mead
*Mead Informatica Srl*
*SEDE *- Via G. Ferraris, 2 - 42122 Reggio Emilia
Tel. +39 0522 265800 Tel. amm.ne 0522265940 - Fax +39 0522
393306
Tel. +39 049 8702540 Fax +39 049 8706249
http://www.meadinformatica.it
-----------------------------------------------------------------------
Questo messaggio puo' contenere informazioni di carattere
riservato e confidenziale. Qualora non foste i destinatari, vi
preghiamo di notificarcelo
e di provvedere ad eliminare il messaggio, con gli eventuali
allegati, senza trattenerne copia. Qualsivoglia utilizzo non
autorizzato del contenuto
di questo mesaggio espone il responsabile alle conseguenze
civili e penali.
This message may contain information which is confidential or
privileged. if you are not the intended recipient, please
immediately notify us
and destroy this message and any attachments without retaining
a copy. Any unauthorized use of this message can expose the
responsabile party
to civil and/or criminal penalties.
Descrizione: Descrizione: cid:696372015@22072008-1A64
*Da:*Fabrice Durand [mailto:[email protected]]
*Inviato:* mercoledì 25 gennaio 2017 14:18
*A:* [email protected]
<mailto:[email protected]>
*Oggetto:* Re: [PacketFence-users] Issue authenticathing WPA2 WLAN
Hello Luca,
are you using an active directory ?
If it's the case then first you need to join PacketFence to
the domain.
Also can you do a : raddebug -f
/usr/local/pf/var/run/radius.sock -t 3000
and retry your authentication (you will have more details).
Regards
Fabrice
Le 2017-01-25 à 04:51, Luca Messori a écrit :
Hi all,
I’m trying to configure my PF to authenticate wireless users.
I have created a WPA2 enterprise WLAN on my Aps and I have
configured the PF IP as radius server.
I have configured a LDAP user source that should be used
by the Radius server.
Using pftest I have this output:
[root@mitelwifi ~]# /usr/local/pf/bin/pftest
authentication integrazionewifi <MYPASSWD> <LDAP_SOURCE>
Testing authentication for "integrazionewifi"
Authenticating against <LDAP_SOURCE>
Authentication SUCCEEDED against <LDAP_SOURCE>
(Authentication successful.)
Matched against <LDAP_SOURCE>for 'authentication' rules
set_role : impiegati
set_access_duration : 5D
Did not match against <LDAP_SOURCE>
When a wireless client try to connect to the WLAN I see
this log on radius log file:
Wed Jan 25 02:41:29 2017 : Auth: (11) Login incorrect
(eap: Tried to start unsupported EAP type MSCHAPv2 (26)):
[<MYDOMAIN>\integrazionewifi] (from client 10.12.15.0/24
port 1 cli 70:77:81:1a:d2:c5 via TLS tunnel)
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
connection (1): Hit idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
connection (2): Hit idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
connection (3): Hit idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
connection (4): Hit idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
connection (0): Hit idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Closing
connection (5): Hit idle_timeout, was idle for 204 seconds
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening
additional connection (6), 1 of 64 pending slots used
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Need 2
more connections to reach 10 spares
Wed Jan 25 02:41:29 2017 : Info: rlm_sql (sql): Opening
additional connection (7), 1 of 63 pending slots used
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: The
users session was previously rejected: returning reject
(again.)
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: This
means you need to read the PREVIOUS messages in the debug
output
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: to find
out the reason why the user was rejected
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: Look for
"reject" or "fail". Those earlier messages will tell you
Wed Jan 25 02:41:29 2017 : Info: (12) eap_peap: what
went wrong, and how to fix the problem
Wed Jan 25 02:41:29 2017 : Auth: (12) Login incorrect
(eap: Failed continuing EAP PEAP (25) session. EAP
sub-module failed): [<MYDOMAIN>\integrazionewifi] (from
client 10.12.15.0/24 port 1 cli 70:77:81:1a:d2:c5)
Wed Jan 25 02:41:29 2017 : [mac:70:77:81:1a:d2:c5]
Rejected user: assl10\integrazionewifi
Using tcpdump I cannot see any connection to LDAP serevr
I don’t understand why I have this log.
I have enabled PEAP and MSCHAPv2 as authentication method.
Thank you very much
Luca Messori
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x135)
::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
PacketFence (http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x135)
::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x135)
::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
