Just to say that I am following this thread with interest, as I
currently have the same issue on my (debian8) install.
GUI says: domain join OK
Also, in CLI, I can do:
root@pf:/chroots/DOMAIN/etc/samba# chroot /chroots/DOMAIN ntlm_auth --username=testuser
Password:
NT_STATUS_OK: Success (0x0)
But doing radtest in cli/chroot gives:
root@pf:/chroots/DOMAIN/etc/samba# chroot /chroots/DOMAIN radtest -t mschap -x testuser testpasswd localhost:18120 12 testing123
Sent Access-Request Id 55 from 0.0.0.0:55804 to 127.0.0.1:18120 length 133
User-Name = "testuser"
MS-CHAP-Password = "testpasswd"
NAS-IP-Address = 192.x.y.z (=packetfence ip)
NAS-Port = 12
Message-Authenticator = 0x00
Cleartext-Password = "testpasswd"
MS-CHAP-Challenge = 0x91acda8016
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000b8b70be9c9dee2a5298cd8cf1b3xxxx
Received Access-Reject Id 55 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
and during radtest the following is logged in radius.log:
Jul 10 14:13:31 pf auth[15670]: (283) Rejected in post-auth: [testuser] (from client localhost port 12)
Jul 10 14:14:06 pf auth[15670]: (284) rest: ERROR: Server returned:
Jul 10 14:14:06 pf auth[15670]: (284) rest: ERROR: {"Reply-Message":"CLI Access is not allowed by PacketFence on this switch","control:PacketFence-Authorization-Status":"allow"}
Are you seeing this same message about CLI access?
MJ
On 07/10/2017 11:58 AM, luca comes via PacketFence-users wrote:
I've found this error in radius.log
ERROR: mschap_machine: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
But the domain is working fine, how can I solve this?
Luca
Sent from Outlook <http://aka.ms/weboutlook>
------------------------------------------------------------------------
*From:* luca comes via PacketFence-users <[email protected]>
*Sent:* Monday, 10 July 2017 11:42
*To:* [email protected]
*Cc:* luca comes
*Subject:* Re: [PacketFence-users] Machine authentication
Hi all,
any suggestion? I don't know what to check; the domain is correctly configured
and the tests are fine (wbinfo -u etc.). I added my domain to the LOCAL realm
as per Antoine's mail but it still doesn't work.
Thanks for your help
Luca
Sent from Outlook <http://aka.ms/weboutlook>
------------------------------------------------------------------------
*From:* luca comes via PacketFence-users <[email protected]>
*Sent:* Friday, 7 July 2017 17:40
*To:* [email protected]
*Cc:* luca comes
*Subject:* Re: [PacketFence-users] Machine authentication
Hi Antoine,
thank you for your answer, unfortunately it doesn't work. Same behavior
as before, any other suggestion?
Luca
Sent from Outlook <http://aka.ms/weboutlook>
------------------------------------------------------------------------
*From:* Antoine Amacher via PacketFence-users <[email protected]>
*Sent:* Friday, 7 July 2017 17:20
*To:* [email protected]
*Cc:* Antoine Amacher
*Subject:* Re: [PacketFence-users] Machine authentication
Lucas,
Map the domain on which they should authenticate with the REALM LOCAL.
In configuration -> policies and access control -> realms
Thanks
On 07/07/2017 11:15 AM, luca comes via PacketFence-users wrote:
Hi all,
I'm trying to do machine authentication vs Windows AD but it doesn't
work. I've created the domain and the realm but in the radius debug
log I can see that it is not catching the correct realm:
(20) Fri Jul 7 16:29:45 2017: Debug: Received Access-Request Id 103 from 10.10.10.4:1645 to 172.27.17.5:1812 length 226
(20) Fri Jul 7 16:29:45 2017: Debug: User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul 7 16:29:45 2017: Debug: Service-Type = Framed-User
(20) Fri Jul 7 16:29:45 2017: Debug: Framed-MTU = 1500
(20) Fri Jul 7 16:29:45 2017: Debug: Called-Station-Id = "00-22-91-6F-B8-81"
(20) Fri Jul 7 16:29:45 2017: Debug: Calling-Station-Id = "00-9C-02-92-EA-B0"
(20) Fri Jul 7 16:29:45 2017: Debug: EAP-Message = 0x0201001801686f73742f4c4142332d4e422e646d2e6c6f63
(20) Fri Jul 7 16:29:45 2017: Debug: Message-Authenticator = 0xcf9553149f5c843907b87d3758e0b7d8
(20) Fri Jul 7 16:29:45 2017: Debug: Cisco-AVPair = "audit-session-id=0A0A0A04000000DEBBDF4BBE"
(20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port-Type = Ethernet
(20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port = 50101
(20) Fri Jul 7 16:29:45 2017: Debug: NAS-Port-Id = "GigabitEthernet1/0/1"
(20) Fri Jul 7 16:29:45 2017: Debug: NAS-IP-Address = 10.10.10.4
....
....
(20) Fri Jul 7 16:29:46 2017: Debug: suffix: Checking for suffix after "@"
(20) Fri Jul 7 16:29:46 2017: Debug: suffix: No '@' in User-Name = "host/LAB3-NB.dm.loc", skipping NULL due to config.
(20) Fri Jul 7 16:29:46 2017: Debug: [suffix] = noop
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Checking for prefix before "\"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name = "host/LAB3-NB.dm.loc", looking up realm NULL
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Found realm "null"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Adding Stripped-User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Adding Realm = "null"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Authentication realm is LOCAL
(20) Fri Jul 7 16:29:46 2017: Debug: [ntdomain] = ok
How can I solve this? Obviously the machine is correctly joined to the
domain; below are the associated servicePrincipalNames:
TERMSRV/LAB3-NB.dm.loc
TERMSRV/LAB3-NB
RestrictedKrbHost/LAB3-NB
HOST/LAB3-NB
RestrictedKrbHost/LAB3-NB.dm.loc
HOST/LAB3-NB.dm.loc
Can anyone suggest what I should check?
Thank you in advance.
Luca
Sent from Outlook <http://aka.ms/weboutlook>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] ::www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
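An added example, not part of the thread and not PacketFence or FreeRADIUS code: a small script that summarises, per request id, which realm a debug log like the one in the original post resolved, alongside a simplified model of the two checks visible in that log (suffix after "@", prefix before "\"). The names split_realm and summarize are hypothetical, and the sample lines are copied from the log above with wrapped lines rejoined.

```python
import re

# Lines copied from the debug log quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = r"""
(20) Fri Jul 7 16:29:45 2017: Debug: User-Name = "host/LAB3-NB.dm.loc"
(20) Fri Jul 7 16:29:46 2017: Debug: suffix: No '@' in User-Name = "host/LAB3-NB.dm.loc", skipping NULL due to config.
(20) Fri Jul 7 16:29:46 2017: Debug: [suffix] = noop
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: No '\' in User-Name = "host/LAB3-NB.dm.loc", looking up realm NULL
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Found realm "null"
(20) Fri Jul 7 16:29:46 2017: Debug: ntdomain: Authentication realm is LOCAL
(20) Fri Jul 7 16:29:46 2017: Debug: [ntdomain] = ok
"""

LINE = re.compile(r'^\((\d+)\) .*?: Debug: (.*)$')

def split_realm(user_name):
    """Simplified model (an assumption) of the two checks shown in the log.

    Returns (matching_check, realm, stripped_user_name).
    """
    if '@' in user_name:                      # suffix: realm after "@"
        user, realm = user_name.rsplit('@', 1)
        return 'suffix', realm, user
    if '\\' in user_name:                     # ntdomain: realm before "\"
        realm, user = user_name.split('\\', 1)
        return 'ntdomain', realm, user
    return None, 'NULL', user_name            # neither delimiter: NULL realm

def summarize(log_text):
    """Collect User-Name, realm found and module return codes per request id."""
    requests = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req = requests.setdefault(int(m.group(1)), {'modules': {}})
        msg = m.group(2)
        if (u := re.match(r'User-Name = "(.*)"$', msg)):
            req['user_name'] = u.group(1)
        elif (r := re.search(r'Found realm "(.*)"', msg)):
            req['realm'] = r.group(1)
        elif (a := re.search(r'Authentication realm is (\S+)', msg)):
            req['auth_realm'] = a.group(1)
        elif (c := re.match(r'\[(\w+)\] = (\w+)$', msg)):
            req['modules'][c.group(1)] = c.group(2)
    return requests

if __name__ == '__main__':
    for rid, info in summarize(SAMPLE_LOG).items():
        print(rid, info, split_realm(info['user_name']))
```

For the machine name in the thread, split_realm reports that neither check matches, which agrees with the log's "Found realm "null"" line.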