Hi Jimmy,

Yes, this is what I meant: my connection via the profile that uses the AD source
and authentication against AD works only on the condition that I use the
default realm and this default realm is linked to the AD domain.

Here are extracts from the configs.

Domain.conf
===========

[optionsad]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
ntlm_cache=enabled
registration=0
ntlm_cache_expiry=3600
dns_name=options.bc.ca
dns_servers=172.XXX.XXX.XXX,172.XXX.XXX.XXX
ou=Computers
bind_pass=ZZZZZZZZZZZ
ntlm_cache_on_connection=disabled
bind_dn=ADintegrator
workgroup=OPTIONS
ntlm_cache_batch_one_at_a_time=disabled
sticky_dc=*
ad_server=adserver.options.bc.ca
ntlm_cache_batch=disabled
server_name=%h
ntlm_cache_source=OPTIONS-AD-SOURCE

 

realm.conf
==========

[DEFAULT]
domain=optionsad
options=strip

 

authentication.conf
===================

[OPTIONS-AD-SOURCE]
cache_match=0
read_timeout=10
realms=default
password=ZZZZZZZZZ
scope=base
binddn=CN=ADintegrator,CN=Users,DC=options,DC=bc,DC=ca
port=389
description=Options-AD-Source
write_timeout=5
type=AD
basedn=CN=Users,DC=options,DC=bc,DC=ca
set_access_level_action=
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=no
encryption=none
host=adserver.options.bc.ca
email_attribute=mail

 

Eugene
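As an added illustration (not part of this thread and not PacketFence's own code), a small Python checker that cross-references the three files quoted above the way a reviewer would before debugging winbind: it flags a realm whose domain is undefined, a source whose realms= names an undefined realm, a named realm that no AD source lists, and encryption=none on the AD bind. The file contents are a constructed sample and check_pf_realms / _load are my names.

```python
import configparser

# Constructed sample modelled on the three files quoted above; hostnames are
# placeholders and secrets are omitted, this is not Eugene's live configuration.
DOMAIN_CONF = """[optionsad]
ad_server=adserver.options.bc.ca
server_name=%h
"""
REALM_CONF = """[DEFAULT]
domain=optionsad
[OPTIONS-AD-REALM]
domain=optionsad
"""
AUTH_CONF = """[OPTIONS-AD-SOURCE]
type=AD
realms=default
host=adserver.options.bc.ca
port=389
encryption=none
"""

def _load(text):
    # A literal [DEFAULT] section is PacketFence's default realm, so it must not be
    # configparser's defaults section; interpolation is off because of server_name=%h.
    cp = configparser.ConfigParser(default_section="__none__", interpolation=None,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp

def check_pf_realms(domain_conf, realm_conf, auth_conf):
    # Cross-check realm.conf, domain.conf and authentication.conf; return findings.
    domains, realms, sources = (_load(t) for t in (domain_conf, realm_conf, auth_conf))
    realm_names = {s.lower() for s in realms.sections()}
    findings, referenced = [], set()
    for realm in realms.sections():  # every realm must point at a defined domain
        dom = realms.get(realm, "domain", fallback="")
        if dom not in domains.sections():
            findings.append(f"realm {realm}: domain '{dom}' missing from domain.conf")
    for src in sources.sections():
        if sources.get(src, "type", fallback="") != "AD":
            continue
        wanted = {r.strip().lower() for r in sources.get(src, "realms", fallback="").split(",") if r.strip()}
        referenced |= wanted
        for r in sorted(wanted - realm_names):
            findings.append(f"source {src}: realm '{r}' missing from realm.conf")
        if sources.get(src, "encryption", fallback="none") == "none":
            findings.append(f"source {src}: encryption=none, LDAP bind credentials cross the wire in cleartext")
    for realm in sorted(realm_names - referenced):  # a named realm that no source lists
        findings.append(f"realm {realm}: defined but no AD source lists it in realms=")
    return findings
```

Against the sample it reports two findings: the cleartext bind and the OPTIONS-AD-REALM realm that no source references.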

 

From: Jimmy Claes via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Tuesday, March 06, 2018 11:28 PM
To: 'packetfence-users@lists.sourceforge.net'
<packetfence-users@lists.sourceforge.net>
Cc: Jimmy Claes <j.cl...@clbgroup.be>
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with
FreeRadius: "reading winbind reply failed!"

 

Hello Eugene

 

By the following, “it all works if I use only the default realm and link it
to the AD domain”, you mean that if you set your sources to the default realm,
assign AD to the default realm and have no other realms configured,
authenticating with AD works?
Would you mind sharing the configuration you have that works with the default realm?

Short term, it might just suffice for us.

 

Regards

Jimmy

 

From: E.P. via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, March 7, 2018 4:33
To: packetfence-users@lists.sourceforge.net
Cc: E.P. <ype...@gmail.com>
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with
FreeRadius: "reading winbind reply failed!"

 

Hi Jimmy and Fabrice,

I would like to report the same experience. I have a realm
(OPTIONS-AD-REALM) and it is associated with the AD domain (optionsad), i.e.


 

[OPTIONS-AD-REALM]
domain=optionsad
options=strip

 

I had similar problems with winbind, same errors in the output of RADIUS
debug. Moreover, my attempt to test authentication from the command line was
successful:

 

[root@PacketFence-ZEN bin]# ./pftest authentication it.tech XXXXXXXXX

Authenticating against OPTIONS-AD-SOURCE
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
  Matched against OPTIONS-AD-SOURCE for 'authentication' rules
    set_role : Staff
    set_unreg_date : 2019-12-31

 

Go figure what’s wrong: permissions, bugs or a lack of understanding on my
side, as what I see as the result of the ntlm_auth query drives me mad:

 

[root@PacketFence-ZEN bin]# ntlm_auth --request-nt-key --domain=optionsad --username=it.tech
Password:
could not obtain winbind separator!
Reading winbind reply failed! (0x01)
:  (0x0)

 

So, here I would like Fabrice to comment on this, specifically bearing in mind
that it all works if I use only the default realm and link it to the AD
domain.

What’s the point of having named realms?

Moreover, if I test my authentication source with the authentication realm
pointing to default, the test fails. If I remove it, then the test goes
through?

What’s the point of having the realm here, Fabrice?

Moreover, if I use the FQDN for the host that acts as the Windows domain
controller my test also fails, but if I use the IP address it is all good.

I know and I swear that PF can resolve the name normally.

There are more questions that I’d like to ask strongly believing there’s
faulty code or missing documentation or a combination of both.

 

Eugene

 

From: Durand fabrice via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Tuesday, March 06, 2018 6:26 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with
FreeRadius: "reading winbind reply failed!"

 

Hello Jimmy,

Create the realms associated with your domain: if you have a user like
ACME\bob and b...@acme.com, then create the 2 realms and associate them with
your AD.

Regards

Fabrice

 

 

On 2018-03-06 at 07:14, Jimmy Claes via PacketFence-users wrote:

I’ve been trying to figure out this problem for days: whenever I try to
authenticate a user on Windows, I get the following error while the login is
correct:

[screenshot not included in the archived message]

‘wbinfo -p’ fails as well:

[screenshot not included in the archived message]

Winbind service is running:

[screenshot not included in the archived message]

Freeradius service is running:

[screenshot not included in the archived message]

The permissions on winbindd_privileged are properly set:

[screenshot not included in the archived message]

Result of running ‘freeradius -X’ attached.

 

 

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

 

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net> 
https://lists.sourceforge.net/lists/listinfo/packetfence-users
