Hello Eugene,

On 2018-03-06 at 22:33, E.P. wrote:
>
> Hi Jimmy and Fabrice,
>
> I would like to report the same experience. I have a realm
> (OPTIONS-AD-REALM) and it is associated with the AD domain
> (optionsad), i.e.
>
> [OPTIONS-AD-REALM]
> domain=optionsad
> options=strip
>
> I had similar problems with winbind, same errors in the output of
> RADIUS debug. Moreover, my attempt to test authentication from the
> command line was successful:
>
This is just an ldap bind / search, not the same thing as ntlm_auth
>
> [root@PacketFence-ZEN bin]# ./pftest authentication it.tech XXXXXXXXX
>
> Authenticating against OPTIONS-AD-SOURCE
>   Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
>   Matched against OPTIONS-AD-SOURCE for 'authentication' rules
>     set_role : Staff
>     set_unreg_date : 2019-12-31
>
> Go figure what’s wrong, permissions, bugs or a lack of understanding
> from my side as what I see as the result of ntlm_auth query drives me mad:
>
There is a chroot for each domain; if you do: chroot /chroot/ITTECH
then wbinfo -u, does it answer something?
Also a radius request in debug mode should help to find the solution.

Regards
Fabrice

> [root@PacketFence-ZEN bin]# ntlm_auth --request-nt-key --domain=optionsad --username=it.tech
> Password:
> could not obtain winbind separator!
> Reading winbind reply failed! (0x01)
> :  (0x0)
>
> So, here I would like Fabrice comment on this, specifically bearing in
> mind that it all works if I use only the default realm and link it to
> the AD domain.
>
> What’s the point of having named realms ?
>
> Moreover, if I test my authentication source with the authentication
> realm pointing to default the test fails. If I remove it then the test
> goes through ?
>
> What’s the point of having the realm here, Fabrice ?
>
> Moreover, if I use FQDN for the host that acts as the windows domain
> controller my test also fails but if I use the IP address it is all good.
>
> I know and I swear that PF can resolve the name normally.
>
> There are more questions that I’d like to ask strongly believing
> there’s faulty code or missing documentation or a combination of both.
>
> Eugene
>
> From: Durand fabrice via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> Sent: Tuesday, March 06, 2018 6:26 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Durand fabrice <fdur...@inverse.ca>
> Subject: Re: [PacketFence-users] [Packetfence] AD authentication
> with FreeRadius: "reading winbind reply failed!"
>
> Hello Jimmy,
>
> create the realms associated to your domain, like you have a user like
> ACME\bob and b...@acme.com then create the 2
> realms and associate them to your AD.
>
> Regards
>
> Fabrice
>
> On 2018-03-06 at 07:14, Jimmy Claes via PacketFence-users wrote:
>
>     I’ve been trying to figure out this problem for days, whenever I
>     try to authenticate a user on Windows, I get the following error
>     while the login is correct:
>
>     [image: image001.png]
>
>     ‘wbinfo -p’ fails as well:
>
>     [image: image002.png]
>
>     Winbind service is running:
>
>     [image: image003.png]
>
>     Freeradius service is running:
>
>     [image: image004.png]
>
>     The permissions on winbindd_privileged are properly set:
>
>     [image: image005.png]
>
>     Result of running ‘freeradius -X’ attached.
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
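
An added example, not part of the original thread and not PacketFence code: a simplified model of how a login name in the `REALM\user` or `user@realm` form selects a realm section and, through it, an AD domain, which is why the advice above is to create one realm per username form. The `[EXAMPLE.TEST]` and `[DEFAULT]` sections, the case-insensitive match and the fallback to `[DEFAULT]` are assumptions of this model.

```python
import configparser

# Constructed realm configuration in the INI layout quoted in the thread.
# [OPTIONS-AD-REALM] is from the thread; [EXAMPLE.TEST] and [DEFAULT] are
# made-up sections for illustration.
REALM_CONF = """
[DEFAULT]
options=strip

[OPTIONS-AD-REALM]
domain=optionsad
options=strip

[EXAMPLE.TEST]
domain=optionsad
options=strip
"""

def load_realms(text):
    # default_section is renamed so [DEFAULT] is parsed as an ordinary
    # section and its keys are not inherited by every other realm.
    cp = configparser.ConfigParser(default_section="__unused__")
    cp.read_string(text)
    return {name.lower(): dict(cp[name]) for name in cp.sections()}

def split_realm(username):
    """Return (realm, user) for REALM\\user or user@realm, else (None, username)."""
    if "\\" in username:
        realm, user = username.split("\\", 1)
        return realm, user
    if "@" in username:
        user, realm = username.rsplit("@", 1)
        return realm, user
    return None, username

def resolve(username, realms):
    """Pick the realm section for a login name (assumed: case-insensitive
    match on the section name, fallback to [DEFAULT] when nothing matches)."""
    realm, user = split_realm(username)
    key = realm.lower() if realm and realm.lower() in realms else "default"
    conf = realms.get(key, {})
    strip = "strip" in conf.get("options", "").split(",")
    return {"section": key.upper(), "domain": conf.get("domain"),
            "username": user if strip else username}

if __name__ == "__main__":
    realms = load_realms(REALM_CONF)
    for name in ("OPTIONS-AD-REALM\\it.tech", "it.tech@example.test",
                 "optionsad\\it.tech", "it.tech"):
        print(f"{name!r:32} -> {resolve(name, realms)}")
```

In this model `optionsad\it.tech` lands in `[DEFAULT]` with no domain, because a section is selected by the realm string in the login name, not by the `domain=` value it points to.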
