Good morning, Fabrice,

I ran chroot /chroots/optionsad wbinfo -u and received the output of all users 
and groups from AD, where optionsad is my AD domain.

And here’s what I see in the RADIUS debug output when I use a named realm rather 
than the default one; the Windows supplicant uses the PEAP method:


session-state:Module-Failure-Message := "mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'"

So, I wish I understood the logic, or the lack of it 😉

And asking the same question again: what’s the point of a named realm if it 
doesn’t work?

Eugene

From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Wednesday, March 07, 2018 2:01 PM
To: E.P. <ype...@gmail.com>; packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] [Packetfence] AD authentication with 
FreeRadius: "reading winbind reply failed!"

Hello Eugene,

On 2018-03-06 at 22:33, E.P. wrote:

Hi Jimmy and Fabrice,

I would like to report the same experience. I have a realm (OPTIONS-AD-REALM) 
and it is associated with the AD domain (optionsad), i.e. 

[OPTIONS-AD-REALM]
domain=optionsad
options=strip

I had similar problems with winbind, the same errors in the RADIUS debug output. 
Moreover, my attempt to test authentication from the command line was 
successful:

This is just an LDAP bind/search, not the same thing as ntlm_auth.



[root@PacketFence-ZEN bin]# ./pftest authentication it.tech XXXXXXXXX

Authenticating against OPTIONS-AD-SOURCE
  Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.) 
  Matched against OPTIONS-AD-SOURCE for 'authentication' rules
    set_role : Staff
    set_unreg_date : 2019-12-31

Go figure what’s wrong: permissions, bugs or a lack of understanding on my 
side, as what I see as the result of the ntlm_auth query drives me mad:

There is a chroot for each domain. If you do chroot /chroot/ITTECH and then 
wbinfo -u, does it answer something?
Also, a RADIUS request in debug mode should help to find the solution.

Regards
Fabrice




[root@PacketFence-ZEN bin]# ntlm_auth --request-nt-key --domain=optionsad --username=it.tech
Password: 
could not obtain winbind separator!
Reading winbind reply failed! (0x01)
:  (0x0)

So, here I would like Fabrice to comment on this, specifically bearing in mind 
that it all works if I use only the default realm and link it to the AD domain.

What’s the point of having named realms?

Moreover, if I test my authentication source with the authentication realm 
set to default, the test fails. If I remove it, then the test goes through?

What’s the point of having the realm here, Fabrice?

Moreover, if I use the FQDN for the host that acts as the Windows domain 
controller, my test also fails, but if I use the IP address it is all good. 

I know and I swear that PF can resolve the name normally.

There are more questions that I’d like to ask, strongly believing there’s 
faulty code or missing documentation, or a combination of both.

Eugene
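The checks Fabrice suggests (wbinfo inside the per-domain chroot, then a RADIUS request in debug mode) and the ntlm_auth call Eugene ran can be wrapped in one script so that each domain's chroot is tested the same way every time. This is an added example, not PacketFence code and not anything posted in the thread. It assumes a PacketFence-style per-domain chroot under /chroots/<domain> (Eugene's path; Fabrice wrote /chroot, so the base is overridable), with wbinfo and ntlm_auth at /usr/bin inside that chroot, and for a lab test it passes the password with ntlm_auth's --password option, which is not shown above. The mapping of error strings to a diagnosis is mine: "could not obtain winbind separator!" is what ntlm_auth prints when it gets no answer from winbindd at all, and 0xc0000001 is NT_STATUS_UNSUCCESSFUL, i.e. winbindd answered but the request failed.

```shell
#!/bin/sh
# winbind_check.sh: per-domain winbind / ntlm_auth sanity check.
# Added example, not PacketFence code. Assumptions (not from the thread):
#   - the per-domain chroot lives at $CHROOT_BASE/<domain> (default /chroots)
#   - wbinfo and ntlm_auth are at /usr/bin inside that chroot
#   - the password is passed with ntlm_auth --password; lab use only, since it
#     shows up in the process list and in shell history

CHROOT_BASE="${CHROOT_BASE:-/chroots}"   # assumption: PacketFence-style layout

# Map the strings seen in the thread to a one-word diagnosis.
# Reads ntlm_auth / wbinfo output on stdin, prints one token.
classify_winbind_output() {
    out=$(cat)
    case "$out" in
        *"could not obtain winbind separator"*)
            # ntlm_auth got no answer from winbindd at all: winbindd is not
            # running, or its socket is not visible inside this chroot.
            echo "winbindd-unreachable" ;;
        *"(0xc0000001)"*)
            # NT_STATUS_UNSUCCESSFUL: winbindd answered, but the request failed.
            echo "nt-status-unsuccessful" ;;
        *"NT_STATUS_OK"*)
            echo "ok" ;;
        *"NT_STATUS_WRONG_PASSWORD"*|*"NT_STATUS_LOGON_FAILURE"*)
            echo "bad-credentials" ;;
        *)
            echo "unknown" ;;
    esac
}

# Run, inside the domain's chroot, the same kind of request FreeRADIUS's
# mschap module makes through ntlm_auth. Prints the raw output and a
# diagnosis line. Returns 0 only when ntlm_auth reports NT_STATUS_OK.
check_domain() {
    domain=$1; user=$2; pass=$3
    root="$CHROOT_BASE/$domain"
    if [ ! -d "$root" ]; then
        echo "no chroot at $root" >&2
        return 2
    fi
    # 1. Is winbindd answering from inside the chroot at all? (wbinfo -p = ping)
    if ! chroot "$root" /usr/bin/wbinfo -p >/dev/null 2>&1; then
        echo "wbinfo -p failed inside $root: winbindd not reachable" >&2
        return 1
    fi
    # 2. Is the machine account trust usable? (wbinfo -t checks the trust secret)
    chroot "$root" /usr/bin/wbinfo -t >/dev/null 2>&1 ||
        echo "warning: wbinfo -t failed inside $root (trust secret)" >&2
    # 3. The NTLM check itself, as the mschap module would invoke ntlm_auth.
    result=$(chroot "$root" /usr/bin/ntlm_auth --request-nt-key \
        --domain="$domain" --username="$user" --password="$pass" 2>&1)
    echo "$result"
    verdict=$(printf '%s\n' "$result" | classify_winbind_output)
    echo "diagnosis: $verdict"
    [ "$verdict" = "ok" ]
}

# usage: sh winbind_check.sh optionsad it.tech 'secret'
if [ "$#" -ge 3 ]; then
    check_domain "$@"
fi
```

If step 1 already fails, the winbindd socket for that domain is not reachable from inside the chroot and nothing FreeRADIUS does on top will work; if steps 1 and 2 pass but ntlm_auth still fails, compare the domain and username the script passes with what the RADIUS debug shows the mschap module passing for the named realm, since a stripped or unstripped realm changes both.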

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
