A radius request in debug mode please.
cd /usr/local/pf
raddebug -f var/run/radiusd.sock -t 3000
Regards
Fabrice
On 2018-03-08 at 00:39, E.P. wrote:
>
> Good morning, Fabrice,
>
> I ran chroot /chroots/optionsad wbinfo -u and received the output of
> all users and groups from AD where optionsad is my AD domain.
>
>
>
> And here’s what I see in RADIUS debugs when I use a named realm, not
> the default one, Windows supplicant uses PEAP method
>
>
>
> session-state:Module-Failure-Message := "mschap: Program returned
> code (1) and output 'Reading winbind reply failed! (0xc0000001)'"
>
>
>
> So, I wish I understood the logic or the lack of it 😉
>
> And asking the same question, what’s the point about a named realm if
> it doesn’t work?
>
>
>
> Eugene
>
> From: Fabrice Durand [mailto:fdur...@inverse.ca]
> Sent: Wednesday, March 07, 2018 2:01 PM
> To: E.P. <ype...@gmail.com>; packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] [Packetfence] AD authentication
> with FreeRadius: "reading winbind reply failed!"
>
>
>
> Hello Eugene,
>
>
>
> On 2018-03-06 at 22:33, E.P. wrote:
>
> Hi Jimmy and Fabrice,
>
> I would like to report the same experience. I have a realm
> (OPTIONS-AD-REALM) and it is associated with the AD domain
> (optionsad), i.e.
>
>
>
> [OPTIONS-AD-REALM]
>
> domain=optionsad
>
> options=strip
>
>
>
> I had similar problems with winbind, same errors in the output of
> RADIUS debug. Moreover, my attempt to test authentication from the
> command line was successful:
>
>
>
> This is just an ldap bind / search, not the same thing as ntlm_auth
>
> [root@PacketFence-ZEN bin]# ./pftest authentication it.tech XXXXXXXXX
>
> Authenticating against OPTIONS-AD-SOURCE
>   Authentication SUCCEEDED against OPTIONS-AD-SOURCE (Authentication successful.)
>   Matched against OPTIONS-AD-SOURCE for 'authentication' rules
>     set_role : Staff
>     set_unreg_date : 2019-12-31
>
>
>
> Go figure what’s wrong, permissions, bugs or a lack of
> understanding from my side as what I see as the result of
> ntlm_auth query drives me mad:
>
>
>
> There is a chroot for each domain. If you do: chroot /chroot/ITTECH
> then wbinfo -u, does it answer something?
> Also, a radius request in debug mode should help to find the solution.
>
> Regards
> Fabrice
>
>
> [root@PacketFence-ZEN bin]# ntlm_auth --request-nt-key --domain=optionsad --username=it.tech
> Password:
> could not obtain winbind separator!
> Reading winbind reply failed! (0x01)
> : (0x0)
>
>
>
> So, here I would like Fabrice comment on this, specifically
> bearing in mind that it all works if I use only the default realm
> and link it to the AD domain.
>
> What’s the point of having named realms?
>
> Moreover, if I test my authentication source with the
> authentication realm pointing to default the test fails. If I
> remove it then the test goes through ?
>
> What’s the point of having the realm here, Fabrice?
>
> Moreover, if I use FQDN for the host that acts as the windows
> domain controller my test also fails but if I use the IP address
> it is all good.
>
> I know and I swear that PF can resolve the name normally.
>
> There are more questions that I’d like to ask strongly believing
> there’s faulty code or missing documentation or a combination of both.
>
>
>
> Eugene
>
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
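To make the realm-to-domain logic discussed in this thread concrete, here is an added example (not code from the thread, nor PacketFence's own) that resolves a RADIUS User-Name against a realm.conf fragment modelled on Eugene's, picks the matching realm or falls back to a [default] realm (assumed to exist), applies the `strip` option, and derives the per-domain winbind chroot path under /chroots that the thread mentions.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed realm.conf fragment modelled on the one quoted in the thread;
# the [default] section is an assumption added for the fallback case.
REALM_CONF = """
[OPTIONS-AD-REALM]
domain=optionsad
options=strip

[default]
domain=optionsad
options=strip
"""

# One winbind chroot per AD domain, as in the thread (/chroots/optionsad).
CHROOT_BASE = "/chroots"


@dataclass
class AuthPlan:
    realm: str      # realm section that matched the User-Name
    domain: str     # AD domain the realm is bound to
    username: str   # name that would be handed to ntlm_auth after stripping
    chroot: str     # chroot in which wbinfo / ntlm_auth must run


def load_realms(text: str) -> dict:
    """Parse the INI-style realm.conf into {realm: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def plan_for(identity: str, realms: dict) -> Optional[AuthPlan]:
    """Assumed lookup order: an explicit 'user@REALM' suffix that names a
    configured realm wins; anything else falls back to [default]."""
    user, sep, suffix = identity.partition("@")
    if sep and suffix in realms:
        realm = suffix
    elif "default" in realms:
        realm = "default"
    else:
        return None  # no realm can handle this identity
    conf = realms[realm]
    domain = conf.get("domain")
    if not domain:
        return None  # realm not bound to an AD domain: nothing to chroot into
    strip = "strip" in [o.strip() for o in conf.get("options", "").split(",")]
    name = user if strip else identity
    return AuthPlan(realm, domain, name, f"{CHROOT_BASE}/{domain}")
```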