Hi,

The solution that is working for me is to run winbindd as root - then with proper file permissions, radiator can run as user "radiator" and the ntlm authentication works.
Thanks so much for the help!!

Joy

On 11/2/11 9:19 AM, "David Zych" <[email protected]> wrote:

>Joy Veronneau wrote:
>> Hi,
>> I am stumped! I have implemented samba and MSCHAPv2 and everything works when running as user root. (Winbindd and radiator running as root.) But I need to run the radiator process as user "radiator". I also had to install samba in an alternate directory.
>>
>> So, when running radiator and winbindd as "root" everything works including ntlm_auth from command line and also MSCHAPv2 connections through radiator. When running radiator and winbindd as user "radiator" ntlm_auth from command line works but MSCHAPv2 connection through radiator fails. The log file looks like this:
>>
>...
>> Mon Oct 31 10:50:03 2011: INFO: Starting NtlmAuthProg: /app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
>...
>> As user radiator, this works:
>>
>> /app/radius/samba/bin/ntlm_auth --request-nt-key --domain=CORNELL --username=jv11 --password=xxxxxxxxxx
>
>I had exactly the same problem when I first set up radiator. The gotcha is that for some reason ntlm_auth actually requires more special permissions to run with --helper-protocol=ntlm-server-1 than it does to do a simple auth check from the command line.
>
>The best way to troubleshoot this is to invoke ntlm_auth from the command line in the same way that Radiator actually invokes it to do MS-CHAPv2.
>
>For example, run
>
>ntlm_auth --helper-protocol=ntlm-server-1
>
>And then paste as input:
>
>Username: yourusernamehere
>NT-Domain: YOURDOMAINHERE
>LANMAN-Challenge: 0102030405060708
>NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
>.
>
>(the dot on a line by itself followed by another newline tells the helper protocol that you're done entering attributes)
>
>The desired output of this test, since the NT-Response value is completely bogus, is:
>
>Authenticated: No
>Authentication-Error: Wrong Password
>
>What it said for me instead, the first time I tried it, was:
>
>Authenticated: No
>Authentication-Error: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.
>
>which pointed me to the problem. The solution that worked for me was to change the group ownership of this directory (which will of course be in a different location for you):
>
>chgrp radiator /var/cache/samba/winbindd_privileged
>
>Note that (at least as of v3.0.33), samba is apparently very picky about this directory's permissions; changing the group is okay, but it must be owned by root and chmod 750 (drwxr-x---) in order to work.
>
>Finally, I've attached a perl script I wrote that performs this same test using a *working* input file stored on disk (generated by running it once with --create and giving it a real username and password); you'll probably want to change the hardcoded location of this file ($queryfile) to make sense for your system. On my radius servers I have a cron task which runs this script with -q every few minutes and automatically restarts winbind if it ever fails. :)
>
>Hope this helps!
>
>David
>
>P.S. Caveat: I'm running radiator as a regular user, but I'm running winbind as root (launched via sudo). It sounds like you're trying to avoid even that, so the chgrp may not be enough to solve your problem, but if not then hopefully my troubleshooting approach will still get you closer to understanding what's wrong.
>_______________________________________________
>radiator mailing list
>[email protected]
>http://www.open.com.au/mailman/listinfo/radiator
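As an added example (not David's attached Perl script, which is not on the page), here is a Python version of the same probe: it feeds the bogus ntlm-server-1 request from the thread to ntlm_auth and tells the healthy "Wrong Password" reply apart from the winbindd_privileged permissions error, so a cron check can restart winbind only on a real failure. The ntlm_auth path is the one quoted in the thread; the default domain/username and the label strings are my own assumptions.

```python
"""Probe ntlm_auth the way Radiator drives it (--helper-protocol=ntlm-server-1)
and classify the reply. Added example, not the Perl script from the thread.
Assumed: ntlm_auth path from the thread, placeholder domain/user, own labels."""
import subprocess

NTLM_AUTH = "/app/radius/samba/bin/ntlm_auth"   # path quoted in the thread

# Deliberately bogus values, exactly as in David's test: a healthy helper
# must answer "Wrong Password" and must never say "Authenticated: Yes".
BOGUS_CHALLENGE = "0102030405060708"
BOGUS_RESPONSE = "0102030405060708090A0B0C0D0E0F101112131415161718"


def helper_request(username, domain, challenge=BOGUS_CHALLENGE,
                   response=BOGUS_RESPONSE):
    """One ntlm-server-1 request: attribute lines, then a lone '.' line."""
    return (f"Username: {username}\nNT-Domain: {domain}\n"
            f"LANMAN-Challenge: {challenge}\nNT-Response: {response}\n.\n")


def classify(output):
    """'ok', 'wrong-password', 'permissions' (the winbindd_privileged case
    from the thread) or 'unknown', from the helper's key: value reply."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    if fields.get("authenticated", "").lower() == "yes":
        return "ok"
    error = fields.get("authentication-error", "").lower()
    if "not authorized" in error or "winbindd_privileged" in error:
        return "permissions"
    if "wrong password" in error:
        return "wrong-password"
    return "unknown"


def helper_is_healthy(output, expect_auth=False):
    """True when the reply is the one the request should produce: 'wrong-password'
    for the bogus probe, 'ok' when a real username/password was supplied."""
    return classify(output) == ("ok" if expect_auth else "wrong-password")


def probe(username="probeuser", domain="EXAMPLE", path=NTLM_AUTH):
    """Run ntlm_auth as the current user; run it as 'radiator', not root,
    to reproduce the thread's situation. Returns the classification label."""
    result = subprocess.run([path, "--helper-protocol=ntlm-server-1"],
                            input=helper_request(username, domain),
                            capture_output=True, text=True, timeout=10)
    return classify(result.stdout)
```

A cron wrapper would call `probe()` and restart winbind only when the label is `permissions` or `unknown`, which is what David's `-q` mode does with his working input file.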
