Re: FR + ADS 2003 + ntlm_auth (including config files)

2007-04-24 Thread Alan DeKok
Jacob Jarick wrote:
 I have gone back to ntlm_auth for the time being instead of ldap due
 to the incredibly frustrating lack of good documentation (if there are
 good docs, link it or shut up).

  A large part of the problem is that you seem to be making random
changes, and following various bits of various documentation.

  The way to get it to work is this:

1. Start with the default configuration.  ALWAYS start with the default
configuration.
2. Make one small change.
3. Test it.
4. If it works, go back to step 2 and make another change.
5. If it doesn't work, try again.

  Also, keep backups of everything.  If something works, make a copy.
Also, in step 4, repeat all of the tests that worked earlier.

 None of the howtos/tutorials I have followed end in success; it's
 always some ldap error of some kind.

  Then fix the LDAP errors before trying to debug FreeRADIUS.  If
FreeRADIUS can't connect to the LDAP server, then your setup won't work.

 At least 1/2 the FR + LDAP howtos
 say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is
 incorrect.

  It's wrong.  It's not needed.  You can believe the random people on
the net who don't understand FreeRADIUS, or you can believe the people
here, who do understand it.

 I followed Alan's Active Directory Integration tutorial and everything
 is set up as the guide says, but eap fails with this message:
 
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 7
 modcall: leaving group authenticate (returns invalid) for request 7
 auth: Failed to validate the user.
 

  You are NOT reading the whole debug output.  That's part of the reason
you're finding this so difficult.  The real cause of the authentication
failure, AND THE SUGGESTED FIX are in the debugging output:

Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)

  What part of that is not clear?

  It also looks like you did NOT follow my guide, which says to run
ntlm_auth from the command line first.

 On another note I'd like to volunteer to help update some of the
 documentation out there on FR; some is horribly out of date and makes
 for a very frustrating introduction for people.

  It's almost as frustrating to write documentation and then have it
ignored.  When the documentation says 10 times read the debugging
output, it really, truly, honestly, means that you should read it.
Looking at the last few lines that say authentication failed is
useless.  The rest of the output contains the information as to WHY it
failed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
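The preflight Alan describes, written here as an added example (not part of the thread, his guide, or FreeRADIUS): it checks whether the account FreeRADIUS runs as (assumed to be `radiusd`; change `RADIUS_USER` to match your install) can reach the winbindd_privileged directory named in the debug output, and then runs ntlm_auth by hand the way the guide says to do before touching radiusd.

```shell
#!/bin/sh
# Added example for this thread; not code from Alan's guide or FreeRADIUS.
# Assumptions: FreeRADIUS runs as $RADIUS_USER; the privileged socket
# directory is the one quoted in the debug output in the thread.
RADIUS_USER="${RADIUS_USER:-radiusd}"
PRIV_DIR="${PRIV_DIR:-/var/cache/samba/winbindd_privileged}"

# priv_dir_ok USER DIR
# Returns 0 if USER can traverse DIR (owner, group, or world x-bit), else 1.
# Parses `ls -ld` and `id -Gn` so it runs on any POSIX system.
priv_dir_ok() {
    user=$1; dir=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")
    mode=$1; owner=$3; group=$4
    ox=$(printf '%s' "$mode" | cut -c4)   # owner execute bit
    gx=$(printf '%s' "$mode" | cut -c7)   # group execute bit ('s' if setgid)
    ax=$(printf '%s' "$mode" | cut -c10)  # world execute bit
    [ "$ax" = x ] && return 0
    [ "$owner" = "$user" ] && [ "$ox" = x ] && return 0
    if [ "$gx" = x ] || [ "$gx" = s ]; then
        # Group path: the daemon's account must be a member of DIR's group.
        for g in $(id -Gn "$user" 2>/dev/null); do
            [ "$g" = "$group" ] && return 0
        done
    fi
    return 1
}

# check_ntlm_auth DOMAIN USER PASSWORD
# The same command-line test the guide asks for; returns ntlm_auth's exit
# status, so a winbind problem shows up here before FreeRADIUS is involved.
check_ntlm_auth() {
    ntlm_auth --request-nt-key --domain="$1" --username="$2" --password="$3"
}

if [ "${1:-}" = "--run" ]; then
    if priv_dir_ok "$RADIUS_USER" "$PRIV_DIR"; then
        echo "OK: $RADIUS_USER can reach $PRIV_DIR"
    else
        echo "FAIL: $RADIUS_USER cannot reach $PRIV_DIR; fix its group or mode"
    fi
    check_ntlm_auth "$2" "$3" "$4"
fi
```

Run it as `sh preflight.sh --run DOMAIN user password` on the RADIUS host; if the directory check fails, add the daemon's account to the directory's group (or fix the mode) before looking at any EAP output.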


FR + ADS 2003 + ntlm_auth (including config files)

2007-04-23 Thread Jacob Jarick
radius -X -f: http://pastebin.ca/455389
config files: http://rapidshare.com/files/27607850/config.tgz.html

Hello All,
I have gone back to ntlm_auth for the time being instead of ldap due
to the incredibly frustrating lack of good documentation (if there are
good docs, link it or shut up).

None of the howtos/tutorials I have followed end in success; it's
always some ldap error of some kind. At least 1/2 the FR + LDAP howtos
say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is
incorrect.

I followed Alan's Active Directory Integration tutorial and everything
is set up as the guide says, but eap fails with this message:

 rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.


I had this the 1st time I followed the pdf but I did find another
howto that said to add something else and that got it working, but for
the life of me I can't find it again.

On another note I'd like to volunteer to help update some of the
documentation out there on FR; some is horribly out of date and makes
for a very frustrating introduction for people.