ldap and unix return different results

2008-11-16 Thread Craig White
I am trying to use mschap and the following is logged suggesting that
ldap authorize succeeds but unix authorize fails but the passwords are
the same (aside from the fact that samba hashes the password). I can ssh
into the radius server with the user name and password...

# getent passwd|grep craigwhite
craigwhite:x:1013:1000:Craig White:/home/users/craigwhite:/bin/sh

# radtest craigwhite MY_PASSWORD MY_RADIUS_SERVER 0 whatever

and on the radius server running 'radiusd -X -f'

Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.100.7:60829, id=45, length=62
User-Name = craigwhite
User-Password = MY_PASSWORD
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = craigwhite, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for craigwhite
radius_xlat:  '(uid=craigwhite)'
radius_xlat:  'ou=People,ou=Accounts,o=MY_ORG,c=US'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=admin,o=Mullen,c=US/riod to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,ou=Accounts,o=MY_ORG,c=US, with filter (uid=craigwhite)
rlm_ldap: checking if remote access for craigwhite is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [UX ]  op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value HASHED_PASSWORD op=21
rlm_ldap: Adding sambaLMPassword as LM-Password, value HASHED_PASSWORD op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user craigwhite authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_unix: [craigwhite]: invalid password
  modcall[authenticate]: module unix returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.

Obviously this is something to do with the 'users' file configuration,
which is still at its default, and apparently this is the problem
here...

DEFAULT Auth-Type = System
Fall-Through = 1

What nugget am I missing?

Craig

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap and unix return different results

2008-11-16 Thread Craig White
On Sun, 2008-11-16 at 09:45 -0700, Craig White wrote:
 I am trying to use mschap and the following is logged suggesting that
 ldap authorize succeeds but unix authorize fails but the passwords are
 the same (aside from the fact that samba hashes the password). I can ssh
 into the radius server with the user name and password...

 Obviously this is something to do with the 'users' file configuration,
 which is still at its default, and apparently this is the problem
 here...
 
 DEFAULT Auth-Type = System
 Fall-Through = 1
 
 What nugget am I missing?

nevermind...

Instead of above, I needed...

DEFAULT Auth-Type = LDAP

probably obvious to some here...this is pretty cool stuff

Thanks

Craig
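The debug output in the first message shows rlm_ldap handing the server the Samba hashes as NT-Password and LM-Password. With DEFAULT forcing Auth-Type = System that material is never used: rlm_unix checks the password against the local account instead, which is the check that failed. The example below is added here to show what an NT-Password check amounts to once the directory has returned those attributes; it is not FreeRADIUS code and not the poster's. MD4 is implemented in pure Python because hashlib's md4 is often unavailable on OpenSSL 3 builds. The directory entry is constructed for illustration, the hash in it is the standard NT hash test vector for the string "password", and the sambaAcctFlags gate follows rlm_mschap in rejecting the D (disabled) flag; additionally requiring the U (normal user) flag is this example's own choice.

```python
import struct
import hmac

MASK = 0xFFFFFFFF


def _lrot(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_block(state, words):
    """One 64-byte MD4 compression step (RFC 1320): three rounds of 16 steps."""
    a, b, c, d = state
    rounds = (
        # (mix function, round constant, per-step shifts, message-word order)
        (lambda x, y, z: (x & y) | (~x & MASK & z), 0x00000000,
         (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for f, const, shifts, order in rounds:
        for i, k in enumerate(order):
            a = _lrot((a + f(b, c, d) + words[k] + const) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate register roles for the next step
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 over an arbitrary byte string."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    for off in range(0, len(msg), 64):
        state = _md4_block(state, struct.unpack("<16I", msg[off:off + 64]))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in sambaNTPassword: MD4 over UTF-16LE, upper hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def acct_flags_permit(samba_acct_flags: str) -> bool:
    """Gate on sambaAcctFlags such as '[UX         ]'.

    'D' (disabled) rejects, as rlm_mschap does. Requiring 'U' (normal user
    account) is an assumption of this example, not a documented rule.
    """
    flags = samba_acct_flags.strip().strip("[]").replace(" ", "")
    return "D" not in flags and "U" in flags


def ldap_password_check(entry: dict, password: str) -> bool:
    """What the NT-Password path amounts to after rlm_ldap returns the Samba
    attributes: no LDAP bind with the password, no /etc/shadow lookup, just a
    constant-time compare of the recomputed hash against the stored one."""
    if not acct_flags_permit(entry.get("sambaAcctFlags", "")):
        return False
    stored = entry.get("sambaNTPassword", "").upper()
    return hmac.compare_digest(nt_hash(password), stored)


# Constructed directory entry for illustration. The hash is the well-known NT
# hash of the string "password"; nothing here comes from the original thread.
ENTRY = {
    "uid": "craigwhite",
    "sambaAcctFlags": "[UX         ]",
    "sambaNTPassword": "8846F7EAEE8FB117AD06BDD830B7586C",
}
DISABLED_ENTRY = dict(ENTRY, sambaAcctFlags="[DUX        ]")

if __name__ == "__main__":
    print(nt_hash("password"))
    print(ldap_password_check(ENTRY, "password"))
    print(ldap_password_check(ENTRY, "wrong"))
    print(ldap_password_check(DISABLED_ENTRY, "password"))
```

The point to take from this is that the hash check needs nothing from the RADIUS host's own account database, so a DEFAULT entry that forces Auth-Type = System throws away what rlm_ldap just fetched and makes the outcome depend on rlm_unix being able to read the local shadow entry. Letting the directory-backed path (or, for MS-CHAP requests, the mschap module) pick the Auth-Type avoids that mismatch.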
