Re: FR + ADS 2003 + ntlm_auth

2007-04-24 Thread Jacob Jarick
For anyone else who might have the same problem, it was resolved by the
following command:

chgrp radiusd /var/cache/samba/winbindd_privileged/

original article:
http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_10.htm

Thanks to google and Alan for tipping me off.

Yes, I am about to back up everything :P before resuming ldap.

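Two checks for the failure this thread resolves, as an added example that is not from the thread or from the FreeRADIUS or Samba projects: the first pulls the ntlm_auth diagnostic out of a saved `radiusd -X` log (Alan's point about reading the whole debug output instead of the last "failed" line), the second verifies that the winbindd_privileged directory is group-owned by the daemon's group and group-traversable (the chgrp fix above). It assumes a Linux host with GNU coreutils, a daemon group named radiusd, and a constructed sample log.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS/Samba.
# Assumes Linux with GNU coreutils (stat -c) and a daemon group named
# radiusd; the sample log below is constructed from the lines quoted above.

# 1. rlm_mschap only reports "External script failed"; the real diagnostic is
#    the Exec-Program output line earlier in the radiusd -X log. Print it.
mschap_exec_failure() {   # $1 = file holding saved radiusd -X output
    awk '
        /^Exec-Program: \//      { msg = "" }                 # new ntlm_auth run
        /^Exec-Program output: / { sub(/^Exec-Program output: /, ""); msg = $0 }
        /^Exec-Program: returned: / && $NF != 0 { if (msg != "") print msg; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# 2. winbindd_privileged must be group-owned by the group radiusd runs as and
#    group-traversable (Samba documents mode 0750). A test run as root passes
#    regardless, which is why the poster's manual ntlm_auth succeeded while the
#    call from FreeRADIUS failed.
check_winbind_priv() {    # $1 = directory, $2 = expected group name or gid
    dir=$1 grp=$2
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    owner_grp=$(stat -c %G "$dir") && owner_gid=$(stat -c %g "$dir") || return 2
    mode=$(stat -c %a "$dir")
    if [ "$owner_grp" != "$grp" ] && [ "$owner_gid" != "$grp" ]; then
        echo "$dir is group $owner_grp, expected $grp (fix: chgrp $grp $dir)" >&2
        return 1
    fi
    if [ $(( $mode / 10 % 10 & 5 )) -ne 5 ]; then   # group r and x bits
        echo "group lacks r-x on $dir (mode $mode; fix: chmod 750 $dir)" >&2
        return 1
    fi
    return 0
}

# Constructed sample of the relevant radiusd -X lines (challenge and response
# values are placeholders).
write_sample_log() {      # $1 = output file
    cat > "$1" <<'EOF'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob --domain=TFXSCHOOL --challenge=<challenge> --nt-response=<nt-response>
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
EOF
}

# After chgrp, re-test as the daemon's user rather than as root:
#   su -s /bin/sh radiusd -c 'ntlm_auth --request-nt-key --domain=TFXSCHOOL --username=jacob'
```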

Re: FR + ADS 2003 + ntlm_auth

2007-04-24 Thread Jacob Jarick
radiusd -X -f: http://pastebin.ca/455497

Alan, I have been trying to do my groundwork / homework is all, i.e.
research before asking.
It's simply a case of taking whatever support is available and not
always being aware who the devs are. When nothing you have tried works,
try something you haven't. It's rare to be told, don't google, ask.

Anyway, I apologize for getting testy. I should have said if there is
a doc I should be reading, paste the link, rather than have me google,
find the incorrect one, then be told the howto/document is incorrect.

Now regarding your document Alan,

Page 12 of 20

"Make sure that the following lines are uncommented and that the value
is the same as indicated here

authtype = MS-CHAP"

Is this the line in question?

"
#  An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
#   filename = /etc/smbpasswd
#   format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
#   authtype = MS-CHAP
#   hashsize = 100
#   ignorenislike = no
#   allowmultiplekeys = no
#}
"

I have checked through the tutorial again, all my config files were in
order but ntlm_auth was failing for some reason, a reboot later and
all was well again.

Here is the output of my testing ntlm_auth, so you know I have the
samba side working.

"
[EMAIL PROTECTED] ~]# net join -U Administrator
Administrator's password:
Using short domain name -- TFXSCHOOL
Joined 'LOCALHOST' to realm 'TFXSCHOOL.INTERNAL'
[EMAIL PROTECTED] ~]# wbinfo -a jacob%pass
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user jacob%pass with plaintext password
challenge/response password authentication succeeded
[EMAIL PROTECTED] ~]# ntlm_auth --request-nt-key --domain=tfxschool
--username=jacob
password:
NT_STATUS_OK: Success (0x0)
[EMAIL PROTECTED] ~]#
"

So that's samba checking passwords fine.

I ask because it is not under the "# Microsoft CHAP authentication"
section at all.

I went through the whole log this time (sorry, bad habit of scrolling
up for the last error then working on that one first)

"
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password
"

^ Does that mean it did not get sent the password, or simply that it
didn't find User-Password so it's using the found NT-Password?

And just below that (I feel silly) I see:
"
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob
--domain=TFXSCHOOL --challenge=a1a6b069c8d565ac
--nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
Exec-Program output: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
"

Looking at resolving that issue right now.



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FR + ADS 2003 + ntlm_auth

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
> Sorry to offend,
> but I have been seeing a lot of "Docs warn you of this etc", but seeing as
> there are so many conflicting documents, seeing the generic reply when
> I have read / googled high and low is quite frustrating.

  The authors of the program you're using have told you what works and
what doesn't.  You have a hard time believing them, because of some
random web page that isn't associated with the project.

  Is that really what you're saying?

  If your boss tells you to come in to work at 9am, do you show up at
noon, claiming confusion, because the 10 year old newspaper boy down the
street said you could show up at noon?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FR + ADS 2003 + ntlm_auth

2007-04-23 Thread Jacob Jarick
Sorry to offend,
but I have been seeing a lot of "Docs warn you of this etc", but seeing as
there are so many conflicting documents, seeing the generic reply when
I have read / googled high and low is quite frustrating.



Re: FR + ADS 2003 + ntlm_auth (including config files)

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
> I have gone back to ntlm_auth for the time being instead of ldap due
> to the incredibly frustrating lack of good documentation (if there are
> good docs, link it or shut up).

  A large part of the problem is that you seem to be making random
changes, and following various bits of various documentation.

  The way to get it to work is this:

1. Start with the default configuration.  ALWAYS start with the default
configuration.
2. Make one small change.
3. Test it.
4. If it works, go back to step 2 and make another change.
5. If it doesn't work, try again.

  Also, keep backups of everything.  If something works, make a copy.
Also, in step 4, repeat all of the tests that worked earlier.

> None of the howtos/tutorials I have followed end in success; it's
> always some ldap error of some kind.

  Then fix the LDAP errors before trying to debug FreeRADIUS.  If
FreeRADIUS can't connect to the LDAP server, then your setup won't work.

> At least 1/2 the FR + LDAP howtos
> say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is
> incorrect.

  It's wrong.  It's not needed.  You can believe the random people on
the net who don't understand FreeRADIUS, or you can believe the people
here, who do understand it.

> I followed Alan's Active Directory Integration tutorial and everything
> is set up as the guide says, but eap fails with this message:
> "
>  rlm_eap: Handler failed in EAP/peap
>  rlm_eap: Failed in EAP select
>  modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: leaving group authenticate (returns invalid) for request 7
> auth: Failed to validate the user.
> "

  You are NOT reading the whole debug output.  That's part of the reason
you're finding this so difficult.  The real cause of the authentication
failure, AND THE SUGGESTED FIX are in the debugging output:

Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)

  What part of that is not clear?

  It also looks like you did NOT follow my guide, which says to run
ntlm_auth from the command line first.

> On another note I'd like to volunteer to help update some of the
> documentation out there on FR; some is horribly out of date and makes
> for a very frustrating introduction for people.

  It's almost as frustrating to write documentation and then have it
ignored.  When the documentation says 10 times read the debugging
output, it really, truly, honestly, means that you should read it.
Looking at the last few lines that say "authentication failed" is
useless.  The rest of the output contains the information as to WHY it
failed.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FR + ADS 2003 + ntlm_auth

2007-04-23 Thread A . L . M . Buxey
Hi,

> good docs, link it or shut up).

I will now no longer be replying to you

alan