All,
I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto.
Could one of the users look at the output below and point me to the correct solution/howto?
I set up smb.conf, krb5.conf and freeradius. I joined the server to the domain and tested the connection with ntlm_auth:
[EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
password:
NT_STATUS_OK: Success (0x0)
[EMAIL PROTECTED] ~]#
Rights of the winbind pipe:
ls -l /var/cache/samba/winbindd_privileged
total 0
srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe
Below is the debug output of freeradius:
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c300000000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
PEAP: Adding old state with a4 c3
PEAP: Sending tunneled request
EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c300000000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "KMT-EU.KMTG.NET\\sstruyf"
State = 0xa4c337a92357e8d90a5f8c64b37d2df1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
rlm_realm: Found realm "KMT-EU.KMTG.NET"
rlm_realm: Adding Stripped-User-Name = "sstruyf"
rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 82
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched sstruyf at 98
modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 95
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client localhost port 0)
Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 7
Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551
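
Added example, not part of the original post: the debug output ends in "MS-CHAP2-Response is incorrect" and "Login incorrect", yet the NTSTATUS code printed by the ntlm_auth helper shows whether a reject came from the user's credentials or from the server's own access to the winbind pipe. The sketch below pairs each Exec-Program call with its output and classifies the cause; the function name, the cause labels and the second sample request are assumptions made for illustration.

```python
import re

NTSTATUS = {  # standard NTSTATUS codes that ntlm_auth prints in parentheses
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
}
CREDENTIAL_CODES = {0xC0000064, 0xC000006A, 0xC000006D}
EXEC_RE = re.compile(r"^Exec-Program: (/\S+)")
OUT_RE = re.compile(r"^Exec-Program output: (.*?)\s*\((0x[0-9a-fA-F]{8})\)$")
RET_RE = re.compile(r"^Exec-Program: returned: (\d+)$")
REJECT_RE = re.compile(r"^Login incorrect: \[(.+?)/")

def triage(debug_text):
    """Return one finding per external-helper call seen in radiusd debug output."""
    findings, cur = [], None
    for line in map(str.strip, debug_text.splitlines()):
        if m := EXEC_RE.match(line):
            cur = {"helper": m.group(1), "code": None, "name": None,
                   "exit": None, "user": None, "cause": "unknown"}
            findings.append(cur)
        elif cur is None:
            continue
        elif m := OUT_RE.match(line):
            code = int(m.group(2), 16)
            cur["code"], cur["name"] = code, NTSTATUS.get(code, "unmapped")
            if code == 0xC0000022 and "winbindd_privileged" in m.group(1):
                cur["cause"] = "helper-permissions"  # server-side, not the password
            elif code in CREDENTIAL_CODES:
                cur["cause"] = "credentials"
        elif m := RET_RE.match(line):
            cur["exit"] = int(m.group(1))
        elif (m := REJECT_RE.match(line)) and cur["user"] is None:
            cur["user"] = m.group(1)
    return findings

# First request: lines from the debug output above. Second: constructed for contrast.
SAMPLE = r"""
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client localhost port 0)
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=alice --challenge=0011223344556677 --nt-response=constructed
Exec-Program output: Logon failure (0xc000006d)
Exec-Program: returned: 1
Login incorrect: [EXAMPLE\\alice/<no User-Password attribute>] (from client localhost port 0)
"""
```

Calling triage(SAMPLE) labels the request from the post as "helper-permissions" and the constructed one as "credentials", which keeps a server misconfiguration from being counted as a failed password attempt.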