[EMAIL PROTECTED] wrote:

All,
I finally got it working, but not yet as I want.
The trick that made it work is setting auth-type := MSCHAPv2 for the

You should not do that, and should not *have* to do that.

Most likely you have not put the mschap module in the authorize section, *or* you have put another module higher up that is setting the auth-type first, e.g. LDAP.

You should have:

authorize {
  preprocess
  mschap
  # other modules, maybe files?
}
authenticate {
  Auth-Type MS-CHAP {
    mschap
  }
}

user(s) and I also started radiusd as root (changed the rights without success to radiusd, but once everything is working I will try to run again with radiusd user)

That's probably permissions on the winbind socket - see

[EMAIL PROTECTED] var]$ ls -ld /var/cache/samba/winbindd_privileged/
drwxr-x--- 2 root root 4096 Jul 24 21:36 /var/cache/samba/winbindd_privileged/

...radius will need to be able to get into that directory and access the unix socket inside.

Many distributions have the unix group "squid" set up to be able to read it for the purposes of Squid+ntlm. If so, just add the "radiusd" user to the "squid" group. Or, create an "ntlmauth" group and set permissions appropriately.

If you are on an SELinux distribution, watch for that.

If I connect my user(s) with [EMAIL PROTECTED] it works,
but if I use realm\username the realm is found but no ntlm is used (and authentication fails).

Below you find an extract from the debug where you can see that the

An extract is no use. Please show the full debug output for a failing session.

HOWEVER, first you may want to check your mschap module definition:

modules {
  mschap {
    ntlm_auth = "/usr/bin/ntlm_auth \
      --request-nt-key \
      --username=%{mschap:User-Name:-None} \
      --domain=%{mschap:NT-Domain:-None} \
      --challenge=%{mschap:Challenge:-00} \
      --nt-response=%{mschap:NT-Response:-00}"
  }
}

...all on one line of course. Note the use of the "mschap:User-Name" and "mschap:NT-Domain" values.
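Added example (not part of the original message): a POSIX shell check for the winbind directory permission problem discussed above, deciding from the owner, group and mode whether a given user can enter the directory. It evaluates only the classic owner/group/other execute bit on the directory, not ACLs, SELinux policy or the socket file inside; the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# can_enter MODE OWNER_UID GROUP_GID UID "GID ..."
# Returns 0 when a process with UID and the listed GIDs may traverse a
# directory with the given octal MODE, owner and group. Only the classic
# owner/group/other bits are evaluated (no ACLs, no SELinux).
can_enter() {
    ce_perms=$((0$1)) ce_owner=$2 ce_group=$3 ce_uid=$4
    [ "$ce_uid" -eq 0 ] && return 0             # root bypasses the mode bits
    if [ "$ce_uid" -eq "$ce_owner" ]; then
        ce_bit=$(( (ce_perms >> 6) & 1 ))       # owner class: u+x
    else
        ce_bit=$(( ce_perms & 1 ))              # default to other class: o+x
        for ce_g in $5; do
            if [ "$ce_g" -eq "$ce_group" ]; then
                ce_bit=$(( (ce_perms >> 3) & 1 ))   # group class: g+x
                break
            fi
        done
    fi
    [ "$ce_bit" -eq 1 ]
}

# check_winbind_dir USER [DIR]
# Looks up the real values with stat(1) (GNU syntax) and id(1).
# Returns 0 if USER can enter DIR, 1 if not, 2 if the lookup failed.
check_winbind_dir() {
    cw_user=$1
    cw_dir=${2:-/var/cache/samba/winbindd_privileged}
    cw_info=$(stat -c '%a %u %g' "$cw_dir") || return 2
    cw_uid=$(id -u "$cw_user") || return 2
    cw_gids=$(id -G "$cw_user") || return 2
    set -- $cw_info
    if can_enter "$1" "$2" "$3" "$cw_uid" "$cw_gids"; then
        echo "$cw_user can enter $cw_dir"
    else
        echo "$cw_user cannot enter $cw_dir (mode $1, uid $2, gid $3)"
        return 1
    fi
}
# Usage on the RADIUS host (run as root so stat can read the directory):
#   check_winbind_dir radiusd
```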