Hello Markus,
Would you mind giving us the output of this command:
cat /usr/local/pf/conf/realm.conf
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> On 6 Feb 2017, at 04:27, Markus Bolz <[email protected]> wrote:
>
>
> Hello,
>
> We are running a PacketFence 6.4.0 on a CentOS ZEN image. LAN
> authentication on local and routed networks is running fine. Currently
> we are trying to integrate our wireless network infrastructure.
> Authentication is to be done against our Active Directory, the winbind
> join should be working according to
>
> [root@packetfence ~]# chroot /chroots/MYDOMAIN.NET/ wbinfo --own-domain
> MYDOMAIN
>
> We configured a realm on our wireless infrastructure to authenticate
> @mydomain.net requests against the packetfence server. Authentication is
> not successful, we see "Reading winbind reply failed! (0xc0000001)"
> in the radius log files (also in radius debug log when we start the
> radiusserver as user pf with -X )
>
> Radius.log:
>
> Mon Jan 30 11:34:09 2017 : Auth: (226) Login incorrect (eap: Failed
> continuing EAP PEAP (25) session. EAP sub-module failed):
> [[email protected]] (from client 172.16.10.2 port 1 cli
> bc:f5:ac:fe:d0:06)
> Mon Jan 30 11:34:09 2017 : [mac:bc:f5:ac:fe:d0:06] Rejected user:
> [email protected]
> Mon Jan 30 11:34:27 2017 : ERROR: (234) mschap: ERROR: Program returned
> code (1) and output 'Reading winbind reply failed! (0xc0000001)'
> Mon Jan 30 11:34:27 2017 : Auth: (234) Login incorrect (mschap:
> Program returned code (1) and output 'Reading winbind reply failed!
> (0xc0000001)'): [[email protected]] (from client 172.16.10.2 port 1
> cli bc:f5:ac:fe:d0:06 via TLS tunnel)
> Mon Jan 30 11:34:27 2017 : Info: rlm_sql (sql): Need 1 more connections
> to reach 10 spares
> Mon Jan 30 11:34:27 2017 : Info: rlm_sql (sql): Opening additional
> connection (152), 1 of 62 pending slots used
> Mon Jan 30 11:34:27 2017 : Info: (235) eap_peap: The users session was
> previously rejected: returning reject (again.)
> Mon Jan 30 11:34:27 2017 : Info: (235) eap_peap: This means you need
> to read the PREVIOUS messages in the debug output
> Mon Jan 30 11:34:27 2017 : Info: (235) eap_peap: to find out the
> reason why the user was rejected
> Mon Jan 30 11:34:27 2017 : Info: (235) eap_peap: Look for "reject" or
> "fail". Those earlier messages will tell you
> Mon Jan 30 11:34:27 2017 : Info: (235) eap_peap: what went wrong, and
> how to fix the problem
>
>
> If we test the same auth request in the chroot-environment as user pf
> manually, the auth seems to be OK:
>
> -sh-4.1$ /usr/bin/sudo /usr/sbin/chroot /chroots/MYDOMAIN.NET/
> /usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key --username=testuser
> password:
> NT_STATUS_OK: Success (0x0)
> -sh-4.1$
>
> What are we missing?
>
> Thanks for any help,
>
> --
> -markus bolz
>
> __________________________________________________________________________
>
> Markus Bolz - Leiter Infrastrukturgruppe DFKI
> Campus D 3.2, D-66123 Saarbruecken, Germany
> Phone: (+49 681) 85775-5572, Fax: ...-5020, E-Mail: [email protected]
>
> Deutsches Forschungszentrum fuer Kuenstliche Intelligenz GmbH,
> Trippstadter Strasse 122, D-67663 Kaiserslautern, Germany, www.dfki.de *
> Geschaeftsfuehrung: Prof. Dr. Dr. h.c. mult. Wolfgang Wahlster (Vors.),
> Dr. Walter Olthoff * Vorsitzender des Aufsichtsrats: Prof. Dr. h.c. Hans
> A. Aukes * Amtsgericht Kaiserslautern, HRB 2313
> __________________________________________________________________________
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users