Problems freeradius and samba4

2013-06-10 Thread ricardobarbosams

Hi all.

I am trying to deploy an environment between freeradius and samba4 for a 
wireless network. The topology follows below.


access point <-> freeradius server <-> samba4 server

I set the access point to authenticate against the freeradius server, and 
freeradius uses ldap to authenticate against samba4, but it does not work.


The freeradius server log follows below:

[suffix] No '@' in User-Name = "user", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for user
[ldap]  expand: (&(objectClass=user)(sAMAccountName=%{User-Name})) -> (&(objectClass=user)(sAMAccountName=user))
[ldap]  expand: dc=batlab,dc=corp -> dc=batlab,dc=corp
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] closing existing LDAP connection
  [ldap] (re)connect to 192.168.0.4:389, authentication 0
  [ldap] bind as CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp/ to 192.168.0.4:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=batlab,dc=corp, with filter (&(objectClass=user)(sAMAccountName=user))
  [ldap] ldap_search() failed: Operations error
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Invalid user: [user/] (from client 192.168.0.200 port 0 cli 001f3a528f60)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

I note that this ldapsearch executes successfully:

# ldapsearch -LLL -h 192.168.0.4 -b dc=batlab,dc=corp -D us...@batlab.corp -W '(&(objectClass=user)(sAMAccountName=user))'

dn: CN=user test,OU=noc,OU=batlab,DC=batlab,DC=corp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user test
instanceType: 4
whenCreated: 20130404161519.0Z
displayName: user test
uSNCreated: 3728
name: user test
objectGUID:: x9uu1FOl70u8ovEwuZ72Rw==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAUV2w3N/Xfij4HyH/nmUQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user
sAMAccountType: 805306368
userPrincipalName: u...@batlab.corp
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=batlab,DC=corp
pwdLastSet: 1300956572
userAccountControl: 66048
memberOf: CN=Administrators,CN=Builtin,DC=batlab,DC=corp
memberOf: CN=Domain Admins,CN=Users,DC=batlab,DC=corp
memberOf: CN=Enterprise Admins,CN=Users,DC=batlab,DC=corp
memberOf: CN=g_noc,OU=noc,OU=batlab,DC=batlab,DC=corp
mail: u...@batlab.ufms.br
whenChanged: 20130427195156.0Z
uSNChanged: 4204
distinguishedName: CN=user test,OU=noc,OU=batlab,DC=batlab,DC=corp

I noticed that the Samba4 ldap does not have the user-password 
attribute; is this the cause?


My settings:

Ubuntu Linux 12.04.2
Access Point: Linksys Cisco wrtp54g

Any ideas?

Regards
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Problems freeradius and samba4

2013-06-10 Thread Alan DeKok
ricardobarbosams wrote:
>   [ldap] ldap_search() failed: Operations error

  Read raddb/modules/ldap.  Look for "operations error".

> I noticed that the ldap Samba4 does not possess the attribute
> user-password, is this the cause?

  No.

> My settings:
> 
> Ubuntu Linux 12.04.2
> Access Point: Linksys Cisco wrtp54g

  But not the version of FreeRADIUS.

  

  Alan DeKok.


Re: Problems freeradius and samba4

2013-06-11 Thread Iliya Peregoudov

On 10.06.2013 23:29, ricardobarbosams wrote:
>   [ldap] bind as CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp/ to 192.168.0.4:389
>
> [skipped]
>
> # ldapsearch -LLL -h 192.168.0.4 -b dc=batlab,dc=corp -D us...@batlab.corp -W '(&(objectClass=user)(sAMAccountName=user))'


freeradius binds as CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp and 
ldapsearch binds as us...@batlab.corp.


Maybe this is the cause of different search operation results.


Re: Problems freeradius and samba4

2013-06-11 Thread ricardobarbosams

Hi Alan, my freeradius version:

root@maxwell:~# freeradius -v
freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 24 2012 at 17:58:57

Copyright (C) 1999-2010 The FreeRADIUS server project and contributors.

Regards.



Re: Problems freeradius and samba4

2013-06-11 Thread ricardobarbosams


> freeradius binds as CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp 
> and ldapsearch binds as us...@batlab.corp.
>
> Maybe this is the cause of different search operation results.


No, my filter is

filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))"

Regards.


Re: Problems freeradius and samba4

2013-06-13 Thread Iliya Peregoudov

On 12.06.2013 4:19, ricardobarbosams wrote:
> No, my filter is
>
> filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))"


I am not talking about the filter, I am talking about binding to the directory. 
Your ldapsearch binds to the directory using one user and your radiusd 
binds to the directory as another user. These users can have different 
authorization levels in the directory server. The directory may allow the 
us...@batlab.corp user to retrieve objects but disallow it for the 
CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp user.


Configure radiusd to use the us...@batlab.corp user to bind to the 
directory and you'll get the same results as with ldapsearch.



Re: Problems freeradius and samba4

2013-06-13 Thread ricardobarbosams

Hi,

but there are no other settings, only the ldap file.

ldap {
	server = "192.168.0.4"
	identity = "CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp"
	password = X
	basedn = "dc=batlab,dc=corp"
	filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))"
	base_filter = "(objectClass=user)"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
}

What other file sets the user for the directory?

Regards.



Re: Problems freeradius and samba4

2013-06-13 Thread ricardobarbosams

Hi.

Executing ldapsearch with the user freeradius:

root@maxwell:~# ldapsearch -LLL -x -h 192.168.0.4 -b "dc=batlab,dc=corp" -D "CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp" -W "(sAMAccountName=administrator)" cn

Enter LDAP Password:
dn: CN=Administrator,CN=Users,DC=batlab,DC=corp
cn: Administrator


It works.

Regards.



Re: Problems freeradius and samba4

2013-06-14 Thread Roberto Ortega Ramiro
Hi, I'm a starter here, but the user freeradius in your ldap must be able to
read users' passwords.

Try with administrator in /etc/raddb/modules/ldap and if it works, the user
freeradius doesn't have rights for this.

Bye



-- 
Regards.


Roberto Ortega
Computer Science teacher.
http://www.proyectoret.es

Escuelas San José Valencia
Avd.Cortes Valencianas nº1
46015 Valencia
R4600489A
Tel: 963499011 ext. 262
Fax: 963488835
http://www.escuelassj.com

Do not print this e-mail unless necessary. Let's protect the environment.

Re: Problems freeradius and samba4

2013-06-22 Thread ricardobarbosams

Hi Ortega,

With the user administrator it did not work. Look at the log file:

[ldap] performing user authorization for test
[ldap]  expand: (&(objectClass=user)(sAMAccountName=%{User-Name})) -> (&(objectClass=user)(sAMAccountName=test))
[ldap]  expand: dc=batlab,dc=corp -> dc=batlab,dc=corp
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] closing existing LDAP connection
  [ldap] (re)connect to 192.168.0.4:389, authentication 0
  [ldap] bind as /X to 192.168.0.4:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=batlab,dc=corp, with filter (&(objectClass=user)(sAMAccountName=test))
[ldap] ldap_search() failed: Operations error
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail

Any idea?


Re: Problems freeradius and samba4

2013-06-23 Thread Alan DeKok
ricardobarbosams wrote:
>   [ldap] ldap_search() failed: Operations error
> [ldap] search failed
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns fail

  Read raddb/modules/ldap.  Look for "operations error".

  This is documented in v2.2.0.  If you're not running 2.2.0, then
upgrade.  Or, still *read* the configuration file you edited.  It has
instructions for what to do in this situation.

  Alan DeKok.
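Added example, not from the thread: Ricardo's ldap {} module block with the two Active Directory compatibility options that rlm_ldap 2.x reads from raddb/modules/ldap spelled out. That chase_referrals = no and rebind = no is the remedy the file's "Operations error" note refers to is this editor's assumption, to be checked against the installed 2.2.0 file as Alan advises; the bind identity stays the dedicated read-only freeradius account rather than administrator, and password = X remains the page's placeholder.

```conf
ldap {
	server = "192.168.0.4"
	# Dedicated, least-privileged service account; do not bind as administrator.
	identity = "CN=freeradius,OU=noc,OU=batlab,DC=batlab,DC=corp"
	password = X          # placeholder, as posted
	basedn = "dc=batlab,dc=corp"
	filter = "(&(objectClass=user)(sAMAccountName=%{User-Name}))"
	base_filter = "(objectClass=user)"

	# Active Directory / Samba4 compatibility (assumption: this is what the
	# module file's "Operations error" note describes). A subtree search of
	# the domain root returns referrals to child partitions; chasing them
	# opens an unauthenticated connection that AD refuses to search, and the
	# error surfaces as "ldap_search() failed: Operations error". ldapsearch
	# does not chase referrals by default, which is why it succeeds.
	chase_referrals = no
	rebind = no

	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = no
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
}
```

Run radiusd -X after the change and confirm the debug log shows the search returning the user's DN instead of "Operations error" before touching the bind identity.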


Re: Problems freeradius and samba4

2013-06-23 Thread A . L . M . Buxey
Hi,

>With user administrator not worked. look log file
> 
>[ldap] performing user authorization for test
>[ldap]  expand: (&(objectClass=user)(sAMAccountName=%{User-Name})) ->
>(&(objectClass=user)(sAMAccountName=test))
>[ldap]  expand: dc=batlab,dc=corp -> dc=batlab,dc=corp
>  [ldap] ldap_get_conn: Checking Id: 0
>  [ldap] ldap_get_conn: Got Id: 0
>  [ldap] attempting LDAP reconnection
>  [ldap] closing existing LDAP connection
>  [ldap] (re)connect to 192.168.0.4:389, authentication 0
>  [ldap] bind as /X to 192.168.0.4:389
>  [ldap] waiting for bind result ...
>  [ldap] Bind was successful
^

>  [ldap] performing search in dc=batlab,dc=corp, with filter
>(&(objectClass=user)(sAMAccountName=test))
>  [ldap] ldap_search() failed: Operations error
>[ldap] search failed
^
>  [ldap] ldap_release_conn: Release Id: 0
>++[ldap] returns fail
> 
>Any Idea

I'd suggest that you get acquainted with your LDAP directory structure and
ensure that you are looking in the right place with the right filter.

alan