Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
And also don't remove ntlm_auth from the authenticate section of both the default
and inner-tunnel files.

On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan [EMAIL PROTECTED] wrote:

 Ok, where are the USER CREDENTIALS stored? The one described in the manual is
 "Bind as User". That is, the user entry is added in the users file and, after using
 ntlm_auth, it is checked against an Active Directory or LDAP server backend
 using the NT LAN Manager authentication protocol.

 For example:
 Users file:
 User  Auth-Type := ntlm_auth

 In Active Directory
 User should be a member.

 So, then ntlm_auth requests will be passed from your Server to Active
 Directory or LDAP Server.

 Otherwise you will not set up ntlm_auth.

 SYED


 On Thu, Oct 9, 2008 at 12:58 PM, [EMAIL PROTECTED] wrote:

  OK, I have tested it with radtest MyUser MyPassword localhost 0
 testing123 and this is what the server gave back:

 Ready to process requests.
 rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
 User-Name = MyUser
 User-Password = MyPassword
 NAS-IP-Address = IP.OF.THE.SERVER
 NAS-Port = 0
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = MyUser, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [eap] No EAP-Message, not doing EAP
 ++[eap] returns noop
 ++[unix] returns notfound
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 [pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
 ++[pap] returns noop
 No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
 Failed to authenticate the user.
 Using Post-Auth-Type Reject
 +- entering group REJECT {...}
 [attr_filter.access_reject] expand: %{User-Name} - MyUser
  attr_filter: Matched entry DEFAULT at line 11
 ++[attr_filter.access_reject] returns updated
 Delaying reject of request 0 for 1 seconds
 Going to the next request
 Waking up in 0.9 seconds.
 Sending delayed reject for request 0
 Sending Access-Reject of id 92 to 127.0.0.1 port 32793
 Waking up in 4.9 seconds.
 Cleaning up request 0 ID 92 with timestamp +3710
 Ready to process requests.



 Now what should I do?
 Thanks in advance.



 From: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org on behalf of Syed Anwarul Hasan
 Sent: Thursday, 9 October 2008 12:12
 To: FreeRadius users mailing list
 Subject: Re: Problem with ntlm_auth



 Hi,
 You can use the radtest tool to check with the server. The server will return
 an Access-Accept message.
 Another tool is the JRadius Simulator, as Ivan said, but I have not used it.
 Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
 requests to use ntlm_auth with an Active Directory or LDAP server backend (if
 you have one).

 SYED

  On Thu, Oct 9, 2008 at 11:54 AM, [EMAIL PROTECTED] wrote:

 Thanks, now it works :)



 Now the last step: How can I test it? What tool/program etc. can/should I
 use to test it?

 The radclient cannot currently be used to send this request,
 unfortunately, which makes testing a little difficult. If everything goes
 well, you should see the server returning an Access-Accept
 (http://freeradius.org/rfc/rfc2865.html#Access-Accept) message as above.



 Mit freundlichen Grüßen / Kind regards

 Frederik Niedernolte
 ---
 arvato services
 An der Autobahn
 33310 Gütersloh
 Germany
 http://www.arvato-services.de
 [EMAIL PROTECTED]
 Tel.:  +49 (0)5241 80-40554

 arvato services GmbH: registered office Gütersloh | Gütersloh district court HRB 3826 |
 Managing directors Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
 Südmersen



 From: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org on behalf of Syed Anwarul Hasan
 Sent: Thursday, 9 October 2008 11:44
 To: FreeRadius users mailing list
 Subject: Re: Problem with ntlm_auth



 Hi Frederik,

 1) Put the user entry at the TOP of the users file.
 2) In the default file, in the authenticate section, add ntlm_auth. Don't set
 it using Auth-Type.
 3) Also in sites-enabled/inner-tunnel, which is the Virtual Server Inner
 Tunnel, add ntlm_auth in the authenticate section.

 I hope it will solve your problem.
 SYED

  On Thu, Oct 9, 2008 at 11:17 AM, [EMAIL PROTECTED] wrote:

 I have finished all steps till "user Auth-Type := ntlm_auth" from
 http://deployingradius.com/documents/configuration/active_directory.html.

 With this command I get this error message at the end of
 /usr/sbin/freeradius -X:



 /etc/freeradius

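As an added example (not code from the thread or from the FreeRADIUS project), a small parser that walks the radiusd -X output quoted above and reads the reject the way the thread does: no module in authorize set an Auth-Type, so the authenticate section never ran. DEBUG_LOG is that output trimmed to the lines the parser uses; group, module and packet names are taken from the log itself.

```python
import re

# Added example, not code from the thread. DEBUG_LOG is the quoted radtest run, trimmed.
DEBUG_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
User-Name = MyUser
User-Password = MyPassword
NAS-IP-Address = IP.OF.THE.SERVER
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[suffix] returns noop
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 92 to 127.0.0.1 port 32793
"""

RECV_RE = re.compile(r"^rad_recv: Access-\w+ packet .*\bid=(\d+)")
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*) = (.+)$")
GROUP_RE = re.compile(r"^\+- entering group (\S+)")
MOD_RE = re.compile(r"^\+\+\[([^\]]+)\] returns (\w+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id")

def parse_debug(text: str) -> dict:
    """Walk one request through radiusd -X output and record what each module returned."""
    req = {"id": None, "attrs": {}, "groups": {}, "reply": None, "messages": []}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RECV_RE.match(line):
            req["id"] = int(m.group(1))
        elif m := SEND_RE.match(line):
            req["reply"] = m.group(1)
        elif m := GROUP_RE.match(line):
            group = m.group(1)
            req["groups"].setdefault(group, [])
        elif m := MOD_RE.match(line):
            req["groups"].setdefault(group, []).append((m.group(1), m.group(2)))
        elif group is None and (m := ATTR_RE.match(line)):
            req["attrs"][m.group(1)] = m.group(2)  # attributes of the incoming packet
        elif line and not line.startswith(("+", "[")):
            req["messages"].append(line)  # bare server messages, e.g. the reject reason
    return req

def diagnose(req: dict) -> list:
    """Explain a reject the way the thread does: was Auth-Type ever set in authorize?"""
    findings = []
    if req["reply"] != "Access-Reject":
        return findings
    if any(m.startswith("No authenticate method") for m in req["messages"]):
        findings.append("no module in authorize set Auth-Type, so authenticate never ran")
        if "User-Password" in req["attrs"]:
            findings.append("request was PAP (User-Password), so chap/mschap/eap had nothing to do")
        if ("files", "noop") in req["groups"].get("authorize", []):
            findings.append("files returned noop: no users-file entry (e.g. DEFAULT) matched")
    return findings
```

Run `diagnose(parse_debug(DEBUG_LOG))` to get the three findings for the quoted log; an Access-Accept yields an empty list.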
Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Ok, where are the USER CREDENTIALS stored? The one described in the manual is
"Bind as User". That is, the user entry is added in the users file and, after using
ntlm_auth, it is checked against an Active Directory or LDAP server backend
using the NT LAN Manager authentication protocol.

For example:
Users file:
User  Auth-Type := ntlm_auth

In Active Directory
User should be a member.

So, then ntlm_auth requests will be passed from your Server to Active
Directory or LDAP Server.

Otherwise you will not set up ntlm_auth.

SYED

Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
That was an example; to check with different users, DEFAULT should be used, as
Ivan rightly said.


On Thu, Oct 9, 2008 at 1:22 PM, [EMAIL PROTECTED] wrote:

  So, to understand you right:

 Every user that should be authenticated has to be an entry in the users
 file?

 Isn't it possible to add forwarding for every user so that all requests
 are just forwarded and checked?

 If not, I must add all users from the AD to the users file, mustn't I?

Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Hi Frederik,

1) Put the user entry at the TOP of the users file.
2) In the default file, in the authenticate section, add ntlm_auth. Don't set
it using Auth-Type.
3) Also in sites-enabled/inner-tunnel, which is the Virtual Server Inner Tunnel,
add ntlm_auth in the authenticate section.

I hope it will solve your problem.
SYED



On Thu, Oct 9, 2008 at 11:17 AM, [EMAIL PROTECTED] wrote:

  I have finished all steps till "user Auth-Type := ntlm_auth" from
 http://deployingradius.com/documents/configuration/active_directory.html.

 With this command I get this error message at the end of
 /usr/sbin/freeradius -X:



 /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
 Errors reading /etc/freeradius/users
 /etc/freeradius/modules/files[7]: Instantiation failed for module files
 /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module files.
 /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
  }
 }
 Errors initializing modules



 The authenticate section in the /etc/freeradius/sites-enabled/default looks
 like this (only important part):



 authenticate {
 #
 #  NTLM_AUTH authentication.
 Auth-Type ntlm_auth {
 ntlm_auth
 }



 What is wrong and what can I do to solve the problem?

 Thanks in advance.

 Best regards, F. Niedernolte

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Hi,
You can use the radtest tool to check with the server. The server will return
an Access-Accept message.
Another tool is the JRadius Simulator, as Ivan said, but I have not used it.
Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
requests to use ntlm_auth with an Active Directory or LDAP server backend (if
you have one).

SYED


Re: Problem with ntlm_auth

2006-03-02 Thread Phil Mayers

King, Michael wrote:
 I found that the winbindd_privileged directory was
 	drwxr-x---  2 root root  4096 2006-02-28 18:10 winbindd_privileged

 Is this a recent change of Samba?  I didn't have to do this a few months
 ago.  More importantly, did I do something wrong?  Or is this normal,
 and I just didn't note that I did this before.


It is supposed to be like that. It's been like that forever as far as I 
know. I don't know why it was working for you - is your samba from an OS 
package and it's possible they changed the perms?


(It's even worse on RHEL4 systems - there's a buggy SELinux policy that 
labels that directory so ntlm_auth can't access it!)


RE: Problem with ntlm_auth

2006-03-02 Thread King, Michael
 -Original Message-
 On Behalf Of Phil Mayers
 
 It is supposed to be like that. It's been like that forever 
 as far as I know. I don't know why it was working for you - 
 is your samba from an OS package and it's possible they 
 changed the perms?
 
 (It's even worse on RHEL4 systems - there's a buggy SELinux 
 policy that labels that directory so ntlm_auth can't access it!)


Ack, it's even worse than I thought.  I was running my previous
FreeRADIUS server as root!

So, that's why it didn't bite me before: it had root access.

When I set up my new server, I had it running as its own user account.

Thanks for the answer.  It always seems to be the simple things.

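An added example, not code from the thread or from Samba or FreeRADIUS: a check of whether the account radiusd runs as can enter a directory with the listing Michael quoted, which is exactly the difference between the old server running as root and the new one running as its own user. The user name freerad and the group name winbindd_priv are assumed names used only for illustration; only the classic permission bits are modelled, so an SELinux label (the RHEL4 case) is out of scope.

```python
import grp
import os
import pwd
import stat

# Added example, not from the thread. LISTING is the directory line quoted above;
# "freerad" and "winbindd_priv" below are assumed names used for illustration.
LISTING = "drwxr-x---  2 root root  4096 2006-02-28 18:10 winbindd_privileged"


def parse_ls_line(line: str):
    """Split an 'ls -l' line into (mode string, owner, group, name)."""
    parts = line.split()
    return parts[0], parts[2], parts[3], parts[-1]


def can_traverse(mode: str, owner: str, group: str, user: str, user_groups) -> bool:
    """Can `user` enter a directory with this mode string?  Only the DAC bits are
    modelled; an SELinux label (see `ls -Z`) can still deny access, as on RHEL4."""
    if user == "root":  # root bypasses DAC, which is why running radiusd as root hid this
        return True
    owner_x, group_x, other_x = mode[3] in "xs", mode[6] in "xs", mode[9] in "xt"
    if user == owner:
        return owner_x
    if group in user_groups:
        return group_x
    return other_x


def check_listing(line: str, user: str, user_groups) -> str:
    """Verdict for one 'ls -l' line as a human-readable string."""
    mode, owner, group, name = parse_ls_line(line)
    if can_traverse(mode, owner, group, user, user_groups):
        return f"{user} can enter {name} ({mode} {owner}:{group})"
    return (f"{user} cannot enter {name} ({mode} {owner}:{group}); ntlm_auth run as "
            f"{user} will fail here unless {user} is in the directory's group")


def check_path(path: str, user: str) -> str:
    """Live variant: build the same inputs from the filesystem and the passwd/group db."""
    st = os.stat(path)
    pw = pwd.getpwnam(user)
    groups = {grp.getgrgid(pw.pw_gid).gr_name}
    groups.update(g.gr_name for g in grp.getgrall() if user in g.gr_mem)
    line = (f"{stat.filemode(st.st_mode)} 1 {pwd.getpwuid(st.st_uid).pw_name} "
            f"{grp.getgrgid(st.st_gid).gr_name} 0 - - {path}")
    return check_listing(line, user, groups)


if __name__ == "__main__":
    print(check_listing(LISTING, "root", ["root"]))
    print(check_listing(LISTING, "freerad", ["freerad"]))
    print(check_listing(LISTING.replace("root root", "root winbindd_priv"),
                        "freerad", ["freerad", "winbindd_priv"]))
```

`check_path("/var/run/samba/winbindd_privileged", "freerad")` runs the same logic against a live system (path and user are assumptions; use your distribution's values).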