Re: Problem with ntlm_auth
That was an example; to check with different users, DEFAULT should be used, as Ivan rightly said.

On Thu, Oct 9, 2008 at 1:22 PM, <[EMAIL PROTECTED]> wrote:
> So to understand you right:
>
> Every user that should be authenticated has to be an entry in the users file?
>
> Isn't it possible to add a forwarding for every user so that all requests are just forwarded and checked?
>
> If not, I must add all users from the AD to the users file, mustn't I?
>
> From: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@lists.freeradius.org On behalf of Syed Anwarul Hasan
> Sent: Thursday, 9 October 2008 13:16
> To: FreeRadius users mailing list
> Subject: Re: Problem with ntlm_auth
>
> And also don't remove ntlm_auth from the authenticate section of both the default and inner-tunnel files.
>
> [...]
Re: Problem with ntlm_auth
And also don't remove ntlm_auth from the authenticate section of both the default and inner-tunnel files.

On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <[EMAIL PROTECTED]> wrote:
> Ok, where are the USER CREDENTIALS stored? The one described in the manual is "Bind as User".
>
> [...]
Re: Problem with ntlm_auth
Ok, where are the USER CREDENTIALS stored? The one described in the manual is "Bind as User". That is, the user entry is added in the users file and, after using ntlm_auth, it is checked against an Active Directory or LDAP server backend using the NT LAN Manager authentication protocol.

For example:

Users file:
User Auth-Type := ntlm_auth

In Active Directory:
The user should be a member.

So, then ntlm_auth requests will be passed from your server to the Active Directory or LDAP server.

Otherwise you will not set up ntlm_auth.

SYED

On Thu, Oct 9, 2008 at 12:58 PM, <[EMAIL PROTECTED]> wrote:
> OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back:
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
>         User-Name = "MyUser"
>         User-Password = "MyPassword"
>         NAS-IP-Address = IP.OF.THE.SERVER
>         NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> MyUser
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 92 with timestamp +3710
> Ready to process requests.
>
> Now what should I do?
> Thanks in advance.
>
> Kind regards
>
> Frederik Niedernolte
> arvato services, Gütersloh, Germany
> http://www.arvato-services.de
>
> [...]
Re: Problem with ntlm_auth
Hi,
You can use the radtest tool to check with the server. The server will return an Access-Accept message.
Another tool is the JRadius Simulator, as Ivan said, but I have not used it.
Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP requests to use ntlm_auth with an Active Directory or LDAP server backend (if you have one).

SYED

On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]> wrote:
> Thanks, now it works :)
>
> Now the last step: How can I test it? What tool/program etc. can/should I use to test it?
>
> "The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult. If everything goes well, you should see the server returning an Access-Accept <http://freeradius.org/rfc/rfc2865.html#Access-Accept> message as above."
>
> Kind regards
>
> Frederik Niedernolte
> arvato services, Gütersloh, Germany
> http://www.arvato-services.de
>
> [...]

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with ntlm_auth
Hi Frederik,

1) Put the user entry on TOP of the users file.
2) In the default file, in the authenticate section, add ntlm_auth. Don't set it using Auth-Type.
3) Also in sites-enabled/inner-tunnel, which is the virtual server "inner-tunnel", add ntlm_auth in the authenticate section.

I hope it will solve your problem.

SYED

On Thu, Oct 9, 2008 at 11:17 AM, <[EMAIL PROTECTED]> wrote:
> I have finished all steps up to "user Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html.
>
> With this command I get this error message at the end of "/usr/sbin/freeradius -X":
>
> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown value ntlm_auth for attribute Auth-Type
> Errors reading /etc/freeradius/users
> /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
> /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module "files".
> /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize section.
> }
> }
> Errors initializing modules
>
> The authenticate section in /etc/freeradius/sites-enabled/default looks like this (only the important part):
>
> authenticate {
>         #
>         # NTLM_AUTH authentication.
>         Auth-Type ntlm_auth {
>                 ntlm_auth
>         }
>
> What is wrong and what can I do to solve the problem?
> Thanks in advance.
>
> Best regards, F. Niedernolte
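The parse error Frederik quotes ("Unknown value ntlm_auth for attribute Auth-Type") and Syed's step 3 come down to one invariant. FreeRADIUS 2.x registers each `Auth-Type NAME { ... }` sub-section that it finds in a virtual server's `authenticate` section as a legal value of the Auth-Type attribute, and the `files` module can only parse a users entry such as `DEFAULT Auth-Type := ntlm_auth` once that value is known. Because the order in which the files under sites-enabled/ are loaded is nothing to rely on, the safe rule is that every virtual server which runs `files` (here both "default" and "inner-tunnel") defines the sub-section itself. The script below is an added example of mine, not code from the thread, the deployingradius.com how-to or the FreeRADIUS project; it checks that rule statically. The users file and the two virtual-server snippets embedded in it are constructed samples modelled on the configuration quoted in this thread, with "inner-tunnel" shown before and after Syed's step 3.

```python
"""Static check for the FreeRADIUS 2.x Auth-Type mismatch seen in this thread.

Added example, not code from the thread, the how-to or the FreeRADIUS project.
Rule checked: every Auth-Type value the 'users' file assigns must be defined
as an  Auth-Type NAME { ... }  sub-section of the authenticate section in each
virtual server that loads the users file.  Sample configs are constructed.
"""
import re

# "authenticate {" or "Auth-Type NAME {" on a line of its own (comment removed)
SECTION_OPEN = re.compile(r'^([\w-]+)(?:\s+([\w-]+))?\s*\{$')
# check item on the first line of a users entry, e.g.  Auth-Type := ntlm_auth
AUTH_TYPE_ITEM = re.compile(r'\bAuth-Type\s*(?::=|==|=)\s*"?([\w-]+)"?', re.I)


def strip_comment(line):
    """Remove a trailing '#' comment; both file formats use it."""
    return line.split('#', 1)[0].rstrip()


def users_auth_types(users_text):
    """Map entry name -> Auth-Type for entries whose check-item line sets it.
    Check items sit on the unindented first line of an entry; the indented
    reply-item lines that follow are skipped."""
    found = {}
    for raw in users_text.splitlines():
        line = strip_comment(raw)
        if not line or line[0].isspace():
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            m = AUTH_TYPE_ITEM.search(parts[1])
            if m:
                found[parts[0]] = m.group(1)
    return found


def defined_auth_types(server_text):
    """Set of NAME from 'Auth-Type NAME {' blocks directly inside an
    authenticate {} section.  A small brace stack handles nesting such as
    server inner-tunnel { authenticate { ... } }."""
    stack, found = [], set()
    for raw in server_text.splitlines():
        s = strip_comment(raw).strip()
        if s.startswith('}') and stack:
            stack.pop()
        if s.endswith('{'):
            m = SECTION_OPEN.match(s)
            kind, arg = (m.group(1), m.group(2)) if m else ('?', None)
            if kind == 'Auth-Type' and arg and stack and stack[-1] == 'authenticate':
                found.add(arg)
            stack.append(kind)
    return found


def check(users_text, servers):
    """servers: {virtual server name: config text}.  Returns
    {auth_type: [servers that do not define it]}; empty dict means all good."""
    problems = {}
    for auth_type in sorted(set(users_auth_types(users_text).values())):
        missing = sorted(name for name, cfg in servers.items()
                         if auth_type not in defined_auth_types(cfg))
        if missing:
            problems[auth_type] = missing
    return problems


# --- constructed samples, modelled on the configuration quoted in the thread ---
USERS = 'DEFAULT Auth-Type := ntlm_auth\n'

DEFAULT_SITE = """\
authorize {
    preprocess
    mschap
    files
}
authenticate {
    Auth-Type PAP {
        pap
    }
    # NTLM_AUTH authentication.
    Auth-Type ntlm_auth {
        ntlm_auth
    }
    eap
}
"""

INNER_TUNNEL_BEFORE = """\
server inner-tunnel {
    authorize {
        mschap
        files
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        eap
    }
}
"""
# Syed's step 3: the same Auth-Type block added to the inner-tunnel server.
INNER_TUNNEL_AFTER = INNER_TUNNEL_BEFORE.replace(
    '        eap\n',
    '        Auth-Type ntlm_auth {\n            ntlm_auth\n        }\n        eap\n')

if __name__ == '__main__':
    for label, inner in (('before', INNER_TUNNEL_BEFORE), ('after', INNER_TUNNEL_AFTER)):
        print(label, check(USERS, {'default': DEFAULT_SITE, 'inner-tunnel': inner}) or 'OK')
```

Run against the real files (`/etc/freeradius/users` and each file in `sites-enabled/`), a non-empty result names exactly the virtual server whose load would trip the "Unknown value" parse error; the parser only looks at the unindented check-item line of each users entry and at `Auth-Type` blocks directly under `authenticate`, which is all this particular failure depends on.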
RE: Problem with ntlm_auth
> -----Original Message-----
> On Behalf Of Phil Mayers
>
> It is supposed to be like that. It's been like that forever as far as I know. I don't know why it was working for you - is your samba from an OS package and it's possible they changed the perms?
>
> (It's even worse on RHEL4 systems - there's a buggy SELinux policy that labels that directory so ntlm_auth can't access it!)

Ack, it's even worse than I thought.

I was running my previous FreeRADIUS server as root! So that's why it didn't bite me before: it had root access.

When I set up my new server, I had it running as its own user account.

Thanks for the answer. It always seems to be the simple things.
Re: Problem with ntlm_auth
King, Michael wrote:
> I found that the winbindd_privileged directory was
>
> drwxr-x--- 2 root root 4096 2006-02-28 18:10 winbindd_privileged
>
> Is this a recent change of Samba? I didn't have to do this a few months ago.
>
> More importantly, did I do something wrong? Or is this normal, and I just did not note that I did this before.

It is supposed to be like that. It's been like that forever as far as I know. I don't know why it was working for you - is your samba from an OS package and it's possible they changed the perms?

(It's even worse on RHEL4 systems - there's a buggy SELinux policy that labels that directory so ntlm_auth can't access it!)
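The root:root, mode 750 directory Michael found and Phil's explanation reduce to ordinary Unix directory permissions: ntlm_auth is spawned by radiusd and so runs as the radiusd account, and it needs search access to winbindd_privileged to open winbindd's privileged socket. A radiusd running as root passes that check unconditionally; one running as its own account passes only if that account is in the directory's group (or the directory is chgrp'd to a group the account has; which group Samba packages use varies by distribution, so the script reports the gid rather than guessing a name). The script below is an added example of mine, not code from the thread, Samba or FreeRADIUS. It applies the owner/group/other rule for a hypothetical (uid, groups) pair against a constructed temporary directory with mode 750, so it runs without root; the account name `freerad` and the uid 12345 are assumptions, and the check deliberately ignores ACLs and the SELinux labelling Phil mentions, which can deny access even when the mode bits allow it.

```python
"""Can the radiusd account reach Samba's winbindd_privileged directory?

Added example, not code from the thread, Samba or FreeRADIUS.  ntlm_auth
(spawned by radiusd, hence running as the radiusd user) needs search access
to winbindd_privileged, which Samba creates as  drwxr-x--- root root .
The check applies the ordinary Unix directory-permission rule for a
hypothetical (uid, gids) pair, ignoring ACLs and SELinux, so it can be
exercised here against a constructed temp directory without root.
"""
import os
import stat
import tempfile


def can_enter_dir(path, uid, gids):
    """True if a process with this uid and group list could search (x) and
    list (r) the directory.  uid 0 bypasses discretionary checks, as the
    kernel does.  Only the owner/group/other mode bits are consulted."""
    if uid == 0:
        return True
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a directory")
    if uid == st.st_uid:
        need = stat.S_IRUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IRGRP | stat.S_IXGRP
    else:
        need = stat.S_IROTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def diagnose(path, radius_user, uid, gids):
    """One-line verdict; on failure, the remediation the thread implies:
    put the radiusd account into the directory's group (or chgrp the
    directory to a group the account already has)."""
    if can_enter_dir(path, uid, gids):
        return f"{radius_user} can reach {path}"
    st = os.stat(path)
    return (f"{radius_user} cannot reach {path} (mode {stat.S_IMODE(st.st_mode):o}, "
            f"owner uid {st.st_uid}, gid {st.st_gid}): add {radius_user} to the group "
            f"with gid {st.st_gid} (usermod -a -G <group> {radius_user}) and restart radiusd")


def demo():
    """Constructed stand-in for winbindd_privileged: a temp dir with mode 750.
    'freerad' and uid 12345 are assumed names for the radiusd account."""
    d = tempfile.mkdtemp(prefix="winbindd_privileged.")
    os.chmod(d, 0o750)
    st = os.stat(d)
    try:
        return {
            # radiusd as root or as the owner: the case that "worked before"
            "as_owner": can_enter_dir(d, st.st_uid, [st.st_gid]),
            # unprivileged radiusd whose account is in the directory's group
            "in_group": can_enter_dir(d, 12345, [st.st_gid]),
            # unprivileged radiusd outside the group: the failure in the thread
            "not_in_group": can_enter_dir(d, 12345, []),
            "advice_on_failure": "usermod -a -G" in diagnose(d, "freerad", 12345, []),
        }
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    print(demo())
```

For a live server, call `diagnose` with the real socket directory, the radiusd account's uid and its full group list (`os.getgroups()` inside a process running as that user, or `id -G <user>`); on an SELinux host a passing result here still says nothing about the labelling problem Phil describes, which shows up as AVC denials rather than as a mode-bit mismatch.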