Re: Problem with ntlm_auth
That was example,to check with different Users,DEFAULT should be used as
rightly said by Ivan.
On Thu, Oct 9, 2008 at 1:22 PM, <[EMAIL PROTECTED]> wrote:
> So to understand you right:
>
> Every user that should be authenticated has to be an entry in the users
> file?
>
> Isn't it possible to add an forwarding for every user so that all requests
> are just forwarded and checked?
>
> If not I must add all users from the AD to the users file, mustn't I?
>
>
>
>
>
> *Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *Im Auftrag von *Syed Anwarul Hasan
> *Gesendet:* Donnerstag, 9. Oktober 2008 13:16
>
> *An:* FreeRadius users mailing list
> *Betreff:* Re: Problem with ntlm_auth
>
>
>
> And also don't remove ntlm_auth from authenticate section of both default
> and inner-tunnel files.
>
> On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <
> [EMAIL PROTECTED]> wrote:
>
> Ok, Where are USER CREDENTIALS stored, the one descibed in the Manual is
> Bind as User. That is USer Entry is added in Users file and after using
> ntlm_auth, it is checked against a Active Directory or LDAP server backend
> using NT Lan manager Authentication Protocol.
>
> For example:
> Users file:
> User Auth-Type :- ntlm_auth
>
> In Active Directory
> User should be a member.
>
> So, then ntlm_auth requests will be passed from your Server to Active
> Directory or LDAP Server.
>
> Otherwise you will not setup ntlm_auth.
>
> SYED
>
>
>
> On Thu, Oct 9, 2008 at 12:58 PM, <[EMAIL PROTECTED]>
> wrote:
>
> OK, I have tested it with "radtest MyUser MyPassword localhost 0
> testing123" and this is what the server gave back:
>
>
>
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92,
> length=58
>
> User-Name = "MyUser"
>
> User-Password = "MyPassword"
>
> NAS-IP-Address = IP.OF.THE.SERVER
>
> NAS-Port = 0
>
> +- entering group authorize {...}
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
>
> [suffix] No such realm "NULL"
>
> ++[suffix] returns noop
>
> [eap] No EAP-Message, not doing EAP
>
> ++[eap] returns noop
>
> ++[unix] returns notfound
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
>
> ++[pap] returns noop
>
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
>
> Failed to authenticate the user.
>
> Using Post-Auth-Type Reject
>
> +- entering group REJECT {...}
>
> [attr_filter.access_reject] expand: %{User-Name} -> MyUser
>
> attr_filter: Matched entry DEFAULT at line 11
>
> ++[attr_filter.access_reject] returns updated
>
> Delaying reject of request 0 for 1 seconds
>
> Going to the next request
>
> Waking up in 0.9 seconds.
>
> Sending delayed reject for request 0
>
> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
>
> Waking up in 4.9 seconds.
>
> Cleaning up request 0 ID 92 with timestamp +3710
>
> Ready to process requests.
>
>
>
> Now what should I do?
> Thanks in advance.
>
>
>
> *Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *Im Auftrag von *Syed Anwarul Hasan
> *Gesendet:* Donnerstag, 9. Oktober 2008 12:12
>
>
> *An:* FreeRadius users mailing list
> *Betreff:* Re: Problem with ntlm_auth
>
>
>
> Hi,
> You can use radtest tool to check with the Server.The Server will return
> accept-accept message.
> Other tool includes JRadius Simulator as IVAN told. bu I have not used it.
> Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP
> requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if
> you have)
>
> SYED
>
> On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]>
> wrote:
>
> Thanks, now it works :)
>
>
>
> Now the last step: How can I test it? What tool/program etc. can/should I
> use to test it?
>
> "The radclient cannot currently be used to send this request,
> unfortunately, which makes testing a little difficult If everything goes
Re: Problem with ntlm_auth
And also don't remove ntlm_auth from authenticate section of both default
and inner-tunnel files.
On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <
[EMAIL PROTECTED]> wrote:
> Ok, Where are USER CREDENTIALS stored, the one descibed in the Manual is
> Bind as User. That is USer Entry is added in Users file and after using
> ntlm_auth, it is checked against a Active Directory or LDAP server backend
> using NT Lan manager Authentication Protocol.
>
> For example:
> Users file:
> User Auth-Type :- ntlm_auth
>
> In Active Directory
> User should be a member.
>
> So, then ntlm_auth requests will be passed from your Server to Active
> Directory or LDAP Server.
>
> Otherwise you will not setup ntlm_auth.
>
> SYED
>
>
> On Thu, Oct 9, 2008 at 12:58 PM, <[EMAIL PROTECTED]>wrote:
>
>> OK, I have tested it with "radtest MyUser MyPassword localhost 0
>> testing123" and this is what the server gave back:
>>
>>
>>
>> Ready to process requests.
>>
>> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92,
>> length=58
>>
>> User-Name = "MyUser"
>>
>> User-Password = "MyPassword"
>>
>> NAS-IP-Address = IP.OF.THE.SERVER
>>
>> NAS-Port = 0
>>
>> +- entering group authorize {...}
>>
>> ++[preprocess] returns ok
>>
>> ++[chap] returns noop
>>
>> ++[mschap] returns noop
>>
>> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
>>
>> [suffix] No such realm "NULL"
>>
>> ++[suffix] returns noop
>>
>> [eap] No EAP-Message, not doing EAP
>>
>> ++[eap] returns noop
>>
>> ++[unix] returns notfound
>>
>> ++[files] returns noop
>>
>> ++[expiration] returns noop
>>
>> ++[logintime] returns noop
>>
>> [pap] WARNING! No "known good" password found for the user.
>> Authentication may fail because of this.
>>
>> ++[pap] returns noop
>>
>> No authenticate method (Auth-Type) configuration found for the request:
>> Rejecting the user
>>
>> Failed to authenticate the user.
>>
>> Using Post-Auth-Type Reject
>>
>> +- entering group REJECT {...}
>>
>> [attr_filter.access_reject] expand: %{User-Name} -> MyUser
>>
>> attr_filter: Matched entry DEFAULT at line 11
>>
>> ++[attr_filter.access_reject] returns updated
>>
>> Delaying reject of request 0 for 1 seconds
>>
>> Going to the next request
>>
>> Waking up in 0.9 seconds.
>>
>> Sending delayed reject for request 0
>>
>> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
>>
>> Waking up in 4.9 seconds.
>>
>> Cleaning up request 0 ID 92 with timestamp +3710
>>
>> Ready to process requests.
>>
>>
>>
>> Now what should I do?
>> Thanks in advance.
>>
>>
>>
>> *Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
>> lists.freeradius.org [mailto:
>> freeradius-users-bounces+frederik.niedernolte
>> [EMAIL PROTECTED] *Im Auftrag von *Syed Anwarul Hasan
>> *Gesendet:* Donnerstag, 9. Oktober 2008 12:12
>>
>> *An:* FreeRadius users mailing list
>> *Betreff:* Re: Problem with ntlm_auth
>>
>>
>>
>> Hi,
>> You can use radtest tool to check with the Server.The Server will return
>> accept-accept message.
>> Other tool includes JRadius Simulator as IVAN told. bu I have not used it.
>> Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP
>> requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if
>> you have)
>>
>> SYED
>>
>> On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]>
>> wrote:
>>
>> Thanks, now it works :)
>>
>>
>>
>> Now the last step: How can I test it? What tool/program etc. can/should I
>> use to test it?
>>
>> "The radclient cannot currently be used to send this request,
>> unfortunately, which makes testing a little difficult If everything goes
>> well, you should see the server returning an
>> Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message
>> as above."
>>
>>
>>
>> Mit freundlichen Grüßen / Kind regards
>>
>> Frederik Niedernolte
>> ---
>> arvato services
>> An der Autobahn
>> 33310 Gütersloh
>> Germany
>> http://www.a
Re: Problem with ntlm_auth
Ok, Where are USER CREDENTIALS stored, the one descibed in the Manual is
Bind as User. That is USer Entry is added in Users file and after using
ntlm_auth, it is checked against a Active Directory or LDAP server backend
using NT Lan manager Authentication Protocol.
For example:
Users file:
User Auth-Type :- ntlm_auth
In Active Directory
User should be a member.
So, then ntlm_auth requests will be passed from your Server to Active
Directory or LDAP Server.
Otherwise you will not setup ntlm_auth.
SYED
On Thu, Oct 9, 2008 at 12:58 PM, <[EMAIL PROTECTED]>wrote:
> OK, I have tested it with "radtest MyUser MyPassword localhost 0
> testing123" and this is what the server gave back:
>
>
>
> Ready to process requests.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92,
> length=58
>
> User-Name = "MyUser"
>
> User-Password = "MyPassword"
>
> NAS-IP-Address = IP.OF.THE.SERVER
>
> NAS-Port = 0
>
> +- entering group authorize {...}
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
> [suffix] No '@' in User-Name = "MyUser", looking up realm NULL
>
> [suffix] No such realm "NULL"
>
> ++[suffix] returns noop
>
> [eap] No EAP-Message, not doing EAP
>
> ++[eap] returns noop
>
> ++[unix] returns notfound
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
>
> ++[pap] returns noop
>
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
>
> Failed to authenticate the user.
>
> Using Post-Auth-Type Reject
>
> +- entering group REJECT {...}
>
> [attr_filter.access_reject] expand: %{User-Name} -> MyUser
>
> attr_filter: Matched entry DEFAULT at line 11
>
> ++[attr_filter.access_reject] returns updated
>
> Delaying reject of request 0 for 1 seconds
>
> Going to the next request
>
> Waking up in 0.9 seconds.
>
> Sending delayed reject for request 0
>
> Sending Access-Reject of id 92 to 127.0.0.1 port 32793
>
> Waking up in 4.9 seconds.
>
> Cleaning up request 0 ID 92 with timestamp +3710
>
> Ready to process requests.
>
>
>
> Now what should I do?
> Thanks in advance.
>
>
>
> *Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *Im Auftrag von *Syed Anwarul Hasan
> *Gesendet:* Donnerstag, 9. Oktober 2008 12:12
>
> *An:* FreeRadius users mailing list
> *Betreff:* Re: Problem with ntlm_auth
>
>
>
> Hi,
> You can use radtest tool to check with the Server.The Server will return
> accept-accept message.
> Other tool includes JRadius Simulator as IVAN told. bu I have not used it.
> Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP
> requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if
> you have)
>
> SYED
>
> On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]>
> wrote:
>
> Thanks, now it works :)
>
>
>
> Now the last step: How can I test it? What tool/program etc. can/should I
> use to test it?
>
> "The radclient cannot currently be used to send this request,
> unfortunately, which makes testing a little difficult If everything goes
> well, you should see the server returning an
> Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as
> above."
>
>
>
> Mit freundlichen Grüßen / Kind regards
>
> Frederik Niedernolte
> ---
> arvato services
> An der Autobahn
> 33310 Gütersloh
> Germany
> http://www.arvato-services.de
> [EMAIL PROTECTED]<[EMAIL PROTECTED]>
> Tel.: +49 (0)5241 80-40554
>
> arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 |
> Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
> Südmersen
>
>
>
> *Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *Im Auftrag von *Syed Anwarul Hasan
> *Gesendet:* Donnerstag, 9. Oktober 2008 11:44
> *An:* FreeRadius users mailing list
> *Betreff:* Re: Problem with ntlm_auth
>
>
>
> Hi Frederik,
>
> 1) Put User entry on *TOP* of users file.
> 2) In default file, in authenticate section, add *ntlm_auth. *Don't set
> using
Re: Problem with ntlm_auth
Hi,
You can use radtest tool to check with the Server.The Server will return
accept-accept message.
Other tool includes JRadius Simulator as IVAN told. bu I have not used it.
Otherwise If you have a Native PEAP or TTLS client, you can sent MSCHAP
requests to use ntlm_auth with Active DIRECTORY or LDAP server backend.(if
you have)
SYED
On Thu, Oct 9, 2008 at 11:54 AM, <[EMAIL PROTECTED]>wrote:
> Thanks, now it works :)
>
>
>
> Now the last step: How can I test it? What tool/program etc. can/should I
> use to test it?
>
> "The radclient cannot currently be used to send this request,
> unfortunately, which makes testing a little difficult If everything goes
> well, you should see the server returning an
> Access-Accept<http://freeradius.org/rfc/rfc2865.html#Access-Accept>message as
> above."
>
>
>
> Mit freundlichen Grüßen / Kind regards
>
> Frederik Niedernolte
> ---
> arvato services
> An der Autobahn
> 33310 Gütersloh
> Germany
> http://www.arvato-services.de
> [EMAIL PROTECTED]<[EMAIL PROTECTED]>
> Tel.: +49 (0)5241 80-40554
>
> arvato services GmbH: Sitz Gütersloh | Amtsgericht Gütersloh HRB 3826 |
> Geschäftsführer Ralf Bierfischer, Bodo Krönfeld, Markus Schmedtmann, Eckhard
> Südmersen
>
>
>
> *Von:* freeradius-users-bounces+frederik.niedernolte=bertelsmann.de@
> lists.freeradius.org
> [mailto:freeradius-users-bounces+frederik.niedernolte
> [EMAIL PROTECTED] *Im Auftrag von *Syed Anwarul Hasan
> *Gesendet:* Donnerstag, 9. Oktober 2008 11:44
> *An:* FreeRadius users mailing list
> *Betreff:* Re: Problem with ntlm_auth
>
>
>
> Hi Frederik,
>
> 1) Put User entry on *TOP* of users file.
> 2) In default file, in authenticate section, add *ntlm_auth. *Don't set
> using Auth-Type.
> 3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel.
> Add *ntlm_auth* in Authenticate Section.
>
> I hope it will solve your problem.
> SYED
>
>
> On Thu, Oct 9, 2008 at 11:17 AM, <[EMAIL PROTECTED]>
> wrote:
>
> I have finished all steps till „*user* Auth-Type := ntlm_auth" from
> http://deployingradius.com/documents/configuration/active_directory.html.
>
> With this command I get this error message at the end of
> "/usr/sbin/freeradius –X":
>
>
>
> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown
> value ntlm_auth for attribute Auth-Type
>
> Errors reading /etc/freeradius/users
>
> /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
>
> /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module
> "files".
>
> /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize
> section.
>
> }
>
> }
>
> Errors initializing modules
>
>
>
> The authenticate section in the /etc/freeradius/sites-enabled/default looks
> like this (only important part):
>
>
>
> authenticate {
>
> #
>
> # NTML_AUTH authentication.
>
> Auth-Type ntlm_auth {
>
>ntlm_auth
>
> }
>
>
>
> What is wrong and what can I do to solve the problem?
>
> Thanks in advance.
>
> Best regards, F. Niedernolte
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with ntlm_auth
Hi Frederik,
1) Put User entry on *TOP* of users file.
2) In default file, in authenticate section, add *ntlm_auth. *Don't set
using Auth-Type.
3) Also in Sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel.
Add *ntlm_auth* in Authenticate Section.
I hope it will solve your problem.
SYED
On Thu, Oct 9, 2008 at 11:17 AM, <[EMAIL PROTECTED]>wrote:
> I have finished all steps till „*user* Auth-Type := ntlm_auth" from
> http://deployingradius.com/documents/configuration/active_directory.html.
>
> With this command I get this error message at the end of
> "/usr/sbin/freeradius –X":
>
>
>
> /etc/freeradius/users[1]: Parse error (check) for entry MyUser: Unknown
> value ntlm_auth for attribute Auth-Type
>
> Errors reading /etc/freeradius/users
>
> /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
>
> /etc/freeradius/sites-enabled/inner-tunnel[111]: Failed to find module
> "files".
>
> /etc/freeradius/sites-enabled/inner-tunnel[34]: Errors parsing authorize
> section.
>
> }
>
> }
>
> Errors initializing modules
>
>
>
> The authenticate section in the /etc/freeradius/sites-enabled/default looks
> like this (only important part):
>
>
>
> authenticate {
>
> #
>
> # NTML_AUTH authentication.
>
> Auth-Type ntlm_auth {
>
>ntlm_auth
>
> }
>
>
>
> What is wrong and what can I do to solve the problem?
>
> Thanks in advance.
>
> Best regards, F. Niedernolte
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Problem with ntlm_auth
> -Original Message- > On Behalf Of Phil Mayers > > It is supposed to be like that. It's been like that forever > as far as I know. I don't know why it was working for you - > is your samba from an OS package and it's possible they > changed the perms? > > (It's even worse on RHEL4 systems - there's a buggy SELinux > policy that labels that directory so ntlm_auth can't access it!) Ack, it's even worse than I thought. I was running my previous FreeRADIUS server as root! So, that's why it didn't bite me before, it had root access. When I setup my new server, I had it running as it's own user account. Thanks for the answer. It always seems to be the simple things. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Problem with ntlm_auth
King, Michael wrote: I found that the windbindd_privileged directory was drwxr-x--- 2 root root 4096 2006-02-28 18:10 winbindd_privileged Is this a recent change of Samba? I didn't have to do this a few months ago. More importantly, did I do something wrong? Or is this normal, and I just did notate that I did this before. It is supposed to be like that. It's been like that forever as far as I know. I don't know why it was working for you - is your samba from an OS package and it's possible they changed the perms? (It's even worse on RHEL4 systems - there's a buggy SELinux policy that labels that directory so ntlm_auth can't access it!) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
