Bartłomiej Solarz-Niesłuchowski
2019-Sep-28 18:40 UTC
[Samba] problems after migrating NT domain to AD (samba 4.7.x)
Dear List,

My domain +/- works, so I try to fix rest services based on domain NT/AD....

I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before migration it works).

And after migration authorization does not work.

Freeradius server is on samba domain member.

So I check domain connectivity:

[root@see-you-later samba]# net ads testjoin
Join is OK
[root@see-you-later samba]# wbinfo -a test%XXXX
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@see-you-later samba]# wbinfo -g

here list of domain group

smb.conf

[global]
        dos charset = CP852
        unix charset = UTF8
        workgroup = WSISIZ.EDU.PL
        realm = ad.wsisiz.edu.pl
        server role = member server
        security = ads
        allow trusted domains = No
        log level = 0
        time server = Yes
        deadtime = 60
        hostname lookups = Yes
        printcap cache time = 600
        printcap name = cups
        wins support = Yes
        remote browse sync = oxygene.ibspan.waw.pl antarctica china direct odyssey
        winbind use default domain = Yes
        create mask = 0644
        inherit acls = Yes
        remote browse sync = oceanic.wsisiz.edu.pl
        create mask = 0644
        hosts allow = 127., 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48, ::1
        hide dot files = No
        ea support = Yes
        map acl inherit = Yes
        cups options = raw
        hide dot files = No
        store dos attributes = Yes
        wide links = Yes
        acl allow execute always = yes
        ntlm auth = mschapv2-and-ntlmv2-only

smb.conf on domain master:

[global]
        realm = AD.WSISIZ.EDU.PL
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = WSISIZ.EDU.PL
        idmap_ldb:use rfc2307 = yes
        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
        wins server = 213.135.44.33
        ntlm auth = mschapv2-and-ntlmv2-only

ntlm_auth by hand works

[root@see-you-later samba]# /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=WSISIZ.EDU.PL --username=test
Password:
NT_STATUS_OK: The operation completed successfully. (0x0)

relevant info from radius config /etc/raddb/mods-enabled/mschap

mschap {
        use_mppe = yes

        require_encryption = yes

        require_strong = yes

        ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=WSISIZ.EDU.PL --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

(I tested the same with:

        winbind_username = "%{mschap:User-Name}"
        winbind_domain = WSISIZ.EDU.PL

with no positive result )

But authorization does not work:

[root@see-you-later samba]# radtest -t mschap test XXXX 127.0.0.1 0 testing123
Sent Access-Request Id 123 from 0.0.0.0:54977 to 127.0.0.1:1812 length 130
        User-Name = "test"
        MS-CHAP-Password = "XXXX"
        NAS-IP-Address = 213.135.44.40
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "XXXX"
        MS-CHAP-Challenge = 0x06c21051f5afe8c4
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000085f264f761fdc1ed66f54e496bd14441aac94848336e49fc
Received Access-Reject Id 123 from 127.0.0.1:1812 to 127.0.0.1:54977 length 61
        MS-CHAP-Error = "\000E=691 R=1 C=31fc8a6f22e0e329 V=2"
(0) -: Expected Access-Accept got Access-Reject

Output from radiusd -X

(614) Found Auth-Type = MSCHAP
(614) # Executing group from file /etc/raddb/sites-enabled/default
(614)   authenticate {
(614) mschap: Client is using MS-CHAPv1 with NT-Password
(614) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --domain=WSISIZ.EDU.PL --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(614) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(614) mschap:    --> --username=test
(614) mschap: mschap1: bc
(614) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(614) mschap:    --> --challenge=bc5657d8c8eeedbb
(614) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(614) mschap:    --> --nt-response=5cb1d1a7f6cca180a405880b18a68c3fd904f5bd8931f46b
(614) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(614) mschap: External script failed
(614) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(614) mschap: ERROR: MS-CHAP2-Response is incorrect
(614)     [mschap] = reject
(614)   } # authenticate = reject
(614) Failed to authenticate the user
(614) Using Post-Auth-Type Reject
(614) # Executing group from file /etc/raddb/sites-enabled/default
(614)   Post-Auth-Type REJECT {
(614) attr_filter.access_reject: EXPAND %{User-Name}
(614) attr_filter.access_reject:    --> test
(614) attr_filter.access_reject: Matched entry DEFAULT at line 11
(614)     [attr_filter.access_reject] = updated
(614)     [eap] = noop
(614)     policy remove_reply_message_if_eap {
(614)       if (&reply:EAP-Message && &reply:Reply-Message) {
(614)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(614)       else {
(614)         [noop] = noop
(614)       } # else = noop
(614)     } # policy remove_reply_message_if_eap = noop
(614)   } # Post-Auth-Type REJECT = updated
(614) Login incorrect (mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'): [test/<via Auth-Type = MSCHAP>] (from client localhost port 0)
(614) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(614) Sending delayed response
(614) Sent Access-Reject Id 112 from 127.0.0.1:1812 to 127.0.0.1:51747 length 61
(614)   MS-CHAP-Error = "\000E=691 R=1 C=1ea8abc7f8bc2ca7 V=2"
Waking up in 3.9 seconds.

I read:

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

(where I found audit.log?)

https://wiki.freeradius.org/guide/FreeRADIUS-Active-Directory-Integration-HOWTO

https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind

I have no idea why it does not work - maybe somebody on list have idea?

Best Regards

-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep
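One way to pull the failure details out of radiusd -X output like the lines above, as an added example that is not from the original post or from FreeRADIUS. The function names are illustrative, and the E= code names are the ones defined for the MS-CHAP Failure packet in RFC 2433 / RFC 2759.

```python
import re

# "E=" failure codes defined for the MS-CHAP Failure packet (RFC 2433 / RFC 2759).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}
# Only the NTSTATUS values that appear in this thread.
NTSTATUS = {0x00000000: "NT_STATUS_OK", 0xC000006D: "NT_STATUS_LOGON_FAILURE"}

# Lines copied from the radiusd -X output in the post above (request 614).
SAMPLE_LOG = r"""
(614) Found Auth-Type = MSCHAP
(614) mschap: Client is using MS-CHAPv1 with NT-Password
(614) mschap:    --> --username=test
(614) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(614) Sent Access-Reject Id 112 from 127.0.0.1:1812 to 127.0.0.1:51747 length 61
(614)   MS-CHAP-Error = "\000E=691 R=1 C=1ea8abc7f8bc2ca7 V=2"
"""

def first(pattern, text):
    """Return group 1 of the first match, or None."""
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_mschap_error(value):
    """Split an MS-CHAP-Error string such as 'E=691 R=1 C=... V=2' into fields."""
    fields = dict(re.findall(r"([ERCV])=([0-9A-Fa-f]+)", value))
    if "E" not in fields:
        return None
    code = int(fields["E"])
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": int(fields["V"]) if "V" in fields else None,
    }

def triage(log_text):
    """Summarise each numbered request found in radiusd -X output."""
    patterns = (
        ("client_protocol", r"Client is using (MS-CHAPv[12])"),
        ("username", r"--> --username=(\S+)"),
        ("helper_exit", r"Program returned code \((\d+)\)"),
        ("ntstatus", r"\((0x[0-9a-fA-F]{8})\)"),
        ("result", r"Sent (Access-\w+)"),
        ("mschap_error", r'MS-CHAP-Error = "(.*)"'),
    )
    requests = {}
    for line in log_text.splitlines():
        m = re.match(r"\((\d+)\)\s*(.*)", line)
        if not m:
            continue  # lines such as "Waking up in ..." carry no request number
        req = requests.setdefault(int(m.group(1)), {})
        for key, pattern in patterns:
            value = first(pattern, m.group(2))
            if value is not None:
                req[key] = value
    for req in requests.values():
        if "helper_exit" in req:
            req["helper_exit"] = int(req["helper_exit"])
        if "ntstatus" in req:
            code = int(req["ntstatus"], 16)
            req["ntstatus"] = NTSTATUS.get(code, hex(code))
        if "mschap_error" in req:
            req["mschap_error"] = parse_mschap_error(req["mschap_error"])
    return requests

if __name__ == "__main__":
    for number, summary in triage(SAMPLE_LOG).items():
        print(number, summary)
```
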
Rowland penny
2019-Sep-28 19:29 UTC
[Samba] problems after migrating NT domain to AD (samba 4.7.x)
On 28/09/2019 19:40, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> Dear List,
>
> My domain +/- works, so I try to fix rest services based on domain
> NT/AD....
>
> I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before
> migration it works).
>
> And after migration authorization does not work.
>
> Freeradius server is on samba domain member.
>
> So I check domain connectivity:
>
> [root@see-you-later samba]# net ads testjoin
> Join is OK
> [root@see-you-later samba]# wbinfo -a test%XXXX
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> [root@see-you-later samba]# wbinfo -g
>
> here list of domain group
>
> smb.conf
>
> [global]
>         dos charset = CP852
>         unix charset = UTF8
>         workgroup = WSISIZ.EDU.PL
>         realm = ad.wsisiz.edu.pl
>         server role = member server
>         security = ads
>         allow trusted domains = No
>         log level = 0
>         time server = Yes
>         deadtime = 60
>         hostname lookups = Yes
>         printcap cache time = 600
>         printcap name = cups
>         wins support = Yes
>         remote browse sync = oxygene.ibspan.waw.pl antarctica china direct odyssey
>         winbind use default domain = Yes
>         create mask = 0644
>         inherit acls = Yes
>         remote browse sync = oceanic.wsisiz.edu.pl
>         create mask = 0644
>         hosts allow = 127., 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48, ::1
>         hide dot files = No
>         ea support = Yes
>         map acl inherit = Yes
>         cups options = raw
>         hide dot files = No
>         store dos attributes = Yes
>         wide links = Yes
>         acl allow execute always = yes
>         ntlm auth = mschapv2-and-ntlmv2-only

I suspect you are back on a red-hat distro here or at least you are using sssd, if so do this:

yum remove sssd*

you cannot use sssd with Samba on a Unix domain member, you must use winbind, sssd and winbind are mutually exclusive.

Samba does not provide support for sssd because we do not produce it, you will need to ask on the sssd-users mailing list.

If you are not using sssd, your smb.conf does not have any 'idmap config' lines, see here for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
Bartłomiej Solarz-Niesłuchowski
2019-Sep-28 20:39 UTC
[Samba] problems after migrating NT domain to AD (samba 4.7.x)
On 28.09.2019 at 21:29, Rowland penny via samba wrote:
> On 28/09/2019 19:40, Bartłomiej Solarz-Niesłuchowski via samba wrote:
>> Dear List,
>>
>> My domain +/- works, so I try to fix rest services based on domain
>> NT/AD....
>>
>> I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before
>> migration it works).
>>
>> And after migration authorization does not work.
>>
>> Freeradius server is on samba domain member.
>>
>> So I check domain connectivity:
>>
>> [root@see-you-later samba]# net ads testjoin
>> Join is OK
>> [root@see-you-later samba]# wbinfo -a test%XXXX
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>> [root@see-you-later samba]# wbinfo -g
>>
>> here list of domain group
>>
>> smb.conf
>>
>> [global]
>>         dos charset = CP852
>>         unix charset = UTF8
>>         workgroup = WSISIZ.EDU.PL
>>         realm = ad.wsisiz.edu.pl
>>         server role = member server
>>         security = ads
>>         allow trusted domains = No
>>         log level = 0
>>         time server = Yes
>>         deadtime = 60
>>         hostname lookups = Yes
>>         printcap cache time = 600
>>         printcap name = cups
>>         wins support = Yes
>>         remote browse sync = oxygene.ibspan.waw.pl antarctica china direct odyssey
>>         winbind use default domain = Yes
>>         create mask = 0644
>>         inherit acls = Yes
>>         remote browse sync = oceanic.wsisiz.edu.pl
>>         create mask = 0644
>>         hosts allow = 127., 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48, ::1
>>         hide dot files = No
>>         ea support = Yes
>>         map acl inherit = Yes
>>         cups options = raw
>>         hide dot files = No
>>         store dos attributes = Yes
>>         wide links = Yes
>>         acl allow execute always = yes
>>         ntlm auth = mschapv2-and-ntlmv2-only
>
> I suspect you are back on a red-hat distro here or at least you are
> using sssd, if so do this:
>
> yum remove sssd*

On those machines I have no sssd installed.

> you cannot use sssd with Samba on a Unix domain member, you must use
> winbind, sssd and winbind are mutually exclusive.
> Samba does not provide support for sssd because we do not produce it,
> you will need to ask on the sssd-users mailing list.
>
> If you are not using sssd, your smb.conf does not have any 'idmap
> config' lines, see here for more info:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

So if I have on every user on my AD domain rfc2307 attributes, lines must look like:

        idmap config WSISIZ.EDU.PL:backend = ad
        idmap config WSISIZ.EDU.PL:schema_mode = rfc2307
        idmap config *:range = 500-200000

?

> Rowland

-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep
Marco Gaiarin
2019-Sep-30 07:51 UTC
[Samba] problems after migrating NT domain to AD (samba 4.7.x)
Hello! Bartłomiej Solarz-Niesłuchowski via samba
  On that day it was said...

> smb.conf
> [global]
[...]
>         ntlm auth = mschapv2-and-ntlmv2-only

Good. But this has to be added to DCs (all DCs), not the DM that runs freeradius...

> winbind_username = "%{mschap:User-Name}"
> winbind_domain = WSISIZ.EDU.PL with no positive result )

I think don't bother, but I use:

        winbind_username = "%{mschap:%{User-Name}:-None}"
        winbind_domain = "%{mschap:%{NT-Domain}:-WSISIZ.EDU.PL}"

> Output from radiusd -X

You have enabled modules 'ntdomain' in 'default' and 'inner-tunnel' virtualhosts?

Have you added a proxy to yourself in proxy.conf:

realm WSISIZ.EDU.PL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

have you removed/commented out all realm apart LOCAL and above from proxy.conf?

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
L.P.H. van Belle
2019-Sep-30 08:03 UTC
[Samba] problems after migrating NT domain to AD (samba 4.7.x)
Just follow this and it "just works"

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

And this is asking for problems.
workgroup = WSISIZ.EDU.PL

Read:
https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx

And from this link:
https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

Names can contain a period (.). However, the name cannot start with a period. The use of non-DNS names with periods is allowed in Microsoft Windows NT. However, periods should not be used in Microsoft Windows 2000 or in later versions of Windows. If you are upgrading a computer whose NetBIOS name contains a period, change the machine name. For more information, see the "Special characters" section.

And,

Warning
The use of NetBIOS scopes in names is a legacy configuration and should not be used with Active Directory forests

A bit later..

Domain names
NetBIOS domain names
The use of non-DNS names with periods is allowed in Microsoft Windows NT. However, periods should not be used in Active Directory domains. If you are upgrading a domain whose NetBIOS name contains a period, change the name by migrating the domain to a new domain structure. Do not use periods in new NetBIOS domain names.

Rest my case.

Solution: Fix your NetBIOS domain name and you're good to go.
And setup as shown in the link of the samba wiki.
I've verified that with Alan DeKok of freeradius.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Bartłomiej Solarz-Niesłuchowski via samba
> Sent: Saturday, 28 September 2019 20:40
> To: samba at lists.samba.org
> CC: Maciej Wysocki [WSISiZ]; Administrator WIT
> Subject: [Samba] problems after migrating NT domain to AD
> (samba 4.7.x)
>
> Dear List,
>
> My domain +/- works, so I try to fix rest services based on
> domain NT/AD....
Rowland penny
2019-Sep-30 08:25 UTC
[Samba] problems after migrating NT domain to AD (samba 4.7.x)
On 30/09/2019 09:03, L.P.H. van Belle via samba wrote:
> Just follow this and it "just works"
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
>
> And this is asking for problems.
> workgroup = WSISIZ.EDU.PL
>

From my understanding, the OP inherited this, he also asked for help migrating to AD on a Friday saying that he must carry out the migration on the Sunday. I offered to come round with a brush to sweep up the broken bits, because this wasn't sufficient time to test anything.

Perhaps I should go round with my brush, as this could have been fixed before the migration.

Rowland
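A lint for the smb.conf points raised in the replies above (a period in the NetBIOS workgroup name, no 'idmap config' lines on a domain member, and where 'ntlm auth' is set), as an added example that is not part of the thread or of Samba. The finding names and the FIXED_MEMBER_CONF values (EXAMPLE, the ranges) are assumptions, and the duplicate-parameter check goes beyond what the thread raised.

```python
import re

def parse_global(text):
    """Return (params, duplicated_keys) for the [global] section of an smb.conf."""
    params, dups, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Parameter names are case-insensitive; normalise their whitespace too.
        key = " ".join(key.lower().split())
        if key in params and key not in dups:
            dups.append(key)
        params[key] = value.strip()  # the later setting replaces the earlier one
    return params, dups

def lint(text):
    """Return finding codes for the points raised in this thread."""
    params, dups = parse_global(text)
    role = params.get("server role", "").lower()
    is_dc = role == "active directory domain controller"
    is_member = role == "member server"
    findings = []
    # Louis: periods should not be used in an AD NetBIOS domain name.
    if "." in params.get("workgroup", ""):
        findings.append("workgroup-has-period")
    # Rowland: the member's smb.conf has no 'idmap config' lines.
    if is_member and not any(k.startswith("idmap config ") for k in params):
        findings.append("member-without-idmap-config")
    # Marco: 'ntlm auth' has to be set on all DCs, not on the member.
    if is_member and "ntlm auth" in params:
        findings.append("ntlm-auth-on-member-verify-dcs")
    if is_dc and "ntlm auth" not in params:
        findings.append("dc-without-ntlm-auth")
    # Extra check, not raised in the thread: repeated parameters.
    return findings + ["duplicate:" + key for key in dups]

# Abridged from the member smb.conf posted in the thread.
MEMBER_CONF = """
[global]
        workgroup = WSISIZ.EDU.PL
        server role = member server
        remote browse sync = oxygene.ibspan.waw.pl antarctica china direct odyssey
        create mask = 0644
        remote browse sync = oceanic.wsisiz.edu.pl
        create mask = 0644
        ntlm auth = mschapv2-and-ntlmv2-only
"""
# Abridged from the DC smb.conf posted in the thread.
DC_CONF = """
[global]
        server role = active directory domain controller
        workgroup = WSISIZ.EDU.PL
        ntlm auth = mschapv2-and-ntlmv2-only
"""
# Constructed: EXAMPLE is a placeholder NetBIOS name, ranges are sample values.
FIXED_MEMBER_CONF = """
[global]
        workgroup = EXAMPLE
        server role = member server
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EXAMPLE : backend = ad
        idmap config EXAMPLE : range = 10000-999999
"""
```
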