[RADIATOR] need help with radiator & winbindd running as user "radiator"

Joy Veronneau jv11 at cornell.edu
Tue Nov 1 14:02:03 CDT 2011


Hi,
I am stumped! I have implemented samba and MSCHAPv2 and everything works when running as user root. (Winbindd and radiator running as root.) But I need to run the radiator process as user "radiator". I also had to install samba in an alternate directory.

So – when running radiator and winbindd as "root" everything works including ntlm_auth from command line and also MSCHAPv2 connections through radiator. When running radiator and winbindd as user "radiator" ntlm_auth from command line works but MSCHAPv2 connection through radiator fails. The log file looks like this:

Mon Oct 31 10:50:03 2011: DEBUG: Handling request with Handler 'TunnelledByPEAP=1, Client-Identifier=RRSec', Identifier ''
Mon Oct 31 10:50:03 2011: DEBUG: Deleting session for anonymous, 132.236.115.218, 1
Mon Oct 31 10:50:03 2011: DEBUG: Handling with Radius::AuthNTLM: NTLM_Auth
Mon Oct 31 10:50:03 2011: DEBUG: Handling with EAP: code 2, 12, 71, 26
Mon Oct 31 10:50:03 2011: DEBUG: Response type 26
Mon Oct 31 10:50:03 2011: DEBUG: Radius::AuthNTLM looks for match with jv11 [anonymous]
Mon Oct 31 10:50:03 2011: DEBUG: Radius::AuthNTLM ACCEPT: : jv11 [anonymous]
Mon Oct 31 10:50:03 2011: INFO: Starting NtlmAuthProg: /app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute Request-User-Session-Key: Yes
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute LANMAN-Challenge: 127b94af6efbf1ef
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute NT-Response: 58275ba370f360657e0867e1d41f6412d8d07dd50e7a503b
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute NT-Domain:: Q09STkVMTA==
Mon Oct 31 10:50:03 2011: DEBUG: Passing attribute Username:: anYxMQ==
Mon Oct 31 10:50:03 2011: DEBUG: Received attribute: Authenticated: No
Mon Oct 31 10:50:03 2011: DEBUG: Received attribute: Authentication-Error: Reading winbind reply failed!
Mon Oct 31 10:50:03 2011: DEBUG: Received attribute: .
Mon Oct 31 10:50:03 2011: WARNING: NTLM Could not authenticate user: Reading winbind reply failed!
Mon Oct 31 10:50:03 2011: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication failure
Mon Oct 31 10:50:03 2011: DEBUG: AuthBy NTLM result: REJECT, EAP MSCHAP-V2 Authentication failure
Mon Oct 31 10:50:03 2011: INFO: Access rejected for anonymous: EAP MSCHAP-V2 Authentication failure
Mon Oct 31 10:50:04 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Reject
Identifier: UNDEF
Authentic: <148>#<161>(<30><143><169><10><226><242>!<251>L<186><215><184>
Attributes:
EAP-Message = <4><12><0><4>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Reply-Message = "Request Denied"
Session-Timeout = 28800

As user radiator, this works:

/app/radius/samba/bin/ntlm_auth --request-nt-key --domain=CORNELL --username=jv11 --password=xxxxxxxxxx
doing parameter log file = /app/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter winbind enum groups = yes
doing parameter winbind enum users = yes
doing parameter winbind use default domain = yes
doing parameter winbind nested groups = yes
doing parameter dns proxy = no
pm_process() returned Yes
NT_STATUS_OK: Success (0x0)


I have ntlm_auth set up as a script so that the proper libraries can be found -
so the contents of /app/radius/samba/bin/ntlm_auth are:

#!/bin/sh
export LD_LIBRARY_PATH=/app/radius/samba/lib
exec /app/radius/samba/bin/ntlm_auth.real "$@"

Similar setup for the other samba executables of winbindd and wbinfo and net.

I had to make sure that radiator is running the correct version of ntlm_auth, and used this in the radius config file:

NtlmAuthProg /app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1

I used this configure command for building samba:

./configure --prefix=/app/radius/samba/ --with-configdir=/app/radius/samba/conf --with-privatedir=/app/radius/samba/private --disable-cups --with-ads --with-ldap

and in /app/radius/samba/conf I have the krb5.conf file and the smb.conf file

I am changing the owner:group of these files when running as user radiator:

/app/log/samba/*
/app/radius/samba/var/*
/tmp/.win*


But I must be missing something somewhere!! What is it, any ideas?


Thanks in advance-

Joy
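As an added example (not from this post, and not Radiator's or Samba's own code), the Python below builds the same ntlm-server-1 helper request that the log above shows Radiator passing to ntlm_auth, parses the helper's reply, and checks whether the uid it runs under can reach winbindd's socket. The socket directory (the /tmp/.win* directory from the post), the "pipe" socket name and the NT-Response value are assumptions or constructed sample data; run it as the "radiator" user to compare with the root run.

```python
import base64
import os
import stat
import subprocess


def build_ntlm_server_request(domain, username, lm_challenge_hex, nt_response_hex):
    """Request in the ntlm-server-1 helper format Radiator logs: 'Attr: value'
    per line, 'Attr:: value' for base64-encoded values, terminated by '.'."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    lines = [
        "Request-User-Session-Key: Yes",
        "Request-LanMan-Session-Key: Yes",
        "LANMAN-Challenge: " + lm_challenge_hex,
        "NT-Response: " + nt_response_hex,
        "NT-Domain:: " + b64(domain),
        "Username:: " + b64(username),
        ".",
    ]
    return "\n".join(lines) + "\n"


def parse_ntlm_server_reply(text):
    """Parse the helper's reply into a dict, decoding '::' (base64) values."""
    attrs = {}
    for line in text.splitlines():
        if line == ".":
            break
        if ":: " in line:
            key, val = line.split(":: ", 1)
            attrs[key] = base64.b64decode(val).decode()
        elif ": " in line:
            key, val = line.split(": ", 1)
            attrs[key] = val
    return attrs


def diagnose_winbindd_pipe(pipe_dir):
    """Explain why this uid may get 'Reading winbind reply failed!'.
    pipe_dir is assumed to hold winbindd's 'pipe' unix socket."""
    if not os.path.isdir(pipe_dir):
        return [f"{pipe_dir}: directory does not exist for this winbindd"]
    findings = []
    if not os.access(pipe_dir, os.X_OK):
        findings.append(f"{pipe_dir}: uid {os.getuid()} cannot traverse directory")
    sock = os.path.join(pipe_dir, "pipe")
    if not os.path.exists(sock):
        findings.append(f"{sock}: socket missing (winbindd not running here?)")
    elif not stat.S_ISSOCK(os.stat(sock).st_mode):
        findings.append(f"{sock}: not a unix socket")
    elif not os.access(sock, os.R_OK | os.W_OK):
        findings.append(f"{sock}: uid {os.getuid()} cannot connect (owner/mode)")
    return findings


def run_helper(argv, request, timeout=10):
    """Run ntlm_auth (e.g. the wrapper script plus --helper-protocol=ntlm-server-1)
    as the current user and return the parsed reply."""
    proc = subprocess.run(argv, input=request, capture_output=True, text=True, timeout=timeout)
    return parse_ntlm_server_reply(proc.stdout)
```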
