[RADIATOR] need help with radiator & winbindd running as user "radiator"

Joy Veronneau jv11 at cornell.edu
Wed Nov 2 15:53:20 CDT 2011


Hi,
The solution that is working for me is to run winbindd as root - then with
proper file permissions, radiator can run as user "radiator" and the ntlm
authentication works.

Thanks so much for the help!!

Joy


On 11/2/11 9:19 AM, "David Zych" <dmrz at illinois.edu> wrote:

>Joy Veronneau wrote:
>> Hi,
>> I am stumped! I have implemented samba and MSCHAPv2 and everything
>>works when running as user root. (Winbindd and radiator running as
>>root.) But I need to run the radiator process as user "radiator". I also
>>had to install samba in an alternate directory.
>> 
>> So ? when running radiator and winbindd as "root" everything works
>>including ntlm_auth from command line and also MSCHAPv2 connections
>>through radiator. When running radiator and winbindd as user "radiator"
>>ntlm_auth from command line works but MCHAPv2 connection through
>>radiator fails. The log file looks like this:
>> 
>...
>> Mon Oct 31 10:50:03 2011: INFO: Starting NtlmAuthProg:
>>/app/radius/samba/bin/ntlm_auth --helper-protocol=ntlm-server-1
>...
>>  As user radiator, this works:
>> 
>> /app/radius/samba/bin/ntlm_auth --request-nt-key --domain=CORNELL
>>--username=jv11 --password=xxxxxxxxxx
>
>I had exactly the same problem when I first set up radiator.  The gotcha
>is that for some reason ntlm_auth actually requires more special
>permissions to run with --helper-protocol=ntlm-server-1 than it does to
>do a simple auth check from the command line.
>
>The best way to troubleshoot this is to invoke ntlm_auth from the command
>line in the same way that Radiator actually invokes it to do MS-CHAPv2.
>
>For example, run
>
>ntlm_auth --helper-protocol=ntlm-server-1
>
>And then paste as input:
>
>Username: yourusernamehere
>NT-Domain: YOURDOMAINHERE
>LANMAN-Challenge: 0102030405060708
>NT-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
>.
>
>(the dot on a line by itself followed by another newline tells the helper
>protocol that you're done entering attributes)
>
>The desired output of this test, since the NT-Response value is
>completely bogus, is:
>
>Authenticated: No
>Authentication-Error: Wrong Password
>
>What it said for me instead, the first time I tried it, was:
>
>Authenticated: No
>Authentication-Error: winbind client not authorized to use
>winbindd_pam_auth_crap. Ensure permissions on
>/var/cache/samba/winbindd_privileged are set correctly.
>
>which pointed me to the problem.  The solution that worked for me was to
>change the group ownership of this directory (which will of course be in
>a different location for you):
>
>chgrp radiator /var/cache/samba/winbindd_privileged
>
>Note that (at least as of v3.0.33), samba is apparently very picky about
>this directory's permissions; changing the group is okay, but it must be
>owned by root and chmod 750 (drwxr-x---) in order to work.
>
>Finally, I've attached a perl script I wrote that performs this same test
>using a *working* input file stored on disk (generated by running it once
>with --create and giving it a real username and password); you'll
>probably want to change the hardcoded location of this file ($queryfile)
>to make sense for your system.  On my radius servers I have a cron task
>which runs this script with -q every few minutes and automatically
>restarts winbind if it ever fails.  :)
>
>Hope this helps!
>
>David
>
>P.S.  Caveat: I'm running radiator as a regular user, but I'm running
>winbind as root (launched via sudo).  It sounds like you're trying to
>avoid even that, so the chgrp may not be enough to solve your problem,
>but if not then hopefully my troubleshooting approach will still get you
>closer to understanding what's wrong.
>_______________________________________________
>radiator mailing list
>radiator at open.com.au
>http://www.open.com.au/mailman/listinfo/radiator



More information about the radiator mailing list