Исходное сообщение
"FreeRadius + AD" Отправлено Андрей, 21-Ноя-07 12:49
Все настраивал по официальной документации. 1)Машина в домене 2)wbinfo работает 3)ntlm_auth тоже из командной строки На Радиусе пользователи авторизуются Локальный(/etc/passwd) и те что указаны в файле users.... а вот из Домена не хотят. Вот лог radiusd -X Config:   including file: /usr/local/freeradius//etc/raddb/proxy.conf Config:   including file: /usr/local/freeradius//etc/raddb/clients.conf Config:   including file: /usr/local/freeradius//etc/raddb/snmp.conf Config:   including file: /usr/local/freeradius//etc/raddb/eap.conf Config:   including file: /usr/local/freeradius//etc/raddb/sql.conf main: prefix = "/usr/local/freeradius/" main: localstatedir = "/usr/local/freeradius//var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/local/freeradius//lib" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/freeradius//var/run/radiusd/radiusd.pid" main: bind_address = 192.168.0.1 IP address [192.168.0.1] main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/freeradius//sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files:  reading dictionary read_config_files:  reading naslist Using deprecated naslist file.  Support for this will go away soon. read_config_files:  reading clients read_config_files:  reading realms radiusd:  entering modules setup Module: Library search path is /usr/local/freeradius/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/my.key" tls: certificate_file = "/usr/local/freeradius/etc/raddb/certs/my.crt" tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/my.crt" tls: private_key_password = "(null)" tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/freeradius//etc/raddb/huntgroups" preprocess: hints = "/usr/local/freeradius//etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) realm: format = "prefix" realm: delimiter = "\" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (ntdomain) Module: Loaded files files: usersfile = "/usr/local/freeradius//etc/raddb/users" files: acctusersfile = "/usr/local/freeradius//etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/freeradius//etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication 192.168.0.1:1812 Listening on accounting 192.168.0.1:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.2:4531, id=0, length=65         User-Name = "MYDOMAIN\\login"         User-Password = "password"   Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0   modcall[authorize]: module "preprocess" returns ok for request 0   modcall[authorize]: module "chap" returns noop for request 0   modcall[authorize]: module "mschap" returns noop for request 0     rlm_realm: No '@' in User-Name = "MYDOMAIN\login", looking up realm NULL     rlm_realm: No such realm "NULL"   modcall[authorize]: module "suffix" returns noop for request 0     rlm_realm: Looking up realm "MYDOMAIN" for User-Name = "MYDOMAIN\login"     rlm_realm: Found realm "DEFAULT"     rlm_realm: Adding Stripped-User-Name = "login"     rlm_realm: Proxying request from user login to realm DEFAULT     rlm_realm: Adding Realm = "DEFAULT"     rlm_realm: Authentication realm is LOCAL.   modcall[authorize]: module "ntdomain" returns noop for request 0   rlm_eap: No EAP-Message, not doing EAP   modcall[authorize]: module "eap" returns noop for request 0     users: Matched entry DEFAULT at line 153   modcall[authorize]: module "files" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.   modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns ok) for request 0   rad_check_password:  Found Auth-Type System auth: type "System"   Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0   modcall[authenticate]: module "unix" returns notfound for request 0 modcall: leaving group authenticate (returns notfound) for request 0 auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.0.2 port 4531 Waking up in 4 seconds... что может быть? если нужно что-то еще спрашивайте.

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	> Все настраивал по официальной документации. > 1)Машина в домене > 2)wbinfo работает > 3)ntlm_auth тоже из командной строки > На Радиусе пользователи авторизуются Локальный(/etc/passwd) и те что указаны в файле users.... > а вот из Домена не хотят. > Вот лог radiusd -X > Config: including file: /usr/local/freeradius//etc/raddb/proxy.conf > Config: including file: /usr/local/freeradius//etc/raddb/clients.conf > Config: including file: /usr/local/freeradius//etc/raddb/snmp.conf > Config: including file: /usr/local/freeradius//etc/raddb/eap.conf > Config: including file: /usr/local/freeradius//etc/raddb/sql.conf > main: prefix = "/usr/local/freeradius/" > main: localstatedir = "/usr/local/freeradius//var" > main: logdir = "/var/log/freeradius" > main: libdir = "/usr/local/freeradius//lib" > main: radacctdir = "/var/log/freeradius/radacct" > main: hostname_lookups = no > main: max_request_time = 30 > main: cleanup_delay = 5 > main: max_requests = 1024 > main: delete_blocked_requests = 0 > main: port = 1812 > main: allow_core_dumps = no > main: log_stripped_names = no > main: log_file = "/var/log/freeradius/radius.log" > main: log_auth = no > main: log_auth_badpass = no > main: log_auth_goodpass = no > main: pidfile = "/usr/local/freeradius//var/run/radiusd/radiusd.pid" > main: bind_address = 192.168.0.1 IP address [192.168.0.1] > main: user = "(null)" > main: group = "(null)" > main: usercollide = no > main: lower_user = "no" > main: lower_pass = "no" > main: nospace_user = "no" > main: nospace_pass = "no" > main: checkrad = "/usr/local/freeradius//sbin/checkrad" > main: proxy_requests = yes > proxy: retry_delay = 5 > proxy: retry_count = 3 > proxy: synchronous = no > proxy: default_fallback = yes > proxy: dead_time = 120 > proxy: post_proxy_authorize = no > proxy: wake_all_if_all_dead = no > security: max_attributes = 200 > security: reject_delay = 1 > security: status_server = no > main: debug_level = 0 > read_config_files: reading dictionary > read_config_files: reading naslist > Using deprecated naslist file. Support for this will go away soon. > read_config_files: reading clients > read_config_files: reading realms > radiusd: entering modules setup > Module: Library search path is /usr/local/freeradius/lib > Module: Loaded exec > exec: wait = yes > exec: program = "(null)" > exec: input_pairs = "request" > exec: output_pairs = "(null)" > exec: packet_type = "(null)" > rlm_exec: Wait=yes but no output defined. Did you mean output=none? > Module: Instantiated exec (exec) > Module: Loaded expr > Module: Instantiated expr (expr) > Module: Loaded PAP > pap: encryption_scheme = "crypt" > pap: auto_header = yes > Module: Instantiated pap (pap) > Module: Loaded CHAP > Module: Instantiated chap (chap) > Module: Loaded MS-CHAP > mschap: use_mppe = yes > mschap: require_encryption = yes > mschap: require_strong = yes > mschap: with_ntdomain_hack = yes > mschap: passwd = "(null)" > mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} > --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" > Module: Instantiated mschap (mschap) > Module: Loaded System > unix: cache = no > unix: passwd = "(null)" > unix: shadow = "(null)" > unix: group = "(null)" > unix: radwtmp = "/var/log/freeradius/radwtmp" > unix: usegroup = no > unix: cache_reload = 600 > Module: Instantiated unix (unix) > Module: Loaded eap > eap: default_eap_type = "peap" > eap: timer_expire = 60 > eap: ignore_unknown_eap_types = no > eap: cisco_accounting_username_bug = no > rlm_eap: Loaded and initialized type md5 > rlm_eap: Loaded and initialized type leap > gtc: challenge = "Password: " > gtc: auth_type = "PAP" > rlm_eap: Loaded and initialized type gtc > tls: rsa_key_exchange = no > tls: dh_key_exchange = yes > tls: rsa_key_length = 512 > tls: dh_key_length = 512 > tls: verify_depth = 0 > tls: CA_path = "(null)" > tls: pem_file_type = yes > tls: private_key_file = "/usr/local/freeradius/etc/raddb/certs/my.key" > tls: certificate_file = "/usr/local/freeradius/etc/raddb/certs/my.crt" > tls: CA_file = "/usr/local/freeradius/etc/raddb/certs/my.crt" > tls: private_key_password = "(null)" > tls: dh_file = "/usr/local/freeradius/etc/raddb/certs/dh" > tls: random_file = "/dev/urandom" > tls: fragment_size = 1024 > tls: include_length = yes > tls: check_crl = no > tls: check_cert_cn = "(null)" > tls: cipher_list = "(null)" > tls: check_cert_issuer = "(null)" > rlm_eap_tls: Loading the certificate file as a chain > rlm_eap: Loaded and initialized type tls > peap: default_eap_type = "mschapv2" > peap: copy_request_to_tunnel = no > peap: use_tunneled_reply = no > peap: proxy_tunneled_request_as_eap = yes > rlm_eap: Loaded and initialized type peap > mschapv2: with_ntdomain_hack = no > rlm_eap: Loaded and initialized type mschapv2 > Module: Instantiated eap (eap) > Module: Loaded preprocess > preprocess: huntgroups = "/usr/local/freeradius//etc/raddb/huntgroups" > preprocess: hints = "/usr/local/freeradius//etc/raddb/hints" > preprocess: with_ascend_hack = no > preprocess: ascend_channels_per_line = 23 > preprocess: with_ntdomain_hack = no > preprocess: with_specialix_jetstream_hack = no > preprocess: with_cisco_vsa_hack = no > preprocess: with_alvarion_vsa_hack = no > Module: Instantiated preprocess (preprocess) > Module: Loaded realm > realm: format = "suffix" > realm: delimiter = "@" > realm: ignore_default = no > realm: ignore_null = no > Module: Instantiated realm (suffix) > realm: format = "prefix" > realm: delimiter = "\" > realm: ignore_default = no > realm: ignore_null = no > Module: Instantiated realm (ntdomain) > Module: Loaded files > files: usersfile = "/usr/local/freeradius//etc/raddb/users" > files: acctusersfile = "/usr/local/freeradius//etc/raddb/acct_users" > files: preproxy_usersfile = "/usr/local/freeradius//etc/raddb/preproxy_users" > files: compat = "no" > Module: Instantiated files (files) > Module: Loaded Acct-Unique-Session-Id > acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, > NAS-Port" > Module: Instantiated acct_unique (acct_unique) > Module: Loaded detail > detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" > detail: detailperm = 384 > detail: dirperm = 493 > detail: locking = no > Module: Instantiated detail (detail) > Module: Loaded radutmp > radutmp: filename = "/var/log/freeradius/radutmp" > radutmp: username = "%{User-Name}" > radutmp: case_sensitive = yes > radutmp: check_with_nas = yes > radutmp: perm = 384 > radutmp: callerid = yes > Module: Instantiated radutmp (radutmp) > Listening on authentication 192.168.0.1:1812 > Listening on accounting 192.168.0.1:1813 > Ready to process requests. > rad_recv: Access-Request packet from host 192.168.0.2:4531, id=0, length=65 > User-Name = "MYDOMAIN\\login" > User-Password = "password" > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 0 > modcall[authorize]: module "preprocess" returns ok for request 0 > modcall[authorize]: module "chap" returns noop for request 0 > modcall[authorize]: module "mschap" returns noop for request 0 > rlm_realm: No '@' in User-Name = "MYDOMAIN\login", looking > up realm NULL > rlm_realm: No such realm "NULL" > modcall[authorize]: module "suffix" returns noop for request 0 > rlm_realm: Looking up realm "MYDOMAIN" for User-Name = > "MYDOMAIN\login" > rlm_realm: Found realm "DEFAULT" > rlm_realm: Adding Stripped-User-Name = "login" > rlm_realm: Proxying request from user login to realm > DEFAULT > rlm_realm: Adding Realm = "DEFAULT" > rlm_realm: Authentication realm is LOCAL. > modcall[authorize]: module "ntdomain" returns noop for request 0 > rlm_eap: No EAP-Message, not doing EAP > modcall[authorize]: module "eap" returns noop for request 0 > users: Matched entry DEFAULT at line 153 > modcall[authorize]: module "files" returns ok for request 0 > rlm_pap: WARNING! No "known good" password found for the user. Authentication > may fail because of this. > modcall[authorize]: module "pap" returns noop for request 0 > modcall: leaving group authorize (returns ok) for request 0 > rad_check_password: Found Auth-Type System > auth: type "System" > Processing the authenticate section of radiusd.conf > modcall: entering group authenticate for request 0 > modcall[authenticate]: module "unix" returns notfound for request 0 > modcall: leaving group authenticate (returns notfound) for request 0 > auth: Failed to validate the user. > Delaying request 0 for 1 seconds > Finished request 0 > Going to the next request > --- Walking the entire request list --- > Waking up in 1 seconds... > --- Walking the entire request list --- > Waking up in 1 seconds... > --- Walking the entire request list --- > Sending Access-Reject of id 0 to 192.168.0.2 port 4531 > Waking up in 4 seconds... > что может быть? если нужно что-то еще спрашивайте.
	Введите код, изображенный на картинке: