
Samba/Winbind  "reading winbind reply failed" error

Posted on 2013-11-19
Last Modified: 2013-12-01
disclaimer: windows guy (but getting better at this nix thing)

I'm trying to set up FreeRadius (on debian 7, samba 3.6.6) to authenticate with AD

I've successfully joined the radius machine to the domain (server 08 r2)
I can successfully wbinfo -u
I can successfully $ ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

so all seems good however when I run

radtest -t mschap user password localhost 0 testing123

I get Access-Reject ....[snip]...MS-CHAP-Error = "\000E=691 R=1"

The debug output shows

 Exec-Program output: Reading winbind reply failed! (0xc0000001)
..
..
MS-CHAP-Response is incorrect

My reading says that this may be a permissions issue (http://freeradius.1045715.n5.nabble.com/Reading-winbind-reply-failed-0xc0000001-td5713417.html) however I have added the freeradius process (freerad) to /etc/group/winbindd_priv

and still see the error.

I've searched and found nothing else to try...

Any ideas?


(and yes all the services have been restarted - after each attempt to configure...)
0
Question by:SidFishes
LVL 19

Expert Comment

by:xterm
ID: 39660927
> however I have added the freeradius process (freerad) to /etc/group/winbindd_priv

Could you please paste the line that you modified or added in /etc/group so that I can check the syntax?
0
 
LVL 19

Expert Comment

by:xterm
ID: 39660928
I should clarify, you mentioned /etc/group/winbindd_priv, but /etc/group isn't a directory, it's a file, so what you're describing isn't actually possible.
0
 
LVL 36

Author Comment

by:SidFishes
ID: 39662590
"what you're describing isn't actually possible. "

Not what I meant. Just referring to the winbindd_priv entry

 /etc/group > winbindd_priv

syntax is simple winbindd_priv:x:119:freerad
0

 
LVL 19

Expert Comment

by:xterm
ID: 39665995
Please run this command and let me know what it finds:

  find /var/run/samba | xargs ls -l
0
 
LVL 36

Accepted Solution

by:SidFishes
ID: 39677869
Found the issue.

Despite what I read from several sources, the following is required.

in /etc/freeradius/modules > mschap

you need to edit & uncomment the line

with_ntdomain_hack = yes

This fixes a behaviour where Windows sends the username in DOMAIN\user format but sends only the user back as the challenge response.

This is clearly noted in the MSCHAP file comments, but I saw many posts saying it was not needed so I didn't try it (or I'd messed with so many settings on the previous install that it was broken when I tried it.)

On the fresh install, it worked perfectly.
0
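
The two settings discussed in this thread (freerad's membership in winbindd_priv, and with_ntdomain_hack in the mschap module file) can be checked with a short script. This is an added example, not part of the original thread and not FreeRADIUS or Samba code; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample file contents in demo() are constructed, not from a real host.

# user_in_group FILE GROUP USER
# Succeeds only if USER is an exact entry in GROUP's member list
# (4th colon-separated field, members separated by commas).
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# ntdomain_hack_state FILE
# Prints "enabled" or "disabled" for an active with_ntdomain_hack line,
# or "unset" when the line is commented out or missing.
ntdomain_hack_state() {
    awk '
        /^[ \t]*with_ntdomain_hack[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # drop "key ="
            sub(/#.*/, "", v)             # drop trailing comment
            gsub(/[ \t]+$/, "", v)        # drop trailing whitespace
            state = (v == "yes") ? "enabled" : "disabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed group entry in the form quoted in the thread.
    printf '%s\n' 'winbindd_priv:x:119:freerad' > "$tmp/group"
    # Constructed mschap fragments: commented out vs. edited and uncommented.
    printf '%s\n' 'mschap {' '    #with_ntdomain_hack = no' '}' > "$tmp/before"
    printf '%s\n' 'mschap {' '    with_ntdomain_hack = yes' '}' > "$tmp/after"
    user_in_group "$tmp/group" winbindd_priv freerad && echo "group: freerad is a member"
    echo "before: $(ntdomain_hack_state "$tmp/before")"
    echo "after:  $(ntdomain_hack_state "$tmp/after")"
    rm -rf "$tmp"
}
demo
```

On the machine from this thread the same functions would be pointed at /etc/group and at the mschap file under /etc/freeradius/modules.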
 
LVL 19

Expert Comment

by:xterm
ID: 39678053
Nice job!
0
 
LVL 36

Author Closing Comment

by:SidFishes
ID: 39687891
self-RTFM
0
