• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4184
  • Last Modified:

Samba/Winbind "reading winbind reply failed" error

disclaimer: windows guy (but getting better at this nix thing)

I'm trying to set up FreeRadius (on debian 7, samba 3.6.6) to authenticate with AD

I've successfully joined the the radius machine to the domain (server 08 r2)
I can successfully wbinfo -u
I can successfully $ ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

so all seems good however when I run

radtest -t mschap user password localhost 0 testing123

I get Access-Reject ....[snip]...MS-CHAP-Error = "\000E=691 R=1"

The debug output shows

 Exec-Program output: Reading winbind reply failed! (0xc0000001)
..
..
MS-CHAP-Response is incorrect

My reading says that this may be a permissions issue (http://freeradius.1045715.n5.nabble.com/Reading-winbind-reply-failed-0xc0000001-td5713417.html) however I have added


the freeradius process (freerad) to /etc/group/winbindd_priv

and still see the error.

I've searched and found nothing else to try...

Any ideas?


(and yes all the services have been restarted - after each attempt to configure...)
0
SidFishes
Asked:
SidFishes
  • 4
  • 3
1 Solution
 
xtermCommented:
> however I have added the freeradius process (freerad) to /etc/group/winbindd_priv

Could you please paste the line that you modified or added in /etc/group so that I can check the syntax?
0
 
xtermCommented:
I should clarify, you mentioned /etc/group/winbindd_priv, but /etc/group isn't a directory, it's a file, so what you're describing isn't actually possible.
0
 
SidFishesAuthor Commented:
"what you're describing isn't actually possible. "

Not what I meant. just referring to the winbindd_priv entry

 /etc/group > winbindd_priv

syntax is simple winbindd_priv:x:119:freerad
0
The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

 
xtermCommented:
Please run this command and let me know what it finds:

  find /var/run/samba | xargs ls -l
0
 
SidFishesAuthor Commented:
Found the issue.

Despite what I read from several sources, the following is required.

in /etc/freeradius/modules > mschap

you need to edit & uncomment the line

with_ntdomain_hack = yes

This fixes a behaviour where windows sends the username in DOMAIN\user format but sends only the user back as the challenge response

This is clearly noted in the MSCHAP file comments, but I saw many posts saying it was not needed so I didn't try it (or I'd messed with so many settings on the previous install that it was broken when I tried it.)

on the fresh install, worked perfectly.
0
 
xtermCommented:
Nice job!
0
 
SidFishesAuthor Commented:
self-RTFM
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now