
Re: PEAP-MSCHAPv2 Radius auth against bullseye TJENER



On Wed 19 Jan 2022 15:53:09 CET, Wolfgang Schweer wrote:

[ Mike Gabriel, 2022-01-19 ]
I am currently setting up a FreeRADIUS on TJENER (bullseye) and find that
the Debian Edu documentation (esp. the Debian Edu 11 release announcement)
states that PEAP-MSCHAPv2 is supported by the FreeRADIUS setup script.

@Wolfgang: do you have a PEAP-MSCHAPv2 setup running?

atm no (missing resources). at the time I added the script, things
worked just fine, using the edu cert on my phone as well.

For testing purposes, I have set ntlm_auth = yes in smb.conf.

that isn't the way to go, use the provided config:
https://salsa.debian.org/debian-edu/debian-edu-config/-/blob/master/etc/samba/smb-debian-edu.conf

When using ntlm_auth to authenticate against smbd on TJENER I always get
NT_STATUS_NO_SUCH_USER:

```
$ ntlm_auth --username=gabmik --domain=SGM
Password:
NT_STATUS_NO_SUCH_USER: The specified account does not exist. (0xc0000064)
```

as of bullseye, PDC with 'domain' is gone, fake domain is tjener
use 'smbclient -L tjener' (as user gabmik).

I understand that Samba user information for the standalone server is now
stored locally on TJENER (and password changes are managed via hook calls to
smbpasswd).

Any idea how to track this down further?

'man pdbedit' is your friend, eg

pdbedit -L -v -u gabmik

Wolfgang

I solved the above by basically adding --domain=TJENER to the ntlm_auth command in

  /etc/freeradius/3.0/mods-enabled/mschap

The problem was that --domain=SGM addressed a domain controller on site which I did not take into account. However, without --domain=<...> ntlm_auth would still fail.

So, maybe --domain=TJENER should be added to the freeRADIUS setup script?

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
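
The following is an added example, not part of the thread and not code from the Debian Edu setup script: a shell check that reports which `--domain` the active `ntlm_auth` line of a FreeRADIUS `mschap` module file passes, which is the setting the message above changed. The function names and the sample file contents are constructed for illustration; on a real host the function would be pointed at `/etc/freeradius/3.0/mods-enabled/mschap`.

```shell
#!/bin/sh
# Added example: report which --domain the active ntlm_auth line passes.

# Print the first uncommented "ntlm_auth = ..." line of module file $1.
active_ntlm_auth_line() {
    sed -n -e 's/^[[:space:]]*//' -e '/^ntlm_auth[[:space:]]*=/{p;q;}' "$1"
}

# Print the --domain value; return 1 if absent, 2 if ntlm_auth is not enabled.
ntlm_auth_domain() {
    line=$(active_ntlm_auth_line "$1")
    [ -n "$line" ] || return 2
    domain=$(printf '%s\n' "$line" | sed -n 's/.*--domain=\([^ "]*\).*/\1/p')
    [ -n "$domain" ] || return 1
    printf '%s\n' "$domain"
}

# Constructed sample files (assumed layout, not copied from TJENER).
write_samples() {
    cat > "$1/mschap.before" <<'EOF'
mschap {
	# ntlm_auth = "/path/to/ntlm_auth --domain=EXAMPLE"
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
EOF
    sed 's/--request-nt-key/& --domain=TJENER/' "$1/mschap.before" \
        > "$1/mschap.after"
}

# Demo run over the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir/mschap.before" "$dir/mschap.after"; do
    if d=$(ntlm_auth_domain "$f"); then
        echo "${f##*/}: ntlm_auth is called with --domain=$d"
    else
        echo "${f##*/}: no --domain on the active ntlm_auth line"
    fi
done
rm -rf "$dir"
```

The commented-out line in the sample is skipped on purpose, so a `--domain` that only appears in a comment is not mistaken for the active setting.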


