Discussion:
using realm ntdomain fails
Christoph Litauer
2004-10-08 07:22:36 UTC
Hi,

I want to use realm ntdomain, but had no success so far. Debug output
always says:
modcall[authorize]: module "ntdomain" returns noop for request 47

What am I doing wrong? Please help ...
Many thanks in advance!

radius.conf is attached. The relevant part of my debug log is:

rad_recv: Access-Request packet from host 141.26.92.10:1276, id=213,
length=212
User-Name = "LAPLITAUER\\litauer"
Cisco-AVPair = "ssid=Uni-Koblenz-EAP"
NAS-IP-Address = 141.26.92.10
Called-Station-Id = "004096442c99"
Calling-Station-Id = "000423795461"
NAS-Identifier = "ap-a-e-n"
NAS-Port = 37
Framed-MTU = 1400
State = 0x02d3d6576ad9e1ab0317238591165914
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x02b500261900170301001b3b902ed4aa01a324bbefc6b4ad5f33165666e1acf66513406e864e
Message-Authenticator = 0xd1baa9b216e1771c5cec6cbb373c63e5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 47
modcall[authorize]: module "preprocess" returns ok for request 47
rlm_realm: Looking up realm "LAPLITAUER" for User-Name =
"LAPLITAUER\litauer"
rlm_realm: No such realm "LAPLITAUER"
modcall[authorize]: module "ntdomain" returns noop for request 47
modcall[authorize]: module "chap" returns noop for request 47
modcall[authorize]: module "mschap" returns noop for request 47
rlm_realm: No '@' in User-Name = "LAPLITAUER\litauer", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 47
rlm_eap: EAP packet type response id 181 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 47
users: Matched DEFAULT at 151
modcall[authorize]: module "files" returns ok for request 47
modcall: group authorize returns updated for request 47
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 47
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 47
modcall: group authenticate returns invalid for request 47
auth: Failed to validate the user.
--
Regards
Christoph
________________________________________________________________________
Christoph Litauer ***@uni-koblenz.de
Uni Koblenz, Rechenzentrum, http://www.uni-koblenz.de/~litauer
Postfach 201602, 56016 Koblenz Fon: +49 261 287-1311, Fax: -100 1311
PGP-Key: http://www.uni-koblenz.de/~litauer/public-key.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Christoph Litauer
2004-10-08 07:25:46 UTC
Post by Christoph Litauer
Hi,
I want to use realm ntdomain, but had no success so far. Debug output
modcall[authorize]: module "ntdomain" returns noop for request 47
What am I doing wrong? Please help ...
Many thanks in advance!
Sorry, I forgot the attachment. Here it is.
Øystein Gåsdal
2004-10-08 08:06:10 UTC
What is realm used for anyway? Is it just for proxying?
Do we even need to configure that to use ntlm authentication?

Regards,
Øystein Gåsdal
Christoph Litauer
2004-10-08 08:57:39 UTC
Post by Øystein Gåsdal
What is realm used for anyway? Is it just for proxying?
Do we even need to configure that to use ntlm authentication?
Yes, I want to use ntlm_auth with the stripped username (username
without nt domain).
Alan DeKok
2004-10-08 14:38:53 UTC
Post by Christoph Litauer
I want to use realm ntdomain, but had no success so far. Debug output
modcall[authorize]: module "ntdomain" returns noop for request 47
OK....
Post by Christoph Litauer
rlm_realm: Looking up realm "LAPLITAUER" for User-Name =
"LAPLITAUER\litauer"
rlm_realm: No such realm "LAPLITAUER"
So... did you define that realm in "proxy.conf", or in the "realms"
file? I'd bet that the answer is "no".

Alan DeKok.


Christoph Litauer
2004-10-11 12:20:25 UTC
Post by Alan DeKok
Post by Christoph Litauer
I want to use realm ntdomain, but had no success so far. Debug output
modcall[authorize]: module "ntdomain" returns noop for request 47
OK....
Post by Christoph Litauer
rlm_realm: Looking up realm "LAPLITAUER" for User-Name =
"LAPLITAUER\litauer"
rlm_realm: No such realm "LAPLITAUER"
So... did you define that realm in "proxy.conf", or in the "realms"
file? I'd bet that the answer is "no".
Alan DeKok.
Thank you Alan, seems as if I still haven't understood how to handle
realms. So if you please could give a short tip how to handle the
following situation:

I want to authenticate my WLAN users via PEAP using ntlm_auth. This
works if the Windows users configure an authentication with an empty
domain. I still want users to be able to use their Windows logon and
password. Unfortunately this case prefixes the username with the domain
(e.g. LAPLITAUER\litauer). I want to discard the domain part. Is it
possible? Do I have to use realms?

Thanks in advance.
Alan DeKok
2004-10-11 14:16:06 UTC
Post by Christoph Litauer
Post by Alan DeKok
So... did you define that realm in "proxy.conf", or in the "realms"
file? I'd bet that the answer is "no".
Thank you Alan, seems as if I still haven't understood how to handle
realms.
Please read "proxy.conf".
Post by Christoph Litauer
I want to discard the domain part. Is it possible? Do I have to use
realms?
Yes, and yes.

Alan DeKok.

Christoph Litauer
2004-10-12 06:45:10 UTC
Post by Alan DeKok
Post by Christoph Litauer
Post by Alan DeKok
So... did you define that realm in "proxy.conf", or in the "realms"
file? I'd bet that the answer is "no".
Thank you Alan, seems as if I still haven't understood how to handle
realms.
Please read "proxy.conf".
Well, reading proxy.conf I found the following section:

#
# This realm is used mainly to cancel proxying. You can have
# the "realm suffix" module configured to proxy all requests for
# a realm, and then later cancel the proxying, based on other
# configuration.
#
# For example, you want to terminate PEAP or EAP-TTLS locally,
# you can add the following to the "users" file:
#
# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
#
realm LOCAL {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
}

As stated I changed my users to:

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL

[...]


Now my debug log says:
Thread 1 handling request 20, (5 handled so far)
User-Name = "LAPLITAUER\\litauer"
Cisco-AVPair = "ssid=Uni-Koblenz-EAP"
NAS-IP-Address = 141.26.92.10
Called-Station-Id = "004096442c99"
Calling-Station-Id = "000423795461"
NAS-Identifier = "ap-a-e-n"
NAS-Port = 37
Framed-MTU = 1400
State = 0x7bc87798bb2c806d025d128404407406
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
0x027600261900170301001b540a4e2f3db14854be881c8776f8e5ed30aa22fa98b38394e53fef
Message-Authenticator = 0x6e4556cb40fe7d761ad6ebce4a6a4611
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
modcall[authorize]: module "preprocess" returns ok for request 20
modcall[authorize]: module "chap" returns noop for request 20
modcall[authorize]: module "mschap" returns noop for request 20
rlm_realm: No '@' in User-Name = "LAPLITAUER\litauer", looking up
realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 20
rlm_eap: EAP packet type response id 118 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 20
users: Matched DEFAULT at 151
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 20
modcall: group authorize returns updated for request 20
WARNING: You set Proxy-To-Realm = LOCAL, but it is a LOCAL realm!
Cancelling invalid proxy request.

I don't think that "LAPLITAUER\litauer" is a LOCAL realm, is it?
Please help ...
Alan DeKok
2004-10-12 15:10:06 UTC
Post by Christoph Litauer
Post by Alan DeKok
Please read "proxy.conf".
...

<sigh> The whole purpose of "proxy.conf" is to define realms. There
are examples in it of doing exactly what you want. If you're only
going to read PART of "proxy.conf", then it would appear you're not
prepared to solve your problem.
Post by Christoph Litauer
DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
Don't set Proxy-To-Realm. You don't need to.

READ "proxy.conf". ALL OF IT.

Hint: look for "bla.com".
Post by Christoph Litauer
I don't think that "LAPLITAUER\litauer" is a LOCAL realm, is it?
You said that you wanted the server to handle requests containing
the realm "LAPLITAUER". Since you're not proxying it, that makes it a
local realm.

Alan DeKok.



Christoph Litauer
2004-10-13 11:16:32 UTC
Post by Alan DeKok
Post by Christoph Litauer
Post by Alan DeKok
Please read "proxy.conf".
...
<sigh> The whole purpose of "proxy.conf" is to define realms. There
are examples in it of doing exactly what you want. If you're only
going to read PART of "proxy.conf", then it would appear you're not
prepared to solve your problem.
Post by Christoph Litauer
DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
Don't set Proxy-To-Realm. You don't need to.
READ "proxy.conf". ALL OF IT.
Hint: look for "bla.com".
Post by Christoph Litauer
I don't think that "LAPLITAUER\litauer" is a LOCAL realm, is it?
You said that you wanted the server to handle requests containing
the realm "LAPLITAUER". Since you're not proxying it, that makes it a
local realm.
Seems as if I am a little bit dull-witted ... I still can't get it
working. And yes, I read lots of manuals, docs, comments in
configuration files, etc. Sorry for asking again.

I tried several possibilities to ignore the domain-part of the username.
(realm, hints). This stripped username is added to the user list. But
every time it should be authenticated, radius complains:

rlm_eap: Identity does not match User-Name, setting from EAP Identity.

... which is correct because e.g. litauer doesn't match ANYDOMAIN\litauer.

Now I wonder if my intended configuration is feasible at all. Alan said
"yes", so I still believe it is ...

I googled for the error message and found a discussion in this mailing
list about just my problem, but no solution was given
(http://www.mail-archive.com/freeradius-***@lists.freeradius.org/msg01274.html).

Any tips are greatly appreciated ...
Michael Griego
2004-10-13 13:19:32 UTC
Are you using "with_ntdomain_hack" in the preprocess module?

--Mike
Christoph Litauer
2004-10-13 13:35:16 UTC
Post by Michael Griego
Are you using "with_ntdomain_hack" in the preprocess module?
I tried this, too. The effect was the one I described: I can see my
username without the domain is added to the users list. But while
authenticating I get the error message:

rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Michael Griego
2004-10-13 13:41:07 UTC
You should *not* be using with_ntdomain_hack in the preprocess module.
If you're not, and you're still having problems, either use the
"nostrip" option in your realm configuration or don't use realms and use
the hints file to create the Stripped-User-Name attribute. This way,
the original User-Name isn't changed, but (with the hints file), you
have a stripped username that you can do your lookups with. Based on
what I think you're trying to do, not using LOCAL realms and doing the
hints file processing is really what you want.

--Mike
Alan DeKok
2004-10-13 15:27:13 UTC
Post by Christoph Litauer
I tried several possibilities to ignore the domain-part of the username.
(realm, hints). This stripped username is added to the user list. But
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Don't use "with_ntdomain_hack" in the preprocess module. The
comments there say so.

Configure the "ntdomain" version of the "realms" module. Ensure
it's being used when you send the server requests.

Use radclient to send test requests. Run the server in debugging mode.

Configure the realm in "proxy.conf", as a LOCAL realm. See
"bla.com".

Once you get the "ntdomain" module to recognize the domain, then
authentication will work.

Alan DeKok.


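To make concrete what Michael's and Alan's replies describe, here is an added Python model (not FreeRADIUS code and not from anyone in the thread) of what a realm module instance, the preprocess "with_ntdomain_hack" and the rlm_eap identity check each do to User-Name. The Request and Realm classes, the REALMS table and the returned rcode strings are my simplifications of the server's behaviour, chosen to match the debug lines quoted above.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Realm:
    """One 'realm NAME { ... }' block from proxy.conf (modelled)."""
    name: str
    authhost: str = "LOCAL"    # LOCAL = authenticate here, else proxy there
    nostrip: bool = False      # the 'nostrip' option Michael mentions

@dataclass
class Request:
    """The few attributes the thread's debug output revolves around."""
    user_name: str                            # User-Name
    eap_identity: str                         # identity inside EAP-Message
    stripped_user_name: Optional[str] = None  # Stripped-User-Name
    proxy_to_realm: Optional[str] = None      # Proxy-To-Realm

def realm_module(req: Request, realms: Dict[str, Realm],
                 fmt: str = "prefix", delimiter: str = "\\") -> str:
    """Models one rlm_realm instance: 'ntdomain' is format = prefix with
    delimiter "\\\\", 'suffix' is format = suffix with "@".  Returns the
    rcode that 'modcall[authorize]: module ... returns' would print."""
    if delimiter not in req.user_name:
        # "No '@' in User-Name ..., looking up realm NULL"
        realm_name, user = "NULL", req.user_name
    elif fmt == "prefix":
        realm_name, user = req.user_name.split(delimiter, 1)
    else:
        user, realm_name = req.user_name.rsplit(delimiter, 1)
    realm = realms.get(realm_name)
    if realm is None:
        return "noop"                   # "rlm_realm: No such realm ..."
    if not realm.nostrip:
        req.stripped_user_name = user   # User-Name itself is left alone
    if realm.authhost == "LOCAL":
        return "ok"                     # handled locally, nothing to proxy
    req.proxy_to_realm = realm.name
    return "updated"

def with_ntdomain_hack(req: Request, delimiter: str = "\\") -> None:
    """The preprocess hack the thread says not to use: modelled as a
    rewrite of User-Name in place, so it no longer matches the identity."""
    if delimiter in req.user_name:
        req.user_name = req.user_name.split(delimiter, 1)[1]

def eap_check_identity(req: Request) -> bool:
    """rlm_eap: 'Identity does not match User-Name, setting from EAP
    Identity.'  Returns False and restores User-Name when they differ."""
    if req.user_name == req.eap_identity:
        return True
    req.user_name = req.eap_identity
    return False

def ntlm_auth_username(req: Request) -> str:
    """Name to hand to ntlm_auth --username, falling back to User-Name the
    way a %{Stripped-User-Name:-%{User-Name}} expansion would (assumed)."""
    return req.stripped_user_name or req.user_name

# Constructed realm table standing in for a LOCAL realm in proxy.conf.
REALMS = {"LAPLITAUER": Realm("LAPLITAUER")}
```

With an empty realm table the module returns "noop" exactly as in Christoph's first log; with LAPLITAUER defined it returns "ok", leaves User-Name intact for the EAP identity check and exposes "litauer" for ntlm_auth, while the preprocess hack path ends with User-Name reset from the EAP identity.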
Øystein Gåsdal
2004-10-11 13:07:25 UTC
I didn't use realms to get this working; I think realms are only needed if you are
going to use freeradius as a radius proxy.
If you want to authenticate users using their domain user and password, you
must get ntlm_auth working (search for it in radiusd.conf), but as Alan here
pointed out to me, it is best to make it work manually by typing something
like:
ntlm_auth --request-nt-key --username=<username> --password=<password> --domain=<DOMAIN>

But before I got this to work I had to configure and start the samba
service, and make the freeradius server join the domain.

The samba config for me is located here: /etc/samba/smb.conf, I changed only
two things:
workgroup = <your domain name>
wins server = <IP address of your WINS server>

Start samba with (I think): service start smbd

I can't remember the command to join the domain, I'll have to get back to
you on that one.

ntlm_auth uses another program called winbindd in the background... It can
be difficult to make it work right, but read its log in
/var/log/samba/winbindd.log, and you'll understand.

I hope this is some of what you were looking for.

- Øystein