From: Morris, A. <am...@ca...> - 2011-12-07 14:40:58
Interestingly testparm reported that it couldn't find smb.conf, so I don't know whether I saved it incorrectly when I reconfigured it as below, as I definitely had one there beforehand (I can still see it renamed to smb.conf.old).

After recreating smb.conf with the content inside the admin guide, 'net ads join -U %username' reported that my workgroup declaration was indeed wrong and it even told me what it should be - gotta love helpful error messages!

After correcting this I ran the join command again and got:

    [root@pfence01 samba]# net ads join -U %username
    Enter username's password:
    Using short domain name -- DOMAIN
    Joined 'PFENCE01' to realm 'internal.domain.co.uk'
    [2011/12/07 14:30:55.671886, 0] libads/kerberos.c:333(ads_kinit_password)
      kerberos_kinit_password PFE...@IN... failed: Preauthentication failed

So it looks like it joined the domain, but then failed at pre-authentication.

From: Francois Gaudreault [mailto:fga...@in...]
Sent: 07 December 2011 13:10
To: pac...@li...
Subject: Re: [Packetfence-users] Configuring radius with active directory

Yes the workgroup has an impact. If you do a testparm, what does it tell you?

On 11-12-07 4:02 AM, Morris, Andi wrote:

I see, well in our case I have the two set the same, should this affect anything? Samba is not telling me that the workgroup is wrong.

Cheers,
Andi

From: Francois Gaudreault [mailto:fga...@in...]
Sent: 06 December 2011 16:57
To: pac...@li...
Subject: Re: [Packetfence-users] Configuring radius with active directory

The realm is not the same as the workgroup. The realm refers to the one configured in krb5.conf, and the workgroup is the netbios name of the domain.

Samba should tell you if the workgroup is wrong in the error message.

On 11-12-06 11:40 AM, Morris, Andi wrote:

No difference after editing the smb.conf as suggested. Out of interest, should the realm and the workgroup be the same?

From: Francois Gaudreault [mailto:fga...@in...]
Sent: 06 December 2011 16:14
To: pac...@li...
Subject: Re: [Packetfence-users] Configuring radius with active directory

Ok two things:

1. Do a kinit first (i.e. kinit myuser), that should work. Does it?
2. Use only the smb.conf from the guide, remove every other config from the smb.conf. Basically, copy and paste the configuration from the guide, and change your workgroup, ip and realm attributes.

Let me know if it works better.

On 11-12-06 10:50 AM, Morris, Andi wrote:

Ok cheers, here they are with domain names and IP addresses edited.

Krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MYDOMAIN.CO.UK
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     MYDOMAIN.CO.UK = {
      kdc = activedirectoryservername:88
      admin_server = activedirectoryservername:749
      default_domain = mydomain.co.uk
     }

    [domain_realm]
     mydomain.co.uk = MYDOMAIN.CO.UK
     mydomain.co.uk = MYDOMAIN.CO.UK

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Smb.conf (leaving out any commented lines, I added the global config as per the admin guide, the others are there by default):

    [global]
     workgroup = MYDOMAIN.CO.UK
     server string = pfence01
     interfaces = 1.2.3.4/24 (Packetfence management IP address)
     security = ADS
     passdb backend = tdbsam
     realm = MYDOMAIN.CO.UK
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     load printers = no
     cups options = raw
     idmap uid = 10000-45000
     idmap gid = 10000-45000
     log level = 1 winbind:5 auth:3
     log file = /var/log/samba/log.%m
     max log size = 50
     security = user
     passdb backend = tdbsam
     load printers = yes
     cups options = raw

    [homes]
     comment = Home Directories
     browseable = no
     writable = yes

    [printers]
     comment = All Printers
     path = /var/spool/samba
     browseable = no
     guest ok = no
     writable = no
     printable = yes

From: Francois Gaudreault [mailto:fga...@in...]
Sent: 06 December 2011 15:33
To: pac...@li...
Subject: Re: [Packetfence-users] Configuring radius with active directory

Hi,

Can you post your krb5.conf and your smb.conf? Otherwise we are blind...

On 11-12-06 6:52 AM, Morris, Andi wrote:

I'm trying to set up radius to authenticate clients with my active directory database so that I can utilise the 802.1x on the switches. However I've got to the section where I need to add my server to the domain after configuring samba and it is failing. I don't know whether it's related or not, but since doing this I can also no longer use the web interface for the server.

The failure message I get when trying to add the server to the domain is:

    Host is not configured as a member server.
    Invalid configuration. Exiting....
    Failed to join domain: This operation is only allowed for the PDC of the domain.

Can anyone shed some light on this please?

Cheers,
Andi

________________________________
From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change.
Further information can be found on the website here: http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx

_______________________________________________
Packetfence-users mailing list
Pac...@li...
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
fga...@in... :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
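
An added example, not part of the original thread or of PacketFence or Samba: a small lint for the [global] section of an smb.conf that flags the two things the thread turns on, leftover default settings that override the guide's values, and a workgroup set to the DNS realm instead of the NetBIOS domain name. It assumes that Samba ignores case and spaces in parameter names and that the later of two duplicate parameters takes effect; the sample is a constructed, abridged copy of the configuration posted above, and `lint_global` is a hypothetical helper name.

```python
import re

# Constructed sample: abridged [global] section as posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MYDOMAIN.CO.UK
server string = pfence01
security = ADS
passdb backend = tdbsam
realm = MYDOMAIN.CO.UK
winbind use default domain = yes
log file = /var/log/samba/log.%m
security = user
passdb backend = tdbsam
load printers = yes
[homes]
comment = Home Directories
"""

def norm(key):
    # Assumption: parameter names compare case- and whitespace-insensitively.
    return re.sub(r"\s+", "", key).lower()

def lint_global(text):
    """Return (effective [global] settings, list of findings)."""
    section, seen, findings = None, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = norm(key)
        # A repeated key with a different value silently replaces the earlier one.
        if k in seen and seen[k][0].lower() != value.lower():
            findings.append(f"line {lineno}: '{key} = {value}' overrides "
                            f"'{seen[k][0]}' from line {seen[k][1]}")
        seen[k] = (value, lineno)
    eff = {k: v for k, (v, _) in seen.items()}
    if eff.get("security", "").lower() != "ads":
        findings.append("effective security is not ADS, so the host is not an AD member")
    wg, realm = eff.get("workgroup", ""), eff.get("realm", "")
    # NetBIOS domain names have no dots and are at most 15 characters long.
    if "." in wg or len(wg) > 15 or (realm and wg.lower() == realm.lower()):
        findings.append(f"workgroup '{wg}' looks like a DNS realm, not a NetBIOS name")
    return eff, findings

if __name__ == "__main__":
    for finding in lint_global(SAMPLE_SMB_CONF)[1]:
        print(finding)
```

Running `testparm -s` on the real file remains the authoritative check of what Samba actually loads.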