Lenny + Freeradius + ntlm_auth +MS AD Error 778 (При подключении vpn пользователей ошибка 778)



Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение hutnick »

Есть Vpn сервер интегрированный с AD.

Проблема заключается в том, что пользователям WinXP выдаётся сообщение "778: невозможно проверить идентичность сервера".
Работало всё нормально, как часики, но в один прекрасный момент перестало; поднимал на нескольких тестовых машинах — ошибка та же.
Если кто-то сталкивался, помогите, пожалуйста!!!
Есть ещё Debian etch, там данная связка в данный момент работает отлично!
Система: Debian Lenny
pptpd v1.3.4
FreeRADIUS Version 2.0.4
samba 3.2.5
mysql-server-5.0

Настройки

/etc/ppp/pptpd-options


# /etc/ppp/pptpd-options — pppd options applied to every PPTP session.
# Authentication and per-user attributes are delegated to FreeRADIUS through these two plugins.
plugin radius.so
plugin radattr.so
# Local system name used by pppd for authentication purposes.
name pptpd
# Only MS-CHAPv2 is accepted: PAP, CHAP and MS-CHAPv1 are refused.
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# NOTE(review): there is no require-mppe / require-mppe-128 line, and the posted radiusd.conf
# has use_mppe = no in its mschap module, so no MPPE keys are issued and the PPP payload inside
# the PPTP tunnel presumably travels unencrypted — confirm this is intended.
proxyarp
nodefaultroute
# Verbose pppd logging to syslog; useful while chasing the 778 error, noisy afterwards.
debug
lock
nobsdcomp


/etc/pptpd.conf


# /etc/pptpd.conf — pptpd daemon settings; per-session pppd options live in the file below.
option /etc/ppp/pptpd-options
# Server-side tunnel address. No remoteip pool is configured here; in the posted -X trace the
# client address comes from the RADIUS reply (Framed-IP-Address := 172.16.2.13), presumably from SQL.
localip 172.16.50.1

/etc/samba/smb.conf


# /etc/samba/smb.conf — Samba joined to the AD domain; winbind provides the domain users/groups
# that ntlm_auth (called from FreeRADIUS rlm_mschap) validates against the DC.
[global]
dos charset = cp866
username map = /etc/samba/smbusers
# SMB signing and schannel (the secure channel to the DC) are required on both sides — keep these.
server signing = yes
client signing = yes
server schannel = yes
client schannel = yes
realm = DOM.LOC
# NOTE(review): a single DC is pinned here. If pdc.dom.loc is unreachable or its secure channel
# breaks, winbind/ntlm_auth presumably fail even though everything else is fine — worth checking
# whenever the 778 error reappears (the second reply in the thread reports that restarting
# samba/winbind helps).
password server = pdc.dom.loc
   workgroup = DOM
   server string = %h server
   include = /etc/samba/dhcp.conf
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   # Domain member mode: logons are validated by the DC, not by a local password store.
   security = ads
   encrypt passwords = true
   # Local password database; with security = ads this presumably only matters for local
   # (non-domain) accounts — confirm it is still needed.
   passdb backend = tdbsam
   obey pam restrictions = yes
   # root can never authenticate over SMB.
   invalid users = root
   smb passwd file = /etc/samba/smbpasswd
   preferred master = no
   # Fixed uid/gid ranges for domain users and groups mapped by winbind.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template homedir = /home/samba/%U
   template shell = /bin/bash
   winbind enum groups = yes
   winbind enum users = yes
   # Lets a bare "kukuska" resolve without the DOM\ prefix. In the posted -X trace rlm_mschap
   # passes --domain= (empty) to ntlm_auth and the call still succeeds; this setting is the
   # likely reason — confirm.
  winbind use default domain =yes
# Home shares: visible only to their owner (valid users = %S), owner-only permissions.
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S
# Printer shares: authenticated users only (guest ok = no).
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

/etc/krb5.conf


# /etc/krb5.conf — Kerberos client settings used by the Samba AD join (security = ads).
[libdefaults]
        default_realm = DOM.LOC
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        # KDCs/realm are also discovered through DNS SRV records.
        dns_lookup_realm = true
        dns_lookup_kdc = true
        proxiable = true
        # NOTE(review): both lists end with single-DES types (des-cbc-crc, des-cbc-md5). These are
        # weak and refused by modern KDCs; they are presumably here for the 2008-era DC — drop them
        # as soon as the DC no longer needs them.
        default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
        # NOTE(review): this stanza defines EL.LOC, while default_realm above and every
        # [domain_realm] mapping below use DOM.LOC. Unless EL.LOC is an anonymisation slip, DOM.LOC
        # has no explicit KDC here and is only found via DNS (dns_lookup_kdc = true) — confirm.
        EL.LOC = {
                kdc = pdc.dom.loc
                default_domain = dom.loc
                admin_server = pdc.dom.loc
}
# Hostname/domain -> realm mappings for dom.loc and the short NetBIOS form DOM.
[domain_realm]
                dom.loc=DOM.LOC
                .dom.loc=DOM.LOC
                DOM=DOM.LOC
                .DOM=DOM.LOC
[login]
        # Kerberos 4 compatibility options; obsolete.
        krb4_convert = true
        krb4_get_ticket = false
        # NOTE(review): kdc / admin_server / default = FILE:... are keys of the [logging] section in
        # MIT krb5; placed under [login] they are most likely ignored. Verify whether this section
        # was meant to be [logging].
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log


/etc/nsswitch.conf


# /etc/nsswitch.conf — winbind is consulted for users and groups after the local files.
passwd:         compat winbind
group:          compat winbind
# shadow stays local: domain passwords are verified by the DC (via winbind/ntlm_auth), not via NSS.
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
# NOTE(review): netgroup is served by NIS only; presumably unused on this host — confirm.
netgroup:       nis


/etc/freeradius/radiusd.conf


# /etc/freeradius/radiusd.conf — FreeRADIUS 2.0.4 main configuration (posted without the stock comments).
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

# NOTE(review): every other reference in this file uses ${...}; "$(raddbdir)" is almost certainly a
# typo for ${raddbdir}. db_dir is consumed by the counter and ippool modules — confirm whether it
# expands at all (the posted -X output does not print it).
db_dir = $(raddbdir)

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/freeradius.pid



max_request_time = 30

cleanup_delay = 5

max_requests = 1024

# Authentication listener on every interface; port = 0 means the default (1812 in the -X output).
# Only peers listed in clients.conf are answered — the posted trace shows just "localhost".
listen {
    type = auth


    ipaddr = *


    port = 0


}

# Accounting listener (default port 1813).
listen {
    ipaddr = *
    port = 0
    type = acct
}

hostname_lookups = no

allow_core_dumps = no

regular_expressions    = yes
extended_expressions    = yes

log {
    destination = files

    file = ${logdir}/radius.log

    syslog_facility = daemon

    stripped_names = no

    # NOTE(review): auth = no suppresses the "Login OK"/"Login incorrect" lines in radius.log in
    # normal (non -X) operation, which leaves no audit trail of VPN logins. auth = yes is the usual
    # choice; keep auth_goodpass/auth_badpass at no — those log the passwords themselves.
    auth = no

    auth_badpass = no
    auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200

    # Seconds to wait before an Access-Reject is sent; throttles online guessing.
    reject_delay = 1

    status_server = yes
}

# NOTE(review): this pulls in the stock proxy.conf — the -X output shows home_server localhost with
# the default secret "testing123" and a realm example.com. No realm module runs in authorize below,
# so nothing is actually proxied; proxy_requests = no would remove that surface entirely.
proxy_requests  = yes
$INCLUDE proxy.conf



$INCLUDE clients.conf


snmp    = no
$INCLUDE snmp.conf


thread pool {
    start_servers = 5

    max_servers = 32

    min_spare_servers = 3
    max_spare_servers = 10

    max_requests_per_server = 0
}

# Module definitions. Only the modules referenced from the authorize/authenticate/accounting/
# session/post-auth sections are instantiated (the -X output lists preprocess, chap, sql, mschap,
# acct_unique and detail for the unnamed server); the rest below is stock 2.0.4 content.
modules {


    pap {
        auto_header = no
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {

        radwtmp = ${logdir}/radwtmp
    }

# EAP is loaded but, per the -X output, without OpenSSL (no TLS/TTLS/PEAP); only pptpd's
# MS-CHAPv2 is used here.
$INCLUDE eap.conf

    mschap {

        # NOTE(review): with use_mppe = no the Access-Accept carries no MS-MPPE-*-Key attributes
        # (none appear in the posted reply), so pppd has nothing to derive MPPE keys from and the
        # tunnel payload stays in clear. If encryption is wanted: use_mppe = yes here plus
        # require-mppe-128 in pptpd-options.
        use_mppe = no



        with_ntdomain_hack = yes


# ntlm_auth validates the MS-CHAPv2 response against the DC through winbind.
# NOTE(review): in the posted -X trace the preprocess module (with_ntdomain_hack) has already
# rewritten "DOM\\kukuska" to "kukuska", so rlm_mschap reports "No NT-Domain was found" and passes
# --domain= (empty). The call still succeeds, presumably thanks to "winbind use default domain =
# yes" in smb.conf; a fallback such as --domain=%{%{mschap:NT-Domain}:-DOM} (2.x conditional
# syntax — verify it is accepted by 2.0.4) would make the domain explicit.
# NOTE(review): Windows error 778 means the client rejected the server's MS-CHAP2-Success
# authenticator. authorize pulls a User-Password from radcheck (see the Cleartext-Password warnings
# in the trace) and rlm_mschap says "with NT-Password"; if the 2.0.4 authenticator is derived from
# that SQL password rather than from the NT_KEY ntlm_auth returns, a radcheck password that differs
# from the AD one would explain "challenge accepted, server identity rejected" — TODO confirm
# against rlm_mschap 2.0.4, e.g. by testing an account with no password row in radcheck.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

    }

    # Stock placeholder; not referenced by any section below and not instantiated in the -X output.
    ldap {
        server = "ldap.your.domain"
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        ldap_connections_number = 5

        timeout = 4

        timelimit = 3

        net_timeout = 1

        tls {
            start_tls = no


        }


        dictionary_mapping = ${confdir}/ldap.attrmap


        edir_account_policy_check = no




    }






    # Realm splitters. None of them is listed in authorize below; the DOM\ prefix is instead
    # stripped by preprocess (with_ntdomain_hack), which is why mschap sees no NT-Domain.
    realm IPASS {
        format = prefix
        delimiter = "/"
    }

    realm suffix {
        format = suffix
        delimiter = "@"
    }

    realm realmpercent {
        format = suffix
        delimiter = "%"
    }

    realm ntdomain {
        format = prefix
        delimiter = "\\"
    }

    checkval {
        item-name = Calling-Station-Id

        check-name = Calling-Station-Id

        data-type = string

    }



    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints

        with_ascend_hack = no
        ascend_channels_per_line = 23

        # Rewrites "DOMAIN\user" to "user" before the SQL lookup (trace: %{User-Name} -> kukuska).
        with_ntdomain_hack = yes

        with_specialix_jetstream_hack = no

        with_cisco_vsa_hack = no
    }

    files {

        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        preproxy_usersfile = ${confdir}/preproxy_users

        compat = no
    }

    # Per-NAS accounting detail files, owner-readable only.
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

        detailperm = 0600

        header = "%t"


    }












    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }


    # NOTE(review): the -X output prints the DB login/password and every query from sql.conf;
    # anything pasted publicly from such a trace should be rotated.
    $INCLUDE sql.conf




    radutmp {
        filename = ${logdir}/radutmp

        username = %{User-Name}


        case_sensitive = yes

        check_with_nas = yes

        perm = 0600

        callerid = "yes"
    }

    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }

    attr_filter attr_filter.post-proxy {
        attrsfile = ${confdir}/attrs
    }

    attr_filter attr_filter.pre-proxy {
        attrsfile = ${confdir}/attrs.pre-proxy
    }

    attr_filter attr_filter.access_reject {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.access_reject
    }

    attr_filter attr_filter.accounting_response {
        key = %{User-Name}
        attrsfile = ${confdir}/attrs.accounting_response
    }

    # Daily session-time quota; depends on db_dir expanding correctly (see the note at the top).
    counter daily {
        filename = ${db_dir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        reply-name = Session-Timeout
        allowed-servicetype = Framed-User
        cache-size = 5000
    }


    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always noop {
        rcode = noop
    }
    always handled {
        rcode = handled
    }
    always updated {
        rcode = updated
    }
    always notfound {
        rcode = notfound
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }

    digest {
    }

    expiration {
        reply-message = "Password Has Expired\r\n"
    }

    logintime {
        reply-message = "You are calling outside your allowed timespan\r\n"

        minimum-timeout = 60
    }
    # shell_escape = yes keeps attribute values from being interpreted by the shell.
    exec {
        wait = yes
        input_pairs = request
        shell_escape = yes
        output = none
    }

    exec echo {
        wait = yes

        program = "/bin/echo %{User-Name}"

        input_pairs = request

        output_pairs = reply


        shell_escape = yes

    }


    # Stock example pool; not referenced below. Note the range spans 192.168.1.x–192.168.3.x while
    # netmask is a single /24 — presumably copied from the default file as-is.
    ippool main_pool {

        range-start = 192.168.1.1
        range-stop = 192.168.3.254

        netmask = 255.255.255.0

        cache-size = 800

        session-db = ${db_dir}/db.ippool

        ip-index = ${db_dir}/db.ipindex

        override = no

        maximum-timeout = 0

    }




    policy {
           filename = ${confdir}/policy.txt
    }

}

# Modules instantiated at startup regardless of whether a section references them.
instantiate {
    exec

    expr

    expiration
    logintime


}
# authorize: preprocess strips the DOM\ prefix, chap is a no-op for MS-CHAP, sql loads radcheck /
# radgroupcheck / reply items for the user.
# NOTE(review): the mschap module is not listed here, so Auth-Type MS-CHAP is presumably set by an
# SQL check item (the trace finds it right after the sql lookup, via group electro_ntlm) — confirm.
# The trace also warns that radcheck stores the known-good password as User-Password; 2.x expects
# Cleartext-Password (or an NT-Password hash) and converts it on the fly.
authorize {
        preprocess
        chap
        sql
}

# authenticate: dispatch on Auth-Type. For the PPTP users MS-CHAP is the only path actually taken.
authenticate {
    Auth-Type CHAP {
        chap
    }

    Auth-Type MS-CHAP {
        mschap

    }

}

# accounting: detail files plus the radacct table in SQL.
accounting {
       detail
       sql
}


# session: simultaneous-use check against open radacct rows (simul_count_query in sql.conf).
session {

        sql
}

# post-auth: the stock postauth_query records every Access-Accept/Reject in radpostauth.
# NOTE(review): that query stores '%{User-Password:-Chap-Password}' in the "pass" column. With
# MS-CHAP this is just the literal "Chap-Password" (as in the trace), but any PAP client would have
# its cleartext password written to the database — worth trimming the query if PAP is ever enabled.
post-auth {


        sql



}

$INCLUDE policy.conf


# NOTE(review): sites-enabled/default is also included (the -X output loads it), so the
# authorize/authenticate/... sections above may coexist with the ones in that file. The unnamed
# server in the trace instantiates only preprocess, sql, acct_unique and detail, which matches the
# sections above — confirm which definition the running server actually uses.
$INCLUDE sites-enabled/


Выполнение скрипта ntlm_auth


ntlm_auth --username=DOM\\kukuska --domain=DOM --password=parol
NT_STATUS_OK: Success (0x0)


sudo /usr/sbin/freeradius -X


FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7 2008 at 23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/var/run/freeradius/freeradius.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "monorad"
    shortname = "localhost"
    nastype = "other"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    zombie_period = 40
    status_check = "status-server"
    ping_check = "none"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
    use_mppe = no
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = "md5"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
    usersfile = "/etc/freeradius/users"
    acctusersfile = "/etc/freeradius/acct_users"
    preproxy_usersfile = "/etc/freeradius/preproxy_users"
    compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
    filename = "/var/log/freeradius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = "/etc/freeradius/attrs.access_reject"
    key = "%{User-Name}"
  }
 }
}
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = "/etc/freeradius/huntgroups"
    hints = "/etc/freeradius/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = yes
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
    driver = "rlm_sql_mysql"
    server = "localhost"
    port = ""
    login = "freerad"
    password = "freerad"
    radius_db = "radius"
    read_groups = yes
    sqltrace = no
    sqltracefile = "/var/log/freeradius/sqltrace.sql"
    readclients = no
    deletestalesessions = yes
    num_sql_socks = 5
    sql_user_name = "%{User-Name}"
    default_user_profile = ""
    nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
    authorize_check_query = "SELECT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, pba_company WHERE radcheck.Username = '%{SQL-User-Name}' AND radcheck.company_id=pba_company.id AND pba_company.deposit>=-pba_company.kredit AND pba_company.enable='Y' AND pba_company.block='N' ORDER BY radcheck.id"
    authorize_reply_query = "SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '%{SQL-User-Name}'           ORDER BY id"
    authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.V
alue,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
    authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.V
alue,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
    accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
    accounting_update_query = "UPDATE radacct           SET FramedIPAddress = '%{Framed-IP-Address}',           AcctSessionTime = '%{Acct-Session-Time}',           AcctInputOctets = '%{Acct-Input-Octets}',           AcctOutputOctets = '%{Acct-Output-Octets}'           WHERE AcctSessionId = '%{Acct-Session-Id}'           AND UserName = '%{SQL-User-Name}'           AND NASIPAddress= '%{NAS-IP-Address}'"
    accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
    accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
    accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
    accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
    accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
    group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
    connect_failure_retry_delay = 60
    simul_count_query = "SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
    simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
    postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
    safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to freerad@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
    detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
main {
    snmp = no
    smux_password = ""
    snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 41331, id=59, length=152
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "DOM\\kukuska"
    MS-CHAP-Challenge = 0x679e1e29ac5e2d1626443edb35c53996
    MS-CHAP2-Response = 0x3d00193443034caae98976d637a4ef4e88df00000000000000001c0235be0232792951945298bd
37d22e5cc46d446c6075f0
    Calling-Station-Id = "192.168.0.1"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 6
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
    expand: %{User-Name} -> kukuska
rlm_sql (sql): sql_set_user escaped user --> 'kukuska'
rlm_sql (sql): Reserving sql socket id: 4
    expand: SELECT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, pba_company WHERE radcheck.Username = '%{SQL-User-Name}' AND radcheck.company_id=pba_company.id AND pba_company.deposit>=-pba_company.kredit AND pba_company.enable='Y' AND pba_company.block='N' ORDER BY radcheck.id -> SELECT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, pba_company WHERE radcheck.Username = 'kukuska' AND radcheck.company_id=pba_company.id AND pba_company.deposit>=-pba_company.kredit AND pba_company.enable='Y' AND pba_company.block='N' ORDER BY radcheck.id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
rlm_sql (sql): User found in radcheck table
    expand: SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'kukuska'           ORDER BY id
    expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='kukuska'
    expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.V
alue,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.V
alue,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'kukuska' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql (sql): User found in group electro_ntlm
    expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.V
alue,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.V
alue,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'kukuska' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "MSCHAP"
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for kukuska with NT-Password
  rlm_mschap: No NT-Domain was found in the User-Name.
    expand: --domain=%{mschap:NT-Domain} -> --domain=
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=kukuska
 mschap2: 67
    expand: --challenge=%{mschap:Challenge:-00} -> --challenge=8978da096443650f
    expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=1c0235be0232792951945298bd37d22e5cc46d446c6075f0
Exec-Program output: NT_KEY: 31698D4B8B3F6BA57DAB16140738777F
Exec-Program-Wait: plaintext: NT_KEY: 31698D4B8B3F6BA57DAB16140738777F
Exec-Program: returned: 0
++[mschap] returns ok
+- entering group session
    expand: %{User-Name} -> kukuska
rlm_sql (sql): sql_set_user escaped user --> 'kukuska'
    expand: SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0 -> SELECT COUNT(*) FROM radacct WHERE UserName='kukuska' AND AcctStopTime = 0
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
Login OK: [kukuska/<via Auth-Type = MS-CHAP>] (from client localhost port 6 cli 192.168.0.1)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
    expand: %{User-Name} -> kukuska
rlm_sql (sql): sql_set_user escaped user --> 'kukuska'
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'kukuska', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'kukuska', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
Sending Access-Accept of id 59 to 127.0.0.1 port 41331
    Framed-IP-Address := 172.16.2.13
    Framed-Compression := Van-Jacobson-TCP-IP
    Framed-Protocol := PPP
    Service-Type := Framed-User
    Framed-MTU := 1450
    MS-CHAP2-Success = 0x3d533d333745353337433841323646373535433334394146373441313733393437303537413331
39393331
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 59 with timestamp +6
Ready to process requests.

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение r3bers »

Те же яйца, вид сбоку: Lenny4 + PPTPD + Samba + Winbind

/etc/ppp/options


# /etc/ppp/options — here pppd authenticates directly through winbind instead of RADIUS.
plugin winbind.so
# The helper speaks the ntlm-server-1 protocol to ntlm_auth; --require-membership-of limits VPN
# logons to members of the "DOM\VPN Users" group, a sensible least-privilege default.
ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="DOM\\VPN Users"'


То же выполнение ntlm_auth:


ntlm_auth --username=USR --domain=DOM --password=PASS
NT_STATUS_OK: Success (0x0)


Помогает


# Workaround reported in this reply: restarting both daemons makes ntlm_auth work again,
# presumably because winbind re-establishes its secure channel to the DC — TODO confirm
# (hutnick reports below that a restart does not help in his case).
service samba restart
service winbind restart


Иных способов вылечить пока не нашёл.

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение hutnick »

Дело в том, что у меня перезапуск не помогает совсем — ошибка 778 остаётся. Хотя бы понять, как и почему всплывает именно эта ошибка, с чем это связано, какой пакет даунгрейдить или апгрейдить???

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение sash-kan »

гугление наводит на мысль, что клиент пытается провести неправильную процедуру аутентификации (или вообще неверно выбирает протокол туннелирования).
надо глядеть подробный лог попытки соединения.

p.s. не знаю, что там в windows-клиентах можно настраивать, но, если получится, лучше бы как-то зафиксировать протоколы туннелирования и аутентификации.

p.p.s. о! вспомнил. я ж в своё время настраивал «автоустановщик vpn в божественных системах» (cmak называется). насколько помнится, там очень даже конкретно можно было задать параметры типа выбора протоколов.
Писать безграмотно - значит посягать на время людей, к которым мы адресуемся, а потому совершенно недопустимо в правильно организованном обществе. © Щерба Л. В., 1957
при сбоях форума см.блог
Ленивая Бестолочь
Бывший модератор
Сообщения: 2760
ОС: Debian; gentoo

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение Ленивая Бестолочь »

Уведомление от модератора
забираю тему в "администрирование"
Солнце садилось в море, а люди с неоконченным высшим образованием выбегали оттуда, думая, что море закипит.
hutnick
Сообщения: 20
ОС: Debian

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение hutnick »

Информация к размышлению: ни с того ни с сего сервис заработал; радоваться не стал, перезапустил winbind и bind9 — и всё, снова ошибка 778. Вот лог, когда всё работает:


FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7 2008 at 23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
including dictionary file /etc/freeradius/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/var/run/freeradius/freeradius.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
 security {
    max_attributes = 200
    reject_delay = 1
    status_server = yes
 }
}
 client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "monorad"
    shortname = "localhost"
    nastype = "other"
 }
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
    retry_delay = 5
    retry_count = 3
    default_fallback = no
    dead_time = 120
    wake_all_if_all_dead = no
 }
 home_server localhost {
    ipaddr = 127.0.0.1
    port = 1812
    type = "auth"
    secret = "testing123"
    response_window = 20
    max_outstanding = 65536
    zombie_period = 40
    status_check = "status-server"
    ping_check = "none"
    ping_interval = 30
    check_interval = 30
    num_answers_to_alive = 3
    num_pings_to_alive = 3
    revive_interval = 120
    status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
    type = fail-over
    home_server = localhost
 }
 realm example.com {
    auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
    wait = yes
    input_pairs = "request"
    shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked to module rlm_expiration
 Module: Instantiating expiration
  expiration {
    reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating logintime
  logintime {
    reply-message = "You are calling outside your allowed timespan  "
    minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
    encryption_scheme = "auto"
    auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
    use_mppe = no
    require_encryption = no
    require_strong = no
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
    radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
    default_eap_type = "md5"
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
    challenge = "Password: "
    auth_type = "PAP"
   }
rlm_eap: Ignoring EAP-Type/tls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/ttls because we do not have OpenSSL support.
rlm_eap: Ignoring EAP-Type/peap because we do not have OpenSSL support.
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
    with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating suffix
  realm suffix {
    format = "suffix"
    delimiter = "@"
    ignore_default = no
    ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating files
  files {
    usersfile = "/etc/freeradius/users"
    acctusersfile = "/etc/freeradius/acct_users"
    preproxy_usersfile = "/etc/freeradius/preproxy_users"
    compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating radutmp
  radutmp {
    filename = "/var/log/freeradius/radutmp"
    username = "%{User-Name}"
    case_sensitive = yes
    check_with_nas = yes
    perm = 384
    callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating attr_filter.access_reject
  attr_filter attr_filter.access_reject {
    attrsfile = "/etc/freeradius/attrs.access_reject"
    key = "%{User-Name}"
  }
 }
}
server {
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating preprocess
  preprocess {
    huntgroups = "/etc/freeradius/huntgroups"
    hints = "/etc/freeradius/hints"
    with_ascend_hack = no
    ascend_channels_per_line = 23
    with_ntdomain_hack = yes
    with_specialix_jetstream_hack = no
    with_cisco_vsa_hack = no
    with_alvarion_vsa_hack = no
  }
 Module: Linked to module rlm_sql
 Module: Instantiating sql
  sql {
    driver = "rlm_sql_mysql"
    server = "localhost"
    port = ""
    login = "freerad"
    password = "freerad"
    radius_db = "radius"
    read_groups = yes
    sqltrace = no
    sqltracefile = "/var/log/freeradius/sqltrace.sql"
    readclients = no
    deletestalesessions = yes
    num_sql_socks = 5
    sql_user_name = "%{User-Name}"
    default_user_profile = ""
    nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
    authorize_check_query = "SELECT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, pba_company WHERE radcheck.Username = '%{SQL-User-Name}' AND radcheck.company_id=pba_company.id AND pba_company.deposit>=-pba_company.kredit AND pba_company.enable='Y' AND pba_company.block='N' ORDER BY radcheck.id"
    authorize_reply_query = "SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '%{SQL-User-Name}'           ORDER BY id"
    authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.V
alue,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id"
    authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.V
alue,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id"
    accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S', AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime), AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
    accounting_update_query = "UPDATE radacct           SET FramedIPAddress = '%{Framed-IP-Address}',           AcctSessionTime = '%{Acct-Session-Time}',           AcctInputOctets = '%{Acct-Input-Octets}',           AcctOutputOctets = '%{Acct-Output-Octets}'           WHERE AcctSessionId = '%{Acct-Session-Id}'           AND UserName = '%{SQL-User-Name}'           AND NASIPAddress= '%{NAS-IP-Address}'"
    accounting_update_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0')"
    accounting_start_query = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0')"
    accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S', AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
    accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}'"
    accounting_stop_query_alt = "INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
    group_membership_query = "SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'"
    connect_failure_retry_delay = 60
    simul_count_query = "SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
    simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName, NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
    postauth_query = "INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
    safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
  }
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to freerad@localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
rlm_sql_mysql: Starting connect to MySQL server for #1
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
rlm_sql_mysql: Starting connect to MySQL server for #2
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
rlm_sql_mysql: Starting connect to MySQL server for #3
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
rlm_sql_mysql: Starting connect to MySQL server for #4
rlm_sql (sql): Connected new DB handle, #4
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating acct_unique
  acct_unique {
    key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating detail
  detail {
    detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
    header = "%t"
    detailperm = 384
    dirperm = 493
    locking = no
    log_packet_header = no
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
}
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
main {
    snmp = no
    smux_password = ""
    snmp_write_access = no
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 36337, id=60, length=152
    Service-Type = Framed-User
    Framed-Protocol = PPP
    User-Name = "DOM\\kukuska"
    MS-CHAP-Challenge = 0x977a754ec337e8f88e4c198325d0a213
    MS-CHAP2-Response = 0x9b009d9ce5a47c127e5a4cf0b69c420e9e800000000000000000e164baccdec44c4f28d60ef47e
661e17af6e5e76ca01c434
    Calling-Station-Id = "192.168.0.1"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 9
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
    expand: %{User-Name} -> kukuska
rlm_sql (sql): sql_set_user escaped user --> 'kukuska'
rlm_sql (sql): Reserving sql socket id: 4
    expand: SELECT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, pba_company WHERE radcheck.Username = '%{SQL-User-Name}' AND radcheck.company_id=pba_company.id AND pba_company.deposit>=-pba_company.kredit AND pba_company.enable='Y' AND pba_company.block='N' ORDER BY radcheck.id -> SELECT radcheck.id,radcheck.UserName,radcheck.Attribute,radcheck.Value,radcheck.op FROM radcheck, pba_company WHERE radcheck.Username = 'kukuska' AND radcheck.company_id=pba_company.id AND pba_company.deposit>=-pba_company.kredit AND pba_company.enable='Y' AND pba_company.block='N' ORDER BY radcheck.id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
rlm_sql (sql): User found in radcheck table
    expand: SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'kukuska'           ORDER BY id
    expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='kukuska'
    expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.V
alue,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.V
alue,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'kukuska' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql (sql): User found in group electro_ntlm
    expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.V
alue,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.V
alue,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'kukuska' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
  rad_check_password:  Found Auth-Type MS-CHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
auth: type "MSCHAP"
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for kukuska with NT-Password
  rlm_mschap: No NT-Domain was found in the User-Name.
    expand: --domain=%{mschap:NT-Domain} -> --domain=
    expand: --username=%{mschap:User-Name} -> --username=kukuska
 mschap2: 97
    expand: --challenge=%{mschap:Challenge:-00} -> --challenge=9b14e053474cab63
    expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=e164baccdec44c4f28d60ef47e661e17af6e5e76ca01c434
Exec-Program output: NT_KEY: 5A38795924836549296FCA0D055E0F73
Exec-Program-Wait: plaintext: NT_KEY: 5A38795924836549296FCA0D055E0F73
Exec-Program: returned: 0
++[mschap] returns ok
+- entering group session
    expand: %{User-Name} -> kukuska
rlm_sql (sql): sql_set_user escaped user --> 'kukuska'
    expand: SELECT COUNT(*) FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0 -> SELECT COUNT(*) FROM radacct WHERE UserName='kukuska' AND AcctStopTime = 0
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
Login OK: [kukuska/<via Auth-Type = MS-CHAP>] (from client localhost port 9 cli 192.168.0.1)
+- entering group post-auth
rlm_sql (sql): Processing sql_postauth
    expand: %{User-Name} -> kukuska
rlm_sql (sql): sql_set_user escaped user --> 'kukuska'
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
    expand: INSERT into radpostauth (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW()) -> INSERT into radpostauth (id, user, pass, reply, date) values ('', 'kukuska', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT into radpostauth (id, user, pass, reply, date) values ('', 'kukuska', 'Chap-Password', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
Sending Access-Accept of id 60 to 127.0.0.1 port 36337
    Framed-IP-Address := 172.16.2.13
    Framed-Compression := Van-Jacobson-TCP-IP
    Framed-Protocol := PPP
    Service-Type := Framed-User
    Framed-MTU := 1450
    MS-CHAP2-Success = 0x9b533d343737414142383936304242394136353930443133383730443243334433463136464439
46424531
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 54490, id=61, length=116
    Acct-Session-Id = "4B6C27E2760600"
    User-Name = "DOM\\kukuska"
    Acct-Status-Type = Start
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Calling-Station-Id = "192.168.0.1"
    Acct-Authentic = RADIUS
    NAS-Port-Type = Async
    Framed-IP-Address = 172.16.2.13
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 9
    Acct-Delay-Time = 0
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 9,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4B6C27E2760600",User-Name = "kukuska"'
rlm_acct_unique: Acct-Unique-Session-ID = "f491912bbb8b37ce".
++[acct_unique] returns ok
    rlm_realm: No '@' in User-Name = "kukuska", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20100205
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20100205
    expand: %t -> Fri Feb  5 16:14:58 2010
++[detail] returns ok
    expand: %{User-Name} -> kukuska
rlm_sql (sql): sql_set_user escaped user --> 'kukuska'
    expand: INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Delay-Time}', '0') -> INSERT into radacct (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay) values('4B6C27E2760600', 'f491912bbb8b37ce', 'kukuska', '', '127.0.0.1', '9', 'Async', '2010-02-05 16:14:58', '0', '0', 'RADIUS', '', '', '0', '0', '', '192.168.0.1', '', 'Framed-User', 'PPP', '172.16.2.13', '0', '0')
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
Sending Accounting-Response of id 61 to 127.0.0.1 port 54490
Finished request 1.
Cleaning up request 1 ID 61 with timestamp +4
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 60 with timestamp +4
Ready to process requests.
rad_recv: Accounting-Request packet from host 127.0.0.1 port 38213, id=62, length=152
    Acct-Session-Id = "4B6C27E2760600"
    User-Name = "DOM\\kukuska"
    Acct-Status-Type = Stop
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Acct-Authentic = RADIUS
    Acct-Session-Time = 16
    Acct-Output-Octets = 27880
    Acct-Input-Octets = 16492
    Acct-Output-Packets = 185
    Acct-Input-Packets = 204
    Calling-Station-Id = "192.168.0.1"
    NAS-Port-Type = Async
    Acct-Terminate-Cause = User-Request
    Framed-IP-Address = 172.16.2.13
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 9
    Acct-Delay-Time = 0
+- entering group preacct
++[preprocess] returns ok
rlm_acct_unique: Hashing 'NAS-Port = 9,Client-IP-Address = 127.0.0.1,NAS-IP-Address = 127.0.0.1,Acct-Session-Id = "4B6C27E2760600",User-Name = "kukuska"'
rlm_acct_unique: Acct-Unique-Session-ID = "f491912bbb8b37ce".
++[acct_unique] returns ok
    rlm_realm: No '@' in User-Name = "kukuska", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
+- entering group accounting
    expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/detail-20100205
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/detail-20100205
    expand: %t -> Fri Feb  5 16:15:14 2010
++[detail] returns ok
    expand: %{User-Name} -> kukuska
rlm_sql (sql): sql_set_user escaped user --> 'kukuska'
    expand: UPDATE radacct SET AcctStopTime = '%S', AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets = '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}', AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay = '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND NASIPAddress = '%{NAS-IP-Address}' -> UPDATE radacct SET AcctStopTime = '2010-02-05 16:15:14', AcctSessionTime = '16', AcctInputOctets = '16492', AcctOutputOctets = '27880', AcctTerminateCause = 'User-Request', AcctStopDelay = '0', ConnectInfo_stop = '' WHERE AcctSessionId = '4B6C27E2760600' AND UserName = 'kukuska' AND NASIPAddress = '127.0.0.1'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql (sql): Released sql socket id: 0
++[sql] returns ok
Sending Accounting-Response of id 62 to 127.0.0.1 port 38213
Finished request 2.
Cleaning up request 2 ID 62 with timestamp +20
Going to the next request
Ready to process requests.
sash-kan
Администратор
Сообщения: 13939
Статус: oel ngati kameie
ОС: GNU

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение sash-kan »

это лог freeradius-а. мало интересен, поскольку не он общается с клиентом.
собственно, неинтересность этого лога заключается в следующем:
и при удачной, и при неудачной попытке всё вполне успешно доходит до Sending Access-Accept. freeradius отсылает этот акцепт pptpd-демону, тот — клиенту, а клиент, судя по отсутствию реакции в неудачном логе, на этом этапе «забивает». в логе freeradius-а о причине «забития», естественно, ничего увидеть невозможно.
нужен протокол общения pptpd с клиентом, а не pptpd с freeradius-ом.

p.s. а как насчёт cmak-а?
Писать безграмотно - значит посягать на время людей, к которым мы адресуемся, а потому совершенно недопустимо в правильно организованном обществе. © Щерба Л. В., 1957
при сбоях форума см.блог
hutnick
Сообщения: 20
ОС: Debian

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение hutnick »

Конечно, я пробовал CMAK и явно указал там PPTP. Вот лог pptpd:


Feb  8 09:43:34 merlin pptpd[15789]: CTRL: Starting call (launching pppd, opening GRE)
Feb  8 09:43:34 merlin pppd[15790]: Plugin radius.so loaded.
Feb  8 09:43:34 merlin pppd[15790]: RADIUS plugin initialized.
Feb  8 09:43:34 merlin pppd[15790]: Plugin radattr.so loaded.
Feb  8 09:43:34 merlin pppd[15790]: RADATTR plugin initialized.
Feb  8 09:43:34 merlin pppd[15790]: pppd options in effect:
Feb  8 09:43:34 merlin pppd[15790]: debug debug#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: -detach#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: dump#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: plugin radius.so#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: plugin radattr.so#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: require-mschap-v2#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: refuse-pap#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: refuse-chap#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: -chap#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: refuse-mschap#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: name pptpd#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: 115200#011#011# (from command line)
Feb  8 09:43:34 merlin pppd[15790]: lock#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: crtscts#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: local#011#011# (from command line)
Feb  8 09:43:34 merlin pppd[15790]: asyncmap 0#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: lcp-echo-failure 4#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: lcp-echo-interval 30#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: hide-password#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: ipparam 192.168.0.1#011#011# (from command line)
Feb  8 09:43:34 merlin pppd[15790]: ms-dns xxx # [don't know how to print value]#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: nodefaultroute#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: proxyarp#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: 172.16.50.1:192.168.1.1#011#011# (from command line)
Feb  8 09:43:34 merlin pppd[15790]: nobsdcomp#011#011# (from /etc/ppp/pptpd-options)
Feb  8 09:43:34 merlin pppd[15790]: noipx#011#011# (from /etc/ppp/options)
Feb  8 09:43:34 merlin pppd[15790]: pppd 2.4.4 started by root, uid 0
Feb  8 09:43:34 merlin pppd[15790]: using channel 1714
Feb  8 09:43:34 merlin pppd[15790]: Using interface ppp6
Feb  8 09:43:34 merlin pppd[15790]: Connect: ppp6 <--> /dev/pts/9
Feb  8 09:43:34 merlin pppd[15790]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x81b60732> <pcomp> <accomp>]
Feb  8 09:43:34 merlin pptpd[15789]: GRE: Bad checksum from pppd.
Feb  8 09:43:34 merlin pppd[15790]: rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0x1334152f> <pcomp> <accomp> <callback CBCP>]
Feb  8 09:43:34 merlin pppd[15790]: sent [LCP ConfRej id=0x0 <callback CBCP>]
Feb  8 09:43:34 merlin pppd[15790]: rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0x1334152f> <pcomp> <accomp>]
Feb  8 09:43:34 merlin pppd[15790]: sent [LCP ConfAck id=0x1 <mru 1400> <magic 0x1334152f> <pcomp> <accomp>]
Feb  8 09:43:37 merlin pppd[2035]: sent [LCP EchoReq id=0x63 magic=0x3410930d]
Feb  8 09:43:37 merlin pppd[2035]: rcvd [LCP EchoRep id=0x63 magic=0x13d23ba4]
Feb  8 09:43:37 merlin pppd[15790]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x81b60732> <pcomp> <accomp>]
Feb  8 09:43:37 merlin pppd[15790]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x81b60732> <pcomp> <accomp>]
Feb  8 09:43:37 merlin pppd[15790]: sent [LCP EchoReq id=0x0 magic=0x81b60732]
Feb  8 09:43:37 merlin pppd[15790]: sent [CHAP Challenge id=0xc <8808bff5c21c6bfbc2ae7c4f6601099e>, name = "pptpd"]
Feb  8 09:43:37 merlin pppd[15790]: rcvd [LCP Ident id=0x2 magic=0x1334152f "MSRASV5.20"]
Feb  8 09:43:37 merlin pppd[15790]: rcvd [LCP Ident id=0x3 magic=0x1334152f "MSRAS-0-PDC"]
Feb  8 09:43:37 merlin pppd[15790]: rcvd [LCP EchoRep id=0x0 magic=0x1334152f]
Feb  8 09:43:37 merlin pppd[15790]: rcvd [CHAP Response id=0xc <b32af617f9e28b7b85854cc64ca8563e00000000000000001c98637349882b05d9193487cc5c
79493c46c7ce34aa6ab000>, name = "DOM\\kukuska"]
Feb  8 09:43:37 merlin pppd[15790]: RADATTR plugin wrote 6 line(s) to file /var/run/radattr.ppp6.
Feb  8 09:43:37 merlin pppd[15790]: sent [CHAP Success id=0xc "S=39B5D786F0CC2A0D276CA19F3A030633492588AC"]
Feb  8 09:43:37 merlin pppd[15790]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15>]
Feb  8 09:43:37 merlin pppd[15790]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 172.16.50.1>]
Feb  8 09:43:37 merlin pppd[15790]: rcvd [LCP TermReq id=0x4 13 34 15 2f 00 3c cd 74 00 00 03 0a]
Feb  8 09:43:37 merlin pppd[15790]: LCP terminated by peer (^S4^U/^@<M-Mt^@^@^C^J)
Feb  8 09:43:37 merlin pppd[15790]: sent [LCP TermAck id=0x4]
Feb  8 09:43:37 merlin pppd[15790]: Modem hangup
Feb  8 09:43:37 merlin pppd[15790]: Connection terminated.
Feb  8 09:43:37 merlin pppd[15790]: Connect time 0.1 minutes.
Feb  8 09:43:37 merlin pppd[15790]: Sent 28 bytes, received 0 bytes.
Feb  8 09:43:37 merlin pppd[15790]: RADATTR plugin removed file /var/run/radattr.ppp6.
Feb  8 09:43:37 merlin pppd[15790]: Exit.
sash-kan
Администратор
Сообщения: 13939
Статус: oel ngati kameie
ОС: GNU

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение sash-kan »

hutnick писал(а):
08.02.2010 10:47
Feb 8 09:43:37 merlin pppd[15790]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15>]
Feb 8 09:43:37 merlin pppd[15790]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 172.16.50.1>]
Feb 8 09:43:37 merlin pppd[15790]: rcvd [LCP TermReq id=0x4 13 34 15 2f 00 3c cd 74 00 00 03 0a]
вот это уже интереснее. клиенту посылаются два пакета (CCP ConfReq и IPCP ConfReq), и в ответ от него приходит LCP TermReq: «злые вы, уйду я от вас».
можно попробовать подкормить соединение параметрами (это опции pppd, например в /etc/ppp/pptpd-options; добавлять по одному, чтобы не переборщить, именно в такой последовательности):
nodeflate novjccomp novj noccp noip
последние два — вообще только в крайнем случае.

p.s. хотя, если помедитировать над _смыслом_ сообщения об ошибке, очень может быть, что windows, как обычно, на своей волне сама себе какие-то проблемы из пальца высасывает.
hutnick
Сообщения: 20
ОС: Debian

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение hutnick »

Попробовал использовать все посоветованные опции — результата не дало.
Решил поступить кардинально: удалил samba-common и winbind, пересобрал из исходников samba-common и winbind, подключив source от debian etch. Всё сразу же заработало и работает как часики, тестирую уже на трёх серверах — всё нормально. Не знаю, насколько это является верным решением данной проблемы (к тому же пересобранные вручную пакеты не будут обновляться штатно, в том числе обновлениями безопасности), но лучшего способа пока не вижу. Попробую в будущем эту связку на squeeze — может, там будет уже всё OK.
r3bers
Сообщения: 2
ОС: Debian

Re: Lenny + Freeradius + ntlm_auth +MS AD Error 778

Сообщение r3bers »

hutnick писал(а):
09.02.2010 11:41
Попробовал использовать все посоветованные опции — результата не дало.
Решил поступить кардинально: удалил samba-common и winbind, пересобрал из исходников samba-common и winbind, подключив source от debian etch. Всё сразу же заработало и работает как часики, тестирую уже на трёх серверах — всё нормально. Не знаю, насколько это является верным решением данной проблемы, но лучшего способа пока не вижу. Попробую в будущем эту связку на squeeze — может, там будет уже всё OK.


Способ лучше: зачем их собирать? Выкачал по ссылкам deb-пакеты и разложил бинарники по своим местам.
Правда, это не способ — это отступление )

У меня и lenny что-то перестал ошибаться. Уже пару дней. Может кто из ФСБ где-нибудь у операторов GRE пакеты разбирал не верно на своих СОРМ'овских приблудах )