Software used:
Member server, administrative network
UCS 4.4-4
Radius App 5.0
Description
We use UCS with UCS@school (which, however, is not installed on the affected server). I set up a member server for the administrative network (everything works there) and would like to use it for RADIUS and DHCP. I did not adjust the DHCP configuration manually; I only installed the app.
I am not sure whether I then also have to install UCS@school on this member server?
Error description
The services are running, but RADIUS authentication does not work: No valid NT-password-hash found
univention-radius-check-access --username=f.XXX
DEBUG: [user=f.XXX; mac=None] Given username: "f.XXX"
DEBUG: [user=f.XXX; mac=None] Given stationId: "None"
DEBUG: [user=f.XXX; mac=None] UCS@school RADIUS support is not installed
DEBUG: [user=f.XXX; mac=None] Checking LDAP settings for user
DEBUG: [user=f.XXX; mac=None] ALLOW 'uid=f.XXX,cn=lehrer und mitarbeiter,cn=users,ou=hebk,dc=hebk,dc=de'
[truncated]
INFO: [user=f.XXX; mac=None] Login attempt permitted by LDAP settings
DEBUG: [user=f.XXX; mac=None] MAC filtering is disabled by radius/mac/whitelisting.
INFO: [user=f.XXX; mac=None] User is allowed to use RADIUS
DEBUG: [user=f.XXX; mac=None] No valid NT-password-hash found. Check the "sambaNTPassword" attribute of the user.
DEBUG: [user=f.XXX; mac=None] --- Thus access is DENIED.
In the log /var/log/freeradius/radius.log I noticed the following entry: ldap://localhost:389 failed
Info: Debugger not attached
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20445
Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Error: rlm_ldap (ldap): Bind with (anonymous) to ldap://localhost:389 failed: Can't contact LDAP server
Error: rlm_ldap (ldap): Opening connection failed (0)
Error: /etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module "ldap"
Info: Debugger not attached
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20445
Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Info: Loaded virtual server <default>
Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Info: Loaded virtual server inner-tunnel
Info: Loaded virtual server default
Info: Ready to process requests
Info: Signalled to terminate
Info: Exiting normally
Info: rlm_ldap (ldap): Closing connection (4)
Info: rlm_ldap (ldap): Closing connection (3)
Info: rlm_ldap (ldap): Closing connection (2)
Info: rlm_ldap (ldap): Closing connection (1)
Info: rlm_ldap (ldap): Closing connection (0)
Info: Debugger not attached
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20445
Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Info: Loaded virtual server <default>
Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Info: Loaded virtual server inner-tunnel
Info: Loaded virtual server default
Info: Ready to process requests
Info: Signalled to terminate
Info: Exiting normally
Info: rlm_ldap (ldap): Closing connection (4)
Info: rlm_ldap (ldap): Closing connection (3)
Info: rlm_ldap (ldap): Closing connection (2)
Info: rlm_ldap (ldap): Closing connection (1)
Info: rlm_ldap (ldap): Closing connection (0)
Info: Debugger not attached
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20445
Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Info: Loaded virtual server <default>
Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Info: Loaded virtual server inner-tunnel
Info: Loaded virtual server default
Info: Ready to process requests
Info: rlm_ldap (ldap): Closing connection (0): Hit idle_timeout, was idle for 9345 seconds
Info: rlm_ldap (ldap): Closing connection (1): Hit idle_timeout, was idle for 9345 seconds
Info: rlm_ldap (ldap): Closing connection (2): Hit idle_timeout, was idle for 9345 seconds
Info: rlm_ldap (ldap): Closing connection (3): Hit idle_timeout, was idle for 9345 seconds
Info: rlm_ldap (ldap): Closing connection (4): Hit idle_timeout, was idle for 9345 seconds
Info: rlm_ldap (ldap): Opening additional connection (5), 1 of 32 pending slots used
Info: rlm_ldap (ldap): Need 2 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used
ERROR: (14) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
Auth: (14) Login incorrect (mschap: Program returned code (1) and output 'Logon failure (0xc000006d)'): [f.XXX/<via Auth-Type = eap>] (from client WLAN-Controller port 0 via TLS tunnel)
Info: (15) eap_peap: The users session was previously rejected: returning reject (again.)
Info: (15) eap_peap: This means you need to read the PREVIOUS messages in the debug output
Info: (15) eap_peap: to find out the reason why the user was rejected
Info: (15) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you
Info: (15) eap_peap: what went wrong, and how to fix the problem
Auth: (15) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [f.XXX/<via Auth-Type = eap>] (from client WLAN-Controller port 93 cli 04-D6-AA-5A-F9-FE)
Info: rlm_ldap (ldap): Need 1 more connections to reach 10 spares
Info: rlm_ldap (ldap): Opening additional connection (7), 1 of 30 pending slots used
ERROR: (18) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
[truncated]
Auth: (99) Login incorrect (eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed): [f.XXX/<via Auth-Type = eap>] (from client WLAN-Controller port 33 cli 00-26-B6-F8-86-5F)
Info: Signalled to terminate
Info: Exiting normally
Info: rlm_ldap (ldap): Closing connection (14)
Info: rlm_ldap (ldap): Closing connection (13)
Info: Debugger not attached
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Warning: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20445
Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Info: Loaded virtual server <default>
Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
Info: Loaded virtual server inner-tunnel
Info: Loaded virtual server default
Info: Ready to process requests
Yet /etc/freeradius/3.0/mods-available/ldap contains:
ldap {
[...]
server = "verwaltung.XXX.XXX"
# server = 'ldap.rrdns.example.org'
# server = 'ldap.rrdns.example.org'
# Port to connect on, defaults to 389, will be ignored for LDAP URIs.
# port = 389
port = "7389"
I am not sure whether this is related, and I only want to install UCS@school if it is necessary, because I want to keep the server as small as possible.