Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: julio on July 01, 2015, 07:01:55 pm
-
open a terminal window and "copy & paste" the following commands:
changes:
09.14.15 - winbind package added to dependency
           change UID attribute to sAMAccountName in ldap.mas, credits to jbahillo, thx!
10.23.15 - fixed LDAP group filter
11.05.15 - added double quotes to group in user.mas
           fixed patch versions
11.14.15 - startup script changes, fixed ntlm_auth permissions
           re-set the permissions on existing certificates
06.11.16 - extended "LogHelper.pm" parsing function,
           with mac address format: "aabbccddeeff"
06.12.16 - extended "LogHelper.pm" parsing function,
           change mac address format to uppercase format
03.04.17 - Adapted to 5.0,
           changed service handling to systemd
09.07.17 - Adapted zentyal 5.0 version to use Samba 4.5 NTLMv1 authentication instead of default NTLMv2
09.04.18 - Adapted to 5.1
05.09.18 - Fixed typo in 5.1
zentyal 4.0:
sudo apt-get install -y zbuildtools build-essential fakeroot dpkg-dev
cd /tmp
wget 'http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz' -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius-3.5.1 zentyal-radius-4.0
wget 'https://drive.google.com/uc?export=download&id=0B4_d-7xL0AS_VER4RkJRU1FQNEk' -O zentyal-radius-4.0.patch
patch -t -p1 -i zentyal-radius-4.0.patch
cd zentyal-radius-4.0
dpkg-buildpackage -rfakeroot -b -tc
cd ..
sudo apt-get install -y ./zentyal-radius_4.0_all.deb
sudo service zentyal webadmin restart
zentyal 4.2:
sudo apt-get install -y zbuildtools build-essential fakeroot dpkg-dev
cd /tmp
wget 'http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz' -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius-3.5.1 zentyal-radius-4.2
wget 'https://drive.google.com/uc?export=download&id=0B4_d-7xL0AS_MWRMOS10Y2c1S2s' -O zentyal-radius-4.2.patch
patch -t -p1 -i zentyal-radius-4.2.patch
cd zentyal-radius-4.2
dpkg-buildpackage -rfakeroot -b -tc
cd ..
sudo apt-get install -y ./zentyal-radius_4.2_all.deb
sudo service zentyal webadmin restart
zentyal 5.0:
sudo apt install -y zbuildtools build-essential fakeroot dpkg-dev
cd /tmp
wget 'http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz' -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius-3.5.1 zentyal-radius-5.0
wget 'https://drive.google.com/uc?export=download&id=0B4_d-7xL0AS_djZpaXNIUHFNOWs' -O zentyal-radius-5.0.patch
patch -t -p1 -i zentyal-radius-5.0.patch
cd zentyal-radius-5.0
dpkg-buildpackage -rfakeroot -b -tc
cd ..
sudo apt install -y ./zentyal-radius_5.0_all.deb
sudo zs webadmin restart
sudo mkdir -p /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/smb.conf.mas
sudo sed -i '/\[global\]/a lanman auth = yes\nntlm auth = yes' /etc/zentyal/stubs/samba/smb.conf.mas
sudo zs samba restart
zentyal 5.1:
sudo apt install -y zbuildtools build-essential fakeroot dpkg-dev
cd /tmp
wget 'http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz' -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius-3.5.1 zentyal-radius-5.1
wget 'https://drive.google.com/uc?export=download&id=1K99PAIAHl1j4bnBxcTMyXgKpJEpTQflB' -O zentyal-radius-5.1.patch
patch -t -p1 -i zentyal-radius-5.1.patch
cd zentyal-radius-5.1
dpkg-buildpackage -rfakeroot -b -tc
cd ..
sudo apt install -y ./zentyal-radius_5.1_all.deb
sudo zs webadmin restart
sudo mkdir -p /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/smb.conf.mas
sudo sed -i '/\[global\]/a lanman auth = yes\nntlm auth = yes' /etc/zentyal/stubs/samba/smb.conf.mas
sudo zs samba restart
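
Added example, not part of the original post: the sed lines in the 5.0 and 5.1 instructions switch on "ntlm auth" and "lanman auth" in Samba's [global] section (the NTLMv1 change noted in the changelog), and [global] settings apply server-wide. The script below reports the effective values in a config or stub file; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Report the effective "ntlm auth" / "lanman auth" values in the [global]
# section of a Samba config or a Zentyal smb.conf.mas stub override.

# effective_global_param FILE "param name"
# Prints the last value assigned to the parameter inside [global]. Samba
# ignores case and whitespace in section and parameter names, and a later
# assignment overrides an earlier one, so both are handled here.
effective_global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            in_global = (norm(sec) == "global")
            next
        }
        in_global && index($0, "=") > 0 {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(key) == want) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# audit_samba_auth FILE
# Prints one finding per parameter; returns 1 if a legacy protocol is enabled.
audit_samba_auth() {
    _rc=0
    for _p in "ntlm auth" "lanman auth"; do
        _v=$(effective_global_param "$1" "$_p" | tr 'A-Z' 'a-z')
        case "$_p:$_v" in
            *:yes|*:true|*:1|"ntlm auth:ntlmv1-permitted")
                echo "WEAK $_p = $_v"; _rc=1 ;;
            *:)
                echo "OK   $_p unset (Samba default applies)" ;;
            *)
                echo "OK   $_p = $_v" ;;
        esac
    done
    return $_rc
}

# Constructed sample: a [global] section after the sed command from the post
# has been applied, plus a share section that must not influence the result.
sample_stub() {
    cat <<'EOF'
[global]
lanman auth = yes
ntlm auth = yes
    workgroup = EXAMPLE
    server role = active directory domain controller

[netlogon]
    path = /var/lib/samba/sysvol/example.lan/scripts
    ntlm auth = no
EOF
}

tmp=$(mktemp) && sample_stub > "$tmp"
audit_samba_auth "$tmp" || echo "legacy NTLM/LANMAN authentication is enabled in $tmp"
rm -f "$tmp"
```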
-
Thanks for sharing :)
-
Dear Sir.
Kindly please help me on https://forum.zentyal.org/index.php/topic,26466.0.html
Sincerely
-bino-
-
julio, thanks for going through the trouble of making and sharing this.
I've followed your instructions and successfully built the RADIUS module. Authentication works perfectly from radtest (with mschap) and from a Mikrotik router (for L2TP authentication).
There's just one detail that is not working as expected: No matter what group I choose at Zentyal's web interface, the RADIUS server will authenticate ANY valid user, regardless of the user being part of the specified group or not. As long as it's a valid domain account, it'll reply with an "Accept-Accept".
I've checked that the group is correctly being set inside /etc/freeradius/users:
DEFAULT LDAP-Group == <group name>
and also tried to manually edit it, using the full DN, but it makes no difference:
DEFAULT LDAP-Group == "CN=group,OU=foo,DC=bar,DC=com"
I don't have any experience with Freeradius, so I'm a bit lost about what can be causing this.
Running Zentyal 4.1 x86 (old server), if it makes any difference.
Any help is very much appreciated.
-
Bug is fixed, please try one more time...
-
Also so many thanks from my side. Today some problems started with the login of my Admin Account. All time long it was fine but now got LogIn Incorrect. Now it is working again :)
BTW: Does it work with 4.2 as well?
-
Thank you very much.
I was able to compile the module and the group filter indeed is working as expected.
There are only two things I noticed that need fixing/improving (but can be "worked-around"):
- The diff files in your instructions are referencing the folder "zentyal-radius-4.0" instead of "zentyal-radius-4.1", causing errors when patching. Editing the files and replacing all the occurrences with the "4.1" path solves the problem.
- After installed, if the selected group has spaces in its name, the Freeradius service is unable to start, logging errors when trying to parse "/etc/freeradius/users". Editing the file and enclosing the group's name in double quotes solves the problem, but gets undone since Zentyal rewrites the config files. A workaround (which I had to use) is to rename the group, removing all blank spaces, and then let Zentyal save its configurations again.
Again, thanks!
-
i've changed/fixed, please test it...
-
Please help me to resolve this.
root@zentyal4:/home/amagi/Downloads# sudo dpkg -i zentyal-radius_4.1_all.deb
Selecting previously unselected package zentyal-radius.
(Reading database ... 59970 files and directories currently installed.)
Preparing to unpack zentyal-radius_4.1_all.deb ...
Unpacking zentyal-radius (4.1) ...
dpkg: dependency problems prevent configuration of zentyal-radius:
zentyal-radius depends on winbind; however:
Package winbind is not installed.
zentyal-radius depends on freeradius; however:
Package freeradius is not installed.
zentyal-radius depends on freeradius-ldap; however:
Package freeradius-ldap is not installed.
dpkg: error processing package zentyal-radius (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
zentyal-radius
root@zentyal4:/home/amagi/Downloads# dpkg -i zentyal-radius_4.1_all.deb
(Reading database ... 59998 files and directories currently installed.)
Preparing to unpack zentyal-radius_4.1_all.deb ...
Unpacking zentyal-radius (4.1) over (4.1) ...
dpkg: dependency problems prevent configuration of zentyal-radius:
zentyal-radius depends on winbind; however:
Package winbind is not installed.
zentyal-radius depends on freeradius; however:
Package freeradius is not installed.
zentyal-radius depends on freeradius-ldap; however:
Package freeradius-ldap is not installed.
dpkg: error processing package zentyal-radius (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
zentyal-radius
root@zentyal4:/home/amagi/Downloads#
-
please run the following command:
sudo apt-get install -f -y
-
Then should i run this command?
sudo dpkg -i zentyal-radius_4.1_all.deb
-
no, only the:
sudo apt-get install -f -y
(please check the instructions)
-
Tested for 4.1 x86. Working flawlessly!
Thank you.
-
hi, i have problems to install the radius module with 4.2
dirk@superserver:~/Downloads$ sudo dpkg -i zentyal-radius_4.2_all.deb
(Lese Datenbank ... 621495 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von zentyal-radius_4.2_all.deb ...
Entpacken von zentyal-radius (4.2) über (4.2) ...
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von zentyal-radius:
zentyal-radius hängt ab von freeradius-ldap; aber:
Paket freeradius-ldap ist noch nicht konfiguriert.
dpkg: Fehler beim Bearbeiten des Paketes zentyal-radius (--install):
Abhängigkeitsprobleme - verbleibt unkonfiguriert
Fehler traten auf beim Bearbeiten von:
zentyal-radius
dirk@superserver:~/Downloads$
dirk@superserver:~/Downloads$ sudo apt-get install -f -y
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Das folgende Paket wurde automatisch installiert und wird nicht mehr benötigt:
linux-image-extra-3.13.0-66-generic
Verwenden Sie »apt-get autoremove«, um es zu entfernen.
0 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
2 nicht vollständig installiert oder entfernt.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
freeradius-ldap (2.1.12+dfsg-1.2ubuntu8.1) wird eingerichtet ...
reload: Unknown instance:
invoke-rc.d: initscript freeradius, action "force-reload" failed.
dpkg: Fehler beim Bearbeiten des Paketes freeradius-ldap (--configure):
Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von zentyal-radius:
zentyal-radius hängt ab von freeradius-ldap; aber:
Paket freeradius-ldap ist noch nicht konfiguriert.
dpkg: Fehler beim Bearbeiten des Paketes zentyal-radius (--configure):
Abhängigkeitsprobleme - verbleibt unkonfiguriert
Es wurde kein Apport-Bericht verfasst, da die Fehlermeldung darauf hindeutet, dass dies lediglich ein Folgefehler eines vorherigen Problems ist.
E: Sub-process /usr/bin/dpkg returned an error code (1)
dirk@superserver:~/Downloads$ sudo dpkg --configure -a
freeradius-ldap (2.1.12+dfsg-1.2ubuntu8.1) wird eingerichtet ...
reload: Unknown instance:
invoke-rc.d: initscript freeradius, action "force-reload" failed.
dpkg: Fehler beim Bearbeiten des Paketes freeradius-ldap (--configure):
Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von zentyal-radius:
zentyal-radius hängt ab von freeradius-ldap; aber:
Paket freeradius-ldap ist noch nicht konfiguriert.
dpkg: Fehler beim Bearbeiten des Paketes zentyal-radius (--configure):
Abhängigkeitsprobleme - verbleibt unkonfiguriert
Fehler traten auf beim Bearbeiten von:
freeradius-ldap
zentyal-radius
Is there some fix?
I found that:
zentyal-install-module /home/dirk/Downloads/zentyal-radius-4.2/debian/zentyal-radius/
cp: der Aufruf von stat für »schemas/*.ldif“ ist nicht möglich: Datei oder Verzeichnis nicht gefunden
-
Julio, please help me :-\ i need radius for my wlan access and it does not work as it should at the moment. I assume it is just a small bug in the installation :)
It worked like a charm with 4.1 and today i upgraded to 4.2.1 after i saw that i can install the radius module.
-
Hi Dersch,
open the "/var/lib/dpkg/info/freeradius-ldap.postinst" file and modify the line:
invoke-rc.d freeradius force-reload to /etc/init.d/freeradius force-reload
After the modification run: sudo apt-get install -f
-
Hey julio, thanks for your help. Now i could install and configure it. But it is still not working, the module is stopped. If i reload the module i get the message "successful reloaded" but it is still stopped.
Here is what happened after your hint:
dirk@superserver:~$ sudo nano /var/lib/dpkg/info/freeradius-ldap.postinst
dirk@superserver:~$ sudo apt-get install -f
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
0 aktualisiert, 0 neu installiert, 0 zu entfernen und 0 nicht aktualisiert.
2 nicht vollständig installiert oder entfernt.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
freeradius-ldap (2.1.12+dfsg-1.2ubuntu8.1) wird eingerichtet ...
* Reloading FreeRADIUS daemon freeradius
* /var/run/freeradius/freeradius.pid not found... [ OK ]
zentyal-radius (4.2) wird eingerichtet ...
Trigger für zentyal-core (4.2.1) werden verarbeitet ...
* Restarting Zentyal module: webadmin [ OK ]
* Restarting Zentyal module: logs [ OK ]
Freeradius is running:
sudo service freeradius start
freeradius start/running, process 5237
But stopped immediately
sudo service freeradius status
freeradius stop/waiting
And i activated the module, of course.
I also started the install process again but it had no effect.
The freeradius log at /var/log/freeradius is full of errors:
Fri Nov 13 23:07:19 2015 : Error: Failed to load virtual server <default>
Fri Nov 13 23:07:19 2015 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
Fri Nov 13 23:07:19 2015 : Error: rlm_eap_tls: Error reading certificate file /etc/freeradius/certs/freeradius.pem
Fri Nov 13 23:07:19 2015 : Error: rlm_eap: Failed to initialize type tls
Fri Nov 13 23:07:19 2015 : Error: /etc/freeradius/eap.conf[17]: Instantiation failed for module "eap"
Fri Nov 13 23:07:19 2015 : Error: /etc/freeradius/sites-enabled/default[287]: Failed to load module "eap".
Fri Nov 13 23:07:19 2015 : Error: /etc/freeradius/sites-enabled/default[234]: Errors parsing authenticate section.
Fri Nov 13 23:07:19 2015 : Error: Failed to load virtual server <default>
-
Now i could fix the issue with the certificate. At CA Authority i checked RADIUS once and saved. The error stopped.
Then i got another error in the Log File:
Sat Nov 14 00:16:59 2015 : Error: Errors reading /etc/freeradius/users
Sat Nov 14 00:16:59 2015 : Error: /etc/freeradius/modules/files[7]: Instantiation failed for module "files"
Sat Nov 14 00:16:59 2015 : Error: /etc/freeradius/sites-enabled/default[152]: Failed to load module "files".
Sat Nov 14 00:16:59 2015 : Error: /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
Sat Nov 14 00:16:59 2015 : Error: Failed to load virtual server <default>
Sat Nov 14 00:16:59 2015 : Error: /etc/freeradius/users[3]: Parse error (check) for entry DEFAULT: Expected end of line or comma
I changed in Zentyal the group allowed to authenticate once and saved to write the file new. Then freeradius could start:
Sat Nov 14 00:20:31 2015 : Info: Loaded virtual server <default>
Sat Nov 14 00:20:31 2015 : Info: Loaded virtual server inner-tunnel
Sat Nov 14 00:20:31 2015 : Info: ... adding new socket proxy address * port 40920
Sat Nov 14 00:20:31 2015 : Info: Ready to process requests.
But it is still impossible to login:
Sat Nov 14 00:21:44 2015 : Error: [ldap] ldap_search() failed: Operations error
Sat Nov 14 00:21:44 2015 : Auth: Invalid user: [Administrator] (from client 192.168.10.40/32 port 0 cli E8-50-8B-83-95-42)
Also Zentyal Webinterface does not recognize the running service.
Manual start is also impossible:
service zentyal radius restart
* Restarting Zentyal module: radius [fail]
It is very strange right now. With 4.1 everything worked so well without any issue. Please help me to fix that. There must be some error within the installation tips.
best regards
Dirk
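
Added example, not part of any post in this thread: the "Expected end of line or comma" parse error above and the earlier report about group names with spaces both come down to an unquoted LDAP-Group value in /etc/freeradius/users. The script below lints such a file before FreeRADIUS is restarted and renders a quoted DEFAULT line; the function names and the sample file are constructed, and refusing names that contain quotes, backslashes, percent signs or control characters is a conservative choice made for this example.

```shell
#!/bin/sh
# Lint LDAP-Group check items in a FreeRADIUS "users" file.

# lint_users_file FILE
# Prints FILE:LINE: message for each LDAP-Group value that is unquoted but
# contains whitespace, or whose opening quote is never closed. Returns 1 if
# anything was reported.
lint_users_file() {
    awk '
        function report(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        /^[ \t]/ { next }                      # indented lines are not check lines
        {
            if (!match($0, /LDAP-Group[ \t]*[!:=~]+[ \t]*/)) next
            val = substr($0, RSTART + RLENGTH)
            if (substr(val, 1, 1) == "\"") {
                if (index(substr(val, 2), "\"") == 0)
                    report("LDAP-Group value has an unterminated quote")
            } else {
                # An unquoted value ends at the next comma or at end of line.
                sub(/[ \t]*,.*$/, "", val); sub(/[ \t\r]+$/, "", val)
                if (val ~ /[ \t]/)
                    report("LDAP-Group value has spaces but no quotes: " val)
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# users_check_line GROUP
# Prints a DEFAULT check line with the group in double quotes. Names that
# would need escaping inside the quotes are refused instead of guessed at.
users_check_line() {
    _clean=$(printf '%s' "$1" | LC_ALL=C tr -d '"\\%[:cntrl:]')
    if [ -z "$1" ] || [ "$_clean" != "$1" ]; then
        echo "refusing group name: $1" >&2
        return 1
    fi
    printf 'DEFAULT LDAP-Group == "%s"\n' "$1"
}

# Constructed sample: one broken and one valid check line.
sample_users_file() {
    cat <<'EOF'
# constructed sample for the lint below
DEFAULT LDAP-Group == Wifi Users
DEFAULT LDAP-Group == "CN=group,OU=foo,DC=bar,DC=com"
EOF
}

tmp=$(mktemp) && sample_users_file > "$tmp"
lint_users_file "$tmp" || echo "fix the lines above before restarting freeradius"
users_check_line "Wifi Users"
rm -f "$tmp"
```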
-
in my opinion a complete remove/reinstall is much easier:
sudo apt-get purge --auto-remove zentyal-radius freeradius
cd ~/Downloads
sudo dpkg -i zentyal-radius_4.2_all.deb
sudo apt-get install -f -y
-
That's not changing anything. Now freeradius does not start because of the first error
Sat Nov 14 09:39:23 2015 : Error: rlm_eap_tls: Error reading certificate file /etc/freeradius/certs/freeradius.pem
Sat Nov 14 09:39:23 2015 : Error: rlm_eap: Failed to initialize type tls
Sat Nov 14 09:39:23 2015 : Error: /etc/freeradius/eap.conf[17]: Instantiation failed for module "eap"
Sat Nov 14 09:39:23 2015 : Error: /etc/freeradius/sites-enabled/default[287]: Failed to load module "eap".
Sat Nov 14 09:39:23 2015 : Error: /etc/freeradius/sites-enabled/default[234]: Errors parsing authenticate section.
Sat Nov 14 09:39:23 2015 : Error: Failed to load virtual server <default>
Sat Nov 14 09:39:23 2015 : Error: rlm_eap: SSL error error:0200100D:system library:fopen:Permission denied
Sat Nov 14 09:39:23 2015 : Error: rlm_eap_tls: Error reading certificate file /etc/freeradius/certs/freeradius.pem
Sat Nov 14 09:39:23 2015 : Error: rlm_eap: Failed to initialize type tls
Sat Nov 14 09:39:23 2015 : Error: /etc/freeradius/eap.conf[17]: Instantiation failed for module "eap"
Sat Nov 14 09:39:23 2015 : Error: /etc/freeradius/sites-enabled/default[287]: Failed to load module "eap".
Sat Nov 14 09:39:23 2015 : Error: /etc/freeradius/sites-enabled/default[234]: Errors parsing authenticate section.
Sat Nov 14 09:39:23 2015 : Error: Failed to load virtual server <default>
dirk@superserver:~/Downloads$
-
please remove/recompile/reinstall one more time:
sudo rm -rf ~/Downloads/*radius*
sudo apt-get purge --auto-remove zentyal-radius freeradius freeradius-common libfreeradius2
sudo rm -rf /etc/freeradius
recompile/reinstall the zentyal-radius module
-
IT WORKS!!! Thank you so much! I don't know what i should do with Zentyal without you ;)
-
I am glad I was able to help. :)
-
Hi Julio
Awesome work in getting RADIUS back into Zentyal, this was one of the main reasons i was looking at possible alternatives as my firewall requires it to authenticate VPN users (can't use AD).
It all seems to work brilliantly, the only issue i have found is that if i set it to authenticate Domain Users, it fails every time. The user i am testing with is a Domain Admin and it works if i select that or All Users, but never under Domain Users. I have added another user who is not a Domain Admin in case this was the issue and the result is the same.
Also, do you know if it is possible to use MSCHAP? I can't seem to figure that one out either.
Thanks again for your work on this.
-
Please use with your own group, nested groups 'Domain Admins, Domain Users, Domain Guests' not working yet!
MSCHAPV2:
http://www.nmt.edu/information-services-division/3845-windows-7-peap-ms-chapv2
-
Hello Julio and all,
Thanks for bringing Radius into Zentyal 4.2!
I was able to install successfully and it seems to work in general, but not in my specific setup.
I want to use Radius to grant WiFi access to registered users and tried with two different APs so far. One is an older Siemens DSL router and the other is a buffalo router with DD-WRT on board.
Both seem to be using MSCHAP authentication, but they always fail with "Login incorrect". Looking into the radius.log file, all I can see is:
Fri Jun 3 19:01:02 2016 : Auth: Login incorrect (mschap: External script says ): [#username#] (from client ##.##.###.#/32 port 0 via TLS tunnel)
Fri Jun 3 19:01:03 2016 : Auth: Login incorrect: [#username#] (from client ##.##.###.#/32 port 1 cli ##-##-##-##-##-##)
and that's basically it. No more hints.
I also tried using radtest tool and it works successfully, unless I choose MSCHAP as type. So my understanding is that the auth against the AD works in general and there must be an issue with the MSCHAP module.
The module does exist in the modules folder and besides the domain hack being active, the ntlm_auth looks like this:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
I'm not a big pro on Radius setup, so I hope someone can help me to get this going. We're using the installation for a refugee project.
update:
radtest output for mschap auth: MS-CHAP-Error = "\000E=691 R=1"
update2: checked ntlm_auth and it does work, but only when using sudo. Is this correct? I read some comments about freerad user to be member of the winbindd_priv group, but this is already the case. (winbindd_priv:x:118:freerad)
-
please make own group for radius users ex.: radusers
add radius users to this group and
set this group in "RADIUS - General configuration" -> "Group allowed to authenticate"
-
Hey,
Thanks for the prompt response and help.
Actually, the minute you posted, I found the solution as per one of your earlier advices.
https://forum.zentyal.org/index.php/topic,26466.msg97883.html#msg97883
First I tried
sudo chown root:root /etc/samba/openchange.conf
sudo chmod 644 /etc/samba/openchange.conf
which worked. so finally I did
echo -e "#"'!'"/bin/bash\nchown root:root /etc/samba/openchange.conf\nchmod 644 /etc/samba/openchange.conf\nexit 0" | sudo tee /etc/zentyal/hooks/openchange.postsetconf
sudo chmod +x /etc/zentyal/hooks/openchange.postsetconf
Seems this did the trick.
-
Again i'm facing problems with RADIUS but this time it seems to be the connection with LDAP. I already removed and recompiled the zentyal radius module but without success. Overall the RADIUS Module seems to work and shortly after a reboot everything is fine. Only after a couple of minutes up to one hour it is starting with the following errors...
Wed Jun 8 20:29:23 2016 : Auth: Login OK: [Administrator] (from client 192.168.10.40/32 port 0 via TLS tunnel)
Wed Jun 8 20:29:23 2016 : Auth: Login OK: [Administrator] (from client 192.168.10.40/32 port 0 cli E8-50-8B-83-95-42)
Wed Jun 8 21:08:59 2016 : Error: [ldap] ldap_search() failed: LDAP connection lost.
Wed Jun 8 21:08:59 2016 : Info: [ldap] Attempting reconnect
Wed Jun 8 21:09:02 2016 : Error: Discarding duplicate request from client 192.168.10.42/32 port 48323 - ID: 24 due to unfinished request 33
Wed Jun 8 21:09:04 2016 : Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Wed Jun 8 21:09:04 2016 : Auth: Invalid user: [Administrator] (from client 192.168.10.42/32 port 0 cli E8-50-8B-83-95-42)
Wed Jun 8 21:09:20 2016 : Error: Discarding duplicate request from client 192.168.10.42/32 port 48323 - ID: 26 due to unfinished request 35
Wed Jun 8 21:09:22 2016 : Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Wed Jun 8 21:09:22 2016 : Auth: Invalid user: [Administrator] (from client 192.168.10.42/32 port 0 cli E8-50-8B-83-95-42)
Wed Jun 8 21:29:43 2016 : Error: [ldap] ldap_search() failed: LDAP connection lost.
Wed Jun 8 21:29:43 2016 : Info: [ldap] Attempting reconnect
Wed Jun 8 21:29:46 2016 : Error: Discarding duplicate request from client 192.168.10.42/32 port 35385 - ID: 8 due to unfinished request 36
Wed Jun 8 21:29:48 2016 : Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Wed Jun 8 21:29:48 2016 : Auth: Invalid user: [Daniela] (from client 192.168.10.42/32 port 0 cli AC-5F-3E-33-AF-45)
Wed Jun 8 21:30:01 2016 : Error: Discarding duplicate request from client 192.168.10.42/32 port 35385 - ID: 10 due to unfinished request 38
Wed Jun 8 21:30:03 2016 : Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Wed Jun 8 21:30:03 2016 : Auth: Invalid user: [Daniela] (from client 192.168.10.42/32 port 0 cli AC-5F-3E-33-AF-45)
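
Added example, not part of the post above: in a log like this one, "Invalid user" rejects that directly follow an "[ldap] ldap_search() failed" error reflect a directory outage rather than bad credentials, so they should be counted separately when reviewing failed logins. The script below tallies rejects per user and client and marks those that fall within a few seconds of an LDAP error; the function names, the 5-second default window and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Separate RADIUS auth rejects caused by LDAP backend errors from the rest.

# triage_rejects [FILE] [WINDOW_SECONDS]
# Reads a FreeRADIUS radius.log (stdin when FILE is omitted or "-") and prints
#   user <TAB> client <TAB> total_rejects <TAB> rejects_after_ldap_error
# A reject counts as backend-related when an ldap_search() failure was logged
# on the same day at most WINDOW_SECONDS (default 5) before it.
triage_rejects() {
    awk -v window="${2:-5}" '
        function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        # Line layout: Wed Jun 8 21:09:04 2016 : Auth: ...
        { day = $1 " " $2 " " $3 " " $5; now = secs($4) }
        / : Error: \[ldap\] ldap_search\(\) failed/ { ldap_day = day; ldap_t = now; next }
        / : Auth: (Invalid user|Login incorrect)/ {
            user = "?"; client = "?"
            i = index($0, ": [")                  # user name sits in [brackets]
            if (i > 0) {
                rest = substr($0, i + 3)
                j = index(rest, "]")
                if (j > 0) user = substr(rest, 1, j - 1)
            }
            if (match($0, /from client [^ ]+/))
                client = substr($0, RSTART + 12, RLENGTH - 12)
            key = user "\t" client
            total[key]++
            if (ldap_day == day && now - ldap_t >= 0 && now - ldap_t <= window)
                backend[key]++
        }
        END { for (k in total) printf "%s\t%d\t%d\n", k, total[k], backend[k] + 0 }
    ' "${1:--}" | LC_ALL=C sort
}

# Constructed sample in the radius.log format seen in this thread. Addresses
# and names are placeholders, not values from the posts.
sample_radius_log() {
    cat <<'EOF'
Wed Jun  8 21:08:59 2016 : Error: [ldap] ldap_search() failed: LDAP connection lost.
Wed Jun  8 21:08:59 2016 : Info: [ldap] Attempting reconnect
Wed Jun  8 21:09:04 2016 : Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Wed Jun  8 21:09:04 2016 : Auth: Invalid user: [alice] (from client 192.0.2.42/32 port 0 cli 00-00-5E-00-53-01)
Wed Jun  8 21:09:19 2016 : Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.
Wed Jun  8 21:09:22 2016 : Auth: Invalid user: [alice] (from client 192.0.2.42/32 port 0 cli 00-00-5E-00-53-01)
Wed Jun  8 22:15:10 2016 : Auth: Login incorrect: [bob] (from client 192.0.2.40/32 port 1 cli 00-00-5E-00-53-02)
Wed Jun  8 22:15:31 2016 : Auth: Login incorrect (mschap: External script says ): [bob] (from client 192.0.2.40/32 port 0 via TLS tunnel)
Wed Jun  8 22:16:00 2016 : Auth: Login OK: [carol] (from client 192.0.2.40/32 port 0 via TLS tunnel)
EOF
}

sample_radius_log | triage_rejects
```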
-
Again I'm facing problems with RADIUS, but this time it seems to be the connection with LDAP. I already removed and recompiled the zentyal radius module, but without success. Overall the RADIUS module seems to work, and shortly after a reboot everything is fine. Only after a couple of minutes up to one hour does it start with the following errors...
after restarting the radius service, is it working again?
sudo service zentyal radius restart
-
Hi Julio,
No, unfortunately not.
-
please check the Samba - LDAP service...
ex.: ldapsearch
-
Dear Julio,
Hope you can also help with this little issue. Now that I've got the radius module working, I noticed that - depending on the AP - MAC address information will be shown or not in the log file presentation (via zentyal log viewer).
I have an older Siemens AP here, which results in the following log entry:
Sat Jun 11 15:37:44 2016 : Auth: Login OK: [username] (from client xxx.xxx.x.xxx/32 port 5 cli 2002af9a30af)
Means, the MAC address is 20:02:AF:9A:30:AF, but it's not shown, the mac column remains empty.
My guess is that the parser is not able to convert and/or identify the mac entry in the log file.
Is there any hack possible to fix this?
-
modified, please check...
https://forum.zentyal.org/index.php/topic,25541.msg96226.html#msg96226
-
Thanks, Julio,
Installed it and now have to test. Since it is a remote site, it will take a few days before I'll see the effect. I assume the change will only take effect on new log entries, right?
In any case, I'm very thankful for your prompt help! Really great!!!
p.s. maybe a little remark: I think there's a little mistake in the instruction.
wget wget http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz -O zentyal-radius_3.5.1.tar.gz
double wget...
-
thank you for your suggestion about the "wget wget" mistake!
I've changed the mac format to uppercase format,
please install one more time, and you can force a test with the following command:
LC_TIME_ORIG=$LC_TIME && LC_TIME=en_US.UTF-8 && echo "$(date '+%a %b %e %H:%M:%S %Y') : Auth: Login OK: [testuser] (from client 127.0.0.1/32 port 5 cli 2002af9a30af)" | sudo tee -a /var/log/freeradius/radius.log && LC_TIME=$LC_TIME_ORIG
-
tried the echo but it seems my locale for date is set to De, so Week day is prompted as "So" and not "Sun". At the end, the echoed log entry is not shown in zentyal log module... :-)
p.s. modified the echo command and set the date/time manually. However, it seems to not appear inside the zentyal log display? update: got it! works!
-
"tried the echo but it seems my locale for date is set to De, so Week day is prompted as "So" and not "Sun"."
me too, DE... that's why: LC_TIME_ORIG=$LC_TIME && LC_TIME=en_US.UTF-8
is the "en_US.UTF-8" locale installed?
locale -a
works for me (see screenshot attached)
try restarting the logs and the radius service before the echo...
sudo service zentyal logs restart
sudo service zentyal radius restart
-
locale is installed. restarted modules but still it will generate "So" instead of "Sun" :o
Anyway, I'm confident it will work well now ::) Thanks again!!!
update: just noticed
locale -a
C
C.UTF-8
de_DE.utf8
en_US.utf8
POSIX
so, probably I need to modify the locale setting accordingly?
-
no, you don't need...
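The two log-format problems in this part of the thread (a `cli` value written without separators, and a weekday written under a German `LC_TIME`) can be reproduced with a small parser. This is an added example in Python, not Zentyal's `LogHelper.pm`; the function names, the uppercase colon-separated output format and the sample lines marked as constructed are assumptions of the example.

```python
import re
from datetime import datetime

# English abbreviations, as radius.log carries them when written under C/en_US.
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
WEEKDAYS = frozenset("Mon Tue Wed Thu Fri Sat Sun".split())

# "<wday> <mon> <day> <time> <year> : Auth: <event>: [<user>] (from client ...)"
AUTH_RE = re.compile(
    r"^(?P<wday>\S+)\s+(?P<mon>\S+)\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<year>\d{4}) : Auth: "
    r"(?P<event>[^:]+): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)\s]+)| via TLS tunnel)?\)\s*$"
)


class LogParseError(ValueError):
    """Raised with a short reason when a line cannot become a record."""


def normalize_mac(cli):
    """Map E8-50-8B-83-95-42, e8:50:8b:83:95:42 or 2002af9a30af to AA:BB:CC:DD:EE:FF.

    Anything that is not exactly 12 hex digits after removing separators is
    rejected (None) instead of being passed on to a viewer or database.
    """
    if cli is None:
        return None
    digits = re.sub(r"[-:.]", "", cli)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_auth_line(line):
    """Parse one 'Auth:' line into a dict or raise LogParseError."""
    m = AUTH_RE.match(line.rstrip("\n"))
    if m is None:
        raise LogParseError("not an Auth line")
    # Names are checked against a fixed table, so the result does not depend
    # on the locale of the process doing the parsing.
    if m["wday"] not in WEEKDAYS or m["mon"] not in MONTHS:
        raise LogParseError("timestamp not written in an English locale")
    hour, minute, second = (int(part) for part in m["time"].split(":"))
    try:
        when = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                        hour, minute, second)
    except ValueError as exc:
        raise LogParseError(f"impossible date: {exc}") from None
    return {
        "time": when,
        "event": m["event"],
        "user": m["user"],
        "client": m["client"],
        "port": int(m["port"]),
        "mac": normalize_mac(m["cli"]),
    }


def parse_log(text):
    """Return (records, skipped); skipped holds (line number, reason) pairs."""
    records, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            records.append(parse_auth_line(line))
        except LogParseError as exc:
            skipped.append((lineno, str(exc)))
    return records, skipped


# Lines 1-3 and 5 are taken from the thread; line 4 is constructed to show the
# German weekday ("So") that kept the test entry out of the log viewer.
SAMPLE_LOG = """\
Wed Jun 8 20:29:23 2016 : Auth: Login OK: [Administrator] (from client 192.168.10.40/32 port 0 via TLS tunnel)
Wed Jun 8 20:29:23 2016 : Auth: Login OK: [Administrator] (from client 192.168.10.40/32 port 0 cli E8-50-8B-83-95-42)
Sat Jun 11 15:37:44 2016 : Auth: Login OK: [username] (from client xxx.xxx.x.xxx/32 port 5 cli 2002af9a30af)
So Jun 12 10:00:00 2016 : Auth: Login OK: [testuser] (from client 127.0.0.1/32 port 5 cli 2002af9a30af)
Wed Jun 8 21:08:59 2016 : Info: [ldap] Attempting reconnect
"""

if __name__ == "__main__":
    parsed, rejected = parse_log(SAMPLE_LOG)
    for rec in parsed:
        print(rec["time"].isoformat(), rec["event"], rec["user"], rec["mac"])
    for lineno, reason in rejected:
        print(f"line {lineno} skipped: {reason}")
```

For a synthetic test entry, `LC_ALL=C date '+%a %b %e %H:%M:%S %Y'` prints English day and month names whatever the session locale is.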
-
Julio,
Hope to get one more hint from you ;-)
Worked all fine for the time being, but for some reason I had to re-install (not only, but also) the radius package and now I seem to be getting no access to the LDAP. (Radius only rejects)
In the freeradius log, I can only find two lines, i.e.
Mon Oct 3 20:29:46 2016 : Error: [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Mon Oct 3 20:29:46 2016 : Error: [ldap] (re)connection attempt failed
I checked the ldap module at freeradius and the credentials are filled in. I also checked the user in the tree, removed it, reconfigured so the user was back in. Still no good.
I tried a full purge on freeradius, zentyal-radius and the related packages, and reinstalled from scratch. Nothing helped.
Anything else where I could look into?
-
for more details start freeradius manually:
sudo service zentyal radius stop
sudo freeradius -XXX
-
Here it goes, Julio.
Only masked the secrets "###secret###"
It wouldn't let me post the whole text (20000 chars limit), so here's a link to the file:
https://dl.dropboxusercontent.com/u/1666516/freeradius%20debug.txt
update: this is only the debug output before the actual auth trial
-
So, here comes the output from an actual try via radtest:
Mon Oct 3 21:16:24 2016 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 39583, id=246, length=80
User-Name = "###username###"
User-Password = "###password###"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0xae07c03a0fa5825814f6e4066277a23b
Mon Oct 3 21:29:05 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Oct 3 21:29:05 2016 : Info: +- entering group authorize {...}
Mon Oct 3 21:29:05 2016 : Info: ++[preprocess] returns ok
Mon Oct 3 21:29:05 2016 : Info: ++[chap] returns noop
Mon Oct 3 21:29:05 2016 : Info: ++[mschap] returns noop
Mon Oct 3 21:29:05 2016 : Info: [eap] No EAP-Message, not doing EAP
Mon Oct 3 21:29:05 2016 : Info: ++[eap] returns noop
Mon Oct 3 21:29:05 2016 : Info: [files] users: Matched entry DEFAULT at line 1
Mon Oct 3 21:29:05 2016 : Info: ++[files] returns ok
Mon Oct 3 21:29:05 2016 : Info: [ldap] performing user authorization for ###username###
Mon Oct 3 21:29:05 2016 : Info: [ldap] expand: %{Stripped-User-Name} ->
Mon Oct 3 21:29:05 2016 : Info: [ldap] ... expanding second conditional
Mon Oct 3 21:29:05 2016 : Info: [ldap] expand: %{User-Name} -> ###username###
Mon Oct 3 21:29:05 2016 : Info: [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=###username###)
Mon Oct 3 21:29:05 2016 : Info: [ldap] expand: DC=fritz,DC=box -> DC=fritz,DC=box
Mon Oct 3 21:29:05 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0
Mon Oct 3 21:29:05 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0
Mon Oct 3 21:29:05 2016 : Debug: [ldap] attempting LDAP reconnection
Mon Oct 3 21:29:05 2016 : Debug: [ldap] (re)connect to ldap://127.0.0.1, authentication 0
Mon Oct 3 21:29:05 2016 : Debug: [ldap] bind as CN=zentyal-radius-zentyal,CN=Users,DC=fritz,DC=box/###password### to ldap://127.0.0.1
Mon Oct 3 21:29:05 2016 : Debug: [ldap] waiting for bind result ...
Mon Oct 3 21:29:05 2016 : Error: [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Mon Oct 3 21:29:05 2016 : Error: [ldap] (re)connection attempt failed
Mon Oct 3 21:29:05 2016 : Info: [ldap] search failed
Mon Oct 3 21:29:05 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0
Mon Oct 3 21:29:05 2016 : Info: ++[ldap] returns fail
Mon Oct 3 21:29:05 2016 : Auth: Invalid user: [###username###] (from client 127.0.0.1/32 port 1812)
Mon Oct 3 21:29:05 2016 : Info: Using Post-Auth-Type Reject
Mon Oct 3 21:29:05 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Oct 3 21:29:05 2016 : Info: +- entering group REJECT {...}
Mon Oct 3 21:29:05 2016 : Info: [attr_filter.access_reject] expand: %{User-Name} -> ###username###
Mon Oct 3 21:29:05 2016 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Oct 3 21:29:05 2016 : Info: ++[attr_filter.access_reject] returns updated
Mon Oct 3 21:29:05 2016 : Info: Delaying reject of request 0 for 1 seconds
Mon Oct 3 21:29:05 2016 : Debug: Going to the next request
Mon Oct 3 21:29:05 2016 : Debug: Waking up in 0.9 seconds.
Mon Oct 3 21:29:06 2016 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 246 to 127.0.0.1 port 39583
Mon Oct 3 21:29:06 2016 : Debug: Waking up in 4.9 seconds.
Mon Oct 3 21:29:11 2016 : Info: Cleaning up request 0 ID 246 with timestamp +761
Mon Oct 3 21:29:11 2016 : Info: Ready to process requests.
User Info is also accessible:
User info (Level-0):
====================
Name: zentyal-radius-zentyal
SID: S-1-5-21-1293354772-482189516-68840057-1231
Uid: 910689487
Gid: 910688769
Gecos: <null>
Shell: /bin/sh
Home dir: /home/local/FRITZ/zentyal-radius-zentyal
Logon restriction: NO
-
please post the results of:
ls -la /var/lib/zentyal/conf/
-
ls -la /var/lib/zentyal/conf/
total 144
drwxr-xr-x 9 ebox adm 4096 Okt 3 20:51 .
drwxr-xr-x 10 ebox ebox 4096 Okt 4 01:16 ..
drwx------ 2 ebox adm 4096 Okt 2 22:14 backups
drwxr-xr-x 2 ebox ebox 4096 Feb 18 2016 dhcp
-rw-r--r-- 1 ebox adm 371 Okt 21 2015 eboxlog.conf
-rw-r--r-- 1 ebox adm 33 Feb 3 2016 ebox.passwd
-rw------- 1 ebox ebox 0 Feb 18 2016 ebox.sid
-rw------- 1 ebox ebox 32 Okt 2 20:53 fetchmail.passwd
-rw------- 1 ebox ebox 32 Okt 2 20:32 fetchmail.passwd~
-rw-r--r-- 1 ebox ebox 11 Okt 3 20:51 locale
drwxrwxrwx 2 ebox ebox 4096 Feb 18 2016 logs
-rw-r--r-- 1 ebox ebox 3857 Okt 3 20:51 nginx.conf
drwxr-xr-x 2 root root 4096 Mär 1 2016 openchange
-rw-r--r-- 1 root root 9527 Feb 3 2016 openssl.cnf
-rw------- 1 ebox root 25726 Okt 3 20:47 redis.conf
-rw------- 1 ebox ebox 8 Feb 18 2016 redis.passwd
drwxr-xr-x 2 ebox ebox 4096 Feb 18 2016 remoteservices
-rw-rw-rw- 1 ebox ebox 146 Okt 3 20:50 samba-antivirus.conf
-r-------- 1 ebox ebox 193 Okt 3 20:50 samba.keytab
-r-------- 1 root root 8 Mär 3 2016 sa-mysql.passwd
-rw------- 1 ebox ebox 8 Feb 19 2016 sogo_db.passwd
drwx------ 2 root root 4096 Okt 3 20:49 ssl
drwxr-xr-x 2 ebox adm 4096 Feb 3 2016 ssl-ca
-rw-r--r-- 1 root root 353 Apr 25 12:08 zavsd-log.conf
-rw------- 1 ebox ebox 20 Okt 2 20:53 zentyal-mailfilter-zentyal.passwd
-rw------- 1 ebox ebox 20 Okt 2 20:53 zentyal-mail-zentyal.passwd
-r-------- 1 root root 8 Feb 18 2016 zentyal-mysql.passwd
-rw------- 1 ebox ebox 20 Okt 2 20:53 zentyal-openchange-zentyal.passwd
-rw------- 1 ebox ebox 20 Okt 2 20:53 zentyal-radius-zentyal.passwd
-
try restoring the zentyal-radius-zentyal user password:
sudo samba-tool user setpassword zentyal-radius-zentyal --newpassword="$(cat /var/lib/zentyal/conf/zentyal-radius-zentyal.passwd)"
sudo service zentyal radius restart
-
You're my man, Julio! It worked!
Thanks so much, you've made more than 40 refugees happy. They can now use their WiFi AP again.
So easy after all, but when you're sitting in the middle of a forest, it's hard to see a single tree ;-)
-
Hello
I ran into some trouble making it work with Zentyal 5.0, but I finally did it. So I am sharing my steps with you guys.
mkdir ~/radius
cd ~/radius
rm -rf zentyal-radius-4.2
wget http://archive.zentyal.org/zentyal/pool/main/z/zentyal-radius/zentyal-radius_3.5.1.tar.gz -O zentyal-radius_3.5.1.tar.gz
tar -xf zentyal-radius_3.5.1.tar.gz
mv zentyal-radius-3.5.1 zentyal-radius-5.0
wget 'https://drive.google.com/uc?export=download&id=0B4LpBN3axE3nUHZROVJGY3hPeVk' -O zentyal-radius-5.0.patch
patch -t -p1 -i zentyal-radius-5.0.patch
cd zentyal-radius-5.0
dpkg-buildpackage -rfakeroot -b -tc
cd ..
apt install ./zentyal-radius_5.0_all.deb -y
sudo apt-get install -f -y
Don't forget to manually add firewall rules for the radius service (on UDP port 1812)!
julio, feel free to edit this into your first post if you want.
-
Hello everyone
I have been trying to install the radius module all week but I have not been lucky. The installation of my virtual machine is new; when renewing the server I had to format and deal with a new installation. Previously I followed these instructions and I did not have problems, but on this occasion I have not been able to install, since the first command tells me that the package build-essential is lost and will not allow me to continue.
Any ideas? Thanks for any help.
-
Try with the original instructions, step by step...
https://forum.zentyal.org/index.php/topic,25541.0.html
-
Sorry, when I said these instructions I meant the original list, but yesterday I also tried the last one, and it is giving me the same error!!
-
please post the error messages or give me more detail about the error!
-
Here is a picture of the error message
-
Please enable the main repository in the /etc/apt/sources.list file.
It looks like:
deb http://de.archive.ubuntu.com/ubuntu trusty main restricted universe multiverse
#deb-src http://de.archive.ubuntu.com/ubuntu trusty main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-updates main restricted universe multiverse
#deb-src http://de.archive.ubuntu.com/ubuntu trusty-updates main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-security main restricted universe multiverse
#deb-src http://de.archive.ubuntu.com/ubuntu trusty-security main restricted universe multiverse
deb http://de.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
#deb-src http://de.archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu trusty main
After that:
sudo apt-get update
sudo apt-get install zbuildtools build-essential fakeroot dpkg-dev -y
-
Thanks, I'll try what you say, but just to be sure;
Are you asking me to run these commands on the console before the original instruction list?....
.
.
.
.
Sorry, but no, it doesn't work!!
-
Open the /etc/apt/sources.list with text editor and enable the main repo... Like my previous post!
-
Thanks so much Julio, it works really nicely, now I'm gonna set everything up to put the wifi clients to work, if something goes wrong I will let you know
Thanks again and regards.
-
Thanks Julio,
The only issue I had was failed dependencies when trying to install the .deb file. sudo apt-get install -f fixed it.
-
Modified, thank you for your feedback!
-
For everybody else having issues with the new version of samba:
Add this
lanman auth = yes
ntlm auth = yes
in the [global] section
to /usr/share/zentyal/stubs/samba/smb.conf.mas
and reload samba settings.
Note: This will reenable NTLMv1 authentication which is disabled by default in newer samba versions. Unfortunately freeradius only supports NTLMv1 (and not the newer NTLMv2)
https://www.samba.org/samba/history/samba-4.5.0.html
@Julio: maybe you want to change to sudo dpkg --force-depends -i zentyal-radius_5.0_all.deb as this occurs:
dependency problems - leaving unconfigured
-
"sudo apt-get install -f" because dependency problems, but the
"sudo dpkg --force-depends -i ..." is more elegant, thanks!
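A check for the two settings from the post, useful for keeping track of which hosts have LANMAN and NTLMv1 re-enabled after this workaround. This is an added example in Python, not part of the post or of Zentyal; the function names and both sample configurations are constructed, and only explicit `[global]` settings are evaluated (an absent line means the release default applies).

```python
import re

# Spellings smb.conf accepts for a boolean "true".
TRUE_WORDS = {"yes", "true", "on", "1"}

# Canonical parameter name -> (values that enable the legacy protocol, finding text).
LEGACY_AUTH = {
    "lanmanauth": (TRUE_WORDS, "LANMAN authentication is accepted"),
    # "ntlmv1-permitted" is the named synonym for "yes" in later Samba releases
    # than the 4.5 discussed in the thread.
    "ntlmauth": (TRUE_WORDS | {"ntlmv1-permitted"},
                 "NTLMv1 authentication is accepted"),
}


def canonical(name):
    """smb.conf ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def effective_globals(conf_text):
    """Return {canonical name: (value, line number)} for [global].

    A later line overrides an earlier one, so the line number reported is
    the one that is actually in effect.
    """
    settings, section = {}, None
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            settings[canonical(name)] = (value.strip(), lineno)
    return settings


def audit_legacy_auth(conf_text):
    """Return sorted (line, parameter, value, message) tuples for weak settings."""
    findings = []
    settings = effective_globals(conf_text)
    for name, (enabling, message) in LEGACY_AUTH.items():
        if name in settings:
            value, lineno = settings[name]
            if value.lower() in enabling:
                findings.append((lineno, name, value, message))
    return sorted(findings)


# Constructed sample: a [global] section carrying the two lines from the post.
AS_POSTED = """\
[global]
    workgroup = EXAMPLE
    ; the two lines from the post
    lanman auth = yes
    ntlm auth = yes
"""

# Constructed sample: the setting is switched on and then off again further
# down, with different spelling; only the last line counts.
REVERTED = """\
[global]
    workgroup = EXAMPLE
    NTLM Auth = Yes
    ntlmauth = no
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("reverted", REVERTED)):
        print(label, audit_legacy_auth(text))
```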
-
Hello,
after installing on Zentyal 5.0.8, when I try to enable the FreeRADIUS module I get the following error:
Failed to enable: root command /usr/share//zentyal-radius/enable-module failed. Error output: + test '!' -e /etc/freeradius/certs/freeradius.pem + test '!' -e /etc/ssl/certs/ssl-cert-snakeoil.pem + test '!' -e /etc/ssl/private/ssl-cert-snakeoil.key + cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key /usr/share//zentyal-radius/enable-module: line 12: /etc/freeradius/certs/freeradius.pem: No such file or directory + chown root:freerad /etc/freeradius/certs/freeradius.pem chown: invalid group: ‘root:freerad’ + chmod 440 /etc/freeradius/certs/freeradius.pem chmod: cannot access '/etc/freeradius/certs/freeradius.pem': No such file or directory + usermod -a -G winbindd_priv freerad usermod: user 'freerad' does not exist + chown root:winbindd_priv /var/lib/samba/winbindd_privileged/ + chmod 755 /var/log/freeradius chmod: cannot access '/var/log/freeradius': No such file or directory Command output: . Exit value: 1 at /usr/share/perl5/EBox/ServiceModule/CGI/ConfigureModuleController.pm line 65
How to fix this?
Best regards.
-
Hello to all
I can not run the radius server
I followed both page 1 and page 4 guidelines
I can start the shell radius but if it starts from the zentyal console I am mistaken.
I installed zentyal 5.08 and configured as primary domain controller
I tested it with a new install but haven't resolved it
If they can serve the attached ldap settings
DN base
DC = mms, DC = local
Default Users DN
CN = Users, DC = mms, DC = local
Default Groups DN
CN = Users, DC = mms, DC = local
And log
2017/05/31 12:49:49 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: radius
2017/05/31 12:49:50 DEBUG> Validate.pm:658 EBox::Validate::checkDomainName - Valore non valido per Nome comune (CN): Host Zentyal. at Valore non valido per Nome comune (CN): Host Zentyal. at /usr/share/perl5/EBox/Validate.pm line 658
2017/05/31 12:49:50 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: Valore non valido per Nome comune (CN): Host Zentyal.
2017/05/31 12:49:50 ERROR> Service.pm:964 EBox::Module::Service::restartService - Valore non valido per Nome comune (CN): Host Zentyal. at Valore non valido per Nome comune (CN): Host Zentyal. at /usr/share/perl5/EBox/Module/Service.pm line 964
2017/05/31 12:49:50 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of RADIUS from dashboard failed: Valore non valido per Nome comune (CN): Host Zentyal.
-
Hello,
after installing on Zentyal 5.0.8, when I try to enable the FreeRADIUS module I get the following error:
Failed to enable: root command /usr/share//zentyal-radius/enable-module failed. Error output: + test '!' -e /etc/freeradius/certs/freeradius.pem + test '!' -e /etc/ssl/certs/ssl-cert-snakeoil.pem + test '!' -e /etc/ssl/private/ssl-cert-snakeoil.key + cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key /usr/share//zentyal-radius/enable-module: line 12: /etc/freeradius/certs/freeradius.pem: No such file or directory + chown root:freerad /etc/freeradius/certs/freeradius.pem chown: invalid group: ‘root:freerad’ + chmod 440 /etc/freeradius/certs/freeradius.pem chmod: cannot access '/etc/freeradius/certs/freeradius.pem': No such file or directory + usermod -a -G winbindd_priv freerad usermod: user 'freerad' does not exist + chown root:winbindd_priv /var/lib/samba/winbindd_privileged/ + chmod 755 /var/log/freeradius chmod: cannot access '/var/log/freeradius': No such file or directory Command output: . Exit value: 1 at /usr/share/perl5/EBox/ServiceModule/CGI/ConfigureModuleController.pm line 65
How to fix this?
Best regards.
please try installing the missing dependencies with:
sudo apt install -f -y
-
Hello to all
I can not run the radius server
I followed both page 1 and page 4 guidelines
I can start the shell radius but if it starts from the zentyal console I am mistaken.
I installed zentyal 5.08 and configured as primary domain controller
I tested it with a new install but haven't resolved it
If they can serve the attached ldap settings
DN base
DC = mms, DC = local
Default Users DN
CN = Users, DC = mms, DC = local
Default Groups DN
CN = Users, DC = mms, DC = local
And log
2017/05/31 12:49:49 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: radius
2017/05/31 12:49:50 DEBUG> Validate.pm:658 EBox::Validate::checkDomainName - Valore non valido per Nome comune (CN): Host Zentyal. at Valore non valido per Nome comune (CN): Host Zentyal. at /usr/share/perl5/EBox/Validate.pm line 658
2017/05/31 12:49:50 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: Valore non valido per Nome comune (CN): Host Zentyal.
2017/05/31 12:49:50 ERROR> Service.pm:964 EBox::Module::Service::restartService - Valore non valido per Nome comune (CN): Host Zentyal. at Valore non valido per Nome comune (CN): Host Zentyal. at /usr/share/perl5/EBox/Module/Service.pm line 964
2017/05/31 12:49:50 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of RADIUS from dashboard failed: Valore non valido per Nome comune (CN): Host Zentyal.
please try purging all freeradius packages and installing again:
sudo apt purge freeradius freeradius-common freeradius-ldap freeradius-utils libfreeradius2 libltdl7 zentyal-radius
sudo rm -rf /etc/freeradius
-
Hello,
after installing on Zentyal 5.0.8, when I try to enable the FreeRADIUS module I get the following error:
Failed to enable: root command /usr/share//zentyal-radius/enable-module failed. Error output: + test '!' -e /etc/freeradius/certs/freeradius.pem + test '!' -e /etc/ssl/certs/ssl-cert-snakeoil.pem + test '!' -e /etc/ssl/private/ssl-cert-snakeoil.key + cat /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key /usr/share//zentyal-radius/enable-module: line 12: /etc/freeradius/certs/freeradius.pem: No such file or directory + chown root:freerad /etc/freeradius/certs/freeradius.pem chown: invalid group: ‘root:freerad’ + chmod 440 /etc/freeradius/certs/freeradius.pem chmod: cannot access '/etc/freeradius/certs/freeradius.pem': No such file or directory + usermod -a -G winbindd_priv freerad usermod: user 'freerad' does not exist + chown root:winbindd_priv /var/lib/samba/winbindd_privileged/ + chmod 755 /var/log/freeradius chmod: cannot access '/var/log/freeradius': No such file or directory Command output: . Exit value: 1 at /usr/share/perl5/EBox/ServiceModule/CGI/ConfigureModuleController.pm line 65
How to fix this?
Best regards.
please try installing the missing dependencies with:
sudo apt install -f -y
Great, everything is working fine ;D
Thank you for help.
Best regards
-
not work
"Qualche modulo ha riportato errori durante il salvataggio. Maggiori informazioni nel log /var/log/zentyal/
Valore non valido per Nome comune (CN): Host Zentyal."
-
what is your server hostname?
because, according to RFC underscores are forbidden in "hostnames"!
-
my hostname is srv01 , my domain is mms.local
What is the radius file I need to modify to integrate my host?
:o
-
maybe web interface language problem?
same error:
https://tracker.zentyal.org/issues/4738
please change the web interface language from Italian to English
-
I'm having a problem trying to get RADIUS in 5.0 to work with my APs (Ubiquiti UniFi). Any ideas?
-
please try with:
802.1x EAP & PEAP & MSCHAPV2
-
Are these settings to change in RADIUS?
-
no, not in radius, on the clients, instead of WPA2-Enterprise...
-
I tried that & I get the same error. On Windows it says "Can't connect to this network". On my Android it says "Authentication Problem".
-
Hi Julio,
After having successfully installed a new 5.0 system with the radius module (as per your new instruction), I'm still struggling to get it up and running.
Wifi clients are rejected.
Please see log:
rad_recv: Access-Request packet from host 192.168.1.2 port 3072, id=0, length=165
Sat Sep 23 17:09:53 2017 : Info: Cleaning up request 8 ID 0 with timestamp +20
User-Name = "user"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "0016e37246ff"
Calling-Station-Id = "90fd6153bfc4"
NAS-Identifier = "0016e37246ff"
NAS-Port = 40
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0208002e190017030300230bf5df21adc20eeb36f8c66f036cd7e3b97e8f593fa2b13b9763b32e9db63655c5f04b
Message-Authenticator = 0x69f2de24306d9ee3142149f1f95e5448
Sat Sep 23 17:09:53 2017 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Sat Sep 23 17:09:53 2017 : Info: +group authorize {
Sat Sep 23 17:09:53 2017 : Info: ++[preprocess] = ok
Sat Sep 23 17:09:53 2017 : Info: ++[chap] = noop
Sat Sep 23 17:09:53 2017 : Info: ++[mschap] = noop
Sat Sep 23 17:09:53 2017 : Info: [eap] EAP packet type response id 8 length 46
Sat Sep 23 17:09:53 2017 : Info: [eap] Continuing tunnel setup.
Sat Sep 23 17:09:53 2017 : Info: ++[eap] = ok
Sat Sep 23 17:09:53 2017 : Info: +} # group authorize = ok
Sat Sep 23 17:09:53 2017 : Info: Found Auth-Type = EAP
Sat Sep 23 17:09:53 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Sep 23 17:09:53 2017 : Info: +group authenticate {
Sat Sep 23 17:09:53 2017 : Info: [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Sat Sep 23 17:09:53 2017 : Info: [eap] Failed in handler
Sat Sep 23 17:09:53 2017 : Info: ++[eap] = invalid
Sat Sep 23 17:09:53 2017 : Info: +} # group authenticate = invalid
Sat Sep 23 17:09:53 2017 : Info: Failed to authenticate the user.
Sat Sep 23 17:09:53 2017 : Auth: Login incorrect: [user] (from client 192.168.1.2/32 port 40 cli 90fd6153bfc4)
Sat Sep 23 17:09:53 2017 : Info: Using Post-Auth-Type Reject
Sat Sep 23 17:09:53 2017 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Sat Sep 23 17:09:53 2017 : Info: +group REJECT {
Sat Sep 23 17:09:53 2017 : Info: [attr_filter.access_reject] expand: %{User-Name} -> user
Sat Sep 23 17:09:53 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11
Sat Sep 23 17:09:53 2017 : Info: ++[attr_filter.access_reject] = updated
Sat Sep 23 17:09:53 2017 : Info: +} # group REJECT = updated
Sat Sep 23 17:09:53 2017 : Info: Delaying reject of request 9 for 1 seconds
Sat Sep 23 17:09:53 2017 : Debug: Going to the next request
Sat Sep 23 17:09:53 2017 : Debug: Waking up in 0.9 seconds.
Sat Sep 23 17:09:54 2017 : Info: Sending delayed reject for request 9
Sending Access-Reject of id 0 to 192.168.1.2 port 3072
Sat Sep 23 17:09:54 2017 : Debug: Waking up in 4.9 seconds.
I have reset the passwords (which did the trick last time: https://forum.zentyal.org/index.php/topic,25541.msg103865.html#msg103865), but no luck.
Tried different settings in the Radius module, all users, domains users, etc., nothing worked.
I saw these lines in the log:
Sat Sep 23 17:09:53 2017 : Info: [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Sat Sep 23 17:09:53 2017 : Info: [eap] Failed in handler
Sat Sep 23 17:09:53 2017 : Info: ++[eap] = invalid
Sat Sep 23 17:09:53 2017 : Info: +} # group authenticate = invalid
Sat Sep 23 17:09:53 2017 : Info: Failed to authenticate the user.
Anything to do with it?
-
please try with this (suggestions from realflow):
sudo mkdir -p /etc/zentyal/stubs/samba
sudo cp /usr/share/zentyal/stubs/samba/smb.conf.mas /etc/zentyal/stubs/samba/smb.conf.mas
sudo sed -i '/\[global\]/a lanman auth = yes\nntlm auth = yes' /etc/zentyal/stubs/samba/smb.conf.mas
sudo zs samba restart
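An added example, not part of the post above: the two lines the sed command inserts turn LANMAN and NTLMv1 authentication on in Samba, and running the command a second time inserts them again. The function below (its name and the sample stub are constructed for illustration) reads smb.conf text and reports the effective [global] value of each parameter and how many times it is set.

```shell
#!/bin/sh
# Added example: audit the [global] section of smb.conf text for the two
# legacy-auth parameters the sed command inserts.

# Constructed sample: a stub after the sed command has been run twice.
sample_stub() {
cat <<'EOF'
[global]
lanman auth = yes
ntlm auth = yes
lanman auth = yes
ntlm auth = yes
    workgroup = EXAMPLE
[homes]
    ntlm auth = no
EOF
}

# Reads smb.conf text on stdin. Prints one line per parameter and returns 1
# when either parameter is enabled in [global].
weak_auth_report() {
    awk '
        # Samba ignores case and whitespace in section and parameter names.
        function squash(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        function trim(s)   { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return tolower(s) }
        /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines
        /^[ \t]*\[/ {                               # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
            in_global = (squash(sec) == "global"); next
        }
        in_global && (eq = index($0, "=")) {
            key = squash(substr($0, 1, eq - 1))
            if (key == "ntlmauth" || key == "lanmanauth") {
                val[key] = trim(substr($0, eq + 1))  # the last assignment wins
                seen[key]++
            }
        }
        END {
            n = split("lanmanauth ntlmauth", keys, " ")
            for (i = 1; i <= n; i++) {
                k = keys[i]; v = (k in val) ? val[k] : "unset"
                on = (v == "yes" || v == "true" || v == "1")
                printf "%s value=%s lines=%d legacy_enabled=%s\n", k, v, seen[k] + 0, (on ? "yes" : "no")
                if (on) bad = 1
            }
            exit bad + 0
        }
    '
}

sample_stub | weak_auth_report || echo "legacy auth is enabled in [global]"
```

On a server, feed it the generated configuration instead of the sample, for example `weak_auth_report < /etc/samba/smb.conf`.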
-
Works!!!
Great Job, Thanks!
-
I try to use the RADIUS server to authenticate with Mikrotik devices to Login.
I have added the devices to the Radius clients, and added a usergroup "radusers" as told in another guide.
Although, now I get the message on the radius server: "Login incorrect"
I have checked the passwords multiple times and still I'm getting this error.
Does anybody have a clue where to look?
-
please post the freeradius verbose logging output during the connection:
sudo zs radius stop
sudo freeradius -XXX
-
Please see in attachment the full log
-
please try one more time with this:
sudo zs radius stop
sudo killall freeradius
sudo freeradius -XXX
-
There you go :-)
-
sorry but there is no client connection info,
please run the commands and try connecting with your client (Mikrotik device).
-
Oh ok, now there's client info included, tried 2 times
If it can be any help, this is what I found:
Hi
I had the same problem before, my problem solved by moving some lines in /usr/local/etc/raddb/sites-enabled/default
I'm using SQL so I load SQL module and pap, chap
I've changed the lines from
chap
sql
pap
to:
sql
pap
chap
so freeradius first loads the sql and then loads the chap, so it could locate password in SQL.
But I can't find that file...
-
please create new client under Radius - General configuration:
IP Address: 127.0.0.1/32
Shared Secret: your supersecret password
test the connection on the server with (modify the username and passwords):
radtest -t mschap your_raduser raduser_password 127.0.0.1:1812 0 shared_secret_password
-
Login OK from local
But still not ok from Mikrotik device
-
bad news:
Mikrotik uses CHAP auth. with clear text password for login,
this combination of auth. is not supported under zentyal LDAP (PEAP-MSCHAPv2+MD5).
-
And is there a possibility to disable LDAP so this will work?
-
no, because the zentyal-radius concept is LDAP based...
-
hello, do you have any guidelines to configure MySQL + freeradius mode EAP TTLS + PAP and the hostapd for a TL-WDN4800 adapter?
-
no i do not have...
-
I've zentyal 4.2, configured in April 2017
all ok since a couple of weeks ago
now radius doesn't work any more, maybe I need some fix for recent zentyal updates?
EDIT: tried to reinstall module, I can't any more....
1st, I think there is an error, you wrote:
sudo apt-get install -y ./zentyal-radius_4.0_all.deb
but the package is 4.2
and then this is the error (final part, it's very long):
E: Release "zentyal-radius_4.2_all.deb" per "python-sievelib" not found.
E: Release "zentyal-radius_4.2_all.deb" per "python-spyne" not found.
E: Release "zentyal-radius_4.2_all.deb" per "python2.7-rpclib" not found.
E: Release "zentyal-radius_4.2_all.deb" per "python2.7-spyne" not found.
E: Release "zentyal-radius_4.2_all.deb" per "sogo-activesync" not found.
E: Release "zentyal-radius_4.2_all.deb" per "z-push" not found.
E: Release "zentyal-radius_4.2_all.deb" per "sogo-dev" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zenbuntu-core" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zenbuntu-desktop" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zentyal" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zentyal-software" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zentyal-all" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zentyal-openchange" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zentyal-mail" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zentyal-antivirus" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zentyal-mailfilter" not found.
E: Release "zentyal-radius_4.2_all.deb" per "dovecot-openchange-plugin" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zoctools-dbg" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zoctools" not found.
E: Release "zentyal-radius_4.2_all.deb" per "zsupporttools" not found.
-
yes it is 4.2, modified...
-
ok, I renamed it but I get those errors when trying to install
it seems some packages/dependencies are missing
-
try with:
cd /tmp
sudo dpkg -i zentyal-radius_4.2_all.deb
sudo apt-get install -f -y
sudo service zentyal webadmin restart
-
I've removed all and tried to reinstall all, and I have a problem with package freeradius-ldap: (in Italian, sorry)
(Lettura del database... 67416 file e directory attualmente installati.)
Preparing to unpack freeradius-ldap_2.1.12+dfsg-1.2ubuntu8.2_amd64.deb ...
Unpacking freeradius-ldap (2.1.12+dfsg-1.2ubuntu8.2) over (2.1.12+dfsg-1.2ubuntu8.2) ...
Configurazione di freeradius-ldap (2.1.12+dfsg-1.2ubuntu8.2)...
reload: Unknown instance:
invoke-rc.d: initscript freeradius, action "force-reload" failed.
dpkg: error processing package freeradius-ldap (--install):
il sottoprocesso installato script di post-installation ha restituito lo stato di errore 1
Si sono verificati degli errori nell'elaborazione:
freeradius-ldap
EDIT: fixed, as written here https://askubuntu.com/questions/507040/invoke-rc-d-initscript-freeradius-action-force-reload-failed-while-config I edited /var/lib/dpkg/info/freeradius-ldap.postinst and it works! thanks
-
Hi, can you add 5.1 patch, please? The old 5.0 patch isn't usable due to 5.0 zentyal-core dependency.
EDIT: Guess it was as easy as editing the patch file by changing all the 5.0 mentions to 5.1 and changing the dependency from <<5.1 to <<5.2. All the bash commands need to change accordingly of course.
It installs correctly. Let's hope it works too.
EDIT 2: Well, it does.
Here's the file for those lazy ones. Use it to your liking: https://drive.google.com/file/d/1zXYnpABblfWwnWv5r8ip6LBuR87p5dxv
and don't forget to change this part of the original guide:
wget 'https://drive.google.com/file/d/1zXYnpABblfWwnWv5r8ip6LBuR87p5dxv' -O zentyal-radius-5.1.patch
patch -t -p1 -i zentyal-radius-5.1.patch
cd zentyal-radius-5.1
.
.
sudo apt install -y ./zentyal-radius_5.1_all.deb
-
added to instructions...
-
Can anyone help me?
Error: TLS Alert read:fatal:unknown CA
Error: TLS_accept: failed in unknown state
Error: rlm_eap: SSL error error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Auth: Login incorrect (TLS Alert read:fatal:unknown CA):
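An added example, not part of any post in this thread: a small triage filter for the FreeRADIUS debug output quoted above, which attaches to each "Login incorrect" line the failure message logged just before it. The function name, the reason labels and the sample lines are constructed for illustration; the two message patterns are the ones that appear in this thread.

```shell
#!/bin/sh
# Added example: summarise rejects in freeradius debug output.

# Constructed sample, modelled on the log lines posted in this thread.
sample_log() {
cat <<'EOF'
Sat Sep 23 17:09:53 2017 : Info: [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Sat Sep 23 17:09:53 2017 : Info: [eap] Failed in handler
Sat Sep 23 17:09:53 2017 : Auth: Login incorrect: [user] (from client 192.168.1.2/32 port 40 cli 90fd6153bfc4)
Sat Sep 23 17:10:20 2017 : Error: TLS Alert read:fatal:unknown CA
Sat Sep 23 17:10:20 2017 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [alice] (from client 192.0.2.10/32 port 7 cli 001122334455)
Sat Sep 23 17:10:41 2017 : Auth: Login incorrect: [bob] (from client 192.0.2.10/32 port 8 cli 66778899aabb)
EOF
}

# Reads the log on stdin and prints one line per reject.
# Assumption: requests are not interleaved, as in a single-client debug run.
radius_reject_summary() {
    awk '
        # The server holds no EAP session state matching this response.
        /\[eap\] Either EAP-request timed out/ { reason = "eap-no-matching-session" }
        # The supplicant sent a fatal alert: it does not trust the CA that
        # issued the server certificate.
        /TLS Alert read:fatal:unknown CA/      { reason = "client-rejected-server-ca" }
        / Auth: Login incorrect/ {
            rest = substr($0, index($0, "Login incorrect"))
            user = "?"; client = "?"; cli = "?"
            if (match(rest, /\[[^]]*\]/))       user   = substr(rest, RSTART + 1, RLENGTH - 2)
            if (match(rest, /from client [^ ]+/)) client = substr(rest, RSTART + 12, RLENGTH - 12)
            if (match(rest, / cli [^ )]+/))     cli    = substr(rest, RSTART + 5, RLENGTH - 5)
            printf "user=%s client=%s cli=%s reason=%s\n", user, client, cli, (reason == "" ? "unclassified" : reason)
            reason = ""                         # start fresh for the next request
        }
    '
}

sample_log | radius_reject_summary
```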
-
interesting post I have zentyal 5.1 installed, I followed the steps and everything went well,
which I notice something curious when I compile zentyal-radius-5.1 I created a .deb
with the name of zentyal-radius_5.0_all.deb and not 5.1 as it says in the steps to follow, would
sudo apt install -y ./zentyal-radius_5.0_all.deb.
I only make the clarification so that it is known and it does not hinder the installation,
as I said so and everything works wonders. Thank you very much Julio
when you have problems with the dependencies when installing
sudo apt install -y ./zentyal-radius_X.X_all.deb
simply sudo dpkg --configure -a
install the dependencies and solve
-
thanks for the hint, corrected...
-
zentyal 4.2
sometimes freeradius stops, in logs I found: "Info: Signalled to terminate"
so I've found in /etc/logrotate.d/freeradius the command
invoke-rc.d freeradius reload >/dev/null 2>&1 || true
I change reload with restart, I'll check next days if it works
-
We've just released Zentyal 6.0 with zentyal-radius included in the official repository, integrating FreeRADIUS 3.0 on Ubuntu 18.04.
Many thanks to julio for all the patches on the previous versions!!
-
I'm glad I was able to help. :)
-
There is a ticket about it:
- https://github.com/zentyal/zentyal/issues/1839
-
Hello
In zentyal 5.1 I can not pass this code, I get an error when creating the patch.
but the patch was generated with zentyal 5.0 it works.
It will be that I can use 5.0 to install
wget 'https://drive.google.com/uc?export=download&id=1K99PAIAHl1j4bnBxcTMyXgKpJEpTQflB' -O zentyal-radius-5.1.patch
patch -t -p1 -i zentyal-radius-5.1.patch
I appreciate your valuable response
the error appears
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
-
Hello. I'm using radius on zentyal 6 installed over ubuntu 18.04. I use it with ubiquiti APs to manage users' access to the wifi network. I set my zentyal as secondary domain. So now I can connect with domain credentials from any devices (iPhone, Android, Linux) except windows 10 machines. On windows 10 I see "Can't connect to this network". I read that after November update there is an issue in connecting to a WPA-2 Enterprise network. But it said there that on freeradius 3.0.9 and higher this issue is fixed. My zentyal installed 3.0.16 freeradius, so everything should be Ok, but it isn't. I can connect only if I add network manually, setting security type as WPA-Enterprise AES, EAP method PEAP and Authentication method - security password EAP-MSCHAP v2. After that I can connect to my network and enter my credentials on win10 machines. Is there any way to reach smooth connection without this shamanism, because it's difficult for users?