[Bug 912714] New: freeradius can't use ntlm_auth
http://bugzilla.opensuse.org/show_bug.cgi?id=912714

Bug ID: 912714
Summary: freeradius can't use ntlm_auth
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Hardware: x86-64
OS: openSUSE 13.1
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Samba
Assignee: samba-maintainers@SuSE.de
Reporter: fabian@ritter-vogt.de
QA Contact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

I set up a freeradius server and configured it to use ntlm_auth for MSCHAPv2 authentication and it doesn't work ootb: "Reading winbind reply failed!".

It works after I "chmod u+s `which ntlm_auth`", but of course this is not the best solution.

It'd be good to be able to use freeradius and ntlm_auth together without having to fiddle with file permissions.

I don't know whether it changed in 13.2, but I know for sure that this issue is present in both 12.2 and 13.1.

--
You are receiving this mail because:
You are on the CC list for the bug.
David Disseldorp
Fabian Vogt
--- Comment #3 from David Disseldorp
> Thanks, executing setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged is enough for ntlm_auth to work correctly.
Glad to hear. Thanks for testing.
> Could this become default as it's definitely not a security issue to grant read access to radiusd?
Winbind currently ships with the following permissions and ownership:

    drwxr-x--- 2 root winbind 4096 Oct 15 12:08 /var/lib/samba/winbindd_privileged/

The Squid proxy user (squid) adds itself to the winbind group on installation. I expect FreeRADIUS should do the same for the radiusd user.

Squid uses the following spec file magic to perform this:

    %pre
    # we need this group for squid (ntlmauth)
    # read access to /var/lib/samba/winbindd_privileged
    if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
        %{_sbindir}/groupadd -r winbind 2>/dev/null
    fi
    if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
        %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
            -G winbind -g nogroup -o -u 31 -r -s /bin/false \
            %{name} 2>/dev/null
    fi
    # if squid is not member of winbind, add him
    if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then
        %{_sbindir}/groupmod -A %{name} winbind 2>/dev/null
    fi
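An added example, not part of the bug thread or of either package: a shell audit that reports which of the access paths discussed above (winbind group membership, a setfacl entry, or a setuid ntlm_auth) a service user depends on. The function names are hypothetical; the directory path and the radiusd user are taken from the thread, and `stat -c` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example: how does a service user reach winbindd's privileged directory?
# dir_access/audit are hypothetical names; path and user come from the thread.
PRIV_DIR=${PRIV_DIR:-/var/lib/samba/winbindd_privileged}

# True when an octal permission digit grants both read and execute (r-x).
has_rx() { [ $(( $1 & 5 )) -eq 5 ]; }

# dir_access MODE OWNER GROUP USER "USER'S GROUPS"
# Prints owner|group|other|none: the permission class that gives USER r-x.
# Follows Unix semantics (first matching class decides); ACLs and root's
# override are not modelled here.
dir_access() {
    p=${1#"${1%???}"}                      # last three octal digits of MODE
    u=${p%??}; g=${p%?}; g=${g#?}; o=${p#??}
    if [ "$4" = "$2" ]; then
        has_rx "$u" && echo owner || echo none
    elif printf '%s\n' $5 | grep -qxF -- "$3"; then
        has_rx "$g" && echo group || echo none
    else
        has_rx "$o" && echo other || echo none
    fi
}

# audit USER: inspect the live system and report each access path in use.
audit() {
    user=$1
    [ -d "$PRIV_DIR" ] || { echo "no $PRIV_DIR on this host"; return 0; }
    set -- $(stat -c '%a %U %G' "$PRIV_DIR")
    how=$(dir_access "$1" "$2" "$3" "$user" "$(id -nG "$user" 2>/dev/null)")
    echo "$user: mode-bit access to $PRIV_DIR via: $how"
    # A per-user ACL entry (the setfacl approach) shows up as user:NAME:r-x.
    if command -v getfacl >/dev/null 2>&1 &&
       getfacl -p "$PRIV_DIR" 2>/dev/null | grep -q "^user:$user:r.x"; then
        echo "$user: ACL entry grants r-x"
    fi
    # The chmod u+s workaround leaves ntlm_auth setuid for every local user.
    if bin=$(command -v ntlm_auth) && [ -u "$bin" ]; then
        echo "WARNING: $bin is setuid; remove once group or ACL access works"
    fi
    return 0
}

# Run the audit only when a user name is given, e.g.: sh audit.sh radiusd
if [ $# -gt 0 ]; then audit "$1"; fi
```
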
David Disseldorp