OK, the issue is fixed in SAMBA 3.5.6. It's a horrible, dirty fix, but to get 3.5.6 into 10.04 quickly:
0) Back up smb.conf
1) # aptitude purge samba winbind samba-common
2) add these 2 lines to /etc/apt/sources.list
   deb http://gb.archive.ubuntu.com/ubuntu/ natty main restricted
   deb-src http://gb.archive.ubuntu.com/ubuntu/ natty main restricted
3) # aptitude update
4) # aptitude install samba winbind
5) replace smb.conf
6) reboot / restart smbd / nmbd / winbind
7) remove the two lines from /etc/apt/sources.list

After this, you will need to keep an eye on the Ubuntu repository for security updates - as the packages have been pulled from a different repository they will not be updated automatically. If an update is required, add the two lines again and do:

# aptitude update
# aptitude install samba winbind

When natty hits stable (some time in April?) I'll make a backport request for samba, so 3.5.6 might get included in the backports repository.

Adam Bishop

On 01/02/2011 15:16, "Heikki Vatiainen" <h...@open.com.au> wrote:

>On 02/01/2011 03:49 PM, Adam Bishop wrote:
>> Encountering an odd issue with MSCHAPv2/PEAP
>>
>> I have 2 Radiator instances, one based on Debian 5, one on Ubuntu
>> 10.04 LTS. They share a config file (barring secrets), and the Debian
>> one works fine. There is a difference in patch level; if I remember
>> correctly, the Debian install is a few patches out of date.
>>
>> The Ubuntu one accepts PAP, TTLS/PAP and TTLS/MSCHAPv2, but
>> PEAP/MSCHAPv2 fails. The system is authenticated against Active
>> Directory - ntlm_auth --request-nt-key works.
>>
>> The only thing that stands out in the proxied trace is the MD5 failure
>> - libdigest-md5-perl is installed (as far as I know) and seems to be
>> used:
>>
>> root@orps3:/var/log/radiator# lsof -p 1488 | grep -i md5
>> radiusd 1488 root mem REG 251,3 18640 525298 /usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
>>
>> The direct trace is just weird: NTLM_AUTH seems to give the OK, then...
>> nothing.
>>
>> Any suggestions anyone has are appreciated.
>
>You should list the EAP types separated by commas, not one per line. If
>you have them one per line, I think the last one is the only type
>Radiator is told to use.
>
>About the MD5 failure, the client does not like the suggested EAP type
>(MD5-Challenge) and sends a NAK, so that's why there is the failure.
>
>You may want to remove both instances of the MD5-Challenge EAPType unless you
>know you need it. For PEAP, EAPType MSCHAP-V2 is usually enough.
>
>The "then ... Nothing." behaviour after ntlm_auth looks like what was
>seen earlier, and the reason was ntlm_auth returning incorrect values,
>which make the MSCHAPv2 server authentication fail for the client. In
>other words, the client thinks the server failed to authenticate itself and
>the client stops the authentication process.
>
>Please see the ntlm_auth thread from last September:
>http://www.open.com.au/pipermail/radiator/2010-September/thread.html#16658
>
>--
>Heikki Vatiainen <h...@open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
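The sources.list juggling in steps 2 and 7 above (and again whenever a security update is needed) is easy to get wrong by hand: a line left behind keeps the whole box pulling packages from a release it does not run, and a line removed too early means the update is missed. The following script is an added example, not part of the original post or of Samba or Radiator; it adds and removes exactly the two natty lines from the thread and reports whether they are present, so the temporary repository can be checked and cleaned up. It assumes a plain /etc/apt/sources.list (override with the SOURCES variable, e.g. a scratch copy, to try it without touching the system) and the gb.archive.ubuntu.com mirror quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): manage the temporary natty
# lines in sources.list used to pull samba 3.5.6 onto 10.04, so they can be
# added for the install and reliably removed afterwards.
set -e

# Path assumption: the stock sources.list; set SOURCES to a scratch copy to test.
SOURCES="${SOURCES:-/etc/apt/sources.list}"
NATTY_DEB='deb http://gb.archive.ubuntu.com/ubuntu/ natty main restricted'
NATTY_SRC='deb-src http://gb.archive.ubuntu.com/ubuntu/ natty main restricted'

# Step 2 / "add the two lines again": append each natty line unless the exact
# line is already present, so repeated runs do not pile up duplicates.
natty_add() {
    for line in "$NATTY_DEB" "$NATTY_SRC"; do
        grep -qxF -- "$line" "$SOURCES" 2>/dev/null || printf '%s\n' "$line" >> "$SOURCES"
    done
}

# Step 7: drop exactly those two lines and nothing else.  The file is rewritten
# in place (cat > file) rather than mv'd so its ownership and mode survive.
natty_remove() {
    tmp="$SOURCES.tmp.$$"
    grep -vxF -e "$NATTY_DEB" -e "$NATTY_SRC" "$SOURCES" > "$tmp" || true
    cat "$tmp" > "$SOURCES"
    rm -f "$tmp"
}

# Exit status 0 when the natty deb line is present, 1 when it is not.  Useful
# as a periodic check that the temporary repository did not get left enabled.
natty_present() {
    grep -qxF -- "$NATTY_DEB" "$SOURCES" 2>/dev/null
}

# Usage: sh natty-repo.sh add|remove|status
#   add    -> run before "aptitude update && aptitude install samba winbind"
#   remove -> run straight after the install so no further natty packages leak in
#   status -> prints "present" or "absent"
case "${1:-}" in
    add)    natty_add ;;
    remove) natty_remove ;;
    status) if natty_present; then echo present; else echo absent; fi ;;
esac
```

Because the natty packages will never be refreshed by the 10.04 repositories, `status` is the check worth wiring into whatever you use to audit hosts: it should say `absent` at all times except during the few minutes of an install or update.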