Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Pizu
Hello,

I am trying to use winbind and having the below error, can someone help?

Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at
compiled time
Error: /etc/raddb/mods-enabled/mschap[10]: Instantiation failed for module
"mschap"

My mschap config:

MSCHAP configuration
mschap {
    with_ntdomain_hack = yes
    use_mppe = yes
    require_encryption = no
    require_strong = no
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
    }

    passchange {
    }

    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "%{mschap:NT-Domain}"
}

Centos Version 7.9
FreeRADIUS Version 3.0.13
Winbind Version 4.10.16

Regards,

Pizu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Alan DeKok-2
On Apr 6, 2021, at 7:55 AM, Pizu <[hidden email]> wrote:
>
> I am trying to use winbind and having the below error, can someone help?
>
> Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at
> compiled time

  The server hasn't been built with winbind support.  Which means that you can't use it.

> Centos Version 7.9
> FreeRADIUS Version 3.0.13

  That's very old.  Use the updated builds at http://packages.networkradius.com

  I don't recall if they are built with winbind.  But it's easy enough to check.  Download them and try to use them.  If you get the same error, it's not supported.

  Alan DeKok.
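
A way to run that check before starting the server, added here as an example (it is not part of the post and not FreeRADIUS code): it compares whether the mschap config sets `winbind_username`/`winbind_domain` with whether the installed rlm_mschap module lists libwbclient in its `ldd` output. It assumes a winbind-enabled build is dynamically linked against libwbclient; the function names and sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare what the mschap config asks
# for with what the installed rlm_mschap module was linked against.

# True if the config has an uncommented winbind_username/winbind_domain.
config_wants_winbind() {
    grep -Eq '^[[:space:]]*winbind_(username|domain)[[:space:]]*=' "$1"
}

# True if ldd-style text on stdin lists libwbclient.
# Assumption: a winbind-enabled build of rlm_mschap links libwbclient.
module_links_wbclient() {
    grep -q 'libwbclient\.so'
}

# $1 = mschap config, $2 = file with saved `ldd rlm_mschap.so` output.
# Prints: ok | mismatch | unused
preflight() {
    if ! config_wants_winbind "$1"; then echo unused
    elif module_links_wbclient < "$2"; then echo ok
    else echo mismatch   # the server would refuse to instantiate mschap
    fi
}

# Constructed sample inputs (not captured from a real host).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'mschap {' '    use_mppe = yes' \
    '    winbind_username = "%{mschap:User-Name}"' \
    '    winbind_domain = "%{mschap:NT-Domain}"' '}' > "$tmp/wb.conf"
printf '%s\n' 'mschap {' '    use_mppe = yes' \
    '#   winbind_username = "%{mschap:User-Name}"' '}' > "$tmp/nowb.conf"
printf '\t%s\n' 'libwbclient.so.0 => /lib64/libwbclient.so.0 (0x0)' \
    'libc.so.6 => /lib64/libc.so.6 (0x0)' > "$tmp/ldd_wb.txt"
printf '\t%s\n' 'libc.so.6 => /lib64/libc.so.6 (0x0)' > "$tmp/ldd_nowb.txt"

echo "winbind config, module without libwbclient: $(preflight "$tmp/wb.conf" "$tmp/ldd_nowb.txt")"
echo "winbind config, module with libwbclient:    $(preflight "$tmp/wb.conf" "$tmp/ldd_wb.txt")"
echo "winbind lines commented out:                $(preflight "$tmp/nowb.conf" "$tmp/ldd_nowb.txt")"
```

On a real host, save the `ldd` output of the installed rlm_mschap.so (its location depends on the package) to a file and pass it to `preflight` together with /etc/raddb/mods-enabled/mschap.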




Re: Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Pizu
Hi Alan,

Thanks for your reply.

If I don't manage, which version do you suggest I should go?

Am going to test 802.1x with Cisco Switches.

Config am planning to use:

FreeRADIUS configuration

MSCHAP configuration
mschap {
    with_ntdomain_hack = yes
    use_mppe = yes
    require_encryption = no
    require_strong = no
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
    }

    passchange {
    }

    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "%{mschap:NT-Domain}"
}


LDAP configuration
ldap {
    server = 'corporatedomain.internal'
    port = 389
    identity = [hidden email]
    password = AD_PASSWORD
    base_dn = AD_BASE_DN
    sasl {
    }

    update {
        control:Password-With-Header    += 'userPassword'
        control:NT-Password     := 'ntPassword'
        reply:Reply-Message     := 'radiusReplyMessage'
        reply:Tunnel-Type       := 'radiusTunnelType'
        reply:Tunnel-Medium-Type    := 'radiusTunnelMediumType'
        reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'

        #  Where only a list is specified as the RADIUS attribute,
        #  the value of the LDAP attribute is parsed as a valuepair
        #  in the same format as the 'valuepair_attribute' (above).
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:              += 'radiusReplyAttribute'
    }

    edir = no

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }

    group {
        base_dn = "${..base_dn}"
        name_attribute = "CN"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }

    profile {
    }

    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }

        attribute {
            ipaddr              = 'radiusClientIdentifier'
            secret              = 'radiusClientSecret'
        }
    }

    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"

        type {
            start {
                update {
                    description := "Online at %S"
                }
            }

            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }

            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }

    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }

    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }

    tls {
    }

    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}


Unlang logic, sites-enabled/default
default
authorize {
    filter_username
    preprocess
    chap
    mschap
    digest
    suffix
    eap {
        ok = return
#       updated = return
    }

    files
    -sql
    expiration
    logintime
    pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

        mschap
        digest
        ldap
        eap
}

post-auth {
    if ((LDAP-Group == "RSSO - GroupA") || (LDAP-Group == "RSSO - GroupB")) {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "6"
            Tunnel-Private-Group-Id := "963"
        }
    }
    elsif (LDAP-Group == "RSSO - GroupH") {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "6"
            Tunnel-Private-Group-Id := "964"
        }
    }
    else {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "6"
            Tunnel-Private-Group-Id := "200"
        }
    }
}

Regards,

Pizu



Re: Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Josef Vybíhal
In reply to this post by Alan DeKok-2
The el7 packages have winbind support.
The el8 still might not:
http://freeradius.1045715.n5.nabble.com/CentOS-8-packages-missing-winbind-support-td5757447.html

J.


Re: Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Alan DeKok-2
In reply to this post by Pizu
On Apr 6, 2021, at 8:34 AM, Pizu <[hidden email]> wrote:
> If I don't manage, which version do you suggest I should go?

  Always use the latest version.

  If the packages don't have winbind enabled, then you will need to build it yourself from source.

> Am going to test 802.1x with Cisco Switches.
>
> Config am planning to use:

  We don't really review people's configurations.  There's just too much going on.  If it works, it works.  If it doesn't work, ask questions.

  Alan DeKok.



Re: Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Pizu
Thanks all for your help.

I'll go for the latest freeradius 3.0.21 just to be safe.

Regards,

Pizu



RE: Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Users mailing list
Read :
http://deployingradius.com/documents/configuration/active_directory.html

and

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory 

( mostly same info. )

Make sure you have the needed settings in samba/winbind.


Greetz,

Louis



Re: Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Pizu
Hi All,

Thanks for your help, I managed to make it work :)

Regards,

Pizu


On Tue, 6 Apr 2021 at 15:34, L.P.H. van Belle via Freeradius-Users <
[hidden email]> wrote:

> Read :
> http://deployingradius.com/documents/configuration/active_directory.html
>
> and
>
>
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> ( mostly same info. )
>
> Make sure you have the needed settings in samba/winbind.
>
>
> Greetz,
>
> Louis