Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time

Hello,

I am trying to use winbind and having the below error, can someone help?

Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at
compiled time
Error: /etc/raddb/mods-enabled/mschap[10]: Instantiation failed for module
"mschap"

My mschap config:

MSCHAP configuration
mschap {
    with_ntdomain_hack = yes
    use_mppe = yes
    require_encryption = no
    require_strong = no
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
    }

    passchange {
    }

    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "%{mschap:NT-Domain}"
}

Centos Version 7.9
FreeRADIUS Version 3.0.13
Winbind Version 4.10.16

Regards,

Pizu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

On Apr 6, 2021, at 7:55 AM, Pizu <[hidden email]> wrote:
>
> I am trying to use winbind and having the below error, can someone help?
>
> Error: /etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at
> compiled time

  The server hasn't been built with winbind support.  Which means that you can't use it.

> Centos Version 7.9
> FreeRADIUS Version 3.0.13

  That's very old.  Use the updated builds at http://packages.networkradius.com

  I don't recall if they are built with winbind.  But it's easy enough to check.  Download them and try to use them.  If you get the same error, it's not supported.

  Alan DeKok.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Hi Alan,

Thanks for your reply.

If I don't manage, Which version do you suggest I should go?

Am going to test 802.1x with Cisco Switches.

Config am planning to use:

FreeRADIUS configuration

MSCHAP configuration
mschap {
    with_ntdomain_hack = yes
    use_mppe = yes
    require_encryption = no
    require_strong = no
    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
    }

    passchange {
    }

    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "%{mschap:NT-Domain}"
}


LDAP configuration
ldap {
    server = 'corporatedomain.internal'
    port = 389
    identity = [hidden email]
    password = AD_PASSWORD
    base_dn = AD_BASE_DN
    sasl {
    }

    update {
        control:Password-With-Header    += 'userPassword'
        control:NT-Password     := 'ntPassword'
        reply:Reply-Message     := 'radiusReplyMessage'
        reply:Tunnel-Type       := 'radiusTunnelType'
        reply:Tunnel-Medium-Type    := 'radiusTunnelMediumType'
        reply:Tunnel-Private-Group-ID   := 'radiusTunnelPrivategroupId'

        #  Where only a list is specified as the RADIUS attribute,
        #  the value of the LDAP attribute is parsed as a valuepair
        #  in the same format as the 'valuepair_attribute' (above).
        control:            += 'radiusControlAttribute'
        request:            += 'radiusRequestAttribute'
        reply:              += 'radiusReplyAttribute'
    }

    edir = no

    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }

    group {
        base_dn = "${..base_dn}"
        name_attribute = "CN"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }

    profile {
    }

    client {
        base_dn = "${..base_dn}"
        filter = '(objectClass=radiusClient)'
        template {
        }

        attribute {
            ipaddr              = 'radiusClientIdentifier'
            secret              = 'radiusClientSecret'
        }
    }

    accounting {
        reference = "%{tolower:type.%{Acct-Status-Type}}"

        type {
            start {
                update {
                    description := "Online at %S"
                }
            }

            interim-update {
                update {
                    description := "Last seen at %S"
                }
            }

            stop {
                update {
                    description := "Offline at %S"
                }
            }
        }
    }

    post-auth {
        update {
            description := "Authenticated at %S"
        }
    }

    options {
        chase_referrals = yes
        rebind = yes
        res_timeout = 10
        srv_timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }

    tls {
    }

    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 0
        idle_timeout = 60
    }
}


Unlang logic, sites-enabled/default
default
authorize {
    filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
#               updated = return
        }

    files
    -sql
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

        mschap
        digest
        ldap
        eap
}

post-auth {
    if ((LDAP-Group == "RSSO - GroupA") || (LDAP-Group == "RSSO - GroupB"))
{
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "6"
            Tunnel-Private-Group-Id := "963"
        }
    }
    elsif (LDAP-Group == "RSSO - GroupH") {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "6"
            Tunnel-Private-Group-Id := "964"
        }
    }
    else {
        update reply {
            Tunnel-Type := "VLAN"
            Tunnel-Medium-Type := "6"
            Tunnel-Private-Group-Id := "200"
        }
    }
}

Regards,

Pizu


On Tue, 6 Apr 2021 at 14:17, Alan DeKok <[hidden email]> wrote:
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

The el7 packages have winbind support.
The el8 still might not:
http://freeradius.1045715.n5.nabble.com/CentOS-8-packages-missing-winbind-support-td5757447.html

J.

On Tue, Apr 6, 2021 at 2:16 PM Alan DeKok <[hidden email]> wrote:
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

On Apr 6, 2021, at 8:34 AM, Pizu <[hidden email]> wrote:
> If I don't manage, Which version do you suggest I should go?

  Always use the latest version.

  If the packages don't have winbind enabled, then you will need to build it yourself from source.

> Am going to test 802.1x with Cisco Switches.
>
> Config am planning to use:

  We don't really review peoples configurations.  There's just too much going on.  If it works, it works.  If it doesn't work, ask questions.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thanks all for your help.

I'll go for the latest freeradius 3.0.21 just to be safe.

Regards,

Pizu


On Tue, 6 Apr 2021 at 14:37, Alan DeKok <[hidden email]> wrote:
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Read :
http://deployingradius.com/documents/configuration/active_directory.html

and

https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory 

( mostly same info. )

Make sure you have the needed settings in samba/winbind.


Greetz,

Louis



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Hi All,

Thanks for your help, I managed to make it work :)

Regards,

Pizu


On Tue, 6 Apr 2021 at 15:34, L.P.H. van Belle via Freeradius-Users <
[hidden email]> wrote:
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html