freeradius and ntlm_auth howto
Stieven.Struyf at komatsu.eu
Thu Oct 26 16:24:06 CEST 2006
All,
I am trying to authenticate my wifi users via our AD. I'm finding bits and
pieces on the internet to configure things, but no completely usable
howto.
Can one of the users look at the output below and point me to the
correct solution/howto?
I setup smb.conf,krb5.conf and freeradius. I joined the server to the
domain and tested the connection with ntlm_auth:
[root at belx11ke ~]# /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --domain=KMT-EU.KMTG.NET
password:
NT_STATUS_OK: Success (0x0)
[root at belx11ke ~]#
Rights of the winbind pipe:
ls -l /var/cache/samba/winbindd_privileged
total 0
srwxrwxrwx 1 root root 0 Oct 25 14:46 pipe
Below is the debug output of freeradius:
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c300000000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
PEAP: Setting User-Name to KMT-EU.KMTG.NET\sstruyf
PEAP: Adding old state with a4 c3
PEAP: Sending tunneled request
EAP-Message = 0x020900521a0209004d3137d2b9533b5dbce9ca720a00d56208c300000000000000008a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972004b4d542d45552e4b4d54472e4e45545c73737472757966
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "KMT-EU.KMTG.NET\\sstruyf"
State = 0xa4c337a92357e8d90a5f8c64b37d2df1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "KMT-EU.KMTG.NET\sstruyf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "kmt-eu.kmtg.net" returns noop for request 7
rlm_realm: Looking up realm "KMT-EU.KMTG.NET" for User-Name = "KMT-EU.KMTG.NET\sstruyf"
rlm_realm: Found realm "KMT-EU.KMTG.NET"
rlm_realm: Adding Stripped-User-Name = "sstruyf"
rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
rlm_realm: Adding Realm = "KMT-EU.KMTG.NET"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "ntdomain" returns noop for request 7
rlm_eap: EAP packet type response id 9 length 82
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched sstruyf at 98
modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 7
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
rlm_mschap: Told to do MS-CHAPv2 for KMT-EU.KMTG.NET\sstruyf with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 95
rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=7b634e5c9dd73ddc --nt-response=8a0b7468748de41ff9fc510e9cc7afb6e1f9faaf0d9a9972
Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 7
modcall: group Auth-Type returns reject for request 7
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/<no User-Password attribute>] (from client localhost port 0)
Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 7
Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Stieven.Struyf at komatsu.eu
Tel. +32 (0)2 2552551
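The post shows ntlm_auth succeeding as root and then failing with "winbind client not authorized to use winbindd_pam_auth_crap" when radiusd runs it, and the `ls -l` covers only the `pipe` socket, not the winbindd_privileged directory that contains it. The script below is an added diagnostic, not code from the original post, FreeRADIUS or Samba: it reproduces the permission decision for an unprivileged user (assumed here to be a user named `radiusd`, the account name is an assumption) on both the directory (search bit) and the socket (write bit), and prints the usual fix, which is to keep the directory root-owned with mode 0750 but give it the group radiusd runs as. Testing as root, as in the post, proves nothing about this, because root bypasses the permission bits.

```shell
#!/bin/sh
# Added diagnostic (not from the original post, FreeRADIUS or Samba).
# The radiusd user name "radiusd" and the socket name "pipe" are assumptions;
# the directory path is the one from the post (other builds use
# /var/lib/samba or /var/run/samba). Parent directories (/var/cache/samba)
# must also be searchable, which is normally the case with mode 0755.

# bit_allowed MODE OWNER GROUP BIT USER "GROUPS"
#   MODE    octal mode as printed by `stat -c %a` (750, 1777, ...)
#   OWNER   owning user name, GROUP owning group name
#   BIT     4 = read, 2 = write, 1 = execute/search
#   USER    user to check; "GROUPS" its space-separated group list (`id -Gn`)
# Prints yes/no; exit status 0 when the bit is granted. Mirrors the kernel
# rule: owner bits if you own it, else group bits if you are in the group,
# else "other" bits; root bypasses all of them (CAP_DAC_OVERRIDE).
bit_allowed() {
    mode=$1; owner=$2; group=$3; bit=$4; user=$5; ugroups=$6
    if [ "$user" = root ]; then
        echo yes; return 0
    fi
    m=${mode#"${mode%???}"}           # last three octal digits (drop setuid/sticky)
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
    digit=$o
    if [ "$user" = "$owner" ]; then
        digit=$u
    else
        for grp in $ugroups; do
            if [ "$grp" = "$group" ]; then digit=$g; break; fi
        done
    fi
    if [ $((digit & bit)) -ne 0 ]; then echo yes; return 0; fi
    echo no; return 1
}

# winbind_pipe_check DIR USER
# Inspects the live filesystem: DIR is the winbindd_privileged directory,
# USER the account radiusd runs as (see user/group in radiusd.conf).
winbind_pipe_check() {
    dir=$1; user=$2
    grps=$(id -Gn "$user" 2>/dev/null) || { echo "no such user: $user"; return 2; }
    info=$(stat -c '%a %U %G' "$dir") || return 2
    set -- $info
    echo "$dir: mode $1 $2:$3"
    ok=0
    bit_allowed "$1" "$2" "$3" 1 "$user" "$grps" >/dev/null || {
        echo "  $user cannot search this directory"; ok=1; }
    pinfo=$(stat -c '%a %U %G' "$dir/pipe") || return 2
    set -- $pinfo
    echo "$dir/pipe: mode $1 $2:$3"
    bit_allowed "$1" "$2" "$3" 2 "$user" "$grps" >/dev/null || {
        echo "  $user cannot write to the socket"; ok=1; }
    if [ $ok -ne 0 ]; then
        # Usual fix: directory stays root-owned and 0750, group = radiusd's group.
        echo "fix: chgrp $(id -gn "$user") $dir && chmod 750 $dir"
    else
        echo "ok: $user can reach the winbind privileged pipe"
    fi
    return $ok
}

# Usage: sh winbind_check.sh /var/cache/samba/winbindd_privileged radiusd
if [ $# -ge 1 ]; then
    winbind_pipe_check "$1" "${2:-radiusd}"
fi
```

Run it as the same user radiusd is configured to run as, or as root with the user name as second argument; a world-writable socket inside a 0750 root:root directory, which is what the post's output is consistent with, fails on the directory check, and the printed chgrp/chmod line is the standard remedy.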