Machine Accounts against AD

King, Michael MKing at bridgew.edu
Tue Oct 31 00:10:51 CET 2006


I had this working before, and I can't figure out what I'm missing to
get it working on this server.
 
Samba Version 3.0.23b
FreeRADIUS version 1.0.4
 
Users successfully authenticate with the domain; machine accounts, however,
do not.
 
My ntlm_auth line is:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
--nt-response=%{mschap:NT-Response}"
 
I have:
with_ntdomain_hack = yes
in the mschap section.
 
The debug is below
 
The only thing that looks different than last time is it looks like the
host/ isn't getting stripped off.  Should it?
 
 
 
rad_recv: Access-Request packet from host 10.0.1.22:32769, id=171,
length=324
        User-Name = "host/boytel2883.campus.bridgew.edu"
        Calling-Station-Id = "00-90-96-F4-2A-BB"
        Called-Station-Id = "00-0B-85-5B-55-A0:test"
        NAS-Port = 29
        NAS-IP-Address = 10.0.1.22
        NAS-Identifier = "BUWISM2-2"
        Vendor-14179-Attr-1 = 0x00000007
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "4000"
        EAP-Message =
0x0207007419001703010069fad4edfbbed6d8fb51dcf6cb01ead274ca25439081be3955
bfd614a066335309bfcc72d0f20a0891d43fd085e948c3a635622fcd52658bdc817970b8
7e859a66ec970d7433349e6cbd2d19184182eb762ea246e13202349e8c32c8acd5e5c322
df88f7fd45aa24e13f
        State = 0xdfdc87766140b541e2ac318d7ce82e0f
        Message-Authenticator = 0x42318a374d505be3af9ffa7af0c39484
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module "preprocess" returns ok for request 19
  modcall[authorize]: module "chap" returns noop for request 19
  modcall[authorize]: module "mschap" returns noop for request 19
    rlm_realm: No '@' in User-Name =
"host/boytel2883.campus.bridgew.edu", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 19
  rlm_eap: EAP packet type response id 7 length 116
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 19
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
  modcall[authorize]: module "files" returns ok for request 19
modcall: group authorize returns updated for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to host/boytel2883.campus.bridgew.edu
  PEAP: Adding old state with f4 4b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module "preprocess" returns ok for request 19
  modcall[authorize]: module "chap" returns noop for request 19
  modcall[authorize]: module "mschap" returns noop for request 19
    rlm_realm: No '@' in User-Name =
"host/boytel2883.campus.bridgew.edu", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 19
  rlm_eap: EAP packet type response id 7 length 93
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 19
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 19
modcall: group authorize returns updated for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 19
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for
host/boytel2883.campus.bridgew.edu with NT-Password
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
 mschap2: c4
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key
--username=host/boytel2883.campus.bridgew.edu
--challenge=896edabb073ecbba
--nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key
--username=host/boytel2883.campus.bridgew.edu
--challenge=896edabb073ecbba
--nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 19
modcall: group Auth-Type returns reject for request 19
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 19
modcall: group authenticate returns reject for request 19
auth: Failed to validate the user.
Login incorrect: [host/boytel2883.campus.bridgew.edu] (from client
localhost port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
  modcall[authenticate]: module "eap" returns handled for request 19
modcall: group authenticate returns handled for request 19
Sending Access-Challenge of id 171 to 10.0.1.22:32769
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message =
0x010800261900170301001b117712344a946d2ec4a5810ca84e7e8d679cd4db81a9d3ba
62f02c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xda9104a0e99cbf878c499197750025dd
Finished request 19
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.0.1.22:32769, id=172,
length=246
        User-Name = "host/boytel2883.campus.bridgew.edu"
        Calling-Station-Id = "00-90-96-F4-2A-BB"
        Called-Station-Id = "00-0B-85-5B-55-A0:test"
        NAS-Port = 29
        NAS-IP-Address = 10.0.1.22
        NAS-Identifier = "BUWISM2-2"
        Vendor-14179-Attr-1 = 0x00000007
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "4000"
        EAP-Message =
0x020800261900170301001b8391b7780fd0e65e7da0ff923b9c0239457f612ac17c7904
4626be
        State = 0xda9104a0e99cbf878c499197750025dd
        Message-Authenticator = 0x58d7a64496d15d4c60e90495b86ab1db
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 20
  modcall[authorize]: module "preprocess" returns ok for request 20
  modcall[authorize]: module "chap" returns noop for request 20
  modcall[authorize]: module "mschap" returns noop for request 20
    rlm_realm: No '@' in User-Name =
"host/boytel2883.campus.bridgew.edu", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 20
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 20
    users: Matched entry DEFAULT at line 152
    users: Matched entry DEFAULT at line 171
  modcall[authorize]: module "files" returns ok for request 20
modcall: group authorize returns updated for request 20
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 20
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap:  Had sent TLV failure, rejecting.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 20
modcall: group authenticate returns invalid for request 20
auth: Failed to validate the user.
Login incorrect: [host/boytel2883.campus.bridgew.edu] (from client
BUWiSM-2-2 port 29 cli 00-90-96-F4-2A-BB)
Delaying request 20 for 1 seconds
Finished request 20
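The name rewrite the question is about, as an added example (my code, not the poster's configuration or anything from FreeRADIUS or Samba): an Active Directory computer account is named after the short hostname with a trailing `$`, so a User-Name of `host/boytel2883.campus.bridgew.edu` has to reach ntlm_auth as `boytel2883$`, while `with_ntdomain_hack` only deals with a `DOMAIN\` prefix. The last function scans `radiusd -X` output for `Exec-Program:` lines that still pass `host/...` to ntlm_auth, which is exactly what the debug above shows just before the `Logon failure (0xc000006d)`. Function names and the re-joined sample line are mine.

```python
import re
import shlex

NTLM_AUTH = "/usr/bin/ntlm_auth"  # path from the post's ntlm_auth line

def normalize_mschap_username(user_name, ntdomain_hack=True):
    """Name ntlm_auth should look up: host/<fqdn> -> <shorthost>$ (AD computer
    accounts are named hostname + '$'); DOMAIN\\user -> user (what
    with_ntdomain_hack strips); anything else unchanged."""
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        return fqdn.split(".", 1)[0] + "$"
    if ntdomain_hack and "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name

def build_ntlm_auth_argv(user_name, challenge_hex, nt_response_hex):
    """argv for the ntlm_auth exec, with the username already normalized."""
    return [
        NTLM_AUTH,
        "--request-nt-key",
        "--username=" + normalize_mschap_username(user_name),
        "--challenge=" + challenge_hex,
        "--nt-response=" + nt_response_hex,
    ]

EXEC_LINE = re.compile(r"^Exec-Program: (?P<cmd>\S*ntlm_auth .*)$")

def find_unstripped_machine_logins(debug_lines):
    """Usernames from radiusd -X 'Exec-Program:' lines that still carry host/,
    i.e. machine-account attempts AD cannot match to a computer account."""
    hits = []
    for line in debug_lines:
        m = EXEC_LINE.match(line.strip())
        if m is None:
            continue
        for arg in shlex.split(m.group("cmd")):
            if arg.startswith("--username=host/"):
                hits.append(arg[len("--username="):])
    return hits

# Constructed sample: the post's Exec-Program line re-joined as radiusd prints it.
SAMPLE_DEBUG = [
    "Exec-Program: /usr/bin/ntlm_auth --request-nt-key"
    " --username=host/boytel2883.campus.bridgew.edu"
    " --challenge=896edabb073ecbba"
    " --nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb",
    "Exec-Program output: Logon failure (0xc000006d)",
]
```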

