Machine Accounts against AD
Michael Griego
mgriego at utdallas.edu
Tue Oct 31 00:49:54 CET 2006
I'm not sure 1.0.4 had that fix in the rlm_mschap module. If you
need to use 1.0.4 for some reason, you may have to backport the patch
from a later version of the module.
--Mike
On Oct 30, 2006, at 5:10 PM, King, Michael wrote:
> I had this working before, and I can't figure out what I'm missing
> to get it working on this server.
>
> Samba Version 3.0.23b
> FreeRADIUS version 1.0.4
>
> Users successfully authenticate with the domain, Machine accounts
> do not however.
>
> My ntlm_auth line is:
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
>
> I have:
> with_ntdomain_hack = yes
> in the mschap section.
>
> The debug is below
>
> The only thing that looks different than last time is it looks like
> the host/ isn't getting stripped off. Should it?
>
>
>
> rad_recv: Access-Request packet from host 10.0.1.22:32769, id=171,
> length=324
> User-Name = "host/boytel2883.campus.bridgew.edu"
> Calling-Station-Id = "00-90-96-F4-2A-BB"
> Called-Station-Id = "00-0B-85-5B-55-A0:test"
> NAS-Port = 29
> NAS-IP-Address = 10.0.1.22
> NAS-Identifier = "BUWISM2-2"
> Vendor-14179-Attr-1 = 0x00000007
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "4000"
> EAP-Message =
> 0x0207007419001703010069fad4edfbbed6d8fb51dcf6cb01ead274ca25439081be39
> 55bfd614a066335309bfcc72d0f20a0891d43fd085e948c3a635622fcd52658bdc8179
> 70b87e859a66ec970d7433349e6cbd2d19184182eb762ea246e13202349e8c32c8acd5
> e5c322df88f7fd45aa24e13f
> State = 0xdfdc87766140b541e2ac318d7ce82e0f
> Message-Authenticator = 0x42318a374d505be3af9ffa7af0c39484
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 19
> modcall[authorize]: module "preprocess" returns ok for request 19
> modcall[authorize]: module "chap" returns noop for request 19
> modcall[authorize]: module "mschap" returns noop for request 19
> rlm_realm: No '@' in User-Name = "host/
> boytel2883.campus.bridgew.edu", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 19
> rlm_eap: EAP packet type response id 7 length 116
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 19
> users: Matched entry DEFAULT at line 152
> users: Matched entry DEFAULT at line 171
> modcall[authorize]: module "files" returns ok for request 19
> modcall: group authorize returns updated for request 19
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 19
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> rlm_eap_peap: Tunneled data is valid.
> PEAP: Setting User-Name to host/boytel2883.campus.bridgew.edu
> PEAP: Adding old state with f4 4b
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 19
> modcall[authorize]: module "preprocess" returns ok for request 19
> modcall[authorize]: module "chap" returns noop for request 19
> modcall[authorize]: module "mschap" returns noop for request 19
> rlm_realm: No '@' in User-Name = "host/
> boytel2883.campus.bridgew.edu", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 19
> rlm_eap: EAP packet type response id 7 length 93
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 19
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module "files" returns ok for request 19
> modcall: group authorize returns updated for request 19
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 19
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 19
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for host/
> boytel2883.campus.bridgew.edu with NT-Password
> radius_xlat: Running registered xlat function of module mschap for
> string 'User-Name'
> radius_xlat: Running registered xlat function of module mschap for
> string 'Challenge'
> mschap2: c4
> radius_xlat: Running registered xlat function of module mschap for
> string 'NT-Response'
> radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=host/
> boytel2883.campus.bridgew.edu --challenge=896edabb073ecbba --nt-
> response=ed45bb2d412865db09406089a5c4145c142b682a469717cb'
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=host/
> boytel2883.campus.bridgew.edu --challenge=896edabb073ecbba --nt-
> response=ed45bb2d412865db09406089a5c4145c142b682a469717cb
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.
> rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
> modcall[authenticate]: module "mschap" returns reject for request 19
> modcall: group Auth-Type returns reject for request 19
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 19
> modcall: group authenticate returns reject for request 19
> auth: Failed to validate the user.
> Login incorrect: [host/boytel2883.campus.bridgew.edu] (from client
> localhost port 0)
> PEAP: Tunneled authentication was rejected.
> rlm_eap_peap: FAILURE
> modcall[authenticate]: module "eap" returns handled for request 19
> modcall: group authenticate returns handled for request 19
> Sending Access-Challenge of id 171 to 10.0.1.22:32769
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message =
> 0x010800261900170301001b117712344a946d2ec4a5810ca84e7e8d679cd4db81a9d3
> ba62f02c
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xda9104a0e99cbf878c499197750025dd
> Finished request 19
> Going to the next request
> Waking up in 3 seconds...
> rad_recv: Access-Request packet from host 10.0.1.22:32769, id=172,
> length=246
> User-Name = "host/boytel2883.campus.bridgew.edu"
> Calling-Station-Id = "00-90-96-F4-2A-BB"
> Called-Station-Id = "00-0B-85-5B-55-A0:test"
> NAS-Port = 29
> NAS-IP-Address = 10.0.1.22
> NAS-Identifier = "BUWISM2-2"
> Vendor-14179-Attr-1 = 0x00000007
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "4000"
> EAP-Message =
> 0x020800261900170301001b8391b7780fd0e65e7da0ff923b9c0239457f612ac17c79
> 044626be
> State = 0xda9104a0e99cbf878c499197750025dd
> Message-Authenticator = 0x58d7a64496d15d4c60e90495b86ab1db
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 20
> modcall[authorize]: module "preprocess" returns ok for request 20
> modcall[authorize]: module "chap" returns noop for request 20
> modcall[authorize]: module "mschap" returns noop for request 20
> rlm_realm: No '@' in User-Name = "host/
> boytel2883.campus.bridgew.edu", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 20
> rlm_eap: EAP packet type response id 8 length 38
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 20
> users: Matched entry DEFAULT at line 152
> users: Matched entry DEFAULT at line 171
> modcall[authorize]: module "files" returns ok for request 20
> modcall: group authorize returns updated for request 20
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 20
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Tunneled data is valid.
> rlm_eap_peap: Had sent TLV failure, rejecting.
> rlm_eap: Handler failed in EAP/peap
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 20
> modcall: group authenticate returns invalid for request 20
> auth: Failed to validate the user.
> Login incorrect: [host/boytel2883.campus.bridgew.edu] (from client
> BUWiSM-2-2 port 29 cli 00-90-96-F4-2A-BB)
> Delaying request 20 for 1 seconds
> Finished request 20
>
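The thread turns on one detail: ntlm_auth is being handed the raw EAP identity host/boytel2883.campus.bridgew.edu, and AD has no account by that name, so it answers Logon failure (0xc000006d). Later rlm_mschap releases map a host/fqdn identity to the computer object's sAMAccountName (HOSTNAME$) before calling ntlm_auth, which is the "fix" Mike refers to. The example below is added here and is not code from the thread or from FreeRADIUS: it models that mapping (plus the with_ntdomain_hack DOMAIN\ strip) as an assumption about the later module's behaviour, builds the ntlm_auth argv from the page's own challenge and response values, and scans a constructed debug capture for the symptom. Function names, the regex, and the sample lines are all mine.

```python
import re
from typing import List, Optional

# NT status that the quoted debug output shows ntlm_auth returning.
NT_STATUS_LOGON_FAILURE = "0xc000006d"


def normalize_mschap_username(identity: str, with_ntdomain_hack: bool = True) -> str:
    """Turn an EAP/MS-CHAP identity into the account name for ntlm_auth.

    Assumed behaviour (modelled on later rlm_mschap releases, not a copy of
    the module's code):
      * with_ntdomain_hack drops a leading "DOMAIN\\" so AD sees just the user;
      * a machine identity "host/fqdn" becomes "HOSTNAME$", the sAMAccountName
        of the computer object, because AD has no account called "host/...".
    """
    name = identity
    if with_ntdomain_hack and "\\" in name:
        name = name.split("\\", 1)[1]
    if name.startswith("host/"):
        short = name[len("host/"):].split(".", 1)[0]
        if not short:
            raise ValueError(f"machine identity {identity!r} has no hostname")
        name = short + "$"
    return name


def build_ntlm_auth_argv(identity: str, challenge_hex: str, nt_response_hex: str,
                         ntlm_auth: str = "/usr/bin/ntlm_auth") -> List[str]:
    """Build the argv that the ntlm_auth line in radiusd.conf expands to.

    Returned as a list (no shell), so the peer-controlled User-Name is never
    shell-interpreted. MS-CHAPv2 gives ntlm_auth an 8-byte challenge and a
    24-byte NT response, so the hex strings must be exactly 16 and 48 chars.
    """
    for label, value, size in (("challenge", challenge_hex, 16),
                               ("nt-response", nt_response_hex, 48)):
        if len(value) != size or not re.fullmatch(r"[0-9a-fA-F]+", value):
            raise ValueError(f"{label} must be {size} hex characters, got {value!r}")
    return [
        ntlm_auth,
        "--request-nt-key",
        f"--username={normalize_mschap_username(identity)}",
        f"--challenge={challenge_hex}",
        f"--nt-response={nt_response_hex}",
    ]


def diagnose_logon_failure(debug_lines: List[str]) -> Optional[str]:
    """Look through a FreeRADIUS debug capture for the symptom in the thread:
    ntlm_auth invoked with an unstripped host/ identity and AD answering
    logon failure. Returns a one-line explanation, or None if absent."""
    username = None
    failed = False
    for line in debug_lines:
        m = re.search(r"--username=(\S+)", line)
        if m:
            username = m.group(1)
        if NT_STATUS_LOGON_FAILURE in line:
            failed = True
    if failed and username and username.startswith("host/"):
        return (f"ntlm_auth was passed the raw identity {username!r}; "
                f"a machine account must be looked up as "
                f"{normalize_mschap_username(username)!r}")
    return None


# Constructed sample, reduced from the debug output quoted in the thread
# (the mail client wrapped the Exec-Program line; here it is one line).
SAMPLE_DEBUG = [
    "rlm_mschap: Told to do MS-CHAPv2 for host/boytel2883.campus.bridgew.edu with NT-Password",
    "Exec-Program: /usr/bin/ntlm_auth --request-nt-key "
    "--username=host/boytel2883.campus.bridgew.edu --challenge=896edabb073ecbba "
    "--nt-response=ed45bb2d412865db09406089a5c4145c142b682a469717cb",
    "Exec-Program output: Logon failure (0xc000006d)",
    "rlm_mschap: FAILED: MS-CHAP2-Response is incorrect",
]

if __name__ == "__main__":
    print(diagnose_logon_failure(SAMPLE_DEBUG))
    print(" ".join(build_ntlm_auth_argv(
        "host/boytel2883.campus.bridgew.edu",
        "896edabb073ecbba",
        "ed45bb2d412865db09406089a5c4145c142b682a469717cb")))
```

Run it against a saved `radiusd -X` capture to see whether the username on the Exec-Program line still carries the host/ prefix; if it does, the module in use is not doing the mapping, and either a newer rlm_mschap or the backported patch Mike mentions is needed.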