FR + ADS 2003 + ntlm_auth

Jacob Jarick mem.namefix at gmail.com
Tue Apr 24 09:10:11 CEST 2007


radiusd -X -f: http://pastebin.ca/455497

Alan, I have been trying to do my groundwork / homework is all, i.e.
research before asking.
It's simply a case of taking whatever support is available and not
always being aware who the devs are. When nothing you have tried works,
try something you haven't. It's rare to be told, don't google, ask.

Anyway, I apologize for getting testy, I should have said if there is
a doc I should be reading paste the link, rather than have me google,
find the incorrect one then be told the howto/document is incorrect.

Now regarding your document Alan,

Page 12 of 20

"Make sure that the following lines are uncommented and that the value
is the same as indicated here

authtype = MS-CHAP"

Is this the line in question?

"
        #  An example configuration for using /etc/smbpasswd.
        #
        #passwd etc_smbpasswd {
        #       filename = /etc/smbpasswd
        #       format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
 >     #       authtype = MS-CHAP
        #       hashsize = 100
        #       ignorenislike = no
        #       allowmultiplekeys = no
        #}
"

I have checked through the tutorial again, all my config files were in
order but ntlm_auth was failing for some reason, a reboot later and
all was well again.

Here is the output of my testing ntlm_auth, so you know I have the
samba side working.

"
[root@localhost ~]# net join -U Administrator
Administrator's password:
Using short domain name -- TFXSCHOOL
Joined 'LOCALHOST' to realm 'TFXSCHOOL.INTERNAL'
[root@localhost ~]# wbinfo -a jacob%pass
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user jacob%pass with plaintext password
challenge/response password authentication succeeded
[root@localhost ~]# ntlm_auth --request-nt-key --domain=tfxschool --username=jacob
password:
NT_STATUS_OK: Success (0x0)
[root@localhost ~]#
"

So that's samba checking passwords fine.

I ask because it is not under the "# Microsoft CHAP authentication"
section at all.

I went through the whole log this time (sorry, bad habit of scrolling
up for the last error then working on that one first).

"
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password
"

^ Does that mean it did not get sent the password, or simply that it
didn't find User-Password so it's using the found NT-Password?

And just below that (mem feels silly) I see:
"
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob
--domain=TFXSCHOOL --challenge=a1a6b069c8d565ac
--nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
Exec-Program output: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
"

Looking at resolving that issue right now.



On 4/24/07, Alan DeKok <aland at deployingradius.com> wrote:
> Jacob Jarick wrote:
> > Sorry to offend,
> > But I have been seeing a lot of "Docs warn you of this etc" but seeing as
> > there are so many conflicting documents seeing the generic reply when
> > I have read / googled high and low is quite frustrating.
>
>   The authors of the program you're using have told you what works and
> what doesn't.  You have a hard time believing them, because of some
> random web page that isn't associated with the project.
>
>   Is that really what you're saying?
>
>   If your boss tells you to come in to work at 9am, do you show up at
> noon, claiming confusion, because the 10 year old newspaper boy down the
> street said you could show up at noon?
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
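
Added example, not part of the thread or of FreeRADIUS: a small triage script for the `radiusd -X` excerpt above. It shows that the final "MS-CHAP2-Response is incorrect" line follows from the ntlm_auth helper being refused by winbindd, not from a bad password. The names `unwrap` and `diagnose` and the status table are this example's own; NT_STATUS_ACCESS_DENIED is the standard name for 0xc0000022 and does not appear in the post.

```python
import re

# The first two names appear in the post's own output; ACCESS_DENIED is the
# standard NT status name for 0xc0000022 (not printed in the post).
NT_STATUS = {0x0: "NT_STATUS_OK", 0xC0000064: "NT_STATUS_NO_SUCH_USER",
             0xC0000022: "NT_STATUS_ACCESS_DENIED"}

# Log excerpt from the post, with the mail client's line wrapping left in.
SAMPLE_LOG = """\
  rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob
--domain=TFXSCHOOL --challenge=a1a6b069c8d565ac
--nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
Exec-Program output: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
"""

# A line that does not start with one of these tags continues the previous one.
PREFIX = re.compile(r"^\s*(modcall|rlm_\w+|Exec-Program[\w-]*)\b")

def unwrap(log):
    """Re-join wrapped log lines into one logical line per message."""
    out = []
    for line in log.splitlines():
        if PREFIX.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def diagnose(log):
    """Return (helper exit code, NT status name, verdict) for the ntlm_auth call."""
    exit_code, status = None, None
    for line in unwrap(log):
        m = re.match(r"Exec-Program: returned: (\d+)", line)
        if m:
            exit_code = int(m.group(1))
        m = re.search(r"\((0x[0-9a-fA-F]+)\)\s*$", line)
        if m and line.startswith("Exec-Program output:"):
            code = int(m.group(1), 16)
            status = NT_STATUS.get(code, hex(code))
    if status == "NT_STATUS_ACCESS_DENIED":
        return exit_code, status, "winbindd refused the helper; response never checked"
    if exit_code == 0:
        return exit_code, status, "ntlm_auth accepted the response"
    return exit_code, status, "ntlm_auth rejected the request"
```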


