Another LDAP/MSCHAPv2 problem
Francois Gaudreault
fgaudreault at inverse.ca
Thu Feb 9 17:20:44 CET 2012
Hi Alan,
>> [ldap] looking for check items in directory...
>> [ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W ]"
>> [ldap] userPassword -> Password-With-Header == "..."
>> [ldap] ntPassword -> NT-Password == 0x34343446...242
>
> Hmm... that looks a lot like it's ASCII. i.e. "444..." Maybe that's
> the problem? You have an ASCII string that's being interpreted as the
> NT password. Instead, it needs to be interpreted as the *printed* form
> of the password.
I had a look in the LDAP, and the ntPassword has the correct length:
ntPassword: 44AFA3XXXXXXXXXXXXXXXXXXXXXXX856
>
> One way to do this is to list "pap" last in the authorize section. It
> goes through the various password attributes, and fixes them to be correct.
I did enable pap, but without success.
[ldap] looking for check items in directory...
[ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W ]"
[ldap] userPassword -> Password-With-Header == "JDEkMWs..."
[ldap] ntPassword -> NT-Password == 0x34343446...
[ldap] looking for reply items in directory...
[ldap] user host/dti-dahport authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] Failed to decode Password-With-Header = "JDEkMWs..."
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
...
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: host/dti-dahport
[mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
Is it possible that the issue is somewhere else? The nt/lmPassword are
properly handled when we do user auth, and the printout in debug is also
in a 0xsomething format.
--
Francois Gaudreault, ing. jr
fgaudreault at inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
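An added illustration of the encoding mismatch Alan describes (this is example code, not from the thread or from FreeRADIUS): a 32-character ASCII hex ntPassword is printed as 0x3434... because each character is taken as one byte, so mschap is handed 32 bytes instead of the 16-byte hash. The hash value below is constructed, since the post's value is masked.

```python
import binascii
import re

# A 32-character string of hex digits: the *printed* form of a 16-byte NT hash.
PRINTED_NT_HASH = re.compile(rb"^[0-9A-Fa-f]{32}$")


def normalize_nt_password(value: bytes) -> bytes:
    """Return the 16 raw bytes of an NT hash from an LDAP ntPassword value.

    Same idea as the '[pap] Normalizing NT-Password from hex encoding' step:
    16 raw bytes pass through, a 32-char ASCII hex string is decoded, and
    anything else is rejected rather than guessed at.
    """
    if len(value) == 16:
        return value
    if PRINTED_NT_HASH.match(value):
        return binascii.unhexlify(value)
    raise ValueError(f"NT-Password has unexpected length {len(value)}")


def debug_form(value: bytes) -> str:
    """Render an octet attribute the way radiusd -X prints it: 0x + hex of raw bytes."""
    return "0x" + binascii.hexlify(value).decode("ascii")


def parse_debug_nt_password(debug: str) -> tuple:
    """Take the value after 'NT-Password ==' in debug output and report whether
    the module was given the printed form (ASCII hex) instead of the hash;
    also return the normalized 16-byte hash."""
    raw = binascii.unhexlify(debug[2:]) if debug.startswith("0x") else debug.encode("ascii")
    return (bool(PRINTED_NT_HASH.match(raw)), normalize_nt_password(raw))


# Constructed sample ntPassword (not a real hash; the post's value is masked).
LDAP_NTPASSWORD = b"44AFA3000102030405060708090A0B56"
EXPECTED_HASH = bytes.fromhex("44AFA3000102030405060708090A0B56")

if __name__ == "__main__":
    printed = debug_form(LDAP_NTPASSWORD)
    # 0x34344146...: '4' -> 0x34, 'A' -> 0x41, 32 bytes in total, so mschap
    # would compute the MS-CHAPv2 response from the wrong key material.
    print(printed)
    ascii_hex, nt_hash = parse_debug_nt_password(printed)
    print(ascii_hex, nt_hash.hex())
```

A debug line whose NT-Password value is 64 hex digits after the 0x, all of them decoding to ASCII hex characters, is the signature of this double encoding.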