MS-CHAP2 fails - samba version?

Lovaas,Steven Steven.Lovaas at ColoState.EDU
Mon Jul 8 15:59:55 CEST 2013

Hello everyone,

I’m trying to bring up a fresh instance using 2.2.0, rather than just cloning old 1.x configs as has been done in previous upgrades. In building a new Ubuntu server, I grabbed the latest available build of samba (3.6.3); I’ve read that a version of at least 3.5.4 is required to work with Windows Server 2008 R2 AD. Compatibility with 2008 R2 is what is driving this upgrade.

Working from the Deploying Radius site, I’ve made good progress. So far, the directions have been clear and everything has worked well. I even took the opportunity to learn mercurial along the way… thanks ☺. I also created two virtual servers, to support different policies for our main campus wireless and eduroam. That also seems to be working well, with one SSID pointing to each virtual server… slick!

NTLM auth works:
/usr/bin/ntlm_auth --request-nt-key --domain=COLOSTATE --username=slovaas
NT_STATUS_OK: Success (0x0)
root@freerad13:/etc/freeradius/modules#

Winbind looks OK, though only the challenge/response form of authentication succeeds… is that normal?:
wbinfo -a slovaas
Enter slovaas's password:
plaintext password authentication failed
Could not authenticate user slovaas with plaintext password
Enter slovaas's password:
challenge/response password authentication succeeded
root@freerad13:/etc/freeradius#

And with a forced default ntlm_auth in the users file, I can authenticate with radtest.

But here’s where I’m stuck. When I remove the default ntlm_auth line in the users file and put the ntlm_auth line in mschap, I no longer get an Access-Accept.

The debug output of the request is pasted below. But I wondered… basic authentication is working (with ntlm_auth) but mschap doesn’t get what it wants back (using ntlm_auth), which sounds like an issue that was around in earlier versions of samba. Before I go downgrading samba, though, I was wondering whether anyone sees anything I missed or has any other suggestions.


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.08 07:43:48 =~=~=~=~=~=~=~=~=~=~=~=
rad_recv: Access-Request packet from host port 35685, id=59, length=133
User-Name = "slovaas"
NAS-IP-Address =
NAS-Port = 0
Message-Authenticator = 0x160e7734756ad5899a83bbc504bd937c
MS-CHAP-Challenge = 0x105268b03ae9b2ee
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
server eid-dot11i {
# Executing section authorize from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group authorize {...}
++- entering policy filter_username_csu {...}
+++? if (User-Name != "%{tolower:%{User-Name}}")
expand: %{User-Name} -> slovaas
expand: %{tolower:%{User-Name}} -> slovaas
? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name =~ / /)
? Evaluating (User-Name =~ / /) -> FALSE
+++? if (User-Name =~ / /) -> FALSE
+++? if (User-Name =~ /@(.+)?@/i )
? Evaluating (User-Name =~ /@(.+)?@/i) -> FALSE
+++? if (User-Name =~ /@(.+)?@/i ) -> FALSE
+++? if (User-Name =~ /\\.\\./ )
? Evaluating (User-Name =~ /\\.\\./) -> FALSE
+++? if (User-Name =~ /\\.\\./ ) -> FALSE
++- policy filter_username_csu returns notfound
++[preprocess] returns ok
[auth_log] expand: %{Packet-Src-IP-Address} ->
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/
[auth_log] expand: %t -> Mon Jul  8 07:45:04 2013
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "slovaas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group MS-CHAP {...}
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> slovaas
[mschap] expand: %{%{User-Name}:-None} -> slovaas
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=slovaas
[mschap]  mschap1: 10
[mschap] expand: %{mschap:Challenge} -> 105268b03ae9b2ee
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=105268b03ae9b2ee
[mschap] expand: %{mschap:NT-Response} -> 3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
} # server eid-dot11i
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> slovaas
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 59 to port 35685
MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 59 with timestamp +96
Ready to process requests.
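The debug above records everything rlm_mschap handed to ntlm_auth (the --username, --challenge and --nt-response expansions), so the failing call can be reproduced by hand outside FreeRADIUS. The script below is an added example, not code from the post or from the FreeRADIUS or Samba projects: it pulls those three values out of a debug log, rebuilds the ntlm_auth command line, and checks that the NT-Response the module passed really is the last 24 bytes of the packet's MS-CHAP-Response with the flags byte set to 01 (MS-CHAPv1 with NT response, which is what radtest generates and what the log reports). The ntlm_auth path (/usr/bin/ntlm_auth) and the domain argument (COLOSTATE, taken from the manual test earlier in the post) are assumptions; the sample log lines are copied from the debug output above.

```shell
#!/bin/sh
# Added example (not from the post, FreeRADIUS or Samba): rebuild the ntlm_auth
# call rlm_mschap made, from a FreeRADIUS debug log, and sanity-check the
# NT-Response it passed against the raw MS-CHAP-Response attribute.
# Assumptions: ntlm_auth at /usr/bin/ntlm_auth; domain supplied by the caller.

# Constructed sample: the relevant lines copied from the debug output above.
SAMPLE_LOG='MS-CHAP-Challenge = 0x105268b03ae9b2ee
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=slovaas
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=105268b03ae9b2ee
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10'

# Value on the right-hand side of an "[mschap] expand: ... -> --NAME=VALUE" line.
expansion() {  # $1 = NAME, log on stdin
    sed -n "s/.*-> --$1=\([^ ]*\).*/\1/p" | head -n 1
}

# Raw MS-CHAP-Response attribute as hex, without the 0x prefix.
mschap_response_hex() {  # log on stdin
    sed -n 's/.*MS-CHAP-Response = 0x\([0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# MS-CHAPv1 MS-CHAP-Response layout (50 bytes): 1 byte ident, 1 byte flags,
# 24 bytes LM-Response, 24 bytes NT-Response. The NT part is taken from the
# end so a stray character in a pasted log does not shift it.
mschap_field() {  # $1 = hex string, $2 = ident|flags|lm|nt
    case $2 in
        ident) printf '%s' "$1" | cut -c1-2 ;;
        flags) printf '%s' "$1" | cut -c3-4 ;;
        lm)    printf '%s' "$1" | cut -c5-52 ;;
        nt)    printf '%s' "$1" | tail -c 48 ;;
    esac
}

# Rebuild the ntlm_auth invocation with the exact values the module expanded,
# in the form of the manual test that succeeded earlier (--request-nt-key,
# --domain) plus the challenge/response pair the module added.
build_ntlm_auth_cmd() {  # $1 = domain, log on stdin
    log=$(cat)
    user=$(printf '%s\n' "$log" | expansion username)
    chal=$(printf '%s\n' "$log" | expansion challenge)
    ntr=$(printf '%s\n' "$log" | expansion nt-response)
    printf '/usr/bin/ntlm_auth --request-nt-key --domain=%s --username=%s --challenge=%s --nt-response=%s\n' \
        "$1" "$user" "$chal" "$ntr"
}

# Consistency check: flags must be 01 (peer used the NT response) and the
# NT-Response handed to ntlm_auth must equal the NT field of the packet.
check_nt_response() {  # log on stdin; prints "ok" or the reason it is not
    log=$(cat)
    raw=$(printf '%s\n' "$log" | mschap_response_hex)
    ntr=$(printf '%s\n' "$log" | expansion nt-response)
    flags=$(mschap_field "$raw" flags)
    nt=$(mschap_field "$raw" nt)
    if [ "$flags" != "01" ]; then
        echo "flags=$flags: peer did not use the NT response"
        return 1
    fi
    if [ "$nt" != "$ntr" ]; then
        echo "NT-Response passed to ntlm_auth ($ntr) differs from the packet ($nt)"
        return 1
    fi
    echo ok
}

# Stand-alone run: print the rebuilt command and the check result. The command
# is only printed, not executed, so this works without winbind present.
printf '%s\n' "$SAMPLE_LOG" | build_ntlm_auth_cmd COLOSTATE
printf '%s\n' "$SAMPLE_LOG" | check_nt_response
```

Running the printed command from a root shell on the RADIUS box separates the two possible causes: if it also returns "Reading winbind reply failed! (0xc0000001)", the problem is between ntlm_auth and winbindd and no mschap configuration change will fix it; if it returns NT_STATUS_OK with an NT_KEY line, then whatever differs between this command and the ntlm_auth line in the mschap module (for example how the domain is supplied) is the thing to look at.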
