freeRADIUS -> AD Auth

Stefan Paetow Stefan.Paetow at ja.net
Mon Aug 18 18:15:11 CEST 2014


And the /var/lib/samba/winbindd_privileged directory is owned by winbindd with group winbindd_priv?

Stefan


From: freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net at lists.freeradius.org] On Behalf Of nfischer at hush.com
Sent: 18 August 2014 16:53
To: freeradius-users at lists.freeradius.org
Subject: freeRADIUS -> AD Auth

Hi,
After I fully crashed my freeRADIUS server I have to ask again:

It still fails with:
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: hausmeister at OBLAN
[mschap] Told to do MS-CHAPv2 for hausmeister at OBLAN with NT-Password
[mschap]        expand: %{Stripped-User-Name} -> hausmeister
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=hausmeister
[mschap] Creating challenge hash with username: hausmeister at OBLAN
[mschap]        expand: %{mschap:Challenge} -> 01b99ad5745936be
[mschap]        expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=01b99ad5745936be
[mschap]        expand: %{mschap:NT-Response} -> cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e
[mschap]        expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=cfebe53922a2a18a8e0f423e8562a651148d2b18cd4fbc3e
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

So I'm not sure why.
I think it's because he's not allowed to execute the ntlm or my mschap is configured wrong (or both).

I checked the users/groups:
sambashare:x:111:haus-meister
winbindd_priv:x:112:freerad
freerad:x:113:freerad
ssl-cert:x:114:freerad

looks fine to me?

So my NTLM_Auth string in the modules/mschap is:
 ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

I also tried a lot of other stuff; nothing changed.
Hope you can help me again.


--
With kind regards
Nicolas Fischer

email: nfischer at hush.com
jabber: jagger at jabber.ccc.de
tel: 01573-0420888
Skype: jagger64
TOX: Just ask me :)

PGP-Key:
http://keyserver.ubuntu.com/pks/lookup?op=vindex&fingerprint=on&search=0xCF5E6AD15A5B6132
If you send me a PGP Crypted Mail I'll be happy and will give you a free cookie :)

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
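
The two things this thread checks, whether `freerad` is a member of `winbindd_priv` and whether that group can enter `/var/lib/samba/winbindd_privileged`, can be tested with a short script. This is an added example, not part of the original messages: the function names are made up for illustration, and the requirement of group r-x on the directory is an assumption about what `ntlm_auth` needs to reach winbindd's privileged pipe.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# user_in_group GROUPFILE USER GROUP
# Succeeds if USER is listed as a member of GROUP in /etc/group format.
# GROUPFILE may be "-" to read from stdin.
user_in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# dir_group_access DIR GROUP
# Succeeds if DIR exists, is group-owned by GROUP, and the group has r-x.
dir_group_access() {
    [ -d "$1" ] || return 1
    info=$(ls -ld "$1" | awk '{print $1 " " $4}')
    mode=${info%% *}
    grp=${info#* }
    [ "$grp" = "$2" ] || return 1
    case "$mode" in
        d???r?[xs]*) return 0 ;;   # group read + search (s = setgid with x)
        *) return 1 ;;
    esac
}

# Group lines exactly as posted in the thread.
posted_groups='sambashare:x:111:haus-meister
winbindd_priv:x:112:freerad
freerad:x:113:freerad
ssl-cert:x:114:freerad'

if printf '%s\n' "$posted_groups" | user_in_group - freerad winbindd_priv; then
    echo "OK:   freerad is listed in winbindd_priv"
else
    echo "FAIL: freerad is not listed in winbindd_priv"
fi

# Directory named in the reply; checked on the local machine.
priv_dir=/var/lib/samba/winbindd_privileged
if dir_group_access "$priv_dir" winbindd_priv; then
    echo "OK:   $priv_dir is group winbindd_priv with r-x"
else
    echo "FAIL: $priv_dir is missing, has another group, or lacks group r-x"
fi
```

Group membership read from `/etc/group` only applies to processes started after the change, so restart the freeradius daemon before retesting.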
