Problem configuring freeradius with mschap / winbind

stefan.paetow at diamond.ac.uk
Mon Feb 3 17:26:25 CET 2014


Your error message is: Reading winbind reply failed

Check your /var/lib/samba/winbindd_privileged directory... You may need to add radiusd to the winbind group, or change the group of the directory to radiusd.

Stefan


> -----Original Message-----
> From: Brian C. Huffman [mailto:bhuffman at etinternational.com]
> Sent: 03 February 2014 16:15
> To: freeradius-users at lists.freeradius.org
> Subject: Problem configuring freeradius with mschap / winbind
> 
> All,
> 
> I'm trying to configure freeradius to work with Samba winbind. Winbind
> seems to be working, but I'm having issues when I try to integrate
> freeradius.
> 
> I've got the following versions installed:
> [root at auth01 raddb]# more /etc/redhat-release
> CentOS release 6.5 (Final)
> [root at auth01 raddb]# rpm -qa |grep winbind
> samba-winbind-clients-3.6.9-167.el6_5.x86_64
> samba-winbind-3.6.9-167.el6_5.x86_64
> [root at auth01 raddb]# rpm -qa |grep freeradius
> freeradius-2.1.12-4.el6_3.x86_64
> freeradius-utils-2.1.12-4.el6_3.x86_64
> 
> wbinfo -u works.
> 
> This works as well:
> [root at auth01 raddb]# ntlm_auth --request-nt-key --domain=ETI --username=bhuffman --password=<pass_removed>
> NT_STATUS_OK: Success (0x0)
> 
> I've followed this guide for configuring freeradius:
> http://deployingradius.com/documents/configuration/active_directory.html
> 
> Running the test with basic ntlm_auth also works.   But when I try to
> use mschap, it fails:
> 
> rad_recv: Access-Request packet from host 127.0.0.1 port 36958, id=54,
> length=134
>      User-Name = "bhuffman"
>      NAS-IP-Address = 192.168.12.13
>      NAS-Port = 0
>      Message-Authenticator = 0x5218e5194bf4c321ed41c29cd6d10690
>      MS-CHAP-Challenge = 0x1491f6269d04d59a
>      MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "bhuffman", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv1 with NT-Password
> [mschap]     expand: %{Stripped-User-Name} ->
> [mschap]     ... expanding second conditional
> [mschap]     expand: %{User-Name} -> bhuffman
> [mschap]     expand: %{%{User-Name}:-None} -> bhuffman
> [mschap]     expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=bhuffman
> [mschap] No NT-Domain was found in the User-Name.
> [mschap]     expand: %{mschap:NT-Domain} ->
> [mschap]     ... expanding second conditional
> [mschap]     expand: --domain=%{%{mschap:NT-Domain}:-ETI} -> --domain=ETI
> [mschap]  mschap1: 14
> [mschap]     expand: %{mschap:Challenge} -> 1491f6269d04d59a
> [mschap]     expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=1491f6269d04d59a
> [mschap]     expand: %{mschap:NT-Response} -> bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
> [mschap]     expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
> Exec-Program output: Reading winbind reply failed! (0xc0000001)
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] MS-CHAP-Response is incorrect.
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> bhuffman
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 54 to 127.0.0.1 port 36958
>      MS-CHAP-Error = "\000E=691 R=1"
> 
> 
> Can anyone help me to troubleshoot this?
> 
> Thanks,
> Brian
> 
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

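The check Stefan suggests, written out as a small script. This is an added example and not part of the thread or of FreeRADIUS; it assumes the service account is `radiusd` (the CentOS package's user) and the directory is `/var/lib/samba/winbindd_privileged` as named in the reply, both overridable by environment variable. It judges access from the directory's owner, group and mode the way the kernel would for an unprivileged user, prints the two fixes from the reply (add `radiusd` to the directory's group, or `chgrp` the directory to `radiusd`), and provides a helper that repeats Brian's `ntlm_auth --request-nt-key` test as the `radiusd` account, which is the run that actually matters for rlm_mschap.

```shell
#!/bin/sh
# Added example, not from the original thread.  Checks whether the account
# FreeRADIUS runs as (assumed: radiusd) can enter winbind's privileged socket
# directory (assumed: /var/lib/samba/winbindd_privileged, the CentOS 6 /
# Samba 3 location).  ntlm_auth --request-nt-key talks to winbindd through a
# socket in that directory, so an account that cannot traverse it gets
# "Reading winbind reply failed" even though the same command works as root.
# Uses GNU stat(1).

RADIUS_USER=${RADIUS_USER:-radiusd}
PRIV_DIR=${PRIV_DIR:-/var/lib/samba/winbindd_privileged}

# Return 0 if user $1 is a member of group $2 (primary or supplementary).
user_in_group() {
    uig_user=$1; uig_group=$2
    for uig_m in $(id -Gn "$uig_user" 2>/dev/null); do
        [ "$uig_m" = "$uig_group" ] && return 0
    done
    return 1
}

# Return 0 if user $1 can enter directory $2, judging by owner, group and the
# execute bit of the matching permission class (the bit needed to reach a
# socket inside).  Returns 2 if the directory is missing.  Root is not
# special-cased, since the point is the unprivileged radiusd account.
can_traverse() {
    ct_user=$1; ct_dir=$2
    [ -d "$ct_dir" ] || return 2
    set -- $(stat -c '%U %G %a' "$ct_dir")
    ct_owner=$1; ct_group=$2; ct_mode=$3
    # Keep the last three octal digits, dropping a leading setgid/sticky digit,
    # and left-pad so that mode 0 parses as 000.
    ct_perm=$(printf '%s' "$ct_mode" | tail -c 3)
    while [ ${#ct_perm} -lt 3 ]; do ct_perm=0$ct_perm; done
    ct_u=${ct_perm%??}; ct_rest=${ct_perm#?}; ct_g=${ct_rest%?}; ct_o=${ct_perm#??}
    if [ "$ct_user" = "$ct_owner" ]; then ct_bit=$ct_u
    elif user_in_group "$ct_user" "$ct_group"; then ct_bit=$ct_g
    else ct_bit=$ct_o
    fi
    [ $((ct_bit & 1)) -eq 1 ]
}

# Print the verdict and the two fixes suggested in the thread.
diagnose() {
    can_traverse "$RADIUS_USER" "$PRIV_DIR"
    case $? in
        0) echo "ok: $RADIUS_USER can enter $PRIV_DIR"; return 0 ;;
        2) echo "missing: $PRIV_DIR (is winbindd installed and running here?)"; return 2 ;;
    esac
    echo "denied: $RADIUS_USER cannot enter $PRIV_DIR ($(stat -c '%U:%G %a' "$PRIV_DIR"))"
    echo "fix with either of the following, then restart radiusd:"
    echo "  usermod -a -G $(stat -c '%G' "$PRIV_DIR") $RADIUS_USER"
    echo "  chgrp $RADIUS_USER $PRIV_DIR"
    return 1
}

# Re-run the thread's ntlm_auth test as the service account, which is the
# context rlm_mschap's ntlm_auth = "..." command actually runs in.  Usage:
#   verify_as_radiusd ETI bhuffman 'secret'
verify_as_radiusd() {
    sudo -u "$RADIUS_USER" ntlm_auth --request-nt-key \
        --domain="$1" --username="$2" --password="$3"
}

# Run the check only when invoked with "check", so the file can also be sourced.
if [ "${1-}" = check ]; then
    diagnose
fi
```

Run it as `sh winbind_priv_check.sh check` on the RADIUS host; a `denied:` line with the directory's owner, group and mode is the condition behind the `0xc0000001` in the debug output above. After applying one of the printed fixes and restarting radiusd, `. ./winbind_priv_check.sh; verify_as_radiusd ETI bhuffman '<password>'` should print `NT_STATUS_OK: Success (0x0)` as the `radiusd` user, not just as root.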