infamous AD integration

lejeczek peljasz at yahoo.co.uk
Wed Jun 15 17:42:21 CEST 2016


hi users,

I know there are howtos and as a novice I've been reading 
whatever I could find but I still fail to have my radius 
3.0.4 talk to AD 2014.

I'm hoping some expert would share a pointer to a nice & 
working tutorial on how to setup active directory.

I've gotten it up to the winbind bit working fine, seems 
samba+winbind are doing ok, and before I dump my configs I'd 
like to say I followed these:

https://www.unixmen.com/freeradius-active-directory-integration-with-ntlm-mschap/

http://deployingradius.com/documents/configuration/active_directory.html

... and a few more.

What I'm hoping to have might be a bit nonstandard(?) - it 
might be that I don't need that, that I don't need the full 
domain name.

before I dump the configs here, I test radius:

$ radtest -t mschap pe243@my.domain.local my.Pass $(hostname 
-f) 1812 radius.Pass

and I see:

(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2)   [chap] = noop
(2)  mschap : Found MS-CHAP attributes.  Setting 'Auth-Type  
= mschap'
(2)   [mschap] = ok
(2)   [digest] = noop
(2)  suffix : Checking for suffix after "@"
(2)  suffix : Looking up realm "my.domain.local" for 
User-Name = "pe243@my.domain.local"
(2)  suffix : No such realm "my.domain.local"
(2)   [suffix] = noop
(2)  eap : No EAP-Message, not doing EAP
(2)   [eap] = noop
(2)   [unix] = notfound
(2)   [files] = noop
(2)   [expiration] = noop
(2)   [logintime] = noop
(2)  WARNING: pap : No "known good" password found for the 
user.  Not setting Auth-Type
(2)  WARNING: pap : Authentication will fail unless a "known 
good" password is available
(2)   [pap] = noop
(2)  } #  authorize = ok
(2) Found Auth-Type = MSCHAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)  Auth-Type MS-CHAP {
(2)  mschap : Client is using MS-CHAPv1 with NT-Password
Executing: /usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
--challenge=%{%{mschap:Challenge}:-00} 
--nt-response=%{%{mschap:NT-Response}:-00}:
(2)  mschap : EXPAND 
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(2)  mschap :    --> --username=pe243@my.domain.local
(2)  mschap : mschap1: 53
(2)  mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
(2)  mschap :    --> --challenge=53a9b819d2f4c974
(2)  mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(2)  mschap :    --> 
--nt-response=eaaf1863833782d3cfc44549b99ba2a0831afaf3b25b13a6
Program returned code (1) and output 'Reading winbind reply 
failed! (0xc0000001)'
(2)  mschap : External script failed
(2)  ERROR: mschap : External script says: Reading winbind 
reply failed! (0xc0000001)
(2)  ERROR: mschap : MS-CHAP-Response is incorrect
(2)   [mschap] = reject
(2)  } # Auth-Type MS-CHAP = reject
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject


I use @domain because I hope to have two separate user catalogs 
where usernames might/will duplicate. But I tested the user 
without the @ part and it fails the same way.

many thanks,

L
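The debug output above ends with winbind returning 0xc0000001 (NT_STATUS_UNSUCCESSFUL) to ntlm_auth, and it shows the whole UPN going into --username= with no --domain= at all (no realm "my.domain.local" is configured, so the suffix module strips nothing). Before changing radiusd config, the usual check is to run the same ntlm_auth call by hand with a plaintext password, which is how the deployingradius guide linked in the post suggests testing the winbind side. The script below is an added diagnostic example, not code from the original post or from FreeRADIUS/Samba: it splits a user@realm name, builds the ntlm_auth command with the realm passed as --domain=, and wraps the wbinfo checks. Account names and passwords are placeholders; whether --domain= wants the NetBIOS short name or the DNS realm depends on the winbind setup, so substitute the NetBIOS name if the DNS realm is rejected.

```shell
#!/bin/sh
# Added diagnostic example, not part of the original post or of FreeRADIUS.
# It reproduces by hand the ntlm_auth call that the mschap module's debug
# output shows, so a failure can be attributed to Samba/winbind rather than
# to radiusd. Account names and the plaintext password are placeholders.

# upn_user user@realm -> user   (a bare username is returned unchanged)
upn_user() {
    printf '%s\n' "${1%%@*}"
}

# upn_realm user@realm -> realm (empty line for a bare username)
upn_realm() {
    case "$1" in
        *@*) printf '%s\n' "${1#*@}" ;;
        *)   printf '\n' ;;
    esac
}

# ntlm_auth_cmd UPN: the ntlm_auth invocation with the realm passed as
# --domain= instead of leaving the whole UPN in --username= (the post's
# debug output shows the latter, and no --domain at all).
ntlm_auth_cmd() {
    user=$(upn_user "$1")
    realm=$(upn_realm "$1")
    if [ -n "$realm" ]; then
        printf 'ntlm_auth --request-nt-key --domain=%s --username=%s\n' "$realm" "$user"
    else
        printf 'ntlm_auth --request-nt-key --username=%s\n' "$user"
    fi
}

# check_winbind: confirm the machine trust and that winbind can enumerate
# domain users before involving radiusd at all.
check_winbind() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found" >&2; return 2; }
    wbinfo -t || { echo "machine trust check failed" >&2; return 1; }
    wbinfo -u | head -n 3
}

# test_account UPN PASSWORD: run the generated command with --password, the
# way the deployingradius guide suggests testing ntlm_auth by hand.
# Exit status 0 means winbind accepted the credentials; anything else is a
# Samba/winbind problem, not a radiusd one.
test_account() {
    command -v ntlm_auth >/dev/null 2>&1 || { echo "ntlm_auth not found" >&2; return 2; }
    cmd=$(ntlm_auth_cmd "$1")
    # word-splitting of $cmd is intended here (no spaces in user or realm)
    $cmd --password="$2"
}

# Usage (placeholder credentials; run as a user allowed to reach winbind's
# privileged pipe, which is what radiusd needs as well):
#   check_winbind
#   test_account pe243@my.domain.local 'my.Pass'
```

If test_account succeeds by hand but radiusd still gets "Reading winbind reply failed", the difference is in how radiusd invokes ntlm_auth (the user it runs as and the exact --username/--domain it passes), which the EXPAND lines in the debug output make visible.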


