mschap direct-to-Winbind different behaviour
Jonathan Gazeley
Jonathan.Gazeley at bristol.ac.uk
Tue Mar 8 14:14:22 CET 2016
Hi folks,
I've been investigating switching my mschap authentications from
ntlm_auth to use direct Winbind connections with libwbclient. It works
fine for user authentications against AD but does not work for machine
authentications against the same. The direct Winbind method returns an
error from AD. Can anyone explain this?
FreeRADIUS 3.1.x built from git
Samba 4.2.3 from CentOS 7
Here's my mschap config:
mschap eduroammschap {
    # Either:
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}} --challenge=%{eduroammschap:Challenge} --nt-response=%{eduroammschap:NT-Response} "

    # Or:
    winbind_username = "%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}}"
    winbind_domain = "%{eduroammschap:NT-Domain}"

    pool {
        start = ${thread[pool].start_servers}
        min = ${thread[pool].min_spare_servers}
        max = ${thread[pool].max_servers}
        spare = ${thread[pool].max_spare_servers}
        uses = 0
        retry_delay = 30
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
    }

    allow_retry = no
    retry_msg = "Verify username and re-enter your password"
}
Debug using ntlm_auth:

(7) Auth-Type eduroamlioneap {
(7) eduroamlioneap - Peer sent packet with EAP method MSCHAPv2 (26)
(7) eduroamlioneap - Calling submodule eap_mschapv2 to process data
(7) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/eduroamlion-inner
(7) eap_mschapv2 - Auth-Type MS-CHAP {
(7) eduroammschap - Creating challenge hash with username: MONITOR899307$
(7) eduroammschap - Client is using MS-CHAPv2
(7) eduroammschap - Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}} --challenge=%{eduroammschap:Challenge} --nt-response=%{eduroammschap:NT-Response} :
(7) eduroammschap - EXPAND --username=%{%{Stripped-User-Name}:-%{eduroammschap:User-Name}}
(7) eduroammschap - --> --username=MONITOR899307$
(7) eduroammschap - EXPAND --challenge=%{eduroammschap:Challenge}
(7) eduroammschap - Creating challenge hash with username: MONITOR899307$
(7) eduroammschap - --> --challenge=d6341cfb2d2e480e
(7) eduroammschap - EXPAND --nt-response=%{eduroammschap:NT-Response}
(7) eduroammschap - --> --nt-response=843e30991be16db3f688bff168572cb202bf0582b0713189
(7) eduroammschap - Program returned code (0) and output 'NT_KEY: 4B6BB21FE18F7D003EFD4D39CFC5939A'
(7) eduroammschap - Adding MS-CHAPv2 MPPE keys
(7) eduroammschap (ok)
Debug using direct Winbind:

(27) Auth-Type eduroamlioneap {
(27) eduroamlioneap - Peer sent packet with EAP method MSCHAPv2 (26)
(27) eduroamlioneap - Calling submodule eap_mschapv2 to process data
(27) eap_mschapv2 - Running Auth-Type MS-CHAP from file /etc/raddb/sites-enabled/eduroamlion-inner
(27) eap_mschapv2 - Auth-Type MS-CHAP {
(27) eduroammschap - Creating challenge hash with username: MONITOR899307$
(27) eduroammschap - Client is using MS-CHAPv2
(27) eduroammschap - EXPAND %{%{Stripped-User-Name}:-%{eduroammschap:User-Name}}
(27) eduroammschap - --> MONITOR899307$
(27) eduroammschap - EXPAND %{eduroammschap:NT-Domain}
(27) eduroammschap - --> UOB
(27) eduroammschap - Reserved connection (1)
(27) eduroammschap - sending authentication request user='MONITOR899307$' domain='UOB'
(27) eduroammschap - Released connection (1)
(27) eduroammschap - ERROR: No logon workstation trust account [0xC0000199]
(27) eduroammschap - ERROR: Password has expired. User should retry authentication
(27) eduroammschap (reject)
Thanks,
Jonathan
--
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol
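As an added illustration (my own code, not part of the original post and not FreeRADIUS or Samba code): the direct-Winbind debug above carries two ERROR lines, and only the first carries the authoritative result. 0xC0000199 is STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, the status a DC returns when a SamLogon is attempted for a computer account (name ending in $) without MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) in the logon parameters; the "Password has expired" line that follows it is not backed by a STATUS_PASSWORD_EXPIRED (0xC0000071) code, so the thing to compare between the two backends is which MSV1_0 logon parameters each one hands to winbind. The script also shows why the name passed to the backend has to be exactly the one the supplicant used, trailing $ included: the 8-octet challenge that ntlm_auth or winbind verifies the NT-Response against is the RFC 2759 ChallengeHash over the username. The NTSTATUS table and MSV1_0 constants are standard Windows values; the function names, the triage dictionary and the advice strings are mine; the sample ERROR lines are copied from the debug output above.

```python
"""Triage helper for rlm_mschap backend failures.

Added example (author's own code, not from FreeRADIUS or Samba). Two points from the
debug output above:
  1. the challenge handed to ntlm_auth/winbind is bound to the username
     (RFC 2759 s8.2 ChallengeHash), so the backend must see the same name the
     supplicant hashed, trailing '$' included;
  2. the authoritative result is the NTSTATUS in [0x...], not the free-text line
     printed after it.
"""
import hashlib
import re

# NTSTATUS values an AD DC commonly returns for a SamLogon behind MS-CHAPv2 (Windows values).
NT_STATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000199: "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
    0xC000019A: "STATUS_NOLOGON_SERVER_TRUST_ACCOUNT",
    0xC000019B: "STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# MSV1_0 logon parameter-control bits (MS-NRPC NetrLogonSamLogon / MS-APDS).
# A DC refuses a workstation trust account ($) logon with 0xC0000199 unless the
# caller set MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT.
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT = 0x00000020
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT = 0x00000800

_STATUS_RE = re.compile(r"\[0x([0-9A-Fa-f]{8})\]")


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 s8.2: Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    UserName is the account name without a DOMAIN\\ prefix, exactly as the supplicant used it.
    """
    name = username.split("\\")[-1]
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(name.encode("utf-8"))
    return h.digest()[:8]


def is_machine_account(username: str) -> bool:
    """AD computer (workstation trust) accounts end in '$'."""
    return username.endswith("$")


def parse_nt_status(error_lines):
    """Return the first NTSTATUS found in rlm_mschap ERROR lines, or None if there is none."""
    for line in error_lines:
        m = _STATUS_RE.search(line)
        if m:
            return int(m.group(1), 16)
    return None


def triage(username: str, error_lines, parameter_control: int = 0) -> dict:
    """Explain a winbind/ntlm_auth rejection from its ERROR lines and the logon parameters used."""
    code = parse_nt_status(error_lines)
    result = {
        "username": username,
        "machine_account": is_machine_account(username),
        "nt_status": code,
        "nt_status_name": NT_STATUS.get(code, "UNKNOWN") if code is not None else None,
        "misleading_text": False,
        "advice": "no NTSTATUS in output; only the text is available",
    }
    # Flag free text that contradicts the code (the second ERROR line above says
    # "expired" while the status is not STATUS_PASSWORD_EXPIRED).
    if code is not None and code != 0xC0000071 and any("expired" in ln.lower() for ln in error_lines):
        result["misleading_text"] = True
    if code == 0xC0000199 and result["machine_account"]:
        if parameter_control & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT:
            result["advice"] = "flag set but DC still refused; check the computer account itself"
        else:
            result["advice"] = ("machine-account logon refused: backend must set "
                                "MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) in the logon parameters")
    elif code == 0xC000006A:
        result["advice"] = "NT-Response did not verify: wrong password, or challenge hashed over a different username"
    elif code is not None:
        result["advice"] = "see nt_status_name"
    return result


# Sample input: the two ERROR lines from the direct-Winbind debug above.
WINBIND_ERRORS = [
    "ERROR: No logon workstation trust account [0xC0000199]",
    "ERROR: Password has expired. User should retry authentication",
]

if __name__ == "__main__":
    print(triage("MONITOR899307$", WINBIND_ERRORS))
    # RFC 2759 s9.2 test vector: username "User", expected challenge D02E4386BCE91226.
    print(challenge_hash(bytes.fromhex("21402324255E262A28295F2B3A337C7E"),
                         bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628"),
                         "User").hex())
```

Run stand-alone, it triages the two lines from the post and prints the RFC 2759 section 9.2 challenge; passing the same lines with parameter_control=MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT changes the advice, which is the comparison to make between the ntlm_auth and libwbclient code paths.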