ntlm_auth and MSCHAP issues

L.P.H. van Belle belle at bazuin.nl
Thu Feb 20 09:33:40 CET 2020


If you followed it exactly it should work.

Which samba version is used?
Did you set this on the ad-dc and member (the proxy)?  ntlm auth = mschapv2-and-ntlmv2-only
Run also: adduser proxy winbindd_priv
And also if you have apparmor enabled, you need to adjust that also a bit.
Syslog tells you what.


Greetz, 

Louis



> -----Original message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Adam McPartlan
> Sent: Wednesday 19 February 2020 17:57
> To: freeradius-users at lists.freeradius.org
> Subject: ntlm_auth and MSCHAP issues
> 
> Howdy,
> 
> I am experiencing problems with an existing working install of
> FreeRADIUS to get it to use AD to part authenticate users.
> 
> Following the instructions found here:
> http://deployingradius.com/documents/configuration/active_directory.html
> 
> 
> I can successfully get FreeRADIUS to authenticate using ntlm_auth.
> 
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mcpartlana
> [ntlm_auth] expand: --password=%{User-Password} -> --password=redactedpassword
> Exec output: NT_STATUS_OK: Success (0x0)
> Exec plaintext: NT_STATUS_OK: Success (0x0)
> 
> However, making the switch to MSCHAP as per the instructions I get the
> following outcome:
> 
> radtest -t mschap mcpartlana redactedpassword localhost 0 redactedsecret
> 
> Sending Access-Request of id 8 to 127.0.0.1 port 1812
> User-Name = "mcpartlana"
> NAS-IP-Address = 192.168.172.45
> NAS-Port = 0
> Message-Authenticator = 0x00000000000000000000000000000000
> MS-CHAP-Challenge = 0x58b0f84e08b68e46
> MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c5adb769615849f47a081cbb22c73c45
> rad_recv: Access-Request packet from host 127.0.0.1 port 48263, id=8, length=136
> User-Name = "mcpartlana"
> NAS-IP-Address = 192.168.172.45
> NAS-Port = 0
> Message-Authenticator = 0x0651b559ed7f1e615e14b10e56fed797
> MS-CHAP-Challenge = 0x58b0f84e08b68e46
> MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c5adb769615849f47a081cbb22c73c45
> 
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mcpartlana
> [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> [ntlm_auth] Exec: program returned: 1
> ++[ntlm_auth] = reject
> 
> 
> Sending Access-Reject of id 8 to 127.0.0.1 port 48263
> Waking up in 4.9 seconds.
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=8, length=20
> 
> 
> 
> To me this looks like the password is not being sent to the AD server -
> hence the "WRONG_PASSWORD" message - it could just be hidden, which is
> ok. I can only presume I have messed something up in my configuration.
> 
> Many thanks
> 
> Adam
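Added example (my own code, not from the thread, FreeRADIUS or Samba): a small Python checker that reads the debug excerpt quoted above, decodes the MS-CHAP-Response into its RFC 2548 fields, and flags the failure mode the log shows: the exec-style ntlm_auth call expands `--password` to nothing because an MS-CHAP request carries no User-Password, so the "wrong password" is really an empty one. It also assembles the `--challenge`/`--nt-response` argument list (real ntlm_auth options) that the mschap module hands to ntlm_auth for such a request; the log lines below are constructed from the quoted output, with the mail-client line wrapping left in place.

```python
import re

# Constructed from the radiusd debug output quoted in the thread; the
# MS-CHAP-Response hex is kept wrapped exactly as the mail client left it.
DEBUG_LOG = """\
MS-CHAP-Challenge = 0x58b0f84e08b68e46
MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000003c312cfc
3724df41c
5adb769615849f47a081cbb22c73c45
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mcpartlana
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
"""

def extract_hex(log, attr):
    """Return the hex payload of a RADIUS attribute, re-joining wrapped continuation lines."""
    m = re.search(re.escape(attr) + r"\s*=\s*0x([0-9a-fA-F]+(?:\n[0-9a-fA-F]+)*)", log)
    return m.group(1).replace("\n", "") if m else None

def decode_mschap_response(hexstr):
    """Split a 50-byte MS-CHAP-Response (RFC 2548) into Ident, Flags, LM-Response, NT-Response."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 bytes, got {len(raw)}")
    return {"ident": raw[0], "flags": raw[1], "lm_response": raw[2:26].hex(),
            "nt_response": raw[26:].hex(), "uses_nt_response": bool(raw[1] & 0x01)}

def diagnose(log):
    """Return findings explaining why an exec-style ntlm_auth check rejects an MS-CHAP request."""
    findings = []
    challenge = extract_hex(log, "MS-CHAP-Challenge")
    response = extract_hex(log, "MS-CHAP-Response")
    if challenge and response and decode_mschap_response(response)["uses_nt_response"]:
        findings.append("request carries MS-CHAP-Challenge/NT-Response, not a plaintext password")
    if re.search(r"--password=%\{User-Password\} -> --password=\s*$", log, re.M):
        findings.append("ntlm_auth --password expanded to nothing: User-Password is absent in MS-CHAP")
    if "NT_STATUS_WRONG_PASSWORD" in log and len(findings) == 2:
        findings.append("WRONG_PASSWORD is the empty password being checked, not the user's password")
    return findings

def mschap_ntlm_auth_args(log):
    """Arguments the mschap module passes to ntlm_auth (real ntlm_auth options) for this request."""
    user = re.search(r"--username=(\S+)$", log, re.M).group(1)
    fields = decode_mschap_response(extract_hex(log, "MS-CHAP-Response"))
    return ["--request-nt-key", f"--username={user}",
            f"--challenge={extract_hex(log, 'MS-CHAP-Challenge')}",
            f"--nt-response={fields['nt_response']}"]

if __name__ == "__main__":
    for finding in diagnose(DEBUG_LOG):
        print("-", finding)
    print("ntlm_auth", " ".join(mschap_ntlm_auth_args(DEBUG_LOG)))
```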
