Trying to use FR to query AD as an authentication oracle and set up per the docs at http://deployingradius.com/documents/configuration/active_directory.html and several others pertaining to setting up Kerberos and winbind.

smb/krb/winbind all run. The usual testing commands all produce the proper output: wbinfo, kinit, klist, net join, etc.

FreeRADIUS Version 2.1.7
CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
Samba Version 3.3.8-0.52.el5_5.2
KRB5

I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448. Am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.

Upon issuing the command:

ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5

I receive: NT_STATUS_OK: Success (0x0), but I do not see any reference to an NT_KEY.

I believe that's why the radtest command is failing:

radtest sambatest somepass localhost 0 somesecret
Sending Access-Request of id 225 to 127.0.0.1 port 1812
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20

Been reading and researching and testing for 3 weeks, but I'm stuck now.

radius -X output:

rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log]      expand: %t -> Fri Feb 18 17:19:10 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=somepass
username must be specified!     # don't understand this... username is two lines up. If I shut down winbind, a winbind error precedes "username must be specified!". Don't understand why samba is puking a help screen.

Usage: [OPTION...]
  --helper-protocol=helper protocol to use     operate as a stdio-based helper
  --username=STRING                            username
  --domain=STRING                              domain name
  --workstation=STRING                         workstation
  --challenge=STRING                           challenge (HEX encoded)
  --lm-response=STRING                         LM Response to the challenge
                                               (HEX encoded)
  --nt-response=STRING                         NT or NTLMv2 Response to the
                                               challenge (HEX encoded)
  --password=STRING                            User's plaintext password
  --request-lm-key                             Retrieve LM session key
  --request-nt-key                             Retrieve User (NT) session key
  --use-cached-creds                           Use cached credentials if no
                                               password is given
  --diagnostics                                Perform diagnostics on the
                                               authentictaion chain
  --require-membership-of=STRING               Require that a user be a member
                                               of this group (either name or
                                               SID) for authentication to
                                               succeed

Help options:
  -?, --help                                   Show this help message
  --usage                                      Display brief usage message

Common samba config:
  --configfile=CONFIGFILE                      Use alternate configuration file

Common samba options:
  -V, --version                                Print version
Exec-Program output: 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sambatest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
Waking up in 4.9 seconds.
Cleaning up request 2 ID 4 with timestamp +349
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log]      expand: %t -> Fri Feb 18 17:32:09 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=Thursday77
username must be specified!

Usage: [OPTION...]
  --helper-protocol=helper protocol to use     operate as a stdio-based helper
  --username=STRING                            username
  --domain=STRING                              domain name
  --workstation=STRING                         workstation
  --challenge=STRING                           challenge (HEX encoded)
  --lm-response=STRING                         LM Response to the challenge
                                               (HEX encoded)
  --nt-response=STRING                         NT or NTLMv2 Response to the
                                               challenge (HEX encoded)
  --password=STRING                            User's plaintext password
  --request-lm-key                             Retrieve LM session key
  --request-nt-key                             Retrieve User (NT) session key
  --use-cached-creds                           Use cached credentials if no
                                               password is given
  --diagnostics                                Perform diagnostics on the
                                               authentictaion chain
  --require-membership-of=STRING               Require that a user be a member
                                               of this group (either name or
                                               SID) for authentication to
                                               succeed

Help options:
  -?, --help                                   Show this help message
  --usage                                      Display brief usage message

Common samba config:
  --configfile=CONFIGFILE                      Use alternate configuration file

Common samba options:
  -V, --version                                Print version
Exec-Program output: 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sambatest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 225 to 127.0.0.1 port 57210
Waking up in 4.9 seconds.
Cleaning up request 3 ID 225 with timestamp +1128
Ready to process requests.

/etc/krb.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ADMIN.CYTEWORKS.LOCAL
# dns_lookup_realm = false    # all of these entries have been used for testing and are commented out now
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# forwardable = yes
# default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
ADMIN.CYTEWORKS.LOCAL = {
  kdc = cyteworks.admin.cyteworks.local
  admin_server = cyteworks.admin.cyteworks.local
  default_domain = ADMIN.CYTEWORKS.LOCAL
 }

[domain_realm]
 .cyteworks.local = ADMIN.CYTEWORKS.LOCAL
 cyteworks.local = ADMIN.CYTEWORKS.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/samba/smb.conf

#======================= Global Settings =====================================

[global]

        idmap uid = 200000 - 300000
        idmap gid = 200000 - 300000
        workgroup = ADMIN
;       netbios name = cyteworks

        realm = ADMIN.CYTEWORKS.LOCAL
        server string = Samba Server Version %v
        security = ads
        local master = no
        domain master = no
        preferred master = no

        winbind separator = +
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes

;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
        hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50

# ----------------------- Domain Members Options ------------------------

;       password server = *

        security = ads
;       passdb backend = tdbsam
        realm = ADMIN.CYTEWORKS.LOCAL

;       password server = 10.12.1.40

Everything else is commented out in smb.conf. Don't need any printers, no shares, etc.
/etc/raddb/radius.conf:

# -*- text -*-
##
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

user = radiusd
group = radiusd

max_request_time = 30
cleanup_delay = 5
max_requests = 1024

listen {
        type = auth
        ipaddr = *
        port = 0
        clients = per_socket_clients
}

listen {
        ipaddr = *
        port = 0
        type = acct
        clients = per_socket_clients
}

hostname_lookups = no
allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = yes
        auth = yes
        auth_badpass = yes
        auth_goodpass = yes
}

checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200
        reject_delay = 2
        status_server = yes
}

proxy_requests  = no

$INCLUDE clients.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}

instantiate {
        exec
        expr
        expiration
        logintime
}

$INCLUDE policy.conf

$INCLUDE sites-enabled/

/etc/raddb/clients.conf:

# -*- text -*-
##
## clients.conf -- client configuration directives
##

client localhost {
        ipaddr = 127.0.0.1
        secret          = somesecret
        require_message_authenticator = yes
        shortname       = localhost
        nastype     = other     # localhost isn't usually a NAS...
}

clients per_socket_clients {

        client 127.0.0.1 {
                secret = somesecret
        }

# Juniper - ESR - 01.24.11

        client 192.168.20.254 {
                secret = somesecret
                shortname = juniper
                nastype = netscreen
        }

# Dell PowerConnect 3448 - ESR - 02.01.11

        client 10.12.1.11 {
                secret = somesecret
                shortname = dpc3448
                nastype = other
        }
}

/etc/raddb/users

# -*- text -*-
#
#       Copyright (C) 2009 Deploying RADIUS Partnerships
#       All rights reserved.
#
#       Save this file as "raddb/users", after first backing up
#       the copy that you have there.
#
#       http://deployingradius.com/documents/configuration/pap.html
#
#  Window 1: radiusd -X
#  Window 2: radtest bob hello localhost 0 testing123
#

# ntlm_auth testing ESR 02.17.11

DEFAULT     Auth-Type = ntlm_auth


#************************ Juniper conf
# - ESR - 01.24.11

#some.user Cleartext-Password := "somepass"
#       NS-Admin-Privilege := 4,
#       NS-VSYS-Name := "Read-Only-Admin"

#some.user Cleartext-Password := "somepass"
#       NS-Admin-Privilege := 2,
#       NS-VSYS-Name := "ROOT"

# End of the file

I commented out the PAP entries in the users file because one of the users has the same user.name in AD but a different password, and that was causing me some conflict.

So, can anyone tell me why I'm not getting an NT_KEY reply when I issue the ntlm_auth command?

Is the missing key the reason the radtest command is failing? See any other glaring errors?

Thanks for your time.

E Rossiter
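Added triage example (mine, not part of the post above and not FreeRADIUS or Samba code). Two things in a transcript like the one posted are worth pulling out mechanically: what the exec module actually ran and what came back, and whether an ntlm_auth run produced an NT_KEY at all. On the second point, ntlm_auth prints an NT_KEY: line only on the challenge/response path (the --challenge/--nt-response invocation rlm_mschap uses); a plaintext --password check reports just the NT_STATUS, so its absence in the manual test is not by itself a failure. The script below parses a constructed excerpt in the shape of the posted `radiusd -X` output (SAMPLE_DEBUG is my abridgement, not the poster's full transcript), redacts the password argument before reporting it, and interprets ntlm_auth output by exit status with the NT_KEY as optional. The heuristics in diagnose() are my own.

```python
import re

# Constructed excerpt in the shape of the radiusd -X transcript in the post,
# trimmed to the lines that matter for triage (not the poster's full output).
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=somepass
username must be specified!
Exec-Program output: 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
"""

USER_RE = re.compile(r'^\s+User-Name = "(?P<user>[^"]*)"$')
GROUP_RE = re.compile(r'^\+- entering group (?P<group>\S+)')
RESULT_RE = re.compile(r'^\+\+\[(?P<module>[\w.-]+)\] returns (?P<rcode>\w+)$')
EXPAND_RE = re.compile(r'^\[(?P<module>[\w.-]+)\]\s+expand: (?P<template>.+?) -> (?P<value>.*)$')
AUTH_TYPE_RE = re.compile(r'^Found Auth-Type = (?P<auth_type>\S+)$')
EXEC_RC_RE = re.compile(r'^Exec-Program: returned: (?P<rc>-?\d+)$')
SEND_RE = re.compile(r'^Sending (?P<code>Access-\w+) of id \d+')
# Any expanded --password argument is blanked before it is reported anywhere.
SECRET_ARG_RE = re.compile(r'(--password=)\S*')


def summarize_request(debug_text):
    """Walk one request's radiusd -X output and keep only the decisions:
    per-section module return codes, the Auth-Type chosen, the expanded
    exec arguments (password redacted), the exec exit status, the reply."""
    summary = {
        'user_name': None, 'auth_type': None, 'exec_rc': None, 'reply': None,
        'authorize': [], 'authenticate': [], 'expansions': [],
    }
    group = None
    for line in debug_text.splitlines():
        if (m := USER_RE.match(line)) and summary['user_name'] is None:
            summary['user_name'] = m['user']
        elif m := GROUP_RE.match(line):
            group = m['group']
        elif (m := RESULT_RE.match(line)) and group in ('authorize', 'authenticate'):
            summary[group].append((m['module'], m['rcode']))
        elif m := EXPAND_RE.match(line):
            value = SECRET_ARG_RE.sub(r'\1<redacted>', m['value'])
            summary['expansions'].append((m['module'], m['template'], value))
        elif m := AUTH_TYPE_RE.match(line):
            summary['auth_type'] = m['auth_type']
        elif m := EXEC_RC_RE.match(line):
            summary['exec_rc'] = int(m['rc'])
        elif m := SEND_RE.match(line):
            summary['reply'] = m['code']
    return summary


def diagnose(summary):
    """Heuristic verdict (mine, not the server's) naming the first thing to check."""
    if summary['reply'] == 'Access-Accept':
        return 'accepted'
    if summary['auth_type'] is None:
        return 'no Auth-Type chosen in authorize: check the users file and module order'
    if summary['exec_rc'] not in (None, 0):
        # Only the expansions logged by the module that was run, e.g. [ntlm_auth].
        argv = ' '.join(v for mod, _, v in summary['expansions'] if mod == summary['auth_type'])
        return ('external program for Auth-Type %s exited %d; rerun it by hand as the '
                'radiusd user with these arguments: %s'
                % (summary['auth_type'], summary['exec_rc'], argv))
    rejecting = [mod for mod, rc in summary['authenticate'] if rc == 'reject']
    return 'rejected by %s' % (', '.join(rejecting) or 'unknown module')


NT_KEY_RE = re.compile(r'^NT_KEY: ([0-9A-Fa-f]{32})\s*$', re.M)
NT_STATUS_RE = re.compile(r'^(NT_STATUS_\w+): ', re.M)


def parse_ntlm_auth_output(stdout, exit_status):
    """Interpret one ntlm_auth run the way a caller must: exit status decides
    pass/fail; the NT_KEY line (32 hex chars = 16-byte NT session key) only
    appears on the challenge/response path, never on a plaintext --password check."""
    key = NT_KEY_RE.search(stdout)
    status = NT_STATUS_RE.search(stdout)
    return {
        'ok': exit_status == 0,
        'status': status.group(1) if status else None,
        'nt_key': key.group(1) if key else None,
    }


if __name__ == '__main__':
    s = summarize_request(SAMPLE_DEBUG)
    print(s['user_name'], s['auth_type'], s['exec_rc'], s['reply'])
    print(diagnose(s))
    print(parse_ntlm_auth_output('NT_STATUS_OK: Success (0x0)\n', 0))
```

Pipe a real transcript into summarize_request() rather than reading the raw output: the summary never carries the expanded password, which the raw `radiusd -X` output above does twice. When the verdict names a non-zero exit from the exec module, rerun the program with exactly the expanded arguments, but as the user FreeRADIUS runs as (`user = radiusd` in the posted radiusd.conf), not as root: ntlm_auth's usage text means the child saw no --username, and a child that fails before it parses its options, or that cannot open the winbind privileged socket under the daemon's account, behaves differently from the same command typed in a root shell. The `program =` line in modules/ntlm_auth, which the post does not include, is the place to compare against the documented form (`--request-nt-key --domain=... --username=%{mschap:User-Name} --password=%{User-Password}`).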