<font style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
If no one else pipes in I'll try to help, but I'm gone for the night.</font><br> <br>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<font style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<b>From</b>: E Rossiter [mailto:phedup@gmail.com]
<br><b>Sent</b>: Friday, February 18, 2011 06:11 PM<br><b>To</b>: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org>
<br><b>Subject</b>: FR/AD integration
<br></font> <br></div>
Trying to use FR to query AD as an authentication oracle and set up per the docs at <a href="http://deployingradius.com/documents/configuration/active_directory.html">http://deployingradius.com/documents/configuration/active_directory.html</a> and several others pertaining to setting up Kerberos and winbind.<br>
<br>smb/krb/winbind all run. The usual testing commands all produce the proper output. wbinfo, kbinit, kblist, net join, etc.<br><br>FreeRADIUS Version 2.1.7,<br>CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP<br>Samba Version 3.3.8-0.52.el5_5.2<br>
KRB5<br><br>I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448. Am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.<br><br>Upon issuing the command:<br>
<br>ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5<br><br>I receive: NT_STATUS_OK: Success (0x0), but I do not see any reference to an NT_KEY.<br><br>I believe that's why the radtest command is failing:<br>
<br> radtest sambatest somepass localhost 0 somesecret <br>Sending Access-Request of id 225 to port 1812<br> User-Name = "sambatest"<br> User-Password = "somepass"<br> NAS-IP-Address =<br>
NAS-Port = 0<br>rad_recv: Access-Reject packet from host port 1812, id=225, length=20<br><br>Been reading and researching and testing for 3 weeks, but I'm stuck now.<br><br>radius -X output:<br><br>rad_recv: Access-Request packet from host port 39195, id=4, length=61<br>
User-Name = "sambatest"<br> User-Password = "somepass"<br> NAS-IP-Address =<br> NAS-Port = 0<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/<a href=""></a><br>[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/<a href=""></a><br>
[auth_log] expand: %t -> Fri Feb 18 17:19:10 2011<br>++[auth_log] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "sambatest", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[unix] returns notfound<br>[files] users: Matched entry DEFAULT at line 17<br>++[files] returns ok<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>Found Auth-Type = ntlm_auth<br>
+- entering group authenticate {...}<br>[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest<br>[ntlm_auth] expand: --password=%{User-Password} -> --password=somepass<br>username must be specified!<br><b># don't understand this... username is two lines up. If I shut down winbind, a winbind error precedes "username must be specified!". Also don't understand why samba is puking a help screen.</b><br>
<br>Usage: [OPTION...]<br> --helper-protocol=helper protocol to use operate as a stdio-based helper<br> --username=STRING username<br> --domain=STRING domain name<br>
--workstation=STRING workstation<br> --challenge=STRING challenge (HEX encoded)<br> --lm-response=STRING LM Response to the challenge<br> (HEX encoded)<br>
--nt-response=STRING NT or NTLMv2 Response to the<br> challenge (HEX encoded)<br> --password=STRING User's plaintext password<br>
--request-lm-key Retrieve LM session key<br> --request-nt-key Retrieve User (NT) session key<br> --use-cached-creds Use cached credentials if no<br>
password is given<br> --diagnostics Perform diagnostics on the<br> authentictaion chain<br> --require-membership-of=STRING Require that a user be a member<br>
of this group (either name or<br> SID) for authentication to<br> succeed<br><br>Help options:<br>
-?, --help Show this help message<br> --usage Display brief usage message<br><br>Common samba config:<br> --configfile=CONFIGFILE Use alternate configuration file<br>
<br>Common samba options:<br> -V, --version Print version<br>Exec-Program output: <br>Exec-Program: returned: 1<br>++[ntlm_auth] returns reject<br>Failed to authenticate the user.<br>Login incorrect: [sambatest/somepass] (from client port 0)<br>
Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> sambatest<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 2 for 2 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 2<br>Sending Access-Reject of id 4 to port 39195<br>
Waking up in 4.9 seconds.<br>Cleaning up request 2 ID 4 with timestamp +349<br>Ready to process requests.<br>wbin^H^H^Hrad_recv: Access-Request packet from host port 57210, id=225, length=61<br> User-Name = "sambatest"<br>
User-Password = "somepass"<br> NAS-IP-Address =<br> NAS-Port = 0<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/<a href=""></a><br>
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/<a href=""></a><br>[auth_log] expand: %t -> Fri Feb 18 17:32:09 2011<br>
++[auth_log] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "sambatest", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[unix] returns notfound<br>[files] users: Matched entry DEFAULT at line 17<br>++[files] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>Found Auth-Type = ntlm_auth<br>+- entering group authenticate {...}<br>[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest<br>
[ntlm_auth] expand: --password=%{User-Password} -> --password=Thursday77<br>username must be specified!<br><br>Usage: [OPTION...]<br> --helper-protocol=helper protocol to use operate as a stdio-based helper<br>
--username=STRING username<br> --domain=STRING domain name<br> --workstation=STRING workstation<br> --challenge=STRING challenge (HEX encoded)<br>
--lm-response=STRING LM Response to the challenge<br> (HEX encoded)<br> --nt-response=STRING NT or NTLMv2 Response to the<br>
challenge (HEX encoded)<br> --password=STRING User's plaintext password<br> --request-lm-key Retrieve LM session key<br>
--request-nt-key Retrieve User (NT) session key<br> --use-cached-creds Use cached credentials if no<br> password is given<br>
--diagnostics Perform diagnostics on the<br> authentictaion chain<br> --require-membership-of=STRING Require that a user be a member<br>
of this group (either name or<br> SID) for authentication to<br> succeed<br><br>Help options:<br>
-?, --help Show this help message<br> --usage Display brief usage message<br><br>Common samba config:<br> --configfile=CONFIGFILE Use alternate configuration file<br>
<br>Common samba options:<br> -V, --version Print version<br>Exec-Program output: <br>Exec-Program: returned: 1<br>++[ntlm_auth] returns reject<br>Failed to authenticate the user.<br>Login incorrect: [sambatest/Thursday77] (from client port 0)<br>
Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> sambatest<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 3 for 2 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 3<br>Sending Access-Reject of id 225 to port 57210<br>
Waking up in 4.9 seconds.<br>Cleaning up request 3 ID 225 with timestamp +1128<br>Ready to process requests.<br><br>/etc/krb.conf:<br><br>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br>
admin_server = FILE:/var/log/kadmind.log<br><br>[libdefaults]<br> default_realm = ADMIN.CYTEWORKS.LOCAL<br># dns_lookup_realm = false # all of these entries have been used for testing and are commented out now<br># dns_lookup_kdc = true<br>
# ticket_lifetime = 24h<br># forwardable = yes<br># default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC<br># default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC<br># preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC<br>
<br><br>[realms]<br>ADMIN.CYTEWORKS.LOCAL = {<br> kdc = cyteworks.admin.cyteworks.local<br> admin_server = cyteworks.admin.cyteworks.local<br> default_domain = ADMIN.CYTEWORKS.LOCAL<br> }<br><br>[domain_realm]<br> .cyteworks.local = ADMIN.CYTEWORKS.LOCAL<br>
cyteworks.local = ADMIN.CYTEWORKS.LOCAL<br><br>[kdc]<br>profile = /var/kerberos/krb5kdc/kdc.conf<br><br>[appdefaults]<br> pam = {<br> debug = false<br> ticket_lifetime = 36000<br> renew_lifetime = 36000<br> forwardable = true<br>
krb4_convert = false<br> }<br><br>/etc/samba/smb.conf<br><br>#======================= Global Settings =====================================<br><br>[global]<br><br> idmap uid = 200000 - 300000<br> idmap gid = 200000 - 300000<br>
workgroup = ADMIN<br>; netbios name = cyteworks<br><br> realm = ADMIN.CYTEWORKS.LOCAL<br> server string = Samba Server Version %v<br> security = ads<br> local master = no<br> domain master = no <br>
preferred master = no<br><br> winbind separator = +<br> winbind uid = 10000-20000<br> winbind gid = 10000-20000<br> winbind enum users = yes<br> winbind enum groups = yes<br> winbind use default domain = yes<br>
<br>; interfaces = lo eth0 <a href=""></a> <a href=""></a> <br> hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8<br>
<br># --------------------------- Logging Options -----------------------------<br>#<br># Log File let you specify where to put logs and how to split them up.<br>#<br># Max Log Size let you specify the max size log files should reach<br>
<br> # logs split per machine<br> log file = /var/log/samba/log.%m<br> # max 50KB per log file, then rotate<br> max log size = 50<br><br># ----------------------- Domain Members Options ------------------------<br>
<br>; password server = *<br><br><br> security = ads<br>; passdb backend = tdbsam<br> realm = ADMIN.CYTEWORKS.LOCAL<br><br>; password server =<br><br><br>Everything else is commented out in smb.conf. Don't need any printers, no shares, etc.<br>
<br>/etc/raddb/radius.conf:<br><br># -*- text -*-<br>##<br>#<br><br>prefix = /usr<br>exec_prefix = /usr<br>sysconfdir = /etc<br>localstatedir = /var<br>sbindir = /usr/sbin<br>logdir = ${localstatedir}/log/radius<br>raddbdir = ${sysconfdir}/raddb<br>
radacctdir = ${logdir}/radacct<br><br>name = radiusd<br><br>confdir = ${raddbdir}<br>run_dir = ${localstatedir}/run/${name}<br><br>db_dir = ${raddbdir}<br><br>libdir = /usr/lib/freeradius<br><br>pidfile = ${run_dir}/${name}.pid<br>
<br>user = radiusd<br>group = radiusd<br><br>max_request_time = 30<br><br>cleanup_delay = 5<br><br>max_requests = 1024<br><br>listen {<br> type = auth<br><br> ipaddr = *<br><br> port = 0<br><br> clients = per_socket_clients<br>
}<br><br>listen {<br> ipaddr = *<br> port = 0<br> type = acct<br> clients = per_socket_clients<br>}<br><br>hostname_lookups = no<br><br>allow_core_dumps = no<br><br>regular_expressions = yes<br>
extended_expressions = yes<br><br>log {<br> destination = files<br><br> file = ${logdir}/radius.log<br><br> syslog_facility = daemon<br><br> stripped_names = yes<br><br> auth = yes<br>
<br> auth_badpass = yes<br> auth_goodpass = yes<br><br>}<br><br>checkrad = ${sbindir}/checkrad<br><br>security {<br> max_attributes = 200<br><br> reject_delay = 2<br><br> status_server = yes<br>
}<br><br><br>proxy_requests = no<br><br>$INCLUDE clients.conf<br><br>thread pool {<br> start_servers = 5<br><br> max_servers = 32<br><br> min_spare_servers = 3<br> max_spare_servers = 10<br><br>
max_requests_per_server = 0<br>}<br><br>modules {<br> $INCLUDE ${confdir}/modules/<br><br> $INCLUDE eap.conf<br>}<br><br>instantiate {<br> exec<br><br> expr<br><br> expiration<br>
logintime<br>}<br><br>$INCLUDE policy.conf<br><br>$INCLUDE sites-enabled/<br><br>/etc/raddb/clients.conf:<br><br># -*- text -*-<br>##<br>## clients.conf -- client configuration directives<br>##<br><br>client localhost {<br>
ipaddr =<br><br> secret = somesecret<br><br> require_message_authenticator = yes<br><br> shortname = localhost<br><br> nastype = other # localhost isn't usually a NAS...<br>
<br>}<br><br>clients per_socket_clients {<br><br><br> client {<br> secret = somesecret<br> }<br><br># Juniper - ESR - 01.24.11<br><br> client {<br> secret = somesecret<br>
shortname = juniper<br> nastype = netscreen<br> }<br><br># Dell PowerConnect 3448 - ESR - 02.01.11<br><br> client {<br> secret = somesecret<br> shortname = dpc3448<br>
nastype = other<br> }<br>}<br><br>/etc/raddb/users<br><br># -*- text -*-<br>#<br># Copyright (C) 2009 Deploying RADIUS Partnerships<br># All rights reserved.<br>#<br># Save this file as "raddb/users", after first backing up<br>
# the copy that you have there.<br>#<br># <a href="http://deployingradius.com/documents/configuration/pap.html">http://deployingradius.com/documents/configuration/pap.html</a><br>#<br># Window 1: radiusd -X<br>
# Window 2: radtest bob hello localhost 0 testing123<br>#<br><br># ntlm_auth testing ESR 02.17.11<br><br>DEFAULT Auth-Type = ntlm_auth <br><br><br><br>#************************ Juniper conf<br># - ESR - 01.24.11<br><br>
#some.user Cleartext-Password := "somepass"<br># NS-Admin-Privilege := 4,<br># NS-VSYS-Name := "Read-Only-Admin"<br><br>#some.user Cleartext-Password := "somepass"<br># NS-Admin-Privilege := 2,<br>
# NS-VSYS-Name := "ROOT"<br><br><br># End of the file<br><br>I commented out the PAP entries in the users file because one of the users has the same <a href="http://user.name">user.name</a> in AD but a different password, and that was causing me some conflict.<br>
<br>So, can anyone tell me why I'm not getting an <b>NT_KEY</b> reply when I issue the <b>ntlm_auth</b> command?<br><br>Is the missing key the reason the <b>radtest</b> command is failing? See any other glaring errors?<br>
<br>Thanks for your time.<br><br>E Rossiter<br>
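Added example, not from the original post and not part of FreeRADIUS or Samba: a small Python triage script for `radiusd -X` output like the debug log quoted above. It groups lines per Access-Request and reports the Auth-Type that was chosen, the module in the Auth-Type group that rejected, the exit status of the exec helper, and the first thing that helper printed (here ntlm_auth's "username must be specified!"). The sample log is a constructed abridgement of the post's output; the client address in it is made up, and the script assumes the first module returning inside the Auth-Type group decides the request.

```python
import re

# Constructed sample: the failing ntlm_auth request quoted above, abridged (client address made up).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest
username must be specified!
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Sending Access-Reject of id 4 to port 39195
"""

PATTERNS = {  # one regex per decision point in radiusd -X output
    "request": re.compile(r"^rad_recv: Access-Request packet from host \S+ port \d+, id=(\d+)"),
    "auth_type": re.compile(r"^Found Auth-Type = (\S+)"),
    "module": re.compile(r"^\+\+\[(\S+)\] returns (\w+)"),
    "exec": re.compile(r"^Exec-Program: returned: (\d+)"),
}

def summarize(log_text: str) -> list:
    requests, phase = [], None
    cur = {"id": None, "helper_output": []}  # throwaway bucket for lines before the first request
    for raw in log_text.splitlines():
        line = raw.strip()
        kind, m = next(((k, p.match(line)) for k, p in PATTERNS.items() if p.match(line)), (None, None))
        if kind == "request":
            cur = {"id": int(m.group(1)), "auth_type": None, "rejected_by": None,
                   "exec_status": None, "helper_output": []}
            requests.append(cur)
            phase = "authorize"
        elif kind == "auth_type":
            cur["auth_type"], phase = m.group(1), "authenticate"
        elif kind == "module" and phase == "authenticate":
            if m.group(2) in ("reject", "fail"):  # assumption: first module of the Auth-Type group decides
                cur["rejected_by"] = m.group(1)
            phase = "post-auth"
        elif kind == "exec":
            cur["exec_status"] = int(m.group(1))
        elif kind is None and phase == "authenticate" and line and not line.startswith(("[", "+", "Exec-Program")):
            cur["helper_output"].append(line)  # stdout/stderr of the exec helper (ntlm_auth here)
    return requests

def diagnose(r: dict) -> str:
    if not r["rejected_by"]:
        return f"id {r['id']}: Auth-Type {r['auth_type']}, no reject from the Auth-Type group"
    extra = f", helper exit status {r['exec_status']}" if r["exec_status"] is not None else ""
    extra += f", helper said {r['helper_output'][0]!r}" if r["helper_output"] else ""
    return f"id {r['id']}: Auth-Type {r['auth_type']}, rejected by [{r['rejected_by']}]{extra}"
```

Feeding the full debug output from the post through `summarize` and `diagnose` gives one verdict line per request, which is usually enough to see whether the reject came from the helper's exit status or from an earlier module.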
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."