That ntlm_auth line should have read:<br><br>ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=sambatest --password=Thursday77<br><br>which is a test account. The other account and password has been promptly nuked.<br>
<br>Sorry about that, folks.<br><br>E-<br><br><div class="gmail_quote">On Fri, Feb 18, 2011 at 6:11 PM, E Rossiter <span dir="ltr"><<a href="mailto:phedup@gmail.com">phedup@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Trying to use FR to query AD as an authentication oracle and set up per the docs at <a href="http://deployingradius.com/documents/configuration/active_directory.html" target="_blank">http://deployingradius.com/documents/configuration/active_directory.html</a> and several others pertaining to setting up Kerberos and winbind.<br>
<br>smb/krb/winbind all run. The usual testing commands all produce the proper output: wbinfo, kinit, klist, net join, etc.<br><br>FreeRADIUS Version 2.1.7,<br>CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP<br>Samba Version 3.3.8-0.52.el5_5.2<br>
KRB5<br><br>I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448. Am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.<br><br>Upon issuing the command:<br>
<br>ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5<br><br>I receive: NT_STATUS_OK: Success (0x0) but I do not see any reference to an NT_KEY.<br><br>I believe that's why the radtest command is failing:<br>
<br> radtest sambatest somepass localhost 0 somesecret <br>Sending Access-Request of id 225 to 127.0.0.1 port 1812<br> User-Name = "sambatest"<br> User-Password = "somepass"<br> NAS-IP-Address = 64.126.127.208<br>
NAS-Port = 0<br>rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20<br><br>Been reading and researching and testing for 3 weeks, but I'm stuck now.<br><br>radius -X output:<br><br>
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61<br>
User-Name = "sambatest"<br> User-Password = "somepass"<br> NAS-IP-Address = 64.126.127.208<br> NAS-Port = 0<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218<br>
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218<br>
[auth_log] expand: %t -> Fri Feb 18 17:19:10 2011<br>++[auth_log] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "sambatest", looking up realm NULL<br>
[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[unix] returns notfound<br>[files] users: Matched entry DEFAULT at line 17<br>++[files] returns ok<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>Found Auth-Type = ntlm_auth<br>
+- entering group authenticate {...}<br>[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest<br>[ntlm_auth] expand: --password=%{User-Password} -> --password=somepass<br>username must be specified! <b># don't understand this... username is two lines up</b> If I shut down winbind, a winbind error precedes "username must be specified!". I don't understand why samba is puking a help screen.<br>
<br>Usage: [OPTION...]<br> --helper-protocol=helper protocol to use operate as a stdio-based helper<br> --username=STRING username<br> --domain=STRING domain name<br>
--workstation=STRING workstation<br> --challenge=STRING challenge (HEX encoded)<br> --lm-response=STRING LM Response to the challenge<br> (HEX encoded)<br>
--nt-response=STRING NT or NTLMv2 Response to the<br> challenge (HEX encoded)<br> --password=STRING User's plaintext password<br>
--request-lm-key Retrieve LM session key<br> --request-nt-key Retrieve User (NT) session key<br> --use-cached-creds Use cached credentials if no<br>
password is given<br> --diagnostics Perform diagnostics on the<br> authentictaion chain<br> --require-membership-of=STRING Require that a user be a member<br>
of this group (either name or<br> SID) for authentication to<br> succeed<br><br>Help options:<br>
-?, --help Show this help message<br> --usage Display brief usage message<br><br>Common samba config:<br> --configfile=CONFIGFILE Use alternate configuration file<br>
<br>Common samba options:<br> -V, --version Print version<br>Exec-Program output: <br>Exec-Program: returned: 1<br>++[ntlm_auth] returns reject<br>Failed to authenticate the user.<br>Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)<br>
Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> sambatest<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 2 for 2 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 2<br>Sending Access-Reject of id 4 to 127.0.0.1 port 39195<br>
Waking up in 4.9 seconds.<br>Cleaning up request 2 ID 4 with timestamp +349<br>Ready to process requests.<br>wbin^H^H^Hrad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61<br> User-Name = "sambatest"<br>
User-Password = "somepass"<br> NAS-IP-Address = 64.126.127.208<br> NAS-Port = 0<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218<br>
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218<br>[auth_log] expand: %t -> Fri Feb 18 17:32:09 2011<br>
++[auth_log] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "sambatest", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>
[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>++[unix] returns notfound<br>[files] users: Matched entry DEFAULT at line 17<br>++[files] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>Found Auth-Type = ntlm_auth<br>+- entering group authenticate {...}<br>[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest<br>
[ntlm_auth] expand: --password=%{User-Password} -> --password=Thursday77<br>username must be specified!<br><br>Usage: [OPTION...]<br> --helper-protocol=helper protocol to use operate as a stdio-based helper<br>
--username=STRING username<br> --domain=STRING domain name<br> --workstation=STRING workstation<br> --challenge=STRING challenge (HEX encoded)<br>
--lm-response=STRING LM Response to the challenge<br> (HEX encoded)<br> --nt-response=STRING NT or NTLMv2 Response to the<br>
challenge (HEX encoded)<br> --password=STRING User's plaintext password<br> --request-lm-key Retrieve LM session key<br>
--request-nt-key Retrieve User (NT) session key<br> --use-cached-creds Use cached credentials if no<br> password is given<br>
--diagnostics Perform diagnostics on the<br> authentictaion chain<br> --require-membership-of=STRING Require that a user be a member<br>
of this group (either name or<br> SID) for authentication to<br> succeed<br><br>Help options:<br>
-?, --help Show this help message<br> --usage Display brief usage message<br><br>Common samba config:<br> --configfile=CONFIGFILE Use alternate configuration file<br>
<br>Common samba options:<br> -V, --version Print version<br>Exec-Program output: <br>Exec-Program: returned: 1<br>++[ntlm_auth] returns reject<br>Failed to authenticate the user.<br>Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)<br>
Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> sambatest<br> attr_filter: Matched entry DEFAULT at line 11<br>++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 3 for 2 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 3<br>Sending Access-Reject of id 225 to 127.0.0.1 port 57210<br>
Waking up in 4.9 seconds.<br>Cleaning up request 3 ID 225 with timestamp +1128<br>Ready to process requests.<br><br>/etc/krb.conf:<br><br>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br>
admin_server = FILE:/var/log/kadmind.log<br><br>[libdefaults]<br> default_realm = ADMIN.CYTEWORKS.LOCAL<br># dns_lookup_realm = false # all of these entries have been used for testing and are commented out now<br># dns_lookup_kdc = true<br>
# ticket_lifetime = 24h<br># forwardable = yes<br># default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC<br># default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC<br># preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC<br>
<br><br>[realms]<br>ADMIN.CYTEWORKS.LOCAL = {<br> kdc = cyteworks.admin.cyteworks.local<br> admin_server = cyteworks.admin.cyteworks.local<br> default_domain = ADMIN.CYTEWORKS.LOCAL<br> }<br><br>[domain_realm]<br> .cyteworks.local = ADMIN.CYTEWORKS.LOCAL<br>
cyteworks.local = ADMIN.CYTEWORKS.LOCAL<br><br>[kdc]<br>profile = /var/kerberos/krb5kdc/kdc.conf<br><br>[appdefaults]<br> pam = {<br> debug = false<br> ticket_lifetime = 36000<br> renew_lifetime = 36000<br> forwardable = true<br>
krb4_convert = false<br> }<br><br>/etc/samba/smb.conf<br><br>#======================= Global Settings =====================================<br><br>[global]<br><br> idmap uid = 200000 - 300000<br> idmap gid = 200000 - 300000<br>
workgroup = ADMIN<br>; netbios name = cyteworks<br><br> realm = ADMIN.CYTEWORKS.LOCAL<br> server string = Samba Server Version %v<br> security = ads<br> local master = no<br> domain master = no <br>
preferred master = no<br><br> winbind separator = +<br> winbind uid = 10000-20000<br> winbind gid = 10000-20000<br> winbind enum users = yes<br> winbind enum groups = yes<br> winbind use default domain = yes<br>
<br>; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 <br> hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8<br>
<br># --------------------------- Logging Options -----------------------------<br>#<br># Log File let you specify where to put logs and how to split them up.<br>#<br># Max Log Size let you specify the max size log files should reach<br>
<br> # logs split per machine<br> log file = /var/log/samba/log.%m<br> # max 50KB per log file, then rotate<br> max log size = 50<br><br># ----------------------- Domain Members Options ------------------------<br>
<br>; password server = *<br><br><br> security = ads<br>; passdb backend = tdbsam<br> realm = ADMIN.CYTEWORKS.LOCAL<br><br>; password server = 10.12.1.40<br><br><br>Everything else is commented out in smb.conf. Don't need any printers, no shares, etc.<br>
<br>/etc/raddb/radius.conf:<br><br># -*- text -*-<br>##<br>#<br><br>prefix = /usr<br>exec_prefix = /usr<br>sysconfdir = /etc<br>localstatedir = /var<br>sbindir = /usr/sbin<br>logdir = ${localstatedir}/log/radius<br>raddbdir = ${sysconfdir}/raddb<br>
radacctdir = ${logdir}/radacct<br><br>name = radiusd<br><br>confdir = ${raddbdir}<br>run_dir = ${localstatedir}/run/${name}<br><br>db_dir = ${raddbdir}<br><br>libdir = /usr/lib/freeradius<br><br>pidfile = ${run_dir}/${name}.pid<br>
<br>user = radiusd<br>group = radiusd<br><br>max_request_time = 30<br><br>cleanup_delay = 5<br><br>max_requests = 1024<br><br>listen {<br> type = auth<br><br> ipaddr = *<br><br> port = 0<br><br> clients = per_socket_clients<br>
}<br><br>listen {<br> ipaddr = *<br> port = 0<br> type = acct<br> clients = per_socket_clients<br>}<br><br>hostname_lookups = no<br><br>allow_core_dumps = no<br><br>regular_expressions = yes<br>
extended_expressions = yes<br><br>log {<br> destination = files<br><br> file = ${logdir}/radius.log<br><br> syslog_facility = daemon<br><br> stripped_names = yes<br><br> auth = yes<br>
<br> auth_badpass = yes<br> auth_goodpass = yes<br><br>}<br><br>checkrad = ${sbindir}/checkrad<br><br>security {<br> max_attributes = 200<br><br> reject_delay = 2<br><br> status_server = yes<br>
}<br><br><br>proxy_requests = no<br><br>$INCLUDE clients.conf<br><br>thread pool {<br> start_servers = 5<br><br> max_servers = 32<br><br> min_spare_servers = 3<br> max_spare_servers = 10<br><br>
max_requests_per_server = 0<br>}<br><br>modules {<br> $INCLUDE ${confdir}/modules/<br><br> $INCLUDE eap.conf<br>}<br><br>instantiate {<br> exec<br><br> expr<br><br> expiration<br>
logintime<br>}<br><br>$INCLUDE policy.conf<br><br>$INCLUDE sites-enabled/<br><br>/etc/raddb/clients.conf:<br><br># -*- text -*-<br>##<br>## clients.conf -- client configuration directives<br>##<br><br>client localhost {<br>
ipaddr = 127.0.0.1<br><br> secret = somesecret<br><br> require_message_authenticator = yes<br><br> shortname = localhost<br><br> nastype = other # localhost isn't usually a NAS...<br>
<br>}<br><br>clients per_socket_clients {<br><br><br> client 127.0.0.1 {<br> secret = somesecret<br> }<br><br># Juniper - ESR - 01.24.11<br><br> client 192.168.20.254 {<br> secret = somesecret<br>
shortname = juniper<br> nastype = netscreen<br> }<br><br># Dell PowerConnect 3448 - ESR - 02.01.11<br><br> client 10.12.1.11 {<br> secret = somesecret<br> shortname = dpc3448<br>
nastype = other<br> }<br>}<br><br>/etc/raddb/users<br><br># -*- text -*-<br>#<br># Copyright (C) 2009 Deploying RADIUS Partnerships<br># All rights reserved.<br>#<br># Save this file as "raddb/users", after first backing up<br>
# the copy that you have there.<br>#<br># <a href="http://deployingradius.com/documents/configuration/pap.html" target="_blank">http://deployingradius.com/documents/configuration/pap.html</a><br>#<br># Window 1: radiusd -X<br>
# Window 2: radtest bob hello localhost 0 testing123<br>#<br><br># ntlm_auth testing ESR 02.17.11<br><br>DEFAULT Auth-Type = ntlm_auth <br><br><br><br>#************************ Juniper conf<br># - ESR - 01.24.11<br>
<br>
#some.user Cleartext-Password := "somepass"<br># NS-Admin-Privilege := 4,<br># NS-VSYS-Name := "Read-Only-Admin"<br><br>#some.user Cleartext-Password := "somepass<br># NS-Admin-Privilege := 2,<br>
# NS-VSYS-Name := "ROOT"<br><br><br># End of the file<br><br>I commented out the PAP entries in the users file because one of the users has the same user.name in AD but a different password, and that was causing me some conflict.<br>
<br>So, can anyone tell me why I'm not getting an <b>NT_KEY</b> reply when I issue the <b>ntlm_auth</b> command?<br><br>Is the missing key the reason the <b>radtest</b> command is failing? See any other glaring errors?<br>
<br>Thanks for your time.<br><font color="#888888"><br>E Rossiter<br>
</font></blockquote></div>
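The thread above is a good illustration of two things a practitioner wants from radiusd -X output: a quick per-request summary (which Auth-Type was selected, which module returned reject, what exit status the exec helper gave) and the fact that, with auth_badpass/auth_goodpass enabled and an exec module that passes %{User-Password} on the command line, the debug log carries the cleartext password in three places (the attribute dump, the ntlm_auth expand line, and the "Login incorrect" line), which is exactly how a real password ended up on the list and had to be nuked. The script below is an added example, not code from the post or from the FreeRADIUS project: it parses 2.x-style debug text into a summary per Access-Request and redacts password material before the log is shared. The sample log is constructed to mirror the format quoted in the thread; the regular expressions assume that format.

```python
"""Triage and redaction helper for FreeRADIUS 2.x `radiusd -X` debug output.

Added example (not from the mailing-list post or the FreeRADIUS project).
Assumes the 2.x debug format shown in the thread: `rad_recv:` packet headers,
indented attribute lines, `++[module] returns ...`, `Exec-Program: returned: N`
and `Sending Access-... of id N`.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, shaped like the radiusd -X output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth] expand: --password=%{User-Password} -> --password=somepass
username must be specified!
Exec-Program output: 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
"""

REQ_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)')
ATTR_RE = re.compile(r'^\s+([\w-]+) = (.*)$')          # indented attribute dump lines
AUTH_TYPE_RE = re.compile(r'^Found Auth-Type = (\S+)')
MODULE_RE = re.compile(r'^\++\[([\w.]+)\] returns (\w+)')
EXEC_RE = re.compile(r'^Exec-Program: returned: (\d+)')
SEND_RE = re.compile(r'^Sending (Access-\w+) of id (\d+)')

# The three places the cleartext password shows up in this kind of log:
# the attribute dump, the exec module's argument expansion (the template
# `--password=%{User-Password}` is kept, only the expanded value is masked),
# and the `Login OK/incorrect: [user/password]` line written when
# auth_goodpass / auth_badpass = yes.
SECRET_PATTERNS = [
    (re.compile(r'(User-Password = ")[^"]*(")'), r'\1<redacted>\2'),
    (re.compile(r'(--password=)(?!%\{)\S+'), r'\1<redacted>'),
    (re.compile(r'(Login (?:OK|incorrect): \[[^/\]]*/)[^\]]*(\])'), r'\1<redacted>\2'),
]


def redact(line: str) -> str:
    """Mask password material in one debug line; everything else is left intact."""
    for pattern, repl in SECRET_PATTERNS:
        line = pattern.sub(repl, line)
    return line


def redact_log(text: str) -> str:
    """Redact a whole debug capture so it can be pasted into a ticket or a list post."""
    return "\n".join(redact(line) for line in text.splitlines())


def parse_debug(text: str) -> List[Dict[str, Optional[str]]]:
    """Summarise each Access-Request: sending client, User-Name, chosen Auth-Type,
    first module that returned reject, exec helper exit status, and the reply sent."""
    requests: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"client": m.group(1), "id": m.group(2), "user": None,
                       "auth_type": None, "rejecting_module": None,
                       "exec_status": None, "reply": None}
            requests.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m and m.group(1) == "User-Name":
            current["user"] = m.group(2).strip('"')
            continue
        m = AUTH_TYPE_RE.match(line)
        if m:
            current["auth_type"] = m.group(1)
            continue
        m = MODULE_RE.match(line)
        if m and m.group(2) == "reject" and current["rejecting_module"] is None:
            current["rejecting_module"] = m.group(1)
            continue
        m = EXEC_RE.match(line)
        if m:
            current["exec_status"] = m.group(1)
            continue
        m = SEND_RE.match(line)
        if m and m.group(2) == current["id"]:
            current["reply"] = m.group(1)
    return requests


if __name__ == "__main__":
    for req in parse_debug(SAMPLE_LOG):
        print(req)
    print(redact_log(SAMPLE_LOG))
```

Run against the sample, the summary shows the request for sambatest selected Auth-Type ntlm_auth, the ntlm_auth exec module returned reject after the helper exited 1, and an Access-Reject went back; the redacted copy keeps every module line and the `--password=%{User-Password}` template but masks the three expanded password values. Pointing the script at a saved radiusd -X capture (`parse_debug(open(path).read())`) gives the same triage for a real session.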