MS-CHAPv2 change password not working in master
Hi, I downloaded git master yesterday to test the new MS-CHAPv2 change password functionality. My setup is a Cisco router with "passwd-expiry" setup with Cisco VPN client for login, with FreeRadius to Windows AD through Winbind. MS-CHAPv2 authentication works fine. Winbind and AD setup is right. But testing the new passchange functionality by selecting "User must change password at next logon" in the Windows user, the New password windows popup in Cisco VPN client, but the change password process fails: ntlm_auth said: Password-Change: No Password-Change-Error: Wrong Password . . Winbind logs also shows: NT_STATUS_WRONG_PASSWORD Looking into code I suppose the problem is something with the old NT hash, but not an expert here. Any help would be apreciated. In these logs the user is "NIMASTELECOM\testpw". The current password is "y58R41ut8W" (expired). And the new password used was "H6eEWu7r65tw38ert1". Some radius logs: === # radiusd -X radiusd: FreeRADIUS Version 3.0.0, for host x86_64-unknown-linux-gnu, built on Nov 16 2012 at 01:46:19 Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. For more information about these matters, see the file named COPYRIGHT. Starting - reading configuration files ... ...................................... Ready to process requests. rad_recv: Access-Request packet from host 10.112.14.2 port 1645, id=127, length=202 User-Name = "NIMASTELECOM\\testpw" Calling-Station-Id = "217.126.166.195" MS-CHAP-Challenge = 0xdd2a98d3c3c69fb959df2f561d50d025 MS-CHAP2-Response = 0x01007b0896de80c7098bac5566313c61d1b200000000000000003cc2724e1d2be6d1868df97bd0607859441dc99b5ef37af0 NAS-Port-Type = Virtual Cisco-NAS-Port = "85.112.6.36" NAS-Port = 0 NAS-Port-Id = "85.112.6.36" Service-Type = Login-User NAS-IP-Address = 10.112.14.2 Event-Timestamp = "Nov 16 2012 10:39:06 CET" (0) # Executing section authorize from file /etc/raddb/sites-enabled/vpn_nimas_tk (0) group authorize { (0) - entering group authorize {...} (0) mschap-vpn_nimas_tk : Found MS-CHAP attributes. Setting 'Auth-Type = mschap-vpn_nimas_tk' (0) [mschap-vpn_nimas_tk] = ok (0) ? if (!control:Auth-Type) (0) ? Evaluating !(control:Auth-Type) -> FALSE (0) ? if (!control:Auth-Type) -> FALSE (0) detail-vpn_nimas_tk-auth : expand: /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d -> /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (0) detail-vpn_nimas_tk-auth : /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d expands to /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (0) detail-vpn_nimas_tk-auth : expand: %t -> Fri Nov 16 10:39:06 2012 (0) [detail-vpn_nimas_tk-auth] = ok (0) Found Auth-Type = MSCHAP (0) # Executing group from file /etc/raddb/sites-enabled/vpn_nimas_tk (0) group MS-CHAP { (0) - entering group MS-CHAP {...} (0) mschap-vpn_nimas_tk : Creating challenge hash with username: testpw (0) mschap-vpn_nimas_tk : Client is using MS-CHAPv2 for testpw, we need NT-Password (0) mschap-vpn_nimas_tk : expand: --username=%{mschap-vpn_nimas_tk:User-Name} -> --username=testpw (0) mschap-vpn_nimas_tk : expand: --domain=%{mschap-vpn_nimas_tk:NT-Domain} -> --domain=NIMASTELECOM (0) mschap-vpn_nimas_tk : Creating challenge hash with username: testpw (0) mschap-vpn_nimas_tk : expand: --challenge=%{mschap-vpn_nimas_tk:Challenge:-00} -> --challenge=3550f7bf5746677f (0) mschap-vpn_nimas_tk : expand: --nt-response=%{mschap-vpn_nimas_tk:NT-Response:-00} -> --nt-response=3cc2724e1d2be6d1868df97bd0607859441dc99b5ef37af0 Exec-Program output: Must change password (0xc0000224) Exec-Program-Wait: plaintext: Must change password (0xc0000224) Exec-Program: returned: 1 (0) mschap-vpn_nimas_tk : ntlm_auth says Must change password (0xc0000224) (0) [mschap-vpn_nimas_tk] = reject (0) Failed to authenticate the user. (0) Login incorrect: [NIMASTELECOM\\testpw] (from client RMADTKNIMAS01 port 0 cli 217.126.166.195) (0) Using Post-Auth-Type Reject (0) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. (0) Finished request 0. Waking up in 0.9 seconds. (0) Sending delayed reject Sending Access-Reject of id 127 from 85.112.8.156 port 1812 to 10.112.14.2 port 1645 MS-CHAP-Error = "\001E=648 R=0 C=47763c0a72e4fb2d546c9a413245f87b V=3 M=Password Expired" Waking up in 4.9 seconds. (0) Cleaning up request packet ID 127 with timestamp +14 Ready to process requests. rad_recv: Access-Request packet from host 10.112.14.2 port 1645, id=128, length=755 User-Name = "NIMASTELECOM\\testpw" MS-CHAP-Challenge = 0xf42a98d3c3c69fb959df2f561d50d025 MS-CHAP2-CPW = 0x070100000000000000000000000000000000b79a22699ae1dedc832935c8f5c5d7880000000000000000b0bfd263d6c0bbc0b2b28e085c072676857cf1f7c6f88a300000 MS-CHAP-NT-Enc-PW = 0x0601000176116065c54f9ef590a62a9e5d90a75e906e19b76954e1ff0deeb5f3a5212f64e16adf48e0f1e3bb2cd3c3889dac2d67b6584725b87c28d1612fdedf8268e3af3096a2c596ea8efb16697a10b5e726a86e457a84669c6ec82cfc67a301ff9d329b0ef45b96084d099823105412e0779971079efc9260b6ab1805df81b10f3fa65d4aa859beeaae01f0a2311f51bfc9c84f0168b595fa80273b6a08180e83ec63f03a6face5015ccb52114017 MS-CHAP-NT-Enc-PW = 0x060100025ddd392405df3b0952a11ad2158f1c26398cdd6f2eb4be40607ff1fe81fc1e4f335e9b1a8a8a4a081f4b6834fe8e8d024ae1c80da758057f9505f8dff2a0211dd68d67fea4cb6de33f582be526fb0698669878264cb7ab61883a4caa4e4bc60f5421496218319c3ad4c0210383edc4daf25f43a55002d8014c287659c32cdbc6a43e0dc01c2c2effc7aa43267a0cf5c2100b4d25de0408559dd012496716837562ff79032b2f1671cd85d582 MS-CHAP-NT-Enc-PW = 0x060100030c2cb9971bac6562e7e0615b9d89c703e7bbd4e0765af7c420590cd3b6d0149ab90d95b03f56e543759da80aea68ca44bf4b7514a1f2550fa2be6571c1639fd67738d2351a248f43f7ce4e1c552cf769416be4b6b78e7c1f49b32e5f2b7421acebab117a2009ccb87e0170cd30b31024a331920c5c2891a939ec22061af7fad85140a0bd99e89c3c6d56a3e9eb3a8025d5ef968ba7523c78f11bb43cd49936d2b28d289788d164b507a76fb6 NAS-Port-Type = Virtual Cisco-NAS-Port = "85.112.6.36" NAS-Port = 0 NAS-Port-Id = "85.112.6.36" Service-Type = Login-User NAS-IP-Address = 10.112.14.2 Event-Timestamp = "Nov 16 2012 10:39:20 CET" (1) # Executing section authorize from file /etc/raddb/sites-enabled/vpn_nimas_tk (1) group authorize { (1) - entering group authorize {...} (1) mschap-vpn_nimas_tk : Found MS-CHAP attributes. Setting 'Auth-Type = mschap-vpn_nimas_tk' (1) [mschap-vpn_nimas_tk] = ok (1) ? if (!control:Auth-Type) (1) ? Evaluating !(control:Auth-Type) -> FALSE (1) ? if (!control:Auth-Type) -> FALSE (1) detail-vpn_nimas_tk-auth : expand: /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d -> /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (1) detail-vpn_nimas_tk-auth : /var/log/radius/radacct/vpn_nimas_tk-auth-%Y%m%d expands to /var/log/radius/radacct/vpn_nimas_tk-auth-20121116 (1) detail-vpn_nimas_tk-auth : expand: %t -> Fri Nov 16 10:39:20 2012 (1) [detail-vpn_nimas_tk-auth] = ok (1) Found Auth-Type = MSCHAP (1) # Executing group from file /etc/raddb/sites-enabled/vpn_nimas_tk (1) group MS-CHAP { (1) - entering group MS-CHAP {...} (1) mschap-vpn_nimas_tk : MS-CHAPv2 password change request received (1) mschap-vpn_nimas_tk : Password change payload valid (1) mschap-vpn_nimas_tk : Doing MS-CHAPv2 password change via ntlm_auth helper (1) mschap-vpn_nimas_tk : expand: username: %{mschap-vpn_nimas_tk:User-Name} -> username: testpw (1) mschap-vpn_nimas_tk : expand: nt-domain: %{mschap-vpn_nimas_tk:NT-Domain} -> nt-domain: NIMASTELECOM (1) mschap-vpn_nimas_tk : ntlm_auth said: Password-Change: No Password-Change-Error: Wrong Password . . (1) mschap-vpn_nimas_tk : ntlm auth password change failed: Password-Change-Error: Wrong Password (1) mschap-vpn_nimas_tk : Password change failed (1) [mschap-vpn_nimas_tk] = reject (1) Failed to authenticate the user. (1) Login incorrect: [NIMASTELECOM\\testpw] (from client RMADTKNIMAS01 port 0) (1) Using Post-Auth-Type Reject (1) WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. (1) Finished request 1. Waking up in 0.2 seconds. Waking up in 0.7 seconds. (1) Sending delayed reject Sending Access-Reject of id 128 from 85.112.8.156 port 1812 to 10.112.14.2 port 1645 MS-CHAP-Error = "\001E=709 R=0 M=Password change failed" Waking up in 4.9 seconds. (1) Cleaning up request packet ID 128 with timestamp +28 Ready to process requests. === The mschap derived module is simple: === mschap mschap-vpn_nimas_tk { with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-vpn_nimas_tk:User-Name} --domain=%{mschap-vpn_nimas_tk:NT-Domain} --challenge=%{mschap-vpn_nimas_tk:Challenge:-00} --nt-response=%{mschap-vpn_nimas_tk:NT-Response:-00}" passchange { ntlm_auth = "/usr/bin/ntlm_auth -d 10 -l /var/log/samba --helper-protocol=ntlm-change-password-1" ntlm_auth_username = "username: %{mschap-vpn_nimas_tk:User-Name}" ntlm_auth_domain = "nt-domain: %{mschap-vpn_nimas_tk:NT-Domain}" retry_msg = "Re-enter (or reset) the password" } === Winbind logs: === [2012/11/16 10:39:06.810639, 6] winbindd/winbindd.c:794(new_connection) accepted socket 25 [2012/11/16 10:39:06.810793, 10] winbindd/winbindd.c:644(process_request) process_request: request fn INTERFACE_VERSION [2012/11/16 10:39:06.810841, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version) [ 9918]: request interface version [2012/11/16 10:39:06.810906, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9918:INTERFACE_VERSION]: delivered response to client [2012/11/16 10:39:06.810964, 10] winbindd/winbindd.c:644(process_request) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2012/11/16 10:39:06.811002, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir) [ 9918]: request location of privileged pipe [2012/11/16 10:39:06.811068, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9918:WINBINDD_PRIV_PIPE_DIR]: delivered response to client [2012/11/16 10:39:06.811117, 6] winbindd/winbindd.c:842(winbind_client_request_read) closing socket 25, client exited [2012/11/16 10:39:06.811171, 6] winbindd/winbindd.c:794(new_connection) accepted socket 25 [2012/11/16 10:39:06.811227, 10] winbindd/winbindd.c:617(process_request) process_request: Handling async request 9918:PAM_AUTH_CRAP [2012/11/16 10:39:06.811266, 3] winbindd/winbindd_pam_auth_crap.c:56(winbindd_pam_auth_crap_send) [ 9918]: pam auth crap domain: [NIMASTELECOM] user: testpw [2012/11/16 10:39:07.071142, 10] winbindd/winbindd.c:679(wb_request_done) wb_request_done[9918:PAM_AUTH_CRAP]: NT_STATUS_PASSWORD_MUST_CHANGE [2012/11/16 10:39:07.071243, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9918:PAM_AUTH_CRAP]: delivered response to client [2012/11/16 10:39:07.071320, 6] winbindd/winbindd.c:842(winbind_client_request_read) closing socket 25, client exited [2012/11/16 10:39:20.825567, 6] winbindd/winbindd.c:794(new_connection) accepted socket 25 [2012/11/16 10:39:20.825731, 10] winbindd/winbindd.c:644(process_request) process_request: request fn INTERFACE_VERSION [2012/11/16 10:39:20.825780, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version) [ 9957]: request interface version [2012/11/16 10:39:20.825851, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9957:INTERFACE_VERSION]: delivered response to client [2012/11/16 10:39:20.825916, 10] winbindd/winbindd.c:644(process_request) process_request: request fn WINBINDD_PRIV_PIPE_DIR [2012/11/16 10:39:20.825960, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir) [ 9957]: request location of privileged pipe [2012/11/16 10:39:20.826035, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9957:WINBINDD_PRIV_PIPE_DIR]: delivered response to client [2012/11/16 10:39:20.826106, 6] winbindd/winbindd.c:842(winbind_client_request_read) closing socket 25, client exited [2012/11/16 10:39:20.826169, 6] winbindd/winbindd.c:794(new_connection) accepted socket 25 [2012/11/16 10:39:20.826235, 10] winbindd/winbindd.c:644(process_request) process_request: request fn DOMAIN_NAME [2012/11/16 10:39:20.826279, 3] winbindd/winbindd_misc.c:394(winbindd_domain_name) [ 9957]: request domain name [2012/11/16 10:39:20.826341, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9957:DOMAIN_NAME]: delivered response to client [2012/11/16 10:39:20.826497, 10] winbindd/winbindd.c:617(process_request) process_request: Handling async request 9957:PAM_CHNG_PSWD_AUTH_CRAP [2012/11/16 10:39:20.826544, 3] winbindd/winbindd_pam_chng_pswd_auth_crap.c:57(winbindd_pam_chng_pswd_auth_crap_send) [ 9957]: pam change pswd auth crap domain: NIMASTELECOM user: testpw [2012/11/16 10:39:20.856407, 10] winbindd/winbindd.c:679(wb_request_done) wb_request_done[9957:PAM_CHNG_PSWD_AUTH_CRAP]: NT_STATUS_WRONG_PASSWORD [2012/11/16 10:39:20.856498, 10] winbindd/winbindd.c:740(winbind_client_response_written) winbind_client_response_written[9957:PAM_CHNG_PSWD_AUTH_CRAP]: delivered response to client [2012/11/16 10:39:20.856674, 6] winbindd/winbindd.c:842(winbind_client_request_read) closing socket 25, client exited === Regards, Carlos Velasco
Looking into code I suppose the problem is something with the old NT hash, but not an expert here. Any help would be apreciated.
Adding some debug to code, this seems really wrong: (1) mschap-vpn_nimas_tk : old_nt_hash: 3497295200 || Write buf: old-nt-hash-blob: 00000000000000000000000000000000 len = sprintf(buf, "old-nt-hash-blob: "); fr_bin2hex(old_nt_hash, buf+len, 16); buf[len+32] = '\n'; buf[len+33] = '\0'; len = strlen(buf); ++ RDEBUG2("old_nt_hash: %u || Write buf: %s", old_nt_hash, buf); if (write_all(to_child, buf, len) != len) { RDEBUG2("failed to write old hash blob to child"); goto ntlm_auth_err; }
participants (1)
-
Carlos Velasco