That ntlm_auth line should have read: ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=sambatest --password=Thursday77 which is a test account. The other account and passwd has been promptly nuked. Sorry bout that folks. E- On Fri, Feb 18, 2011 at 6:11 PM, E Rossiter <phedup@gmail.com> wrote:
Trying to use FR to query AD as an authentication oracle and set up per the docs at http://deployingradius.com/documents/configuration/active_directory.htmland several others pertaining to setting up Kerberos and winbind.
smb/krb/winbind all run. The usual testing commands all produce the proper output. wbinfo, kbinit, kblist, net join, etc.
FreeRADIUS Version 2.1.7, CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP Samba Version 3.3.8-0.52.el5_5.2 KRB5
I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448. Am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.
Upon issuing the command:
ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5
I receive : NT_STATUS_OK: Success (0x0) but I do not see any reference to an NT_KEY:
I believe that's why the radtest command is failing:
radtest sambatest somepass localhost 0 somesecret Sending Access-Request of id 225 to 127.0.0.1 port 1812 User-Name = "sambatest" User-Password = "somepass" NAS-IP-Address = 64.126.127.208 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20
Been reading and researching and testing for 3 weeks, but I'm stuck now.
radius -X output:
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61 User-Name = "sambatest" User-Password = "somepass" NAS-IP-Address = 64.126.127.208 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218 [auth_log] expand: %t -> Fri Feb 18 17:19:10 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "sambatest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 17 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest [ntlm_auth] expand: --password=%{User-Password} -> --password=somepass username must be specified! *# don't understand this... username is two lines up* If I shut down winbind, a winbind error preceeds "username must be specified! " don't understand # why samba is puking a help screen?
Usage: [OPTION...] --helper-protocol=helper protocol to use operate as a stdio-based helper --username=STRING username --domain=STRING domain name --workstation=STRING workstation --challenge=STRING challenge (HEX encoded) --lm-response=STRING LM Response to the challenge (HEX encoded) --nt-response=STRING NT or NTLMv2 Response to the challenge (HEX encoded) --password=STRING User's plaintext password --request-lm-key Retrieve LM session key --request-nt-key Retrieve User (NT) session key --use-cached-creds Use cached credentials if no password is given --diagnostics Perform diagnostics on the authentictaion chain --require-membership-of=STRING Require that a user be a member of this group (either name or SID) for authentication to succeed
Help options: -?, --help Show this help message --usage Display brief usage message
Common samba config: --configfile=CONFIGFILE Use alternate configuration file
Common samba options: -V, --version Print version Exec-Program output: Exec-Program: returned: 1 ++[ntlm_auth] returns reject Failed to authenticate the user. Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> sambatest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 2 seconds Going to the next request Waking up in 0.9 seconds. Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 4 to 127.0.0.1 port 39195 Waking up in 4.9 seconds. Cleaning up request 2 ID 4 with timestamp +349 Ready to process requests. wbin^H^H^Hrad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61 User-Name = "sambatest" User-Password = "somepass" NAS-IP-Address = 64.126.127.208 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218 [auth_log] expand: %t -> Fri Feb 18 17:32:09 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "sambatest", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 17 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest [ntlm_auth] expand: --password=%{User-Password} -> --password=Thursday77 username must be specified!
Usage: [OPTION...] --helper-protocol=helper protocol to use operate as a stdio-based helper --username=STRING username --domain=STRING domain name --workstation=STRING workstation --challenge=STRING challenge (HEX encoded) --lm-response=STRING LM Response to the challenge (HEX encoded) --nt-response=STRING NT or NTLMv2 Response to the challenge (HEX encoded) --password=STRING User's plaintext password --request-lm-key Retrieve LM session key --request-nt-key Retrieve User (NT) session key --use-cached-creds Use cached credentials if no password is given --diagnostics Perform diagnostics on the authentictaion chain --require-membership-of=STRING Require that a user be a member of this group (either name or SID) for authentication to succeed
Help options: -?, --help Show this help message --usage Display brief usage message
Common samba config: --configfile=CONFIGFILE Use alternate configuration file
Common samba options: -V, --version Print version Exec-Program output: Exec-Program: returned: 1 ++[ntlm_auth] returns reject Failed to authenticate the user. Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> sambatest attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 3 for 2 seconds Going to the next request Waking up in 0.9 seconds. Waking up in 0.9 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 225 to 127.0.0.1 port 57210 Waking up in 4.9 seconds. Cleaning up request 3 ID 225 with timestamp +1128 Ready to process requests.
/etc/krb.conf:
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log
[libdefaults] default_realm = ADMIN.CYTEWORKS.LOCAL # dns_lookup_realm = false # all of these entries have been used for testing and are commented out now # dns_lookup_kdc = true # ticket_lifetime = 24h # forwardable = yes # default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC # default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC # preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms] ADMIN.CYTEWORKS.LOCAL = { kdc = cyteworks.admin.cyteworks.local admin_server = cyteworks.admin.cyteworks.local default_domain = ADMIN.CYTEWORKS.LOCAL }
[domain_realm] .cyteworks.local = ADMIN.CYTEWORKS.LOCAL cyteworks.local = ADMIN.CYTEWORKS.LOCAL
[kdc] profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
/etc/samba/smb.conf
#======================= Global Settings =====================================
[global]
idmap uid = 200000 - 300000 idmap gid = 200000 - 300000 workgroup = ADMIN ; netbios name = cyteworks
realm = ADMIN.CYTEWORKS.LOCAL server string = Samba Server Version %v security = ads local master = no domain master = no preferred master = no
winbind separator = + winbind uid = 10000-20000 winbind gid = 10000-20000 winbind enum users = yes winbind enum groups = yes winbind use default domain = yes
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8
# --------------------------- Logging Options ----------------------------- # # Log File let you specify where to put logs and how to split them up. # # Max Log Size let you specify the max size log files should reach
# logs split per machine log file = /var/log/samba/log.%m # max 50KB per log file, then rotate max log size = 50
# ----------------------- Domain Members Options ------------------------
; password server = *
security = ads ; passdb backend = tdbsam realm = ADMIN.CYTEWORKS.LOCAL
; password server = 10.12.1.40
Everything else is commented out in smb.conf. Don't need any printers, no shares, etc.
/etc/raddb/radius.conf:
# -*- text -*- ## #
prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen { type = auth
ipaddr = *
port = 0
clients = per_socket_clients }
listen { ipaddr = * port = 0 type = acct clients = per_socket_clients }
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes extended_expressions = yes
log { destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = yes
auth = yes
auth_badpass = yes auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security { max_attributes = 200
reject_delay = 2
status_server = yes }
proxy_requests = no
$INCLUDE clients.conf
thread pool { start_servers = 5
max_servers = 32
min_spare_servers = 3 max_spare_servers = 10
max_requests_per_server = 0 }
modules { $INCLUDE ${confdir}/modules/
$INCLUDE eap.conf }
instantiate { exec
expr
expiration logintime }
$INCLUDE policy.conf
$INCLUDE sites-enabled/
/etc/raddb/clients.conf:
# -*- text -*- ## ## clients.conf -- client configuration directives ##
client localhost { ipaddr = 127.0.0.1
secret = somesecret
require_message_authenticator = yes
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
clients per_socket_clients {
client 127.0.0.1 { secret = somesecret }
# Juniper - ESR - 01.24.11
client 192.168.20.254 { secret = somesecret shortname = juniper nastype = netscreen }
# Dell PowerConnect 3448 - ESR - 02.01.11
client 10.12.1.11 { secret = somesecret shortname = dpc3448 nastype = other } }
/etc/raddb/users
# -*- text -*- # # Copyright (C) 2009 Deploying RADIUS Partnerships # All rights reserved. # # Save this file as "raddb/users", after first backing up # the copy that you have there. # # http://deployingradius.com/documents/configuration/pap.html # # Window 1: radiusd -X # Window 2: radtest bob hello localhost 0 testing123 #
# ntlm_auth testing ESR 02.17.11
DEFAULT Auth-Type = ntlm_auth
#************************ Juniper conf # - ESR - 01.24.11
#some.user Cleartext-Password := "somepass" # NS-Admin-Privilege := 4, # NS-VSYS-Name := "Read-Only-Admin"
#some.user Cleartext-Password := "somepass # NS-Admin-Privilege := 2, # NS-VSYS-Name := "ROOT"
# End of the file
I commented out the PAP entries in the users file because one of the users has the same user.name in AD but a different password, and that was causing me some conflict.
So, can anyone tell me why I'm not getting an *NT_KEY* reply when I issue the *ntml_auth* command?
Is the missing key the reason the *radtest* command is failing? See any other glaring errors?
Thanks for your time.
E Rossiter