I use the default configuration. I did all the defaults ~ # radtest test password localhost 0 testing123 root@aaa Sent Access-Request Id 183 from 0.0.0.0:41926 to 127.0.0.1:1812 length 74 User-Name = "test" User-Password = "password" NAS-IP-Address = 192.168.8.27 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "password" Received Access-Accept Id 183 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 Ready to process requests (0) Received Access-Request Id 183 from 127.0.0.1:41926 to 127.0.0.1:1812 length 74 (0) User-Name = "test" (0) User-Password = "password" (0) NAS-IP-Address = 192.168.8.27 (0) NAS-Port = 0 (0) Message-Authenticator = 0x49c0aa6a8ab735b2268e1d6daaa09044 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "test", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=test (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password=password (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) files: users: Matched entry DEFAULT at line 48 (0) [files] = ok (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = NTLM (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain (0) Auth-Type NTLM { (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=test (0) ntlm_auth: EXPAND --password=%{User-Password} (0) ntlm_auth: --> --password=password (0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)' (0) ntlm_auth: Program executed successfully (0) [ntlm_auth] = ok (0) } # Auth-Type NTLM = ok (0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/domain (0) post-auth { (0) update { (0) No attributes updated (0) } # update = noop (0) [exec] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # post-auth = noop (0) Sent Access-Accept Id 183 from 127.0.0.1:1812 to 127.0.0.1:41926 length 0 (0) Finished request Waking up in 4.9 seconds. (0) Cleaning up request packet ID 183 with timestamp +2 ~ # radtest -t mschap test password localhost 0 testing123 root@aaa Sent Access-Request Id 194 from 0.0.0.0:47270 to 127.0.0.1:1812 length 130 User-Name = "test" MS-CHAP-Password = "password" NAS-IP-Address = 192.168.8.27 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "password" MS-CHAP-Challenge = 0x64ffcaca1fad8737 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000044766b9a12bb4776e8e15e6b668e76003626fa2f448bf29a Received Access-Reject Id 194 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 (0) -: Expected Access-Accept got Access-Reject (1) Received Access-Request Id 194 from 127.0.0.1:47270 to 127.0.0.1:1812 length 130 (1) User-Name = "test" (1) NAS-IP-Address = 192.168.8.27 (1) NAS-Port = 0 (1) Message-Authenticator = 0xcae2002abb356fe5d79e1fc00a12c253 (1) MS-CHAP-Challenge = 0x64ffcaca1fad8737 (1) MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000044766b9a12bb4776e8e15e6b668e76003626fa2f448bf29a (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (1) [mschap] = ok (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "test", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}: (1) ntlm_auth: EXPAND --username=%{mschap:User-Name} (1) ntlm_auth: --> --username=test (1) ntlm_auth: EXPAND --password=%{User-Password} (1) ntlm_auth: --> --password= (1) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)' (1) [ntlm_auth] = reject (1) } # authorize = reject (1) Using Post-Auth-Type Reject (1) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> test (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 194 from 127.0.0.1:1812 to 127.0.0.1:47270 length 20 Waking up in 3.9 seconds. (1) Cleaning up request packet ID 194 with timestamp +45 Ready to process requests This is very confused. /usr/local/etc/raddb # cat mods-enabled/ntlm_auth root@aaa # # For testing ntlm_auth authentication with PAP. # # If you have problems with authentication failing, even when the # password is good, it may be a bug in Samba: # # https://bugzilla.samba.org/show_bug.cgi?id=6563 # exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}" } /usr/local/etc/raddb # cat mods-enabled/mschap # -*- text -*- # # $Id: 4673fa7f9fd1d9931fcf1e4e1cdd9bb656b1d434 $ # Microsoft CHAP authentication # # This module supports MS-CHAP and MS-CHAPv2 authentication. # It also enforces the SMB-Account-Ctrl attribute. # mschap { # # If you are using /etc/smbpasswd, see the 'passwd' # module for an example of how to use /etc/smbpasswd # if use_mppe is not set to no mschap will # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2 # # use_mppe = no # if mppe is enabled require_encryption makes # encryption moderate # # require_encryption = yes # require_strong always requires 128 bit key # encryption # # require_strong = yes # The module can perform authentication itself, OR # use a Windows Domain Controller. This configuration # directive tells the module to call the ntlm_auth # program, which will do the authentication, and return # the NT-Key. Note that you MUST have "winbindd" and # "nmbd" running on the local machine for ntlm_auth # to work. See the ntlm_auth program documentation # for details. # # If ntlm_auth is configured below, then the mschap # module will call ntlm_auth for every MS-CHAP # authentication request. If there is a cleartext # or NT hashed password available, you can set # "MS-CHAP-Use-NTLM-Auth := No" in the control items, # and the mschap module will do the authentication itself, # without calling ntlm_auth. # # Be VERY careful when editing the following line! # # You can also try setting the user name as: # # ... --username=%{mschap:User-Name} ... # # In that case, the mschap module will look at the User-Name # attribute, and do prefix/suffix checks in order to obtain # the "best" user name for the request. # #ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}" ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" # The default is to wait 10 seconds for ntlm_auth to # complete. This is a long time, and if it's taking that # long then you likely have other problems in your domain. # The length of time can be decreased with the following # option, which can save clients waiting if your ntlm_auth # usually finishes quicker. Range 1 to 10 seconds. # # ntlm_auth_timeout = 10 # An alternative to using ntlm_auth is to connect to the # winbind daemon directly for authentication. This option # is likely to be faster and may be useful on busy systems, # but is less well tested. # # Using this option requires libwbclient from Samba 4.2.1 # or later to be installed. Make sure that ntlm_auth above is # commented out. # # winbind_username = "%{mschap:User-Name}" # winbind_domain = "%{mschap:NT-Domain}" # # Information for the winbind connection pool. The configuration # items below are the same for all modules which use the new # connection pool. # pool { # Connections to create during module instantiation. # If the server cannot create specified number of # connections during instantiation it will exit. # Set to 0 to allow the server to start without the # winbind daemon being available. start = ${thread[pool].start_servers} # Minimum number of connections to keep open min = ${thread[pool].min_spare_servers} # Maximum number of connections # # If these connections are all in use and a new one # is requested, the request will NOT get a connection. # # Setting 'max' to LESS than the number of threads means # that some threads may starve, and you will see errors # like 'No connections available and at max connection limit' # # Setting 'max' to MORE than the number of threads means # that there are more connections than necessary. max = ${thread[pool].max_servers} # Spare connections to be left idle # # NOTE: Idle connections WILL be closed if "idle_timeout" # is set. This should be less than or equal to "max" above. spare = ${thread[pool].max_spare_servers} # Number of uses before the connection is closed # # 0 means "infinite" uses = 0 # The number of seconds to wait after the server tries # to open a connection, and fails. During this time, # no new connections will be opened. retry_delay = 30 # The lifetime (in seconds) of the connection # # NOTE: A setting of 0 means infinite (no limit). lifetime = 86400 # The pool is checked for free connections every # "cleanup_interval". If there are free connections, # then one of them is closed. cleanup_interval = 300 # The idle timeout (in seconds). A connection which is # unused for this length of time will be closed. # # NOTE: A setting of 0 means infinite (no timeout). idle_timeout = 600 # NOTE: All configuration settings are enforced. If a # connection is closed because of "idle_timeout", # "uses", or "lifetime", then the total number of # connections MAY fall below "min". When that # happens, it will open a new connection. It will # also log a WARNING message. # # The solution is to either lower the "min" connections, # or increase lifetime/idle_timeout. } passchange { # This support MS-CHAPv2 (not v1) password change # requests. See doc/mschap.rst for more IMPORTANT # information. # # Samba/ntlm_auth - if you are using ntlm_auth to # validate passwords, you will need to use ntlm_auth # to change passwords. Uncomment the three lines # below, and change the path to ntlm_auth. # # ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1" # ntlm_auth_username = "username: %{mschap:User-Name}" # ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}" # To implement a local password change, you need to # supply a string which is then expanded, so that the # password can be placed somewhere. e.g. passed to a # script (exec), or written to SQL (UPDATE/INSERT). # We give both examples here, but only one will be # used. # # local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}" # # local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}" } # For Apple Server, when running on the same machine as # Open Directory. It has no effect on other systems. # # use_open_directory = yes # On failure, set (or not) the MS-CHAP error code saying # "retries allowed". # allow_retry = yes # An optional retry message. # retry_msg = "Re-enter (or reset) the password" } -----Ursprüngliche Nachricht----- Von: Freeradius-Users [mailto:freeradius-users-bounces+torsten=wilms-ac.de@lists.freeradius.org] Im Auftrag von Alan DeKok Gesendet: Freitag, 9. Oktober 2015 17:56 An: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Betreff: Re: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication On Oct 9, 2015, at 11:37 AM, Torsten Wilms <torsten@wilms-ac.de> wrote:
So now i changed the configuration to default, installed samba, added the system in the AD and tried the following:
...
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}: (0) ntlm_auth: EXPAND --username=%{mschap:User-Name} (0) ntlm_auth: --> --username=test (0) ntlm_auth: EXPAND --password=%{User-Password}
That is the wrong configuration. Start off with the default configuration, and follow the instructions at: http://deployingradius.com/ It *will work*. Whatever you're doing now is wrong and confused. So it doesn't work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html