El 30/11/2011 16:57, Alan Buxey escribió:
Hi,
Hello friends, I tell them: When I try to authenticate using mschap I encounter this error''NT_STATUS_WRONG_PASSWORD: Wrong Password'', yet when I do the test using authentic pap without problems. I'm trying to authenticate my freeradius server with active directory server. Greetings and waiting for your help. William what happens when you run the ntlm_auth command direct on command line?
what version of SAMBA are you running?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com Hi Alan, when I run the ntlm_auth command gives me an effective response. *ntlm_auth --request-nt-key --domain=MyDomain --username=USER--password=PASS* _/NT_STATUS_OK: Success (0x0)/_
_*freeradius -X (DEBUG MODE)*_ rad_recv: Access-Request packet from host 127.0.0.1 port 55866, id=115, length=60 User-Name = "gwilliam" User-Password = "1qazxsw23edc@" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130 [auth_log] expand: %t -> Wed Nov 30 17:05:41 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++? if (!control:Auth-Type && User-Password) ? Evaluating !(control:Auth-Type ) -> TRUE ? Evaluating (User-Password) -> TRUE ++? if (!control:Auth-Type && User-Password) -> TRUE ++- entering if (!control:Auth-Type && User-Password) {...} +++[control] returns noop ++- if (!control:Auth-Type && User-Password) returns noop [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam [ntlm_auth] expand: --password=%{User-Password} -> --password=1qazxsw23edc@ Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok [suffix] No '@' in User-Name = "gwilliam", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth # Executing group from file /etc/freeradius/sites-enabled/default +- entering group ntlm_auth {...} *[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam [ntlm_auth] expand: --password=%{User-Password} -> --password=1qazxsw23edc@ Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)* Exec-Program: returned: 0 ++[ntlm_auth] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 115 to 127.0.0.1 port 55866 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 115 with timestamp +34 Ready to process requests. _*when I do the test using mschap radtest-t is when the key is erroneous*_ /radtest -t mschap gwilliam 1qazxsw23edc@ localhost 0 testing123/ rad_recv: Access-Request packet from host 127.0.0.1 port 37155, id=130, length=116 User-Name = "gwilliam" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 MS-CHAP-Challenge = 0xd85c0848bec6df72 MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d6f2f97947a122925fa9019e04b04834cc4857db4a4d359f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130 [auth_log] expand: %t -> Wed Nov 30 17:07:09 2011 ++[auth_log] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++? if (!control:Auth-Type && User-Password) ? Evaluating !(control:Auth-Type ) -> FALSE ? Skipping (User-Password) ++? if (!control:Auth-Type && User-Password) -> FALSE *[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam [ntlm_auth] expand: --password=%{User-Password} -> --password= Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec-Program: returned: 1 ++[ntlm_auth] returns reject* Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> gwilliam attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 130 to 127.0.0.1 port 37155 Waking up in 4.9 seconds. Cleaning up request 1 ID 130 with timestamp +122 Ready to process requests. My samba version is 3.5.8, my OS is ubuntu server version 11.04. Thanks for you help. Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU! http://www.antiterroristas.cu http://justiciaparaloscinco.wordpress.com