El 30/11/2011 16:57, Alan Buxey escribió:
Hi,
Hello friends, I tell them:
When I try to authenticate using mschap I encounter this 
error''NT_STATUS_WRONG_PASSWORD: Wrong Password'', yet when I do the 
test using authentic pap without problems. I'm trying to authenticate my 
freeradius server with active directory server.
Greetings and waiting for your help. William
what happens when you run the ntlm_auth command direct on command line?

what version of SAMBA are you running?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU!
http://www.antiterroristas.cu
http://justiciaparaloscinco.wordpress.com
Hi Alan, when I run the ntlm_auth command gives me an effective response.
ntlm_auth --request-nt-key --domain=MyDomain --username=USER--password=PASS
NT_STATUS_OK: Success (0x0)

freeradius -X (DEBUG MODE)
rad_recv: Access-Request packet from host 127.0.0.1 port 55866, id=115, length=60
        User-Name = "gwilliam"
        User-Password = "1qazxsw23edc@"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130
[auth_log]      expand: %t -> Wed Nov 30 17:05:41 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> TRUE
++? if (!control:Auth-Type && User-Password) -> TRUE
++- entering if (!control:Auth-Type && User-Password) {...}
+++[control] returns noop
++- if (!control:Auth-Type && User-Password) returns noop
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=gwilliam
[ntlm_auth]     expand: --password=%{User-Password} -> --password=1qazxsw23edc@
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
[suffix] No '@' in User-Name = "gwilliam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group ntlm_auth {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=gwilliam
[ntlm_auth]     expand: --password=%{User-Password} -> --password=1qazxsw23edc@
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)

Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 115 to 127.0.0.1 port 55866
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 115 with timestamp +34
Ready to process requests.

when I do the test using mschap radtest-t is when the key is erroneous
radtest -t mschap gwilliam 1qazxsw23edc@ localhost 0 testing123

rad_recv: Access-Request packet from host 127.0.0.1 port 37155, id=130, length=116
        User-Name = "gwilliam"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        MS-CHAP-Challenge = 0xd85c0848bec6df72
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d6f2f97947a122925fa9019e04b04834cc4857db4a4d359f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130
[auth_log]      expand: %t -> Wed Nov 30 17:07:09 2011
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> FALSE
? Skipping (User-Password)
++? if (!control:Auth-Type && User-Password) -> FALSE
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=gwilliam
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject

Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> gwilliam
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 130 to 127.0.0.1 port 37155
Waking up in 4.9 seconds.
Cleaning up request 1 ID 130 with timestamp +122
Ready to process requests.

My samba version is 3.5.8, my OS is ubuntu server version 11.04.
Thanks for you help.