On Mon, Sep 21, 2015 at 05:02:05PM -0500, Alex Moen wrote:
...
sambaLMPassword: B15F999EA3OBFUSCATED!NOTHING2SEE sambaAcctFlags: [U] sambaNTPassword: 6F005855B7OBFUSCATED!NOTHING2SEE ... userPassword:: e1NTSEF9cEkwUUOBFUSCATED!NOTHING2SEERWJ5VFlLTVkyUzk=
so there you've got userPassword (I presume plaintext)
Nope. It's definitely an ssha. Her password is not 50 characters long. But it would definitely explain why it's not working, if SSHA passwords won't work.
You can forget about trying to use that one then. Though I'm slightly confused where the plaintext password came from in the first debug output. But that doesn't really matter.
Yes, there are NTLM passwords on the accounts I want to use, since they are the same authentication mechanism used for our Samba server...
So, I have switched (in the /etc/raddb/mods-available/ldap file) from: control:Password-With-Header += 'userPassword' to: control:Password-With-Header += 'sambaNTPassword'
Password-With-Header expects a {...} header at the start (see the man page for rlm_pap). So you can either use unlang to add the header on, or just update NT-Password instead, as in the ldap config. So in mods-enabled/ldap update {}, comment out control:Password-With-Header += 'userPassword', then uncomment # control:NT-Password := 'ntPassword' and set it to control:NT-Password := 'sambaNTPassword'
(7) ldap: User object found at DN "uid=alexm@ndtel.com,ou=ndtel,o=ndtc" (7) ldap: Processing user attributes (7) ldap: control:Password-With-Header += 'CF1189B22D7E43F062F8E1A4AE1B8418'
^^^ rlm_ldap gets sambaNTPassword and puts it in Password-With-Header
rlm_ldap (ldap): Released connection (0) rlm_ldap (ldap): 0 of 5 connections in use. Need more spares rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used rlm_ldap (ldap): Connecting to ldap://66.163.129.140:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (7) [ldap] = updated (7) [expiration] = noop (7) [logintime] = noop (7) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password
^^^ rlm_pap checks the passwords are in a good form. Here it notices that Password-With-Header doesn't have a header, so it copies it to Cleartext-Password and then removes it.
(7) pap: Removing &control:Password-With-Header (7) pap: WARNING: Auth-Type already set. Not setting to PAP (7) [pap] = noop (7) } # authorize = updated (7) Found Auth-Type = EAP (7) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) authenticate { (7) eap: Expiring EAP session with state 0xf624fb83f67ee10e (7) eap: Finished EAP session with state 0xf624fb83f67ee10e (7) eap: Previous EAP request found for state 0xf624fb83f67ee10e, released from the list (7) eap: Peer sent packet with method EAP MSCHAPv2 (26) (7) eap: Calling submodule eap_mschapv2 to process data (7) eap_mschapv2: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (7) eap_mschapv2: Auth-Type MS-CHAP { (7) mschap: Found Cleartext-Password, hashing to create NT-Password (7) mschap: Found Cleartext-Password, hashing to create LM-Password
^^^ rlm_mschap notices that Cleartext-Password exists (which actually contains the NT-Password), and hashes that again and puts it in NT-Password. What you really want is that value in NT-Password directly, which the above ldap config should do. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>