On Jul 8, 2020, at 3:46 AM, Piviul <piviul@riminilug.it> wrote:
Does ntlm_auth work when you run it from the command line? of course: # ntlm_auth --request-nt-key --domain=$domain --username=$username --password=$password NT_STATUS_OK: The operation completed successfully. (0x0)
Ok, but that doesn't test the MS-CHAP side.
But when I go to the section "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" fails; on the server I can see these logs: If ntlm_auth works from the command line, then it should work when run from FreeRADIUS. but didn't! these are the authentication logs from freeradius server (forget the previous logs because there was an error in mschap config file): (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CSATEST} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (0) mschap: EXPAND --username=%{mschap:User-Name:-None} (0) mschap: --> --username=user1 (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CSATEST} (0) mschap: --> --domain=CSATEST (0) mschap: mschap1: 7f (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (0) mschap: --> --challenge=7f51b8630dacf162 (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313 (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
That's pretty definitive.
I can observe that mschap contact the freeradius server using the old mschap v1 version (we can read "Client is using MS-CHAPv1") but at the end of the auth logs we can read "ERROR: MS-CHAP2-Response is incorrect". In your opinion that's OK?
Yes, that's how it works.
Furthermore I have successfully completed the "Configuring FreeRADIUS to use ntlm_auth" section and the server correctly complete the authentication:
That's good.
But mschap use the same ntlm_auth command to authenticate the user!
With different parameters. If the client was given the wrong password, then it will do the MS-CHAP calculations, and get a different answer than what Samba has. Samba will then reject the user.
From the server logs we can affirm that domain and username are correctly expanded. Password is not used but --challenge and --nt-response are. How mschap module expand challenge and nt-response? In effect I have tried but this command fails:
# /usr/bin/ntlm_auth --request-nt-key --username=user1 --domain=CSATEST --challenge=7f51b8630dacf162 --nt-response=474c816acb5d5a19f27c4ee8709104172b172989fe7c4313 The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
So challenge or nt-response are not correct.
Yes. There isn't much you can do on the FreeRADIUS side to fix this. Either the user is entering the wrong password, or something between ntlm_auth and Samba is causing an issue. FreeRADIUS does the MS-CHAP calculations correctly. There are tests run on every code change to ensure that it is correct. Plus, everyone *else* has a working MS-CHAP with FreeRADIUS. So something in your local system is broken. It's hard to say exactly what. Alan DeKok.