Hello everyone, I’m trying to bring up a fresh instance using 2.2.0, rather than just cloning old 1.x configs as has been done in previous upgrades. In building a new Ubuntu server, I grabbed the latest available build of samba (3.6.3); I’ve read that a version of at least version 3.5.4 is required to work with Windows Server 2008 r2 AD. Compatibility with 2008 r2 is what is driving this upgrade. Working from the Deploying Radius site, I’ve made good progress. So far, the directions have been clear and everything has worked well. I even took the opportunity to learn mercurial along the way… thanks ☺. I also created two virtual servers, to support different policies for our main campus wireless and eduroam. That also seems to be working well, with one SSID pointing to each virtual server… slick! Ntlm works: /usr/bin/ntlm_auth --request-nt-key --domain=COLOSTATE --username=slovaas password: NT_STATUS_OK: Success (0x0) root@freerad13:/etc/freeradius/modules# Winbind looks OK, though only the challenge/response version of authentication… that’s normal?: wbinfo -a slovaas Enter slovaas's password: plaintext password authentication failed Could not authenticate user slovaas with plaintext password Enter slovaas's password: challenge/response password authentication succeeded root@freerad13:/etc/freeradius# And with a forced default ntlm_auth in the users file, I can authenticate with radtest. But here’s where I’m stuck. When I remove the default ntlm_auth line in the users file and put the ntlm_auth line in mschap, I no longer get access_accept. The debug of the request is pasted below. But I wondered… basic authentication is working (with ntlm_auth) but mschap doesn’t get what it wants back (using ntlm_auth), which sounds like an issue that was around in earlier versions of samba. Before I go downgrading samba, though, I was wondering if anyone saw anything I missed or had any other suggestions. Thanks, Steve =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.08 07:43:48 =~=~=~=~=~=~=~=~=~=~=~= rad_recv: Access-Request packet from host 127.0.0.1 port 35685, id=59, length=133 User-Name = "slovaas" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x160e7734756ad5899a83bbc504bd937c MS-CHAP-Challenge = 0x105268b03ae9b2ee MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10 server eid-dot11i { # Executing section authorize from file /etc/freeradius/sites-enabled/eid-dot11i +- entering group authorize {...} ++- entering policy filter_username_csu {...} +++? if (User-Name != "%{tolower:%{User-Name}}") expand: %{User-Name} -> slovaas expand: %{tolower:%{User-Name}} -> slovaas ? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE +++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE +++? if (User-Name =~ / /) ? Evaluating (User-Name =~ / /) -> FALSE +++? if (User-Name =~ / /) -> FALSE +++? if (User-Name =~ /@(.+)?@/i ) ? Evaluating (User-Name =~ /@(.+)?@/i) -> FALSE +++? if (User-Name =~ /@(.+)?@/i ) -> FALSE +++? if (User-Name =~ /\\.\\./ ) ? Evaluating (User-Name =~ /\\.\\./) -> FALSE +++? if (User-Name =~ /\\.\\./ ) -> FALSE ++- policy filter_username_csu returns notfound ++[preprocess] returns ok [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708 [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708 [auth_log] expand: %t -> Mon Jul 8 07:45:04 2013 ++[auth_log] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "slovaas", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/eid-dot11i +- entering group MS-CHAP {...} [mschap] Client is using MS-CHAPv1 with NT-Password [mschap] expand: %{Stripped-User-Name} -> [mschap] ... expanding second conditional [mschap] expand: %{User-Name} -> slovaas [mschap] expand: %{%{User-Name}:-None} -> slovaas [mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=slovaas [mschap] mschap1: 10 [mschap] expand: %{mschap:Challenge} -> 105268b03ae9b2ee [mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=105268b03ae9b2ee [mschap] expand: %{mschap:NT-Response} -> 3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10 [mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10 Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) Exec-Program: returned: 1 [mschap] External script failed. [mschap] MS-CHAP-Response is incorrect. ++[mschap] returns reject Failed to authenticate the user. } # server eid-dot11i Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/eid-dot11i +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> slovaas attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 59 to 127.0.0.1 port 35685 MS-CHAP-Error = "\000E=691 R=1" Waking up in 4.9 seconds. Cleaning up request 0 ID 59 with timestamp +96 Ready to process requests.