On Aug 31, 2018, at 1:36 PM, Jürgen Obermeyer <om@oegym.de> wrote:
I installed (for the very first time) freeradius on an Ubuntu 18.04 box. The version is 3.0.16. I would like to use freeradius to authenticate my users against Samba passwords using ntlm_auth. I followed EXACTLY the instructions on the website deployingradius.com, beginning from the initial setup to the last step, "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP". Only this last step fails, and I have no idea why. This is an excerpt of the debug output:
***
(2) Found Auth-Type = mschap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) mschap: Client is using MS-CHAPv1 with NT-Password (2) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-OEGNET} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}: (2) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} (2) mschap: --> --username=om (2) mschap: ERROR: No NT-Domain was found in the User-Name (2) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-OEGNET} (2) mschap: --> --domain=OEGNET (2) mschap: mschap1: 12 (2) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00} (2) mschap: --> --challenge=12473d849ab42a45 (2) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00} (2) mschap: --> --nt-response=7cba13f9a4b65406feb11d25441a189c18b2389b0fe6e922 (2) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
That error comes from Samba. FreeRADIUS is just sending the MS-CHAP information over. And Samba is saying that it's wrong.
I tried with 'radtest -t mschap ...' getting the following answer:
***
root@hermes:/etc/freeradius.old# radtest -t mschap om topsecret localhost 0 testing123 Sent Access-Request Id 18 from 0.0.0.0:37196 to 127.0.0.1:1812 length 128 User-Name = "om" MS-CHAP-Password = "topsecret" NAS-IP-Address = 192.168.6.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "topsecret" MS-CHAP-Challenge = 0x6d7f7ccb15612a8a MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000db860e0276efb23bc02d3a0f2f5d0977ae73f0b6ea6f3937 Received Access-Reject Id 18 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=9c9615bf2537c293 V=2" (0) -: Expected Access-Accept got Access-Reject
Well, radclient implements MS-CHAP correctly. And again, FreeRADIUS is just handing the MS-CHAP data to Samba, and having Samba authenticate it. Maybe there's a Samba debug output you could look at to see what it's doing. Or, is Samba going to Active Directory? If so, then maybe Samba hasn't properly joined the Active Directory domain. Alan DeKok.