Hi, recently there was a thread about a seemingly correct ntlm_auth setup that didn't work. Unfortunately, I have the same experience. I want to set up machine authentication using ntlm_auth against a samba4 AD. The AD was set up on a Fedora 27 machine using samba 4.7.9 rpms. I used this guide: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Dom... Everything worked as described in the guide. Freeradius 3.0.13 is on RHEL7 using samba 4.7.1 rpms. I was following this guide: http://deployingradius.com/documents/configuration/active_directory.html except for the following: 1. I didn't set password server in smb.conf (samba documents warned against that, and the config checker also didn't like it) 2. joining the domain was successful except for the DNS update in AD (but I think that's totally irrelevant to ntlm_auth) All checks were done as suggested in the guide and they were all successful until the very last step. While I got: ntlm_auth --request-nt-key --domain=EDUROAM-DOM --username=testuser --password=Testing123 NT_STATUS_OK: The operation completed successfully. (0x0) and radtest was also successful using DEFAULT Auth-Type = ntlm_auth, the ms-chap test failed: radtest -t mschap testuser Testing123 localhost 0 testing123 Sent Access-Request Id 11 from 0.0.0.0:52051 to 127.0.0.1:1812 length 134 User-Name = "testuser" MS-CHAP-Password = "Testing123" NAS-IP-Address = 193.6.210.36 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Testing123" MS-CHAP-Challenge = 0x16329f3a12ce9d71 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000097234aac0a958f53d2558adb390fa1c548f725f293a8ae6e Received Access-Reject Id 11 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=4a991b631c3542b4 V=2" (0) -: Expected Access-Accept got Access-Reject I checked the link for the samba bug at the end of the guide, but that bug had been fixed a long time ago, it should not be present in the samba version I use (and the problem with that was the NT-hash returned, not the success of ntlm_auth itself). Here is the debug log: (53638) Sun Sep 2 21:18:15 2018: Debug: Received Access-Request Id 11 from 127.0.0.1:52051 to 127.0.0.1:1812 length 134 (53638) Sun Sep 2 21:18:15 2018: Debug: User-Name = "testuser" (53638) Sun Sep 2 21:18:15 2018: Debug: NAS-IP-Address = 193.6.210.36 (53638) Sun Sep 2 21:18:15 2018: Debug: NAS-Port = 0 (53638) Sun Sep 2 21:18:15 2018: Debug: Message-Authenticator = 0x4ea9ec357718adf6fb51f6edc1b69663 (53638) Sun Sep 2 21:18:15 2018: Debug: MS-CHAP-Challenge = 0x16329f3a12ce9d71 (53638) Sun Sep 2 21:18:15 2018: Debug: MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000097234aac0a958f53d2558adb390fa1c548f725f293a8ae6e (53638) Sun Sep 2 21:18:15 2018: Debug: # Executing section authorize from file /etc/raddb/sites-enabled/default (53638) Sun Sep 2 21:18:15 2018: Debug: authorize { (53638) Sun Sep 2 21:18:15 2018: Debug: [preprocess] = ok (53638) Sun Sep 2 21:18:15 2018: Debug: [chap] = noop (53638) Sun Sep 2 21:18:15 2018: Debug: mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (53638) Sun Sep 2 21:18:15 2018: Debug: [mschap] = ok (53638) Sun Sep 2 21:18:15 2018: Debug: [digest] = noop (53638) Sun Sep 2 21:18:15 2018: Debug: suffix: Checking for suffix after "@" (53638) Sun Sep 2 21:18:15 2018: Debug: suffix: No '@' in User-Name = "testuser", looking up realm NULL (53638) Sun Sep 2 21:18:15 2018: Debug: suffix: Found realm "NULL" (53638) Sun Sep 2 21:18:15 2018: Debug: suffix: Adding Stripped-User-Name = "testuser" (53638) Sun Sep 2 21:18:15 2018: Debug: suffix: Adding Realm = "NULL" (53638) Sun Sep 2 21:18:15 2018: Debug: suffix: Authentication realm is LOCAL (53638) Sun Sep 2 21:18:15 2018: Debug: [suffix] = ok (53638) Sun Sep 2 21:18:15 2018: Debug: eap: No EAP-Message, not doing EAP (53638) Sun Sep 2 21:18:15 2018: Debug: [eap] = noop (53638) Sun Sep 2 21:18:15 2018: Debug: [files] = noop (53638) Sun Sep 2 21:18:15 2018: Debug: sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (53638) Sun Sep 2 21:18:15 2018: Debug: sql: --> testuser (53638) Sun Sep 2 21:18:15 2018: Debug: sql: SQL-User-Name set to 'testuser' (53638) Sun Sep 2 21:18:15 2018: Debug: sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (53638) Sun Sep 2 21:18:15 2018: Debug: sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id (53638) Sun Sep 2 21:18:15 2018: Debug: sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'testuser' ORDER BY id (53638) Sun Sep 2 21:18:16 2018: Debug: sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (53638) Sun Sep 2 21:18:16 2018: Debug: sql: --> SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority (53638) Sun Sep 2 21:18:16 2018: Debug: sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY priority (53638) Sun Sep 2 21:18:16 2018: Debug: sql: User not found in any groups (53638) Sun Sep 2 21:18:16 2018: Debug: [sql] = notfound (53638) Sun Sep 2 21:18:16 2018: Debug: ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (53638) Sun Sep 2 21:18:16 2018: Debug: ldap: --> (uid=testuser) (53638) Sun Sep 2 21:18:16 2018: Debug: ldap: Performing search in "dc=semmelweis-univ,dc=hu" with filter "(uid=testuser)", scope "sub" (53638) Sun Sep 2 21:18:16 2018: Debug: ldap: Waiting for search result... (53638) Sun Sep 2 21:18:16 2018: Debug: ldap: Search returned no results (53638) Sun Sep 2 21:18:16 2018: Debug: [ldap] = notfound (53638) Sun Sep 2 21:18:16 2018: Debug: [expiration] = noop (53638) Sun Sep 2 21:18:16 2018: Debug: [logintime] = noop (53638) Sun Sep 2 21:18:16 2018: WARNING: pap: No "known good" password found for the user. Not setting Auth-Type (53638) Sun Sep 2 21:18:16 2018: WARNING: pap: Authentication will fail unless a "known good" password is available (53638) Sun Sep 2 21:18:16 2018: Debug: [pap] = noop (53638) Sun Sep 2 21:18:16 2018: Debug: } # authorize = ok (53638) Sun Sep 2 21:18:16 2018: Debug: Found Auth-Type = MS-CHAP (53638) Sun Sep 2 21:18:16 2018: Debug: # Executing group from file /etc/raddb/sites-enabled/default (53638) Sun Sep 2 21:18:16 2018: Debug: Auth-Type MS-CHAP { (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: Client is using MS-CHAPv1 with NT-Password (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: Executing: /bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-EDUROAM-DOM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: EXPAND --username=%{mschap:User-Name:-None} (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: --> --username=testuser (53638) Sun Sep 2 21:18:16 2018: ERROR: mschap: No NT-Domain was found in the User-Name (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-EDUROAM-DOM} (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: --> --domain=EDUROAM-DOM (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: mschap1: 16 (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: EXPAND --challenge=%{mschap:Challenge:-00} (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: --> --challenge=16329f3a12ce9d71 (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: --> --nt-response=97234aac0a958f53d2558adb390fa1c548f725f293a8ae6e (53638) Sun Sep 2 21:18:16 2018: ERROR: mschap: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)' (53638) Sun Sep 2 21:18:16 2018: Debug: mschap: External script failed (53638) Sun Sep 2 21:18:16 2018: ERROR: mschap: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) (53638) Sun Sep 2 21:18:16 2018: ERROR: mschap: MS-CHAP2-Response is incorrect (53638) Sun Sep 2 21:18:16 2018: Debug: [mschap] = reject (53638) Sun Sep 2 21:18:16 2018: Debug: } # Auth-Type MS-CHAP = reject (53638) Sun Sep 2 21:18:16 2018: Debug: Failed to authenticate the user Using ntlm-auth with the challenge and nt-response directly gives me the same: ntlm_auth --request-nt-key --domain=EDUROAM-DOM --username=testuser --nt=response=788a7e8e654c2d6758ef489ac0e24d87ebf3cd6f6f7bd8e3 --challenge=420dc315ee05355a The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d) no matter if I type that on the freeradius machine or the AD, so I don't think it is a problem with joining the domain. I really don't see what am I doing wrong, but I'd like to solve this problem. If any of you successfully implemented ntlm_auth with ms-chap in RHEL, please tell me how you did it. Or tell me what linux distro and which recent samba version actually worked for you. I think even a samba3 style domain controller would suffice instead of an AD for doing machine auth, is this correct? I know this is not really a freeradius problem, but I am sure some of the list members know a lot more about samba then me, so perhaps you can help me out. Thank you: Laszlo
Hi, On 09/02/2018 10:23 PM, Tornóci László wrote:
Hi,
recently there was a thread about a seemingly correct ntlm_auth setup that didn't work. Unfortunately, I have the same experience. I want to set up machine authentication using ntlm_auth against a samba4 AD.
in the meantime Elias Pereira gave the solution in the other thread: you need to put this into smb.conf of the AD: ntlm auth = yes It solved my problem, thank you very much! Laszlo
participants (1)
-
Tornóci László