PAP and NT-hashed password
Hello! I'm trying to authenticate users from LDAP with FreeRadius by PAP protocol. Passwords are stored in LDAP in NT-hash. It's not my idea, I just have to do it. When I do radtest -t pap .... I see from freeradius -X: [pap] login attempt with password "n*******W" [pap] Using clear text password "1D******************************9B" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [user/n***********W] (from client localhost port 0) Using Post-Auth-Type Reject So, FreeRadius compares my clear-text password with NT-hash taken from LDAP. Of course they are mismatched and I got a reject. If I'm using this hash as a password, it works. At same time if I use mschap, it works well: radtest -t mschap ... +- entering group MS-CHAP {...} [mschap] Found LM-Password [mschap] Found NT-Password [mschap] Told to do MS-CHAPv1 with NT-Password [mschap] adding MS-CHAPv1 MPPE keys ++[mschap] returns ok So the question is: how to force PAP to create NT-hash from the given password and compare hash and hash. but not the password and hash? Thank you!
On Tue, Dec 30, 2014 at 4:46 PM, sb <superabx@gmail.com> wrote:
Hello!
I'm trying to authenticate users from LDAP with FreeRadius by PAP protocol. Passwords are stored in LDAP in NT-hash. It's not my idea, I just have to do it.
When I do
radtest -t pap ....
I see from freeradius -X:
[pap] login attempt with password "n*******W" [pap] Using clear text password "1D******************************9B"
Did you assign the hash as cleartext-password?
[pap] Passwords don't match
If yes, no wonder it doesn't work
So the question is: how to force PAP to create NT-hash from the given password and compare hash and hash. but not the password and hash?
It should work out of the box: http://deployingradius.com/documents/protocols/compatibility.html That is, assuming you correctly assign the hash as NT-Password, and not Cleartext-Password. -- Fajar
On Tue, Dec 30, 2014 at 1:09 PM, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Dec 30, 2014 at 4:46 PM, sb <superabx@gmail.com> wrote:
Hello!
I'm trying to authenticate users from LDAP with FreeRadius by PAP protocol. Passwords are stored in LDAP in NT-hash. It's not my idea, I just have to do it.
When I do
radtest -t pap ....
I see from freeradius -X:
[pap] login attempt with password "n*******W" [pap] Using clear text password "1D******************************9B"
Did you assign the hash as cleartext-password?
No, in ldap.attrmap I have: checkItem NT-Password sambaNtPassword I've tried to add checkItem User-Password sambaNtPassword But it makes no difference. So now there is no User-Password and no Cleartext-Password in attributes.
[pap] Passwords don't match
If yes, no wonder it doesn't work
So the question is: how to force PAP to create NT-hash from the given password and compare hash and hash. but not the password and hash?
It should work out of the box: http://deployingradius.com/documents/protocols/compatibility.html
Thank you, I will try.
That is, assuming you correctly assign the hash as NT-Password, and not Cleartext-Password.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 30, 2014, at 4:46 AM, sb <superabx@gmail.com> wrote:
I'm trying to authenticate users from LDAP with FreeRadius by PAP protocol. Passwords are stored in LDAP in NT-hash. It's not my idea, I just have to do it.
It works.
When I do
radtest -t pap ....
I see from freeradius -X:
[pap] login attempt with password "n*******W" [pap] Using clear text password "1D******************************9B”
No, that is not ALL of what you see. It’s an edited portion. When we say we need the debug output, we don’t mean we want random lines from part of the debug output. We want ALL of the debug output. There may be something important in the REST of the debug output. We may need that piece to solve the problem. By editing the debug output, you’ve made it difficult for us to help you. And which version are you running? That may help, too. Alan DeKok.
freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50 Rather old one, but it is not a new system, I just have to add this feature. It the upgrade is needed, it's ok, but it will take some time to stop the production. Full output of freeradius -X after command radtest -t pap abx n*************W localhost 0 secret ======================================================================= Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 51020, id=47, length=55 User-Name = "abx" User-Password = "n*************W" NAS-IP-Address = 192.168.3.5 NAS-Port = 0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20141230 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20141230 [auth_log] expand: %t -> Tue Dec 30 16:30:56 2014 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "abx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++- entering policy redundant {...} [local] performing user authorization for abx [local] expand: %{Stripped-User-Name} -> [local] ... expanding second conditional [local] expand: %{User-Name} -> abx [local] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=abx) [local] expand: dc=ourcorp,dc=net -> dc=ourcorp,dc=net [local] ldap_get_conn: Checking Id: 0 [local] ldap_get_conn: Got Id: 0 [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx) [local] checking if remote access for abx is allowed by dialupAccess [local] Added User-Password = 1D*************************************9B in check items [local] No default NMAS login sequence [local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42 [local] sambaLmPassword -> LM-Password == 0x42***********************************************************************36 [local] looking for reply items in directory... [local] radiusFramedIPAddress -> Framed-IP-Address = 10.0.0.198 [local] user abx authorized to use remote access [local] ldap_release_conn: Release Id: 0 +++[local] returns ok ++- policy redundant returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/freeradius/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "n****************W" [pap] Using clear text password "1D********************************9B" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [abx/n***********************W] (from client localhost port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> abx attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 47 to 127.0.0.1 port 51020 Waking up in 4.9 seconds. Cleaning up request 2 ID 47 with timestamp +66 Ready to process requests. ============================================================================ I can guess the problem is here [local] Added User-Password = 1D*************************************9B in check items It should be NT-Password, not User-Password, right? But how to fix it... On Tue, Dec 30, 2014 at 3:13 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 30, 2014, at 4:46 AM, sb <superabx@gmail.com> wrote:
I'm trying to authenticate users from LDAP with FreeRadius by PAP protocol. Passwords are stored in LDAP in NT-hash. It's not my idea, I just have to do it.
It works.
When I do
radtest -t pap ....
I see from freeradius -X:
[pap] login attempt with password "n*******W" [pap] Using clear text password "1D******************************9B”
No, that is not ALL of what you see. It’s an edited portion.
When we say we need the debug output, we don’t mean we want random lines from part of the debug output. We want ALL of the debug output. There may be something important in the REST of the debug output. We may need that piece to solve the problem.
By editing the debug output, you’ve made it difficult for us to help you.
And which version are you running? That may help, too.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 30, 2014, at 8:50 AM, sb <superabx@gmail.com> wrote:
freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50
Rather old one, but it is not a new system, I just have to add this feature. It the upgrade is needed, it's ok, but it will take some time to stop the production.
You shouldn’t need to upgrade.
Full output of freeradius -X after command
[local] performing search in dc=ourcorp,dc=net, with filter (uid=abx) [local] checking if remote access for abx is allowed by dialupAccess [local] Added User-Password = 1D*************************************9B in check items
And… that’s the issue. You’ve configured it to get the User-Password from LDAP.
[local] No default NMAS login sequence [local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42
That means it’s not using the NT-Password.
Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It helps to READ these messages and fix the problem. If you had done that, it would have worked. Alan DeKok.
Kiedy idziemy? T. W dniu 2014-12-30 o 16:00, Alan DeKok pisze:
On Dec 30, 2014, at 8:50 AM, sb <superabx@gmail.com> wrote:
freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50
Rather old one, but it is not a new system, I just have to add this feature. It the upgrade is needed, it's ok, but it will take some time to stop the production. You shouldn’t need to upgrade.
Full output of freeradius -X after command
[local] performing search in dc=ourcorp,dc=net, with filter (uid=abx) [local] checking if remote access for abx is allowed by dialupAccess [local] Added User-Password = 1D*************************************9B in check items And… that’s the issue. You’ve configured it to get the User-Password from LDAP.
[local] No default NMAS login sequence [local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42 That means it’s not using the NT-Password.
Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! It helps to READ these messages and fix the problem. If you had done that, it would have worked.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Tomasz Wolniewicz twoln@umk.pl http://www.home.umk.pl/~twoln Uczelniane Centrum Informatyczne Information&Communication Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University, pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
Terribly sorry for the last post. Tomasz W dniu 2014-12-30 o 16:08, Tomasz Wolniewicz pisze:
Kiedy idziemy? T.
W dniu 2014-12-30 o 16:00, Alan DeKok pisze:
On Dec 30, 2014, at 8:50 AM, sb <superabx@gmail.com> wrote:
freeradius: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50
Rather old one, but it is not a new system, I just have to add this feature. It the upgrade is needed, it's ok, but it will take some time to stop the production. You shouldn’t need to upgrade.
Full output of freeradius -X after command
[local] performing search in dc=ourcorp,dc=net, with filter (uid=abx) [local] checking if remote access for abx is allowed by dialupAccess [local] Added User-Password = 1D*************************************9B in check items And… that’s the issue. You’ve configured it to get the User-Password from LDAP.
[local] No default NMAS login sequence [local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42 That means it’s not using the NT-Password.
Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! It helps to READ these messages and fix the problem. If you had done that, it would have worked.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Tomasz Wolniewicz twoln@umk.pl http://www.home.umk.pl/~twoln Uczelniane Centrum Informatyczne Information&Communication Technology Centre Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University, pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576
On Tue, Dec 30, 2014 at 5:00 PM, Alan DeKok <aland@deployingradius.com> wrote:
Full output of freeradius -X after command
[local] performing search in dc=ourcorp,dc=net, with filter (uid=abx) [local] checking if remote access for abx is allowed by dialupAccess [local] Added User-Password = 1D*************************************9B in check items
And… that’s the issue. You’ve configured it to get the User-Password from LDAP.
Yes, but how to prevent it? I have nothing about User-Password in freeradius configs: ================================================================= /etc/freeradius# grep -R User-Password * attrs.pre-proxy:# User-Password =* ANY, attrs.pre-proxy: #User-Password =* ANY, eap.conf: # User-Password, or the NT-Password attributes. eap.conf: # the User-Password. eap.conf: # is put into a User-Password attribute, eap.conf: # the module will look for a User-Password experimental.conf: # packets containing a User-Password attribute. modules/ntlm_auth: program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" modules/smsotp:# The module does not check the User-Password, this should be done with modules/detail: # Certain attributes such as User-Password may be modules/detail: # User-Password modules/sql_log: ('%{User-Name}', '%{User-Password:-Chap-Password}', \ modules/detail.log: User-Password modules/detail.log: # User-Password modules/pap:# In this case, the module will look inside of the User-Password modules/ldap:# Access-Request packet contains a clear-text User-Password modules/ldap: # By default, if the packet contains a User-Password, root@ukv69:/etc/freeradius# =================================================================== Everything is commented, exclude ntlm_auth and detail.log, I believe both are not what I have to change. ldap.attrmap: =================================================================== checkItem $GENERIC$ radiusCheckItem replyItem $GENERIC$ radiusReplyItem checkItem Auth-Type radiusAuthType checkItem Simultaneous-Use radiusSimultaneousUse checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId checkItem LM-Password lmPassword checkItem NT-Password ntPassword checkItem LM-Password sambaLmPassword checkItem NT-Password sambaNtPassword checkItem LM-Password dBCSPwd checkitem Password-With-Header userPassword checkItem SMB-Account-CTRL-TEXT acctFlags checkItem Expiration radiusExpiration checkItem NAS-IP-Address radiusNASIpAddress ====================================================================
[local] No default NMAS login sequence [local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31***********************************************************************42
That means it’s not using the NT-Password.
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It helps to READ these messages and fix the problem. If you had done that, it would have worked.
I've tried, but there is nothing about User-Password in configs, so I can not replace it with Cleartext-Password.
On Dec 30, 2014, at 10:28 AM, sb <superabx@gmail.com> wrote:
Yes, but how to prevent it? I have nothing about User-Password in freeradius configs:
Try version 2.2.6. The PAP module has been updated to do a better job of discovering which password is where. And you probably want to double-check the *format* of the passwords. You seem to have put the hashed version of the password into the userPassword field. Then, taken that, turned it into hex, and put that into the ntPassword field in LDAP. That’s wrong. The userPassword field in LDAP should contain the clear-text password. e.g. “hello”, or “password”. The ntPassword field in LDAP should contain the hex version of NT hashed password. e.g. 01abcdef… OR, the userPassword field in LDAP should contain "{nt}01abcdef…” The {nt} prefix says that the rest of the password is the NT hash. Alan DeKok.
On Tue, Dec 30, 2014 at 5:44 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 30, 2014, at 10:28 AM, sb <superabx@gmail.com> wrote:
Yes, but how to prevent it? I have nothing about User-Password in freeradius configs:
Try version 2.2.6. The PAP module has been updated to do a better job of discovering which password is where.
Thank you, Alan! I will try to upgrade to 2.2.6.
And you probably want to double-check the *format* of the passwords. You seem to have put the hashed version of the password into the userPassword field. Then, taken that, turned it into hex, and put that into the ntPassword field in LDAP. That’s wrong.
Actually we have no userPassword field in LDAP, the string checkitem Password-With-Header userPassword should be there from default config. I've commented it out, but got the same. All that we have in LDAP: sambaLMPassword: B4****************************************C6 sambaNTPassword: 1D****************************************9B mapped to: checkItem LM-Password sambaLmPassword checkItem NT-Password sambaNtPassword
The userPassword field in LDAP should contain the clear-text password. e.g. “hello”, or “password”. The ntPassword field in LDAP should contain the hex version of NT hashed password. e.g. 01abcdef… OR, the userPassword field in LDAP should contain "{nt}01abcdef…” The {nt} prefix says that the rest of the password is the NT hash.
Possible I have to add {nt} prefix before the password? "checkItem User-Password {nt}sambaNtPassword" - that won't work?
On Dec 30, 2014, at 10:58 AM, sb <superabx@gmail.com> wrote:
Thank you, Alan! I will try to upgrade to 2.2.6.
That’s really the best solution.
Actually we have no userPassword field in LDAP, the string
The debug output shows you do. FreeRADIUS doesn’t *invent* a password.
Possible I have to add {nt} prefix before the password?
"checkItem User-Password {nt}sambaNtPassword" - that won't work?
No. The “userPassword” field in LDAP can contain passwords in many formats. In order to tell them apart, the contents of “userPassword” have a prefix added. The prefix says what format is used by the rest of the userPassword field. For NT passwords, it’s {nt}. Alan DeKok.
On Wed, Dec 31, 2014 at 3:34 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 30, 2014, at 10:58 AM, sb <superabx@gmail.com> wrote:
Thank you, Alan! I will try to upgrade to 2.2.6.
That’s really the best solution.
Upgraded to 2.2.6, nothing changes. ======================================================================================================= # radiusd -v radiusd: FreeRADIUS Version 2.2.6, for host x86_64-unknown-linux-gnu, built on Jan 2 2015 at 13:43:16 rad_recv: Access-Request packet from host 127.0.0.1 port 32834, id=32, length=55 User-Name = "abx" User-Password = "n***********W" NAS-IP-Address = 192.168.203.235 NAS-Port = 0 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok [auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1 [auth_log] expand: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20150102 [auth_log] /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20150102 [auth_log] expand: %t -> Fri Jan 2 15:07:04 2015 ++[auth_log] = ok ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "abx", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop ++policy redundant { [local] performing user authorization for abx [local] expand: %{Stripped-User-Name} -> [local] ... expanding second conditional [local] expand: %{User-Name} -> abx [local] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=abx) [local] expand: dc=ourcorp,dc=net -> dc=ourcorp,dc=net [local] ldap_get_conn: Checking Id: 0 [local] ldap_get_conn: Got Id: 0 [local] attempting LDAP reconnection [local] (re)connect to localhost:389, authentication 0 [local] setting TLS CACert File to certs/ourcorp.net.ca.cer [local] setting TLS CACert Directory to /etc/ssl/certs [local] setting TLS Cert File to certs/wildcard.ourcorp.net.cer [local] setting TLS Key File to certs/wildcard.ourcorp.net.key [local] bind as cn=readuser,dc=ourcorp,dc=net/******* to localhost:389 [local] waiting for bind result ... [local] Bind was successful [local] performing search in dc=ourcorp,dc=net, with filter (uid=abx) [local] checking if remote access for abx is allowed by dialupAccess [local] Added User-Password = 1D*********************9B in check items [local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31**********************************************************42 [local] sambaLmPassword -> LM-Password == 0x42**********************************************************36 [local] looking for reply items in directory... [local] radiusFramedIPAddress -> Framed-IP-Address = 10.0.0.198 [local] user abx authorized to use remote access [local] ldap_release_conn: Release Id: 0 +++[local] = ok ++} # policy redundant = ok ++[expiration] = noop ++[logintime] = noop [pap] Normalizing NT-Password from hex encoding [pap] Normalizing LM-Password from hex encoding ++[pap] = updated +} # group authorize = updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group PAP { [pap] login attempt with password "n**************W" [pap] Using clear text password "1D********************9B" [pap] Passwords don't match ++[pap] = reject +} # group PAP = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> abx attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 32 to 127.0.0.1 port 32834 Waking up in 4.9 seconds. Cleaning up request 0 ID 32 with timestamp +4 Ready to process requests. ============================================================================ I can not understand why is this: [local] Added User-Password = 1D*********************9B in check items There is nothing of User-Password in ldap.attrmap, why the radius adds it from sambaLmPassword? I can not put cleartext passwords in LDAP, so I have to work with NT-hashed passwords only. So, how to tell the radius that User-Password and Cleartext-Password are empty and it has to operate with NT-Password? I believe it should be smth simple that I forgot to do...
On Jan 2, 2015, at 7:26 AM, sb <superabx@gmail.com> wrote:
Upgraded to 2.2.6, nothing changes.
Because the LDAP database is storing the NT password in the userPassword field.
[local] Added User-Password = 1D*********************9B in check items
Which looks to be 32 hex characters. i.e. the NT password. Here’s a simple question. Is the “correct” password for the user really “1D…”, or is it something else?
[local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31**********************************************************42
Which is the *previous* password (1D…) converted to hex. i.e. the “sambaNtPassword” field doesn’t look like it’s actually an NT password. It’s something else.
I can not understand why is this:
[local] Added User-Password = 1D*********************9B in check items
There is nothing of User-Password in ldap.attrmap,
The LDAP module adds it automatically. “userPassword” in LDAP maps to “User-Password’ in RADIUS.
why the radius adds it from sambaLmPassword?
It doesn’t. I have no idea why you think that’s happening.
I can not put cleartext passwords in LDAP, so I have to work with NT-hashed passwords only.
Then make sure to put an “{nt}” prefix in front of them in LDAP. I already said to do this. LDAP should have “userPassword” with value “{nt4}1D…."
So, how to tell the radius that User-Password and Cleartext-Password are empty and it has to operate with NT-Password?
You don’t. What you’re doing with LDAP is incorrect. The data you’re putting into the userPassword field in LDAP is *wrong*. The data that’s in the sambaNtPassword field is VERY WRONG. You can work around it by doing the following. In “sites-enabled/default”, look for the “authorize” section. It should have a line which is “ldap”. After that line, add the following: update control { NT-Password := “%{control:User-Password}” User-Password != * } This will make the NT-Password have the value of the userPassword field. And then it deletes the *wrong* User-Password. But the underlying issue is that the data in LDAP is wrong. You’re putting NT-Passwords into the userPassword field. That’s wrong. Alan DeKok.
You're absolutely right (as usual!). Thank you very much for help, Alan. Unfortunately both LDAP and Freeradius came to me with working server, so there're strange things in the configs. In module/ldap I've found this: password_attribute = sambaNTPassword When I commented it out PAP started to work as it should! For now I have to find why it was done and what can stop to work without this string. Looks really weird. \ Thanx again! On Fri, Jan 2, 2015 at 3:27 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jan 2, 2015, at 7:26 AM, sb <superabx@gmail.com> wrote:
Upgraded to 2.2.6, nothing changes.
Because the LDAP database is storing the NT password in the userPassword field.
[local] Added User-Password = 1D*********************9B in check items
Which looks to be 32 hex characters. i.e. the NT password.
Here’s a simple question. Is the “correct” password for the user really “1D…”, or is it something else?
[local] looking for check items in directory... [local] sambaNtPassword -> NT-Password == 0x31**********************************************************42
Which is the *previous* password (1D…) converted to hex. i.e. the “sambaNtPassword” field doesn’t look like it’s actually an NT password. It’s something else.
I can not understand why is this:
[local] Added User-Password = 1D*********************9B in check items
There is nothing of User-Password in ldap.attrmap,
The LDAP module adds it automatically. “userPassword” in LDAP maps to “User-Password’ in RADIUS.
why the radius adds it from sambaLmPassword?
It doesn’t. I have no idea why you think that’s happening.
I can not put cleartext passwords in LDAP, so I have to work with NT-hashed passwords only.
Then make sure to put an “{nt}” prefix in front of them in LDAP. I already said to do this.
LDAP should have “userPassword” with value “{nt4}1D…."
So, how to tell the radius that User-Password and Cleartext-Password are empty and it has to operate with NT-Password?
You don’t. What you’re doing with LDAP is incorrect. The data you’re putting into the userPassword field in LDAP is *wrong*. The data that’s in the sambaNtPassword field is VERY WRONG.
You can work around it by doing the following. In “sites-enabled/default”, look for the “authorize” section. It should have a line which is “ldap”. After that line, add the following:
update control { NT-Password := “%{control:User-Password}” User-Password != * }
This will make the NT-Password have the value of the userPassword field. And then it deletes the *wrong* User-Password.
But the underlying issue is that the data in LDAP is wrong. You’re putting NT-Passwords into the userPassword field. That’s wrong.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Fajar A. Nugraha -
sb -
Tomasz Wolniewicz