Debian 9 - Samba 4.5.12 - Freeradius 3.02 ntlm_auth not working
Hi I have tried everything possible. I have read every publication available and I am about to give up !!! I could not make it work: Radius using ntlm_auth to autenthicate. Details ..: a bit long . apologies :-) --------------------------------- SAMBA --------------------------------- I have samba 4.5.12 working OK ------------------- smb.conf # Global parameters [global] netbios name = GALAPA realm = MINUT.EDU.CO workgroup = MINUT-EXT dns forwarder = 192.168.32.1 server role = active directory domain controller # Autenticaion sin dominio winbind use default domain = no [netlogon] path = /var/lib/samba/sysvol/minut.edu.co/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No ------------------- All tests of samba working OK ------------------- #>> smbclient -L localhost -U% Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian] Sharename Type Comment --------- ---- ------- netlogon Disk sysvol Disk IPC$ IPC IPC Service (Samba 4.5.12-Debian) Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian Server Comment --------- ------- Workgroup Master --------- ------- WORKGROUP GALAPA ------------------- #>> root@galapa:/etc/freeradius/3.0# smbclient //localhost/netlogon -Uskina%'Nio4LasOo' -c 'ls' Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian] . D 0 Tue Jan 30 11:11:29 2018 .. D 0 Tue Jan 30 11:11:48 2018 65799648 blocks of size 1024. 61762632 blocks available #>> ntlm_auth --request-nt-key --domain=MINUT-EXT --username=skina --password='Nio4LasOo' NT_STATUS_OK: Success (0x0) #>> wbinfo --ntlmv2 -a 'skina'%'Nio4LasOo' plaintext password authentication succeeded challenge/response password authentication succeeded # wbinfo -a 'skina'%'Nio4LasOo' plaintext password authentication succeeded challenge/response password authentication failed wbcAuthenticateUserEx(MINUT-EXT\skina): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a) error message was: Wrong Password Could not authenticate user skina with challenge/response ------------------- **** This last message is my only clue. --------------------------------- FREERADIUS --------------------------------- I have installed y configured freeradius following every manual .. First .. the basic configuration .. and working OK http://wiki.freeradius.org/guide/Basic-configuration-HOWTO ------------------- #>> radtest bob hello localhost 0 testing123 Sent Access-Request Id 70 from 0.0.0.0:37544 to 127.0.0.1:1812 length 73 User-Name = "bob" User-Password = "hello" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" Received Access-Accept Id 70 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 Reply-Message = "Hello, bob" ------------------- Second .. configure OK freeradius with ntlm_auth and PAP http://wiki.freeradius.org/guide/NTLM%20Auth%20with%20PAP%20HOWTO ------------------- #>> radtest 'skina' 'Nio4LasOo' localhost 0 testing123 Sent Access-Request Id 14 from 0.0.0.0:34004 to 127.0.0.1:1812 length 75 User-Name = "skina" User-Password = "Nio4Las2Oo" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Nio4LasOo" Received Access-Accept Id 14 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 ------------------- Third .. tryied to configure freeradius ntlm_auth and MSCHAP http://deployingradius.com/documents/configuration/active_directory.html I have already set all the permissions to user freerad to winbindd_private directory so that not the issue. It does not matter what I do .. I always get the same error .. ------------------- #>> radtest -t mschap 'skina' 'Nio4LasOo' localhost 0 testing123 Sent Access-Request Id 158 from 0.0.0.0:33353 to 127.0.0.1:1812 length 131 User-Name = "skina" MS-CHAP-Password = "Nio4LasOo" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Nio4LasOo" MS-CHAP-Challenge = 0x59e2a1e585ad94e6 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000001eacb1bfed243034f718b74d89b6b11b84af50869ab40b06 Received Access-Reject Id 158 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=c3f65e6f825239e4 V=2" (0) -: Expected Access-Accept got Access-Reject ------------------- And the output of "freeradius -X" ------------------- (2) Received Access-Request Id 57 from 127.0.0.1:34102 to 127.0.0.1:1812 length 131 (2) User-Name = "skina" (2) NAS-IP-Address = 127.0.1.1 (2) NAS-Port = 0 (2) Message-Authenticator = 0xe88750a3ffc2bc75b90b872caf81f7e5 (2) MS-CHAP-Challenge = 0x1fa8d5c8e307ea3f (2) MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000074102cb712031d37dcb5bda4745b7e918794c4168fa1e5f5 (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy ntlm_auth.authorize { (2) if (!control:Auth-Type && User-Password) { (2) if (!control:Auth-Type && User-Password) -> FALSE (2) } # policy ntlm_auth.authorize = notfound (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (2) [mschap] = ok (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "skina", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: No EAP-Message, not doing EAP (2) [eap] = noop (2) [files] = noop (2) [sql] = notfound (2) [expiration] = noop (2) [logintime] = noop (2) } # authorize = ok (2) Found Auth-Type = mschap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) mschap: Client is using MS-CHAPv1 with NT-Password (2) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --ntlmv2 --request-nt-key --username=%{mschap:User-Name:-None} --domain=MINUT-EXT --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (2) mschap: EXPAND --username=%{mschap:User-Name:-None} (2) mschap: --> --username=skina (2) mschap: mschap1: 1f (2) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (2) mschap: --> --challenge=1fa8d5c8e307ea3f (2) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (2) mschap: --> --nt-response=74102cb712031d37dcb5bda4745b7e918794c4168fa1e5f5 (2) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (2) mschap: External script failed (2) mschap: ERROR: External script says: Logon failure (0xc000006d) (2) mschap: ERROR: MS-CHAP2-Response is incorrect (2) [mschap] = reject (2) } # authenticate = reject (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Post-Auth-Type REJECT { (2) [sql] = ok (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> skina (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:34102 length 61 (2) MS-CHAP-Error = "\000E=691 R=1 C=be58a2cfd7660c37 V=2" Waking up in 3.9 seconds. (2) Cleaning up request packet ID 57 with timestamp +161 Ready to process requests ------------------- This is the same error when I used wbinfo without --ntlmv2 ... ( might be a clue) In mods_enabled/mschap I have tried many parameters in ntlm_auth command .. including hardcoding a known user .. ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MINUT-EXT --username=skina --password='Nio4LasOo'" It returned NT OK . .. but when I added the other to parameters .. i came back to the same error. --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" ----------- I was wondering if it is a kind of incompatibility concerning the version of MSCHAP or NTLM .. I appreciate any help you can give me. I have four days trying every option, reading every post, .. without success. Kasandra
On Tue, 2018-01-30 at 18:06 -0500, Kasandra Padisha via Freeradius- Users wrote:
I was wondering if it is a kind of incompatibility concerning the version of MSCHAP or NTLM ..
Set ntlm auth = yes in smb.conf. They (sensibly) changed the defaults in Samba 4.5, for security. -- Matthew
So silly .. that do it. It is working now I really appreciate your help Cheers El 30/01/18 a las 6:11 p.m., Matthew Newton escribió:
On Tue, 2018-01-30 at 18:06 -0500, Kasandra Padisha via Freeradius- Users wrote:
I was wondering if it is a kind of incompatibility concerning the version of MSCHAP or NTLM ..
Set
ntlm auth = yes
in smb.conf.
They (sensibly) changed the defaults in Samba 4.5, for security.
What is it that you are trying to achieve? You'll be better off using eg eapol_test if you are working on having eg an 802.1X wireless authentication environment alan On 30 Jan 2018 11:06 pm, "Kasandra Padisha via Freeradius-Users" < freeradius-users@lists.freeradius.org> wrote:
Hi
I have tried everything possible. I have read every publication available and I am about to give up !!! I could not make it work:
Radius using ntlm_auth to autenthicate.
Details ..: a bit long . apologies :-)
--------------------------------- SAMBA ------------------------------ ---
I have samba 4.5.12 working OK
------------------- smb.conf
# Global parameters [global] netbios name = GALAPA realm = MINUT.EDU.CO workgroup = MINUT-EXT dns forwarder = 192.168.32.1 server role = active directory domain controller # Autenticaion sin dominio winbind use default domain = no
[netlogon] path = /var/lib/samba/sysvol/minut.edu.co/scripts read only = No
[sysvol] path = /var/lib/samba/sysvol read only = No
-------------------
All tests of samba working OK
-------------------
#>> smbclient -L localhost -U%
Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian] Sharename Type Comment --------- ---- ------- netlogon Disk sysvol Disk IPC$ IPC IPC Service (Samba 4.5.12-Debian) Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian Server Comment --------- ------- Workgroup Master --------- ------- WORKGROUP GALAPA
-------------------
#>> root@galapa:/etc/freeradius/3.0# smbclient //localhost/netlogon -Uskina%'Nio4LasOo' -c 'ls' Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian] . D 0 Tue Jan 30 11:11:29 2018 .. D 0 Tue Jan 30 11:11:48 2018
65799648 blocks of size 1024. 61762632 blocks available
#>> ntlm_auth --request-nt-key --domain=MINUT-EXT --username=skina --password='Nio4LasOo' NT_STATUS_OK: Success (0x0)
#>> wbinfo --ntlmv2 -a 'skina'%'Nio4LasOo' plaintext password authentication succeeded challenge/response password authentication succeeded
# wbinfo -a 'skina'%'Nio4LasOo' plaintext password authentication succeeded challenge/response password authentication failed wbcAuthenticateUserEx(MINUT-EXT\skina): error code was NT_STATUS_WRONG_PASSWORD (0xc000006a) error message was: Wrong Password Could not authenticate user skina with challenge/response
-------------------
**** This last message is my only clue.
--------------------------------- FREERADIUS ---------------------------------
I have installed y configured freeradius following every manual ..
First .. the basic configuration .. and working OK http://wiki.freeradius.org/guide/Basic-configuration-HOWTO
-------------------
#>> radtest bob hello localhost 0 testing123 Sent Access-Request Id 70 from 0.0.0.0:37544 to 127.0.0.1:1812 length 73 User-Name = "bob" User-Password = "hello" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "hello" Received Access-Accept Id 70 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 Reply-Message = "Hello, bob"
-------------------
Second .. configure OK freeradius with ntlm_auth and PAP http://wiki.freeradius.org/guide/NTLM%20Auth%20with%20PAP%20HOWTO
-------------------
#>> radtest 'skina' 'Nio4LasOo' localhost 0 testing123 Sent Access-Request Id 14 from 0.0.0.0:34004 to 127.0.0.1:1812 length 75 User-Name = "skina" User-Password = "Nio4Las2Oo" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Nio4LasOo" Received Access-Accept Id 14 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
-------------------
Third .. tryied to configure freeradius ntlm_auth and MSCHAP http://deployingradius.com/documents/configuration/active_directory.html
I have already set all the permissions to user freerad to winbindd_private directory so that not the issue.
It does not matter what I do .. I always get the same error ..
-------------------
#>> radtest -t mschap 'skina' 'Nio4LasOo' localhost 0 testing123 Sent Access-Request Id 158 from 0.0.0.0:33353 to 127.0.0.1:1812 length 131 User-Name = "skina" MS-CHAP-Password = "Nio4LasOo" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Nio4LasOo" MS-CHAP-Challenge = 0x59e2a1e585ad94e6 MS-CHAP-Response = 0x0001000000000000000000000000 0000000000000000000000001eacb1bfed243034f718b74d89b6b11b84af50869ab40b06 Received Access-Reject Id 158 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=c3f65e6f825239e4 V=2" (0) -: Expected Access-Accept got Access-Reject
-------------------
And the output of "freeradius -X"
-------------------
(2) Received Access-Request Id 57 from 127.0.0.1:34102 to 127.0.0.1:1812 length 131 (2) User-Name = "skina" (2) NAS-IP-Address = 127.0.1.1 (2) NAS-Port = 0 (2) Message-Authenticator = 0xe88750a3ffc2bc75b90b872caf81f7e5 (2) MS-CHAP-Challenge = 0x1fa8d5c8e307ea3f (2) MS-CHAP-Response = 0x0001000000000000000000000000 00000000000000000000000074102cb712031d37dcb5bda4745b7e918794c4168fa1e5f5 (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enab led/default (2) authorize { (2) policy ntlm_auth.authorize { (2) if (!control:Auth-Type && User-Password) { (2) if (!control:Auth-Type && User-Password) -> FALSE (2) } # policy ntlm_auth.authorize = notfound (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (2) [mschap] = ok (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "skina", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: No EAP-Message, not doing EAP (2) [eap] = noop (2) [files] = noop (2) [sql] = notfound (2) [expiration] = noop (2) [logintime] = noop (2) } # authorize = ok (2) Found Auth-Type = mschap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) mschap: Client is using MS-CHAPv1 with NT-Password (2) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --ntlmv2 --request-nt-key --username=%{mschap:User-Name:-None} --domain=MINUT-EXT --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Resp onse:-00}: (2) mschap: EXPAND --username=%{mschap:User-Name:-None} (2) mschap: --> --username=skina (2) mschap: mschap1: 1f (2) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (2) mschap: --> --challenge=1fa8d5c8e307ea3f (2) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (2) mschap: --> --nt-response=74102cb712031d37 dcb5bda4745b7e918794c4168fa1e5f5 (2) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (2) mschap: External script failed (2) mschap: ERROR: External script says: Logon failure (0xc000006d) (2) mschap: ERROR: MS-CHAP2-Response is incorrect (2) [mschap] = reject (2) } # authenticate = reject (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Post-Auth-Type REJECT { (2) [sql] = ok (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> skina (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:34102 length 61 (2) MS-CHAP-Error = "\000E=691 R=1 C=be58a2cfd7660c37 V=2" Waking up in 3.9 seconds. (2) Cleaning up request packet ID 57 with timestamp +161 Ready to process requests
-------------------
This is the same error when I used wbinfo without --ntlmv2 ... ( might be a clue)
In mods_enabled/mschap I have tried many parameters in ntlm_auth command .. including hardcoding a known user ..
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MINUT-EXT --username=skina --password='Nio4LasOo'"
It returned NT OK . .. but when I added the other to parameters .. i came back to the same error.
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Resp onse:-00}"
-----------
I was wondering if it is a kind of incompatibility concerning the version of MSCHAP or NTLM ..
I appreciate any help you can give me. I have four days trying every option, reading every post, .. without success.
Kasandra
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
Hello,
Looking at your smb.conf You're missing few parameters, You have to
enable ntlmv1 in order for ntlm_auth to work correctly. In samba 4.5
release notes You can read:
NTLMv1 authentication disabled by default
-----------------------------------------
In order to improve security we have changed
the default value for the "ntlm auth" option from
"yes" to "no". This may have impact on very old
clients which doesn't support NTLMv2 yet.
The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
By default, Samba will only allow NTLMv2 via NTLMSSP now,
as we have the following default "lanman auth = no",
"ntlm auth = no" and "raw NTLMv2 auth = no".
W dniu 31.01.2018 o 00:14, Alan Buxey pisze:
> What is it that you are trying to achieve? You'll be better off using eg
> eapol_test if you are working on having eg an 802.1X wireless
> authentication environment
>
> alan
>
> On 30 Jan 2018 11:06 pm, "Kasandra Padisha via Freeradius-Users" <
> freeradius-users@lists.freeradius.org> wrote:
>
>> Hi
>>
>> I have tried everything possible. I have read every publication available
>> and I am about to give up !!! I could not make it work:
>>
>> Radius using ntlm_auth to autenthicate.
>>
>>
>> Details ..: a bit long . apologies :-)
>>
>> --------------------------------- SAMBA ------------------------------
>> ---
>>
>> I have samba 4.5.12 working OK
>>
>> ------------------- smb.conf
>>
>> # Global parameters
>> [global]
>> netbios name = GALAPA
>> realm = MINUT.EDU.CO
>> workgroup = MINUT-EXT
>> dns forwarder = 192.168.32.1
>> server role = active directory domain controller
>> # Autenticaion sin dominio
>> winbind use default domain = no
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/minut.edu.co/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> -------------------
>>
>> All tests of samba working OK
>>
>> -------------------
>>
>> #>> smbclient -L localhost -U%
>>
>> Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>> Sharename Type Comment
>> --------- ---- -------
>> netlogon Disk
>> sysvol Disk
>> IPC$ IPC IPC Service (Samba 4.5.12-Debian)
>> Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian
>> Server Comment
>> --------- -------
>> Workgroup Master
>> --------- -------
>> WORKGROUP GALAPA
>>
>> -------------------
>>
>> #>> root@galapa:/etc/freeradius/3.0# smbclient //localhost/netlogon
>> -Uskina%'Nio4LasOo' -c 'ls'
>> Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>> . D 0 Tue Jan 30 11:11:29 2018
>> .. D 0 Tue Jan 30 11:11:48 2018
>>
>> 65799648 blocks of size 1024. 61762632 blocks available
>>
>> #>> ntlm_auth --request-nt-key --domain=MINUT-EXT --username=skina
>> --password='Nio4LasOo'
>> NT_STATUS_OK: Success (0x0)
>>
>> #>> wbinfo --ntlmv2 -a 'skina'%'Nio4LasOo'
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> # wbinfo -a 'skina'%'Nio4LasOo'
>> plaintext password authentication succeeded
>> challenge/response password authentication failed
>> wbcAuthenticateUserEx(MINUT-EXT\skina): error code was
>> NT_STATUS_WRONG_PASSWORD (0xc000006a)
>> error message was: Wrong Password
>> Could not authenticate user skina with challenge/response
>>
>> -------------------
>>
>> **** This last message is my only clue.
>>
>> --------------------------------- FREERADIUS
>> ---------------------------------
>>
>> I have installed y configured freeradius following every manual ..
>>
>> First .. the basic configuration .. and working OK
>> http://wiki.freeradius.org/guide/Basic-configuration-HOWTO
>>
>> -------------------
>>
>> #>> radtest bob hello localhost 0 testing123
>> Sent Access-Request Id 70 from 0.0.0.0:37544 to 127.0.0.1:1812 length 73
>> User-Name = "bob"
>> User-Password = "hello"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0x00
>> Cleartext-Password = "hello"
>> Received Access-Accept Id 70 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>> Reply-Message = "Hello, bob"
>>
>> -------------------
>>
>> Second .. configure OK freeradius with ntlm_auth and PAP
>> http://wiki.freeradius.org/guide/NTLM%20Auth%20with%20PAP%20HOWTO
>>
>> -------------------
>>
>> #>> radtest 'skina' 'Nio4LasOo' localhost 0 testing123
>> Sent Access-Request Id 14 from 0.0.0.0:34004 to 127.0.0.1:1812 length 75
>> User-Name = "skina"
>> User-Password = "Nio4Las2Oo"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0x00
>> Cleartext-Password = "Nio4LasOo"
>> Received Access-Accept Id 14 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>>
>> -------------------
>>
>> Third .. tryied to configure freeradius ntlm_auth and MSCHAP
>> http://deployingradius.com/documents/configuration/active_directory.html
>>
>> I have already set all the permissions to user freerad to winbindd_private
>> directory so that not the issue.
>>
>> It does not matter what I do .. I always get the same error ..
>>
>> -------------------
>>
>> #>> radtest -t mschap 'skina' 'Nio4LasOo' localhost 0 testing123
>> Sent Access-Request Id 158 from 0.0.0.0:33353 to 127.0.0.1:1812 length 131
>> User-Name = "skina"
>> MS-CHAP-Password = "Nio4LasOo"
>> NAS-IP-Address = 127.0.1.1
>> NAS-Port = 0
>> Message-Authenticator = 0x00
>> Cleartext-Password = "Nio4LasOo"
>> MS-CHAP-Challenge = 0x59e2a1e585ad94e6
>> MS-CHAP-Response = 0x0001000000000000000000000000
>> 0000000000000000000000001eacb1bfed243034f718b74d89b6b11b84af50869ab40b06
>> Received Access-Reject Id 158 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
>> MS-CHAP-Error = "\000E=691 R=1 C=c3f65e6f825239e4 V=2"
>> (0) -: Expected Access-Accept got Access-Reject
>>
>> -------------------
>>
>> And the output of "freeradius -X"
>>
>> -------------------
>>
>> (2) Received Access-Request Id 57 from 127.0.0.1:34102 to 127.0.0.1:1812
>> length 131
>> (2) User-Name = "skina"
>> (2) NAS-IP-Address = 127.0.1.1
>> (2) NAS-Port = 0
>> (2) Message-Authenticator = 0xe88750a3ffc2bc75b90b872caf81f7e5
>> (2) MS-CHAP-Challenge = 0x1fa8d5c8e307ea3f
>> (2) MS-CHAP-Response = 0x0001000000000000000000000000
>> 00000000000000000000000074102cb712031d37dcb5bda4745b7e918794c4168fa1e5f5
>> (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enab
>> led/default
>> (2) authorize {
>> (2) policy ntlm_auth.authorize {
>> (2) if (!control:Auth-Type && User-Password) {
>> (2) if (!control:Auth-Type && User-Password) -> FALSE
>> (2) } # policy ntlm_auth.authorize = notfound
>> (2) policy filter_username {
>> (2) if (&User-Name) {
>> (2) if (&User-Name) -> TRUE
>> (2) if (&User-Name) {
>> (2) if (&User-Name =~ / /) {
>> (2) if (&User-Name =~ / /) -> FALSE
>> (2) if (&User-Name =~ /@[^@]*@/ ) {
>> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> (2) if (&User-Name =~ /\.\./ ) {
>> (2) if (&User-Name =~ /\.\./ ) -> FALSE
>> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
>> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>> -> FALSE
>> (2) if (&User-Name =~ /\.$/) {
>> (2) if (&User-Name =~ /\.$/) -> FALSE
>> (2) if (&User-Name =~ /@\./) {
>> (2) if (&User-Name =~ /@\./) -> FALSE
>> (2) } # if (&User-Name) = notfound
>> (2) } # policy filter_username = notfound
>> (2) [preprocess] = ok
>> (2) [chap] = noop
>> (2) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
>> (2) [mschap] = ok
>> (2) [digest] = noop
>> (2) suffix: Checking for suffix after "@"
>> (2) suffix: No '@' in User-Name = "skina", looking up realm NULL
>> (2) suffix: No such realm "NULL"
>> (2) [suffix] = noop
>> (2) eap: No EAP-Message, not doing EAP
>> (2) [eap] = noop
>> (2) [files] = noop
>> (2) [sql] = notfound
>> (2) [expiration] = noop
>> (2) [logintime] = noop
>> (2) } # authorize = ok
>> (2) Found Auth-Type = mschap
>> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (2) authenticate {
>> (2) mschap: Client is using MS-CHAPv1 with NT-Password
>> (2) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --ntlmv2
>> --request-nt-key --username=%{mschap:User-Name:-None} --domain=MINUT-EXT
>> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Resp
>> onse:-00}:
>> (2) mschap: EXPAND --username=%{mschap:User-Name:-None}
>> (2) mschap: --> --username=skina
>> (2) mschap: mschap1: 1f
>> (2) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
>> (2) mschap: --> --challenge=1fa8d5c8e307ea3f
>> (2) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
>> (2) mschap: --> --nt-response=74102cb712031d37
>> dcb5bda4745b7e918794c4168fa1e5f5
>> (2) mschap: ERROR: Program returned code (1) and output 'Logon failure
>> (0xc000006d)'
>> (2) mschap: External script failed
>> (2) mschap: ERROR: External script says: Logon failure (0xc000006d)
>> (2) mschap: ERROR: MS-CHAP2-Response is incorrect
>> (2) [mschap] = reject
>> (2) } # authenticate = reject
>> (2) Failed to authenticate the user
>> (2) Using Post-Auth-Type Reject
>> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (2) Post-Auth-Type REJECT {
>> (2) [sql] = ok
>> (2) attr_filter.access_reject: EXPAND %{User-Name}
>> (2) attr_filter.access_reject: --> skina
>> (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> (2) [attr_filter.access_reject] = updated
>> (2) [eap] = noop
>> (2) policy remove_reply_message_if_eap {
>> (2) if (&reply:EAP-Message && &reply:Reply-Message) {
>> (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>> (2) else {
>> (2) [noop] = noop
>> (2) } # else = noop
>> (2) } # policy remove_reply_message_if_eap = noop
>> (2) } # Post-Auth-Type REJECT = updated
>> (2) Delaying response for 1.000000 seconds
>> Waking up in 0.2 seconds.
>> Waking up in 0.7 seconds.
>> (2) Sending delayed response
>> (2) Sent Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:34102
>> length 61
>> (2) MS-CHAP-Error = "\000E=691 R=1 C=be58a2cfd7660c37 V=2"
>> Waking up in 3.9 seconds.
>> (2) Cleaning up request packet ID 57 with timestamp +161
>> Ready to process requests
>>
>> -------------------
>>
>> This is the same error when I used wbinfo without --ntlmv2 ... ( might be
>> a clue)
>>
>> In mods_enabled/mschap I have tried many parameters in ntlm_auth command
>> .. including hardcoding a known user ..
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MINUT-EXT
>> --username=skina --password='Nio4LasOo'"
>>
>> It returned NT OK . .. but when I added the other to parameters .. i came
>> back to the same error.
>>
>> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Resp
>> onse:-00}"
>>
>> -----------
>>
>> I was wondering if it is a kind of incompatibility concerning the version
>> of MSCHAP or NTLM ..
>>
>>
>> I appreciate any help you can give me. I have four days trying every
>> option, reading every post, .. without success.
>>
>>
>> Kasandra
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list
>> /users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan Buxey -
Kacper Wirski -
Kasandra Padisha -
Matthew Newton