Trouble authenticating against samba 4 DC
Hello, I've just set up a DC controller using samba 4 on Debian 9 and FreeRADIUS 3 root@dc:~# samba -V Version 4.5.8-Debian root@dc:~# uname -a Linux dc 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64 GNU/Linux root@dc:~# freeradius -v radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on May 30 2017 at 15:18:34 Samba DC is running OK, i can authenticate against it using ntlm_auth root@dc:~# ntlm_auth --request-nt-key --domain=CCBPINHAIS --username=teste-login --password=Thebas@1234 NT_STATUS_OK: Success (0x0) I've followed the setup tutorial at: http://deployingradius.com/documents/configuration/active_directory.html and everything works fine until the part that I setup mschap, the test using the config "DEFAULT Auth-Type = ntlm_auth" at users file is OK, but when I remove the test config and setup mschap I cant authenticate, I'll post the debug log below and aprreciate if anyone can help me. First the output using test config: root@dc:~# radtest teste-login Thebas@1234 localhost 0 testing123 Sent Access-Request Id 152 from 0.0.0.0:59761 to 127.0.0.1:1812 length 81 User-Name = "teste-login" User-Password = "Thebas@1234" NAS-IP-Address = 172.16.100.254 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Thebas@1234" Received Access-Accept Id 152 from 127.0.0.1:1812 to 0.0.0.0:0 length 20 Now removing the test config and using mschap: root@dc:~# radtest -t mschap teste-login Thebas@1234 localhost 0 testing123 Sent Access-Request Id 41 from 0.0.0.0:41126 to 127.0.0.1:1812 length 137 User-Name = "teste-login" MS-CHAP-Password = "Thebas@1234" NAS-IP-Address = 172.16.100.254 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "Thebas@1234" MS-CHAP-Challenge = 0x5c2a896e7b319f2f MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000073a248201d2f5611be653fd75e48b46b9e08d049cb60122d Received Access-Reject Id 41 from 127.0.0.1:1812 to 0.0.0.0:0 length 61 MS-CHAP-Error = "\000E=691 R=1 C=81c1063947fe901b V=2" (0) -: Expected Access-Accept got Access-Reject Below is the debug log: (0) Received Access-Request Id 41 from 127.0.0.1:41126 to 127.0.0.1:1812 length 137 (0) User-Name = "teste-login" (0) NAS-IP-Address = 172.16.100.254 (0) NAS-Port = 0 (0) Message-Authenticator = 0x97d3daecfc41cd5c63cca87fcae738c8 (0) MS-CHAP-Challenge = 0x5c2a896e7b319f2f (0) MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000073a248201d2f5611be653fd75e48b46b9e08d049cb60122d (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap' (0) [mschap] = ok (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "teste-login", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) mschap: Client is using MS-CHAPv1 with NT-Password (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (0) mschap: EXPAND --username=%{mschap:User-Name:-None} (0) mschap: --> --username=teste-login (0) mschap: ERROR: No NT-Domain was found in the User-Name (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS} (0) mschap: --> --domain=CCBPINHAIS (0) mschap: mschap1: 5c (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (0) mschap: --> --challenge=5c2a896e7b319f2f (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=73a248201d2f5611be653fd75e48b46b9e08d049cb60122d (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: Logon failure (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject (0) } # authenticate = reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> teste-login (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 41 from 127.0.0.1:1812 to 127.0.0.1:41126 length 61 (0) MS-CHAP-Error = "\000E=691 R=1 C=81c1063947fe901b V=2" Waking up in 3.9 seconds. (0) Cleaning up request packet ID 41 with timestamp +4 Stripping the debug log, the error lines are: (0) mschap: ERROR: No NT-Domain was found in the User-Name ... 0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (0) mschap: External script failed (0) mschap: ERROR: External script says: Logon failure (0xc000006d) (0) mschap: ERROR: MS-CHAP2-Response is incorrect (0) [mschap] = reject I think the problem has something about that last error about MS-CHAP2-Response, but I don't have a clue what it could it be, I also noticed that radtest sent a MS-CHAPv1 auth request, is it OK? Thank you very much. Best Reagrds, Hugo Thebas
On Aug 3, 2017, at 9:51 PM, Hugo Thebas <thebashugo@gmail.com> wrote:
I've followed the setup tutorial at: http://deployingradius.com/documents/configuration/active_directory.html and everything works fine until the part that I setup mschap, the test using the config "DEFAULT Auth-Type = ntlm_auth" at users file is OK, but when I remove the test config and setup mschap I cant authenticate, I'll post the debug log below and aprreciate if anyone can help me.
First the output using test config:
root@dc:~# radtest teste-login Thebas@1234 localhost 0 testing123
That's good.
Now removing the test config and using mschap:
root@dc:~# radtest -t mschap teste-login Thebas@1234 localhost 0 testing123 Sent Access-Request Id 41 from 0.0.0.0:41126 to 127.0.0.1:1812 length 137 User-Name = "testa-login"
Is that a value username / domain at the AD server? ...
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}: (0) mschap: EXPAND --username=%{mschap:User-Name:-None} (0) mschap: --> --username=teste-login (0) mschap: ERROR: No NT-Domain was found in the User-Name (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS} (0) mschap: --> --domain=CCBPINHAIS (0) mschap: mschap1: 5c (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00} (0) mschap: --> --challenge=5c2a896e7b319f2f (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00} (0) mschap: --> --nt-response=73a248201d2f5611be653fd75e48b46b9e08d049cb60122d (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)' (0) mschap: External script failed
You can run the ntlm_auth program manually to see what parameters are required. In this case, it looks like either the username doesn't exist at that domain, or the password is wrong. We can'y help you fix those errors. The purpose of the guide is to take you step by step through the process, so that you can see exactly when it goes form "working" to "not working". The thing that changes is the source of the problem. In this case, AD is returning "logon failure". That means the user is unknown, or the user is known but the password is wrong. You need to send FreeRADIUS the correct name / domain / password for it to work. Alan DeKok.
participants (2)
-
Alan DeKok -
Hugo Thebas