Freeradius Active Directory Authentication using ntlm_auth
Hi All, I'm trying to configure Freeradius Active Directory Authentication using ntlm_auth.When I run from the shell I could get the positive response. ntlm_auth --username shyju --passwordPassword:NT_STATUS_OK: Success (0x0) But when I test with the radtest authentication does not work. Please Find below the logs. Client - Sideradtest shyju password localhost 0 testing123 Sending Access-Request of id 125 to 127.0.0.1 port 1812 User-Name = "shyju" User-Password = "password" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=125, length=20 Server-Side rad_recv: Access-Request packet from host 127.0.0.1 port 60581, id=253, length=131 User-Name = "shyju" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x0156cd3b06a063bf8c9dee41dca40c37 MS-CHAP-Challenge = 0x3b41e041947f5126 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003d43a50a42ac1c73b4beeab62bfba628013e7764d8651047# Executing section authorize from file /etc/freeradius/sites-enabled/default+- entering group authorize {...}++[preprocess] returns ok++[chap] returns noop[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'++[mschap] returns ok++[digest] returns noop[suffix] No '@' in User-Name = "shyju", looking up realm NULL[suffix] No such realm "NULL"++[suffix] returns noop[eap] No EAP-Message, not doing EAP++[eap] returns noop++[files] returns noop++[expiration] returns noop++[logintime] returns noop[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.++[pap] returns noopFound Auth-Type = MSCHAP# Executing group from file /etc/freeradius/sites-enabled/default+- entering group MS-CHAP {...}[mschap] Told to do MS-CHAPv1 with NT-Password[mschap] expand: %{Stripped-User-Name} ->[mschap] ... expanding second conditional[mschap] expand: %{User-Name} -> shyju[mschap] expand: %{%{User-Name}:-None} -> shyju[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=shyju[mschap] No NT-Domain was found in the User-Name.[mschap] expand: %{mschap:NT-Domain} ->[mschap] ... expanding second conditional[mschap] expand: --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL} -> --domain=DOMAIN.LOCAL[mschap] mschap1: 3b[mschap] expand: %{mschap:Challenge} -> 3b41e041947f5126[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=3b41e041947f5126[mschap] expand: %{mschap:NT-Response} -> 3d43a50a42ac1c73b4beeab62bfba628013e7764d8651047[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=3d43a50a42ac1c73b4beeab62bfba628013e7764d8651047Exec-Program output: Reading winbind reply failed! (0xc0000001)Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)Exec-Program: returned: 1[mschap] External script failed.[mschap] MS-CHAP-Response is incorrect.++[mschap] returns rejectFailed to authenticate the user.Using Post-Auth-Type Reject# Executing group from file /etc/freeradius/sites-enabled/default+- entering group REJECT {...}[attr_filter.access_reject] expand: %{User-Name} -> shyjuattr_filter: Matched entry DEFAULT at line 11++[attr_filter.access_reject] returns updatedDelaying reject of request 2 for 1 secondsGoing to the next requestWaking up in 0.8 seconds.Sending delayed reject for request 2Sending Access-Reject of id 253 to 127.0.0.1 port 60581 MS-CHAP-Error = "\000E=691 R=1"Waking up in 4.9 seconds.Cleaning up request 2 ID 253 with timestamp +73Ready to process requests. _______ Regards, Shyju
Your command line test didn't have a domain. Your freeradius request does have a realm - DOMAIN.LOCAL . Is that deliberate? alan
Shyju Kanaprath wrote: ...
Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
The radius server probably doesn't have permission to run ntlm_auth. Run the ntlm_auth test as user radiusd (or whatever you set it to on your system). Then, fix permissions until it works. Alan DeKok.
Hi Alan, I could run the command successfully. root@unifi-ubnt:/etc/freeradius# sudo -u freerad ntlm_auth --username shyju --passwordPassword:NT_STATUS_OK: Success (0x0) _______ Regards, Shyju
Date: Sat, 15 Nov 2014 09:41:43 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: Freeradius Active Directory Authentication using ntlm_auth
Shyju Kanaprath wrote: ...
Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
The radius server probably doesn't have permission to run ntlm_auth.
Run the ntlm_auth test as user radiusd (or whatever you set it to on your system). Then, fix permissions until it works.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The permission for /var/run/samba/winbindd_privileged directorydrwxr-x--- 2 root winbindd_priv 40 Nov 15 12:56 winbindd_privileged/ Added the freerad user to the group usermod -a -G winbindd_priv freerad Run the test with no success. root@unifi-ubnt:/var/run/samba# radtest -t mschap shyju password 127.0.0.1 0 testing123Sending Access-Request of id 191 to 127.0.0.1 port 1812 User-Name = "shyju" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x71dd9a1c10b9bc4b MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007e6ad0937ad4b3dfbe0f98ff7e6ccdd11d8f68a6579583f0rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=191, length=38 MS-CHAP-Error = "\000E=691 R=1" _______ Regards, Shyju
Date: Sat, 15 Nov 2014 09:41:43 -0500 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: Freeradius Active Directory Authentication using ntlm_auth
Shyju Kanaprath wrote: ...
Exec-Program output: Reading winbind reply failed! (0xc0000001) Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
The radius server probably doesn't have permission to run ntlm_auth.
Run the ntlm_auth test as user radiusd (or whatever you set it to on your system). Then, fix permissions until it works.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Anil,Thank you Anil. That was the problem. Before I changed the user permission of /var/run/samba/winbindd_privileged/ with out any success. Below command done the trick. chgrp freerad /var/lib/samba/winbindd_privileged My FreeRADIUS is running in Ubuntu 14.04.1 LTS _______ Regards, Shyju Date: Sun, 16 Nov 2014 08:37:42 +0000 From: anilth@hi.is To: freeradius-users@lists.freeradius.org Subject: Re: Freeradius Active Directory Authentication using ntlm_auth What Linux distro are you running ? On 16/11/14 07:27, Shyju Kanaprath wrote: MS-CHAP-Error = "\000E=691 R=1" This stills seem to me permission issue. show your config modules/mscap ? If centos do this : chgrp radiusd /var/lib/samba/winbindd_privileged this should work - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan Buxey -
Alan DeKok -
Anil Thapa -
Shyju Kanaprath