ntlm_auth - rlm_mschap: No User-Password configured. Cannot create NT-Password.
eter de Groot <peter.de.groot@det.wa.edu.au> wrote:
I am trying to autheticate against a different domain that than the samba server is joined to.. should be ok ??
Probably not.
[root@curric4182-05 raddb]# ntlm_auth --request-nt-key --domain=admin4182 --username=e2052982 password: NT_STATUS_OK: Success (0x0)
That's nice, but it's not what the server is doing:
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=7801a84637ef5c68 --nt-response=4f77faa8137d60ae186c5f910fea83f936dbd827ac54f757'
What happens when you run the above command from the command line?
Alan DeKok.
Thanks for the reply .... I re-ran the connect and then copy and pasted onto the command line from the (radiusd -X ) log.. [root@curric4182-05 raddb]# [root@curric4182-05 raddb]# [root@curric4182-05 raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=6151ad29f27eff47 --nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53 Logon failure (0xc000006d) [root@curric4182-05 raddb]# [root@curric4182-05 raddb]# Not good. :-( .. but they do give me the domain option .. so it "should" be ok. ? . . . Sorry ... couple more idiot (newbie) questions .... I am using PEAP with MSCHAPv2 .. and (I think) according to the how-tos .. I do NOT need ANY certificate(s) on the client PC... Is this correct ??.... or, if not .. which certificate(s) are REQUIRED on the PC... ?? I am using tinyCA with the OID extra bits for the XP extensions. Is this an error in the following certficate stuff ?? . . . rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0927], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED . . . . IS the following significant ... ?? It seems to say it cannot create the password ?? modcall: entering group MS-CHAP for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for e2052982 with NT-Password Thanks Peter de Groot Windows Re-Installation Engineer Eastern Goldfields College Ph 08) 90801800 Fax 08) 90801866 Mob 0418915312 http://egshs.wa.edu.au
Peter de Groot <peter.de.groot@det.wa.edu.au> wrote:
[root@curric4182-05 raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=6151ad29f27eff47 --nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53 Logon failure (0xc000006d)
If you can get it working from the command-line, it will work in FreeRADIUS. I have few ideas why it doesn't work, though. Maybe upper/lowercase issues in the domain name? Alan DeKok.
[root@curric4182-05 raddb]# [root@curric4182-05 raddb]# [root@curric4182-05 raddb]# /usr/bin/ntlm_auth --request-nt-key --username=e2052982 --domain=ADMIN4182 --challenge=6151ad29f27eff47 --nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53 Logon failure (0xc000006d) [root@curric4182-05 raddb]# [root@curric4182-05 raddb]#
Not good. :-( .. but they do give me the domain option .. so it "should" be ok. ?
Try asking on the Samba lists. Also, check the event logs on the other domain - it might be that you don't have the relevant options enabled or permissions set to do inter-domain mschap (I don't know what, if any, options you need)
. . .
Sorry ... couple more idiot (newbie) questions ....
I am using PEAP with MSCHAPv2 .. and (I think) according to the how-tos .. I do NOT need ANY certificate(s) on the client PC... Is this correct ??.... or, if not
Correct
.. which certificate(s) are REQUIRED on the PC... ?? I am using tinyCA with the OID extra bits for the XP extensions. Is this an error in the following certficate stuff ??
ignore that
. . . IS the following significant ... ?? It seems to say it cannot create the password ??
modcall: entering group MS-CHAP for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for e2052982 with NT-Password
ignore that, since you're using ntlm_auth it's irrelevant
Tx for the reply..... Am cross posting to the samba list .... Can you tell me how to create the challenge and response stuff .... I can then test it outside of radius.... I can then check agains both domains..... Please humour another query ... how do I test to see if I have the XP extensions in the certificates .. It is beginning to look that I am going to have to go down that road... Bummer .. the users are going to love that .. NOT. More work for me :-( TIA Peter Peter de Groot Windows Re-Installation Engineer Eastern Goldfields College Ph 08) 90801800 Fax 08) 90801866 Mob 0418915312 http://egshs.wa.edu.au Phil Mayers wrote:
[root@curric4182-05 raddb]# [root@curric4182-05 raddb]# [root@curric4182-05 raddb]# /usr/bin/ntlm_auth --request-nt-key -- username=e2052982 --domain=ADMIN4182 --challenge=6151ad29f27eff47 -- nt-response=01e42eabc464bf9915883d804457069d4702d95534ce4d53 Logon failure (0xc000006d) [root@curric4182-05 raddb]# [root@curric4182-05 raddb]#
Not good. :-( .. but they do give me the domain option .. so it "should" be ok. ?
Try asking on the Samba lists. Also, check the event logs on the other domain - it might be that you don't have the relevant options enabled or permissions set to do inter-domain mschap (I don't know what, if any, options you need)
. . .
Sorry ... couple more idiot (newbie) questions ....
I am using PEAP with MSCHAPv2 .. and (I think) according to the how- tos .. I do NOT need ANY certificate(s) on the client PC... Is this correct ??.... or, if not
Correct
.. which certificate(s) are REQUIRED on the PC... ?? I am using tinyCA with the OID extra bits for the XP extensions. Is this an error in the following certficate stuff ??
ignore that
. . . IS the following significant ... ?? It seems to say it cannot create the password ??
modcall: entering group MS-CHAP for request 7 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for e2052982 with NT-Password
ignore that, since you're using ntlm_auth it's irrelevant - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ users.html
Peter de Groot <peter.de.groot@det.wa.edu.au> wrote:
Can you tell me how to create the challenge and response stuff .... I can then test it outside of radius....
See src/modules/rlm_mschap/rlm_mschap.c It's non trivial.
Please humour another query ... how do I test to see if I have the XP extensions in the certificates ..
Print out the certificate information using OpenSSL. You should see "TLS Web Server" stuff. Alan DeKok.
Peter de Groot wrote:
Eeeerrk....
Given that I suspect that this form of authentication is going to be popular ... I was wondering if it could be "broken out" into a test program to add to the others....
See the "eapol_test" program from the "wpa_supplicant" package. Works very well. Alternatively, since the response for a given username/password and challenge is always the same, you can just run one auth, record those, and re-use them. The obvious insecurity behind this is why the RPC call used to pass username/challenge/response must be authenticated with domain machine account credentials.
participants (3)
-
Alan DeKok -
Peter de Groot -
Phil Mayers