etc_passwd module doesn't authenticate
Ramses van Pinxteren
ramses at niob.knaw.nl
Thu Jul 28 11:39:30 CEST 2005
> > Module: Loaded passwd
> > passwd: filename = "/etc/samba/smbpasswd"
>> passwd: format =
>>"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
>> passwd: authtype = "MS-CHAP"
>
> You've configured the passwd module to set Auth-Type = MSCHAP.
>Don't do that.
This is the radiusd.conf (/etc/raddb/radiusd.conf) I am using, minus all the comments:
# /etc/raddb/radiusd.conf as posted (the author stripped the stock comments).
# Path layout; everything below is derived from these.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
# The daemon drops to this unprivileged account. /etc/samba/smbpasswd, read by
# the passwd module below, must be readable by it; the debug run in this post
# was done as root, so that has not been verified for the daemon itself.
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface ("Listening on authentication *:1812" in the debug
# output). Which peers may send requests, and with which shared secret, is
# decided by clients.conf (included further down), not here.
bind_address = *
# 0 = take the ports from /etc/services; the daemon bound 1812/1813.
port = 0
hostname_lookups = no
# Keep this off: a core of radiusd would hold shared secrets and passwords
# that were in memory at the time.
allow_core_dumps = no
regular_expressions = no
extended_expressions = no
log_stripped_names = yes
log_auth = yes
# With these two on, the password the client sent is written to radius.log in
# clear on every attempt -- the debug output shows it as
# "Login incorrect: [ramses/95903FD8...]". Acceptable while debugging, but turn
# both off before production use.
log_auth_badpass = yes
log_auth_goodpass = yes
usercollide = no
lower_user = yes
lower_pass = no
nospace_user = yes
nospace_pass = yes
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200
# Every Access-Reject is held back this long ("Delaying request 0 for 1
# seconds" in the output), which slows down online password guessing.
reject_delay = 1
status_server = yes
}
proxy_requests = no
# NAS definitions and their shared secrets live here; the file is not part of
# this post.
$INCLUDE ${confdir}/clients.conf
snmp = no
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {
# MS-CHAP authentication. No passwd file or ntlm_auth helper is configured for
# it (debug output: passwd = "(null)", ntlm_auth = "(null)"), so it depends on
# the LM-Password/NT-Password check items that etc_smbpasswd adds in authorize.
mschap {
authtype = MS-CHAP
use_mppe = yes
# MPPE must be negotiated and with the strong (128-bit) key length, per the
# rlm_mschap option names -- confirm against the module documentation.
require_encryption = yes
require_strong = yes
}
# Reads Samba's smbpasswd and turns its fields into check items keyed on
# User-Name.
passwd etc_smbpasswd {
filename = /etc/samba/smbpasswd
# ':' separated field list: username (the '*' marks the lookup key), a field
# with an empty name (skipped), LM hash, NT hash, account flags (e.g. '[UX ]'
# in the output), then two more skipped fields.
format =
"*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
# Left unset on advice from the list: with it, every request that matches a
# smbpasswd user would be forced to Auth-Type MS-CHAP. Without it the module
# only adds the check items and sets no Auth-Type (authtype = "(null)" in the
# output).
# authtype = MS-CHAP
hashsize = 100
ignorenislike = no
allowmultiplekeys = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ntdomain_hack = no
}
# Defined but never referenced from authorize below, so the users file is not
# consulted at all in this configuration (the debug output never loads it).
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
detail {
# One accounting detail file per client IP and day, readable only by the
# radiusd user.
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
}
# Order matters. mschap runs first and sets Auth-Type = MS-CHAP only when the
# request carries MS-CHAP attributes (it returned "noop" for the PAP test in
# this post); etc_smbpasswd then attaches the LM/NT hashes as check items.
# A request that has only User-Password ends up with no Auth-Type and is
# rejected with "No authenticate method": there is no pap module and no
# "Auth-Type PAP" section here, so the radclient test in this post cannot
# succeed with this configuration whatever password is sent.
authorize {
preprocess
mschap
etc_smbpasswd
}
# The only authentication method configured.
authenticate {
Auth-Type MS-CHAP {
mschap
}
}
I commented out the authtype = MS-CHAP line in the passwd module, restarted radiusd and worked out how to test with radclient.
I just copied a password hash from /etc/samba/smbpasswd (the value sent below is the LM hash -- it is identical to the LM-Password that the passwd module loads in the debug output) and did the following:
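# PAP test against the local radiusd. "mysecretkey" must be this client's shared
# secret from clients.conf; it and the password end up in shell history and in
# `ps` output, so use a throwaway account while testing.
# User-Password is the dictionary name for the attribute (the server logged it
# as such) and it must carry the CLEARTEXT password: what was sent in this post
# was the LM hash copied from smbpasswd (byte-identical to the LM-Password the
# passwd module loaded), and a hash submitted as a password would simply be
# hashed again and never match.
# Note also that the posted radiusd.conf has no pap module and no "Auth-Type PAP"
# section, so a User-Password-only request is rejected with "No authenticate
# method" regardless of the value; exercise MS-CHAP (e.g. through the VPN/NAS)
# or add PAP support before expecting this command to succeed.
echo "User-Name = ramses, User-Password = xxxxxxxxxxxxx" | radclient 127.0.0.1 auth mysecretkey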
This is the complete output (note that the LM-Password and NT-Password values printed here are the real password hashes for this account; for NTLM/MS-CHAP they are as good as the password itself, so the password should be changed now that they have been posted):
[root at h222 raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "yes"
main: lower_pass = "no"
main: nospace_user = "yes"
main: nospace_pass = "yes"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded passwd
passwd: filename = "/etc/samba/smbpasswd"
passwd: format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
passwd: authtype = "(null)"
passwd: delimiter = ":"
passwd: ignorenislike = no
passwd: ignoreempty = yes
passwd: allowmultiplekeys = no
passwd: hashsize = 100
rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no
Module: Instantiated passwd (etc_smbpasswd)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32774, id=224, length=62
User-Name = "ramses"
User-Password = "95903FD81E9ECFEC17306D272A9441BB"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_passwd: Added LM-Password: '95903FD81E9ECFEC17306D272A9441BB' to
config_items
rlm_passwd: Added NT-Password: '435979E55C915EC8AD30AF6418407E89' to
config_items
rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items
modcall[authorize]: module "etc_smbpasswd" returns ok for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [ramses/95903FD81E9ECFEC17306D272A9441BB] (from
client localhost port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 224 to 127.0.0.1:32774
Waking up in 4 seconds...
I am starting to get the feeling my users file is not right. It is still the default, and I am afraid of what will happen once I start changing it (I don't understand much of it even after reading everything four or five times -- lack of experience with RADIUS).
>
>> rad_recv: Access-Request packet from host 192.87.138.222:32774,
>> id=176, length=68
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> User-Name = "ramses"
>> Calling-Station-Id = "192.87.138.220"
>> NAS-IP-Address = 192.87.138.222
>> NAS-Port = 0
>
> Which doesn't contain an MS-CHAP password.
>
> Or any password, for that matter. How do you expect to authenticate
>that request?
That is the second problem. I am using RADIUS to check the passwords for my VPN server. When I test pppd against a chap-secrets file it can authenticate, but it looks to me like radiusclient is not relaying the right information (the request above carries no CHAP or MS-CHAP attributes at all). Can someone tell me where I went wrong in configuring it?
# General settings
# Which authentication source is consulted first. Possible values are
# "radius" and "local"; "radius,local" asks the RADIUS server first and then
# the local one, and if only one keyword is given only that source is used.
# NOTE(review): with the local fallback in place, a RADIUS outage (and,
# depending on how radiusclient treats an Access-Reject, possibly a rejected
# user) may still obtain a login via local credentials -- confirm the exact
# fallback condition before relying on RADIUS as the sole policy point.
auth_order radius,local
# maximum number of login tries a user has
login_tries 4
# timeout for all login tries; if this time is exceeded the user is kicked out
login_timeout 60
# name of the nologin file which, when it exists, disables logins.
# it may be extended by the ttyname, which results in a terminal-specific
# lock (e.g. /etc/nologin.ttyS2 disables logins on /dev/ttyS2)
nologin /etc/nologin
# name of the issue file; it is only displayed when no username is passed
# on the radlogin command line
issue /etc/radiusclient/issue
# RADIUS settings
# RADIUS server to use for authentication requests. This item may appear
# more than once; if several servers are defined they are tried in a
# round-robin fashion when one does not answer.
# Optionally the port number on which the remote RADIUS server listens can be
# given, separated from the hostname by a colon. If no port is specified
# /etc/services is consulted for the radius service; if that fails too, a
# compiled-in default is used.
# The server is addressed by DNS name here; the shared secret in the servers
# file must match the entry for this client in the server's clients.conf.
#authserver localhost
authserver h222.niob.knaw.nl:1812
# RADIUS server to use for accounting requests. Everything said for
# authserver applies here too.
#
#acctserver localhost
acctserver h222.niob.knaw.nl:1813
# file holding the shared secrets used for the communication between the
# RADIUS client and server. It is a credential: keep it readable by root only.
servers /etc/radiusclient/servers
# dictionary of allowed attributes and values, just like in the normal
# RADIUS distributions
dictionary /etc/radiusclient/dictionary
# program to call for a RADIUS-authenticated login
login_radius /usr/sbin/login.radius
# file which holds the sequence number for communication with the RADIUS
# server
seqfile /var/run/radius.seq
# file which specifies the mapping between ttyname and the NAS-Port attribute
mapfile /etc/radiusclient/port-id-map
# default authentication realm to append to all usernames if no realm was
# explicitly specified by the user. The radiusd directly from Livingston does
# not use realms, so leave it blank in that case.
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout 10
# resend the request this many times before trying the next server
radius_retries 3
# LOCAL settings
# program to execute for a local login; it must support the -f flag for
# preauthenticated login
login_local /bin/login