How to? - use/configure winbind/ntlm_auth for Windows authentication

Pete Flynt peteflynt at hotmail.com
Wed Jun 1 13:54:27 CEST 2005


>Hi Pete,

>look at the radiusd.conf file, there is a sample line for ntlm_auth.

>"man ntlm_auth" will give you details on the parameters.

>regards,
>Stéphane

Hi!

Yes, that famous line! But I can't imagine that the whole configuration 
depends on that single line.


Here is my new state:

I have configured Samba to join the Windows domain. This is working (with 
net rpc join ...).
Then I launched nmbd and winbindd.
winbindd starts but gives the following errors:

Kinit failed: Malformed representation of principal
krb5_cc_get_principal failed (No credentials cache found)
kerberos_kinit_password host /SMF-210-1@ failed: Malformed representation of principal

As I do not use Kerberos I think that those errors can be ignored.

wbinfo -g shows me the groups but wbinfo -u fails with "Error looking up 
domain users".

When executing ntlm_auth --request-nt-key --domain=TESTDOMAIN 
--username=pete --nt-response I am prompted for the password and then I get 
NT_STATUS_OK: Success (0x0)
So ntlm_auth seems to work.
But even when checking the manual I can't figure out what hexadecimal string 
I have to put for testing --challenge from the command line.

Back to freeradius.
In the users file I added MS-CHAP-Use-NTLM-Auth = 1, but I cannot see the 
execution of ntlm_auth in the debug output. Should it be logged at 
"radius_xlat:", or not?

Here is the complete output that is generated:

rad_recv: Access-Request packet from host 192.168.33.44:1812, id=123, 
length=108
        NAS-IP-Address = 192.168.33.44
        NAS-Port-Type = Async
        User-Name = "pete"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "00-11-43-5c-77-d6"
        EAP-Message = 0x0200000e0163736368776172747a
        Message-Authenticator = 0x25f38b75fa3cb4abe24e239a027fee0c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "pete", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 159
    users: Matched entry DEFAULT at line 178
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 123 to 192.168.33.44:1812
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100160410b9e2efb64f157d1421f9078e7a3bea4c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4ec2da2c4cfabac97ead6fe8e31653bf
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.33.44:1812, id=124, 
length=143
        NAS-IP-Address = 192.168.33.44
        NAS-Port-Type = Async
        User-Name = "pete"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = "00-11-43-5c-77-d6"
        State = 0x4ec2da2c4cfabac97ead6fe8e31653bf
        EAP-Message = 0x0201001f04102f942aff5c15b303e8f9165af155871063736368776172747a
        Message-Authenticator = 0x2000b9a88b196b010901c1f9e01d3555
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "pete", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 31
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 159
    users: Matched entry DEFAULT at line 178
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/md5
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.33.44:1812, id=124, 
length=143
Sending Access-Reject of id 124 to 192.168.33.44:1812
        EAP-Message = 0x04010004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 123 with timestamp 429e8ebe
Cleaning up request 1 ID 124 with timestamp 429e8ebe
Nothing to do.  Sleeping until we see a request.

Regards,
Pete
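The debug output above, as an added example that is not part of the post or of FreeRADIUS itself: a small parser that groups the radiusd -X lines by request and reports whether the MS-CHAP path was ever entered. ntlm_auth is only executed by rlm_mschap (Auth-Type MS-CHAP) or inside EAP-MSCHAPv2; in this trace rlm_mschap returned noop in authorize and rlm_eap negotiated md5, so the ntlm_auth line is never expanded by radius_xlat. SAMPLE_LOG is a constructed, abbreviated excerpt of the quoted trace.

```python
import re

# Constructed, abbreviated excerpt of the radiusd -X output quoted in the post.
# The retransmitted id=124 packet is omitted: radiusd logs it as rad_recv but
# treats it as a duplicate, not as a new request.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.33.44:1812, id=123, length=108
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "eap" returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
  rlm_eap: processing type md5
  modcall[authenticate]: module "eap" returns handled for request 0
rad_recv: Access-Request packet from host 192.168.33.44:1812, id=124, length=143
  modcall[authorize]: module "mschap" returns noop for request 1
  rad_check_password:  Found Auth-Type EAP
  rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
  modcall[authenticate]: module "eap" returns invalid for request 1
"""

RAD_RECV = re.compile(r"rad_recv: Access-Request .*\bid=(\d+)")
MODCALL = re.compile(r'modcall\[(\w+)\]: module "(\w+)" returns (\w+) for request (\d+)')
EAP_TYPE = re.compile(r"rlm_eap: processing type (\w+)")
AUTH_TYPE = re.compile(r"Found Auth-Type (\S+)")

def parse_debug(log):
    """Group the debug lines by request: module return codes, Auth-Type, EAP type."""
    reqs, cur = {}, None
    for line in log.splitlines():
        if m := RAD_RECV.search(line):
            cur = len(reqs)  # radiusd numbers requests 0, 1, ... in arrival order
            reqs[cur] = {"id": int(m.group(1)), "modules": {}, "auth_type": None, "eap_type": None}
        elif (m := MODCALL.search(line)) and int(m.group(4)) in reqs:
            section, mod, rc, n = m.groups()
            reqs[int(n)]["modules"][(section, mod)] = rc
        elif (m := AUTH_TYPE.search(line)) and cur is not None:
            reqs[cur]["auth_type"] = m.group(1)
        elif (m := EAP_TYPE.search(line)) and cur is not None:
            reqs[cur]["eap_type"] = m.group(1)
    return reqs

def ntlm_auth_reachable(req):
    """Return (reachable, reason): ntlm_auth runs only via rlm_mschap or EAP-MSCHAPv2."""
    if req["auth_type"] == "MS-CHAP" or req["eap_type"] == "mschapv2":
        return True, "MS-CHAP path taken; ntlm_auth would be executed"
    if req["modules"].get(("authorize", "mschap")) == "noop":
        return False, ("rlm_mschap found no MS-CHAP attributes (noop) and the EAP type "
                       "is %s; ntlm_auth is never called" % req["eap_type"])
    return False, "no MS-CHAP or EAP-MSCHAPv2 seen for this request"

if __name__ == "__main__":
    for n, req in parse_debug(SAMPLE_LOG).items():
        print("request %d (id=%d): %s" % (n, req["id"], ntlm_auth_reachable(req)[1]))
```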
