How to? - use/configure winbind/ntlm_auth for Windows authentication
Pete Flynt
peteflynt at hotmail.com
Wed Jun 1 13:54:27 CEST 2005
>Hi Pete,
>look at the radiusd.conf file, there is a sample line for ntlm_auth.
>"man ntlm_auth" will give you details on the parameters.
>regards,
>Stéphane
Hi!
Yes, that famous line! But I can't imagine that the configuration depends
entirely on that single line.
Here is my new state:
I have configured Samba to join the Windows domain. This is working (with
net rpc join).
Then I launched nmbd and winbindd.
Winbind starts but gives the following errors:
Kinit failed: Malformed representation of principal
krb5_cc_get_principal failed (No credentials cache found)
kerberos_kinit_password host /SMF-210-1@ failed: Malformed representation of
principal
As I do not use Kerberos I think that those errors can be ignored.
wbinfo -g shows me the groups but wbinfo -u fails with "Error looking up
domain users".
When executing ntlm_auth --request-nt-key --domain=TESTDOMAIN
--username=pete --nt-response I am prompted for the password and then I get
NT_STATUS_OK: Success (0x0)
So ntlm_auth seems to work.
But even when checking the manual I can't figure out what hexadecimal string
I have to put for testing --challenge from the command line.
Back to freeradius.
In the Users file I added MS-CHAP-USE-NTLM-Auth = 1 but I cannot see the
execution of ntlm_auth in the debug output. It should be logged at
"radius_xlat:", shouldn't it?
Here is the complete output that is generated:
rad_recv: Access-Request packet from host 192.168.33.44:1812, id=123,
length=108
NAS-IP-Address = 192.168.33.44
NAS-Port-Type = Async
User-Name = "pete"
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = "00-11-43-5c-77-d6"
EAP-Message = 0x0200000e0163736368776172747a
Message-Authenticator = 0x25f38b75fa3cb4abe24e239a027fee0c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "pete", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 159
users: Matched entry DEFAULT at line 178
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 123 to 192.168.33.44:1812
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010100160410b9e2efb64f157d1421f9078e7a3bea4c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4ec2da2c4cfabac97ead6fe8e31653bf
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.33.44:1812, id=124,
length=143
NAS-IP-Address = 192.168.33.44
NAS-Port-Type = Async
User-Name = "pete"
Service-Type = Framed-User
Framed-MTU = 1500
Calling-Station-Id = "00-11-43-5c-77-d6"
State = 0x4ec2da2c4cfabac97ead6fe8e31653bf
EAP-Message =
0x0201001f04102f942aff5c15b303e8f9165af155871063736368776172747a
Message-Authenticator = 0x2000b9a88b196b010901c1f9e01d3555
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "pete", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 31
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 159
users: Matched entry DEFAULT at line 178
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/md5
rlm_eap: processing type md5
rlm_eap_md5: User-Password is required for EAP-MD5 authentication
rlm_eap: Handler failed in EAP/md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.33.44:1812, id=124,
length=143
Sending Access-Reject of id 124 to 192.168.33.44:1812
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 123 with timestamp 429e8ebe
Cleaning up request 1 ID 124 with timestamp 429e8ebe
Nothing to do. Sleeping until we see a request.
Regards,
Pete
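The EAP-Message values in the debug output above can be decoded to see which EAP method the client is actually using. The following is an added example written for this thread, not code from the original post or from FreeRADIUS; it parses the four EAP-Message attributes copied from the debug output (RFC 3748 header, RFC 1994 MD5-Challenge payload) and shows how an EAP-MD5 response is validated. The client is negotiating EAP type 4 (MD5-Challenge), which can only be checked against a cleartext User-Password, which is why "mschap" returns noop and ntlm_auth is never invoked. The password used in the verification demo is a constructed placeholder; the real password is not on this page.

```python
import hashlib
import hmac
import struct

# Added example (not from the original post): decode the EAP-Message
# attributes FreeRADIUS printed, and show what validating EAP-MD5 requires.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MS-CHAPv2"}

# The four EAP-Message values copied from the debug output in the post.
DEBUG_PACKETS = [
    "0x0200000e0163736368776172747a",
    "0x010100160410b9e2efb64f157d1421f9078e7a3bea4c",
    "0x0201001f04102f942aff5c15b303e8f9165af155871063736368776172747a",
    "0x04010004",
]


def parse_eap(hexstr):
    """Decode one RADIUS EAP-Message attribute into a dict."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return info                      # Success/Failure carry no type byte
    if len(raw) < 5:
        raise ValueError("Request/Response without type byte")
    eap_type = raw[4]
    payload = raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        info["identity"] = payload.decode("ascii", "replace")
    elif eap_type == 4:
        if not payload or len(payload) < 1 + payload[0]:
            raise ValueError("MD5-Challenge value truncated")
        size = payload[0]
        info["value"] = payload[1:1 + size].hex()
        info["name"] = payload[1 + size:].decode("ascii", "replace")
    return info


def md5_challenge_response(ident, password, challenge):
    """EAP-MD5 response = MD5(Identifier || cleartext password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_md5_response(ident, password, challenge, response):
    """Server-side check; note it needs the cleartext password, not an NT hash."""
    expected = md5_challenge_response(ident, password, challenge)
    return hmac.compare_digest(expected, response)


def describe_exchange(packets):
    """One readable line per packet, in the order they appeared in the debug log."""
    lines = []
    for p in packets:
        info = parse_eap(p)
        desc = f"id={info['id']} {info['code']}"
        if "type" in info:
            desc += f" {info['type']}"
        if "identity" in info:
            desc += f" identity={info['identity']!r}"
        if "name" in info:
            desc += f" value={info['value']} name={info['name']!r}"
        lines.append(desc)
    return lines


if __name__ == "__main__":
    for line in describe_exchange(DEBUG_PACKETS):
        print(line)
    # Constructed credentials; the real password is not in the post.
    challenge = bytes.fromhex(parse_eap(DEBUG_PACKETS[1])["value"])
    demo_password = b"constructed-demo-password"
    resp = md5_challenge_response(1, demo_password, challenge)
    print("constructed response verifies:",
          verify_md5_response(1, demo_password, challenge, resp))
```

Running it prints the Identity response, the server's MD5-Challenge request, the client's MD5-Challenge response and the final Failure. Because the supplicant never sends MS-CHAP attributes or an EAP type that maps to MS-CHAP, nothing in the authorize or authenticate sections reaches rlm_mschap, so MS-CHAP-Use-NTLM-Auth has no effect on this particular exchange.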