FR + ADS 2003 + ntlm_auth

Jacob Jarick mem.namefix at gmail.com
Tue Apr 24 09:54:58 CEST 2007


For anyone else who might have the same problem, it was resolved by the
following cmd:

chgrp radiusd /var/cache/samba/winbindd_privileged/

original article:
http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_10.htm

Thanks to google and Alan for tipping me off.

Yes I am about to backup everything :P before resuming ldap.

On 4/24/07, Jacob Jarick <mem.namefix at gmail.com> wrote:
> radiusd -X -f: http://pastebin.ca/455497
>
> Alan, I have been trying to do my groundwork / homework is all, ie
> research before asking.
> It's simply a case of taking whatever support is available and not
> always being aware who the devs are. When nothing you have tried works
> try something you haven't. It's rare to be told, don't google, ask.
>
> Anyway, I apologize for getting testy, I should have said if there is
> a doc I should be reading paste the link, rather than have me google,
> find the incorrect one then be told the howto/document is incorrect.
>
> Now regarding your document Alan,
>
> Page 12 of 20
>
> "Make sure that the following lines are uncommented and that the value
> is the same as indicated here
>
> authtype = MS-CHAP"
>
> Is this the line in question?
>
> "
>        #  An example configuration for using /etc/smbpasswd.
>        #
>        #passwd etc_smbpasswd {
>        #       filename = /etc/smbpasswd
>        #       format =
> "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
>  >     #       authtype = MS-CHAP
>        #       hashsize = 100
>        #       ignorenislike = no
>        #       allowmultiplekeys = no
>        #}
> "
>
> I have checked through the tutorial again, all my config files were in
> order but ntlm_auth was failing for some reason, a reboot later and
> all was well again.
>
> Here is the output of my testing ntlm_auth, so you know I have the
> samba side working.
>
> "
> [root at localhost ~]# net join -U Administrator
> Administrator's password:
> Using short domain name -- TFXSCHOOL
> Joined 'LOCALHOST' to realm 'TFXSCHOOL.INTERNAL'
> [root at localhost ~]# wbinfo -a jacob%pass
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user jacob%pass with plaintext password
> challenge/response password authentication succeeded
> [root at localhost ~]# ntlm_auth --request-nt-key --domain=tfxschool
> --username=jacob
> password:
> NT_STATUS_OK: Success (0x0)
> [root at localhost ~]#
> "
>
> So that's samba checking passwords fine.
>
> I ask because it is not under the "# Microsoft CHAP authentication"
> section at all.
>
> I went through the whole log this time (sorry, bad habit of scrolling
> up for the last error then working on that one first)
>
> "
> modcall: entering group MS-CHAP for request 6
>  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
>  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
>  rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password
> "
>
> ^ Does that mean it did not get sent the password, or simply that it
> didn't find User-Password so it's using the found NT-Password?
>
> And just below that (mem feels silly) I see:
> "
> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob
> --domain=TFXSCHOOL --challenge=a1a6b069c8d565ac
> --nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
> Exec-Program output: winbind client not authorized to use
> winbindd_pam_auth_crap. Ensure permissions on
> /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
> Exec-Program-Wait: plaintext: winbind client not authorized to use
> winbindd_pam_auth_crap. Ensure permissions on
> /var/cache/samba/winbindd_privileged are set correctly. (0xc0000022)
> Exec-Program: returned: 1
>  rlm_mschap: External script failed.
>  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
>  modcall[authenticate]: module "mschap" returns reject for request 6
> modcall: leaving group MS-CHAP (returns reject) for request 6
> "
>
> Looking at resolving that issue right now.
>
>
>
> On 4/24/07, Alan DeKok <aland at deployingradius.com> wrote:
> > Jacob Jarick wrote:
> > > Sorry to offend,
> > > But I have been seeing a lot of "Docs warn you of this etc" but seeing as
> > > there are so many conflicting documents seeing the generic reply when
> > > I have read / googled high and low is quite frustrating.
> >
> >   The authors of the program you're using have told you what works and
> > what doesn't.  You have a hard time believing them, because of some
> > random web page that isn't associated with the project.
> >
> >   Is that really what you're saying?
> >
> >   If your boss tells you to come in to work at 9am, do you show up at
> > noon, claiming confusion, because the 10 year old newspaper boy down the
> > street said you could show up at noon?
> >
> >   Alan DeKok.
> > --
> >   http://deployingradius.com       - The web site of the book
> >   http://deployingradius.com/blog/ - The blog
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
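The failure in the debug log above (ntlm_auth answering "winbind client not authorized to use winbindd_pam_auth_crap ... Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly") comes down to whether the account FreeRADIUS runs as can enter winbind's privileged socket directory, which is what the chgrp in the resolution fixes. As an added example, not from this thread or from the FreeRADIUS or Samba projects, here is a small POSIX shell check that verifies the directory's group and the group's read/search bits before you restart radiusd. The path and the radiusd group name are the ones used in the thread; treating 0750 (owner rwx, group r-x) as the intended mode is an assumption about a typical setup.

```shell
#!/bin/sh
# Added example, not part of the mailing list post.
# check_winbind_priv_dir DIR GROUP
#   DIR   - winbind's privileged socket directory,
#           e.g. /var/cache/samba/winbindd_privileged
#   GROUP - the group the RADIUS daemon (and therefore ntlm_auth) runs as,
#           e.g. radiusd
# Returns 0 when GROUP owns the directory and has read+search access,
# 1 otherwise, printing the chgrp/chmod that would fix it.
check_winbind_priv_dir() {
    dir="$1"
    want_group="$2"

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir (is winbindd installed and running?)"
        return 1
    fi

    # Field 1 of `ls -ld` is the mode string, field 4 the group name.
    # (Parsing ls keeps this portable; the path must not contain spaces.)
    set -- $(ls -ld "$dir")
    mode="$1"
    group="$4"

    if [ "$group" != "$want_group" ]; then
        echo "group is '$group', expected '$want_group'"
        echo "  fix: chgrp $want_group $dir"
        return 1
    fi

    # Characters 5-7 of the mode string are the group rwx bits; the
    # directory needs group read (char 5 = r) and search (char 7 = x or s).
    case "$mode" in
        ????r?[xs]*)
            echo "ok: $dir is $mode, group $group"
            return 0
            ;;
        *)
            echo "mode $mode does not give group '$group' read+search access"
            echo "  fix: chmod 750 $dir"
            return 1
            ;;
    esac
}

# Typical invocation on the RADIUS host (assumed values from the thread):
#   check_winbind_priv_dir /var/cache/samba/winbindd_privileged radiusd
```

Run it as the radiusd user (or any user) after the chgrp; a non-zero exit tells you which of the two properties is still wrong. It only checks the directory itself, so if the check passes but ntlm_auth still reports 0xc0000022, confirm that the user named in the radiusd configuration really is a member of that group.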



More information about the Freeradius-Users mailing list