Using ntlm_auth with AD subdomains
Dow, Corey
corey.dow at hp.com
Mon Aug 4 18:39:12 CEST 2008
Hi All,
I have an environment where I'm trying to use FreeRADIUS to authenticate with two Active Directory domains at the same time. The problem I'm encountering is that I can authenticate one domain at a time, but not both, by manipulating the ntlm_auth syntax in radiusd.conf.
For example, my parent AD domain is idmcorp.net (IDMCORP), and my subdomain is sub.idmcorp.net (SUB). The Red Hat Linux system is joined to the parent domain and I can authenticate users via the ntlm_auth command line executable as shown.
ProCurve RADIUS(ms):/etc/raddb # ntlm_auth --request-nt-key --username=codo
password:
NT_STATUS_OK: Success (0x0)
ProCurve RADIUS(ms):/etc/raddb # ntlm_auth --request-nt-key --username='SUB\subusr1'
password:
NT_STATUS_OK: Success (0x0)
I have two test systems which are Windows XP, configured for machine authentication, and each joined to one of the AD domains. The following radiusd.conf ntlm_auth configuration will allow machines in idmcorp.net to authenticate successfully, but not sub.idmcorp.net. If I change the --domain to sub.idmcorp.net, then that domain can authenticate successfully but not idmcorp.net.
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{NT-Domain:-idmcorp.net} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
The bottom line when I look at radiusd -X is that the challenge fails because only idmcorp.net is applied:
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=subusr1'
WARNING: Attempt to use unknown xlat function, or non-existent attribute in string %{NT-Domain}
radius_xlat: '--domain=idmcorp.net'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: b2
radius_xlat: '--challenge=f5ba542c686e9959'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=dfdebeef4582ae2ee49bba789b110a6af1507b67abc97e5e'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
I thought removing the domain argument from ntlm_auth might work, but this fails as well:
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=subusr1'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 49
radius_xlat: '--challenge=dcadf8974326b238'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=804ebd5ea2b41d58ee34f221268885086ca958434d969593'
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
Sorry to be so wordy. Can anyone think of a way to get this working for both the parent/child domains?
Thanks,
Corey
Corey Dow
Security Solutions Test Engineer
ProCurve Networking
Hewlett-Packard Company
8000 Foothills Blvd. (MS 5549)
Roseville, CA 95747
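The debug output above shows the root of the problem: `%{NT-Domain}` is not a known attribute, so the `--domain` argument always falls back to idmcorp.net, while `%{mschap:User-Name}` has already stripped `SUB\` from `subusr1`. The domain therefore has to be derived per request from the User-Name the supplicant sent (the job of FreeRADIUS's `%{mschap:NT-Domain}` xlat or an unlang policy) rather than hard-coded. The following Python script is an added example, not code from the original post or from FreeRADIUS; it models that split, builds the ntlm_auth command line with the `--request-nt-key` flag from the radiusd.conf line, checks the MS-CHAPv2 material before anything is executed, and parses the status strings that appear in the `radiusd -X` output. The function names, the `DEFAULT_DOMAIN` constant and the sample User-Name values are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Per-request derivation of the ntlm_auth command line for MS-CHAPv2.

Added example (not from the original post): a fixed --domain fallback can
only ever satisfy one AD domain, so the domain is taken from User-Name.
"""
import re
import shlex

NTLM_AUTH = "/usr/bin/ntlm_auth"   # path taken from the poster's radiusd.conf
DEFAULT_DOMAIN = "idmcorp.net"     # the fallback the poster's xlat used (assumed name)

# Sizes fixed by MS-CHAPv2: 8-byte peer challenge, 24-byte NT-Response.
CHALLENGE_HEX_LEN = 16
NT_RESPONSE_HEX_LEN = 48

_STATUS_RE = re.compile(r"^(?P<msg>.*?)\s*\((?P<code>0x[0-9a-fA-F]+)\)\s*$")


def split_nt_user(user_name, default_domain=DEFAULT_DOMAIN):
    """Return (user, domain) from User-Name as a supplicant sends it.

    DOMAIN\\user (NetBIOS form) and user@realm (UPN form) carry their own
    domain; a bare user name gets the default.  This is the domain part the
    poster's %{mschap:User-Name}-only configuration threw away.
    """
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return user, domain
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm
    return user_name, default_domain


def is_valid_mschap2_material(challenge_hex, nt_response_hex):
    """True only if both values are hex of the MS-CHAPv2 sizes.

    The '-00' fallbacks in the poster's xlat would otherwise reach
    ntlm_auth silently and surface only as a generic logon failure.
    """
    try:
        bytes.fromhex(challenge_hex)
        bytes.fromhex(nt_response_hex)
    except ValueError:
        return False
    return (len(challenge_hex) == CHALLENGE_HEX_LEN
            and len(nt_response_hex) == NT_RESPONSE_HEX_LEN)


def build_ntlm_auth_argv(user_name, challenge_hex, nt_response_hex,
                         default_domain=DEFAULT_DOMAIN):
    """Build argv for ntlm_auth with a per-request --domain."""
    if not is_valid_mschap2_material(challenge_hex, nt_response_hex):
        raise ValueError("challenge/NT-Response missing or wrong size")
    user, domain = split_nt_user(user_name, default_domain)
    return [NTLM_AUTH, "--request-nt-key",
            f"--username={user}", f"--domain={domain}",
            f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]


def parse_ntlm_auth_status(line):
    """Parse an ntlm_auth result line into (message, numeric NT status).

    Accepts the two forms seen in the post: 'NT_STATUS_OK: Success (0x0)'
    and 'Logon failure (0xc000006d)'.  Returns None if the line does not match.
    """
    m = _STATUS_RE.match(line.strip())
    if not m:
        return None
    return m.group("msg"), int(m.group("code"), 16)


if __name__ == "__main__":
    # Constructed sample requests, one per domain, using the challenge and
    # NT-Response hex values that appear in the poster's debug output.
    samples = ["codo", "SUB\\subusr1", "subusr1@sub.idmcorp.net"]
    for name in samples:
        argv = build_ntlm_auth_argv(
            name, "f5ba542c686e9959",
            "dfdebeef4582ae2ee49bba789b110a6af1507b67abc97e5e")
        print(shlex.join(argv))
    for line in ["NT_STATUS_OK: Success (0x0)", "Logon failure (0xc000006d)"]:
        print(line, "->", parse_ntlm_auth_status(line))
```

The script only prints the command lines it would run; wiring it to `subprocess` is deliberately left out so it stays safe to run anywhere. In a real deployment the same split has to happen inside FreeRADIUS, and the argv shows exactly which `--domain` value the SUB machine's request should have produced instead of the fixed idmcorp.net fallback.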