Samba NT & LM hashes with PEAP

Juraj Hrubša freeradius at sitronicsts.sk
Tue Jun 24 08:07:12 CEST 2008


Hello


I want to use an existing LDAP database for authentication of Wi-Fi users
using EAP-PEAP. I am already using LDAP as a backend for Samba, so I
have NT and LM hashes stored. The problem is that I am still getting errors:

   rlm_mschap: Found LM-Password
   rlm_mschap: Found NT-Password
   rlm_mschap: Told to do MS-CHAPv2 for lolo with NT-Password
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
   modcall[authenticate]: module "mschap" returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
   rlm_eap: Freeing handler


I have generated NT and LM hashes for test user lolo like this:

# smbencrypt hoho
LM Hash                             NT Hash
--------------------------------    --------------------------------
E7B56BC6A10F5E88AAD3B435B51404EE    C32F64F9BD0708A6A055812D83B085E2


I have tried the ntdomain hack on and off, without any result...

From radiusd.conf:
                 #  Note that NT-Passwords MUST be stored as a 32-digit hex
                 #  string, and MUST start off with "0x", such as:
                 #
                 #       0x000102030405060708090a0b0c0d0e0f
                 #
                 #  Without the leading "0x", NT-Passwords will not work.
                 #  This goes for NT-Passwords stored in SQL, too.

I have tried this, but I cannot set LDAP attributes to anything like
that, as I understand from the Samba LDAP schema:

attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
         DESC 'LanManager Password'
         EQUALITY caseIgnoreIA5Match
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
         DESC 'MD4 hash of the unicode password'
         EQUALITY caseIgnoreIA5Match
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )


Do I have to add other attributes, or is it possible to add "0x" via
some freeradius configuration?


I have added complete output as an attachment for your convenience.




Thanks in advance...
Juraj

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeradius_output
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20080624/466765ae/attachment.ksh>

