ntlm_auth fails for none domain

John elmer_radius at yahoo.com.cn
Fri Jul 2 05:19:25 CEST 2010

It is the whole debug info. I think the problem is we could not get the default domain name "xjtu".
Listening on authentication address * port 1812
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host port 32807, id=118, length=125
 Service-Type = Authorize-Only
 NAS-Port-Type = Wireless-802.11
 User-Name = "hhe"
 MS-CHAP-Challenge = 0xd764c8cce93255c4478d7aa05d83f3ea
 MS-CHAP2-Response = 0x9c00a2b7249b043e23cd2866211bff3783d60000000000000000924fed02a24dee7533a7b9af370e858e1b798d9151617838
 NAS-IP-Address =
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] performing user authorization for hhe
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=hhe)
[ldap]  expand: OU=Domain Controllers,dc=xjtu,dc=cn -> OU=Domain Controllers,dc=xjtu,dc=cn
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to, authentication 0
  [ldap] bind as hhe at xjtu.cn/w2006njh to
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in OU=Domain Controllers,dc=xjtu,dc=cn, with filter (sAMAccountName=hhe)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user hhe authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for hhe with NT-Password
[mschap] No NT-Domain was found in the User-Name.

[mschap]  expand: --domain=%{mschap:NT-Domain:-xjtu} -> --domain=

[mschap]  expand: --username=%{mschap:User-Name:-None} -> --username=hhe
[mschap]  mschap2: d7
[mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cf5ba32b520debdd
[mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=924fed02a24dee7533a7b9af370e858e1b798d9151617838
Exec-Program output: No such user (0xc0000064) 
Exec-Program-Wait: plaintext: No such user (0xc0000064) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
Failed to authenticate the user.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 118 to port 32807
 MS-CHAP-Error = "\234E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 118 with timestamp +33
Ready to process requests.

--- On Thu, Jul 1, 2010, Alan DeKok <aland at deployingradius.com> wrote:

From: Alan DeKok <aland at deployingradius.com>
Subject: Re: ntlm_auth fails for none domain
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Date: Thursday, July 1, 2010, 2:02 PM

John wrote:
> "xjtu" is our default domain, for users under this domain will only use
> username to authenticate to RADIUS. With 1.1.6, it will get "xjtu" as
> domain; But with 2.1.9, it will not, please see the debug info below.

  You have deleted nearly all of the debug information, including the
information we need to help you.

  Alan DeKok.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
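
The symptom visible in the debug output above is an expansion written with a `:-` default (`%{mschap:NT-Domain:-xjtu}`) that produces an empty value (`--domain=`). The following is an added example, not part of the original message or of FreeRADIUS: a small Python check that scans `radiusd -X` output for that pattern. The names `empty_defaults` and `SAMPLE` are hypothetical, and the sample lines are copied from the log above.

```python
import re

# Matches debug lines of the form "[module]  expand: <template> -> <result>".
EXPAND = re.compile(r"^\s*\[(?P<module>[\w-]+)\]\s+expand:\s+(?P<template>.*?)\s+->\s?(?P<result>.*)$")
# Matches one non-nested %{...} expansion inside a template.
XLAT = re.compile(r"%\{([^{}]*)\}")

# Sample input: lines copied from the debug output in the message above.
SAMPLE = """\
[ldap]  expand: (sAMAccountName=%{mschap:User-Name}) -> (sAMAccountName=hhe)
[mschap]  expand: --domain=%{mschap:NT-Domain:-xjtu} -> --domain=
[mschap]  expand: --username=%{mschap:User-Name:-None} -> --username=hhe
[mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=cf5ba32b520debdd
"""

def empty_defaults(log_text):
    """Return (module, expression, default) for each %{expr:-default}
    whose expanded value in the log is empty."""
    findings = []
    for line in log_text.splitlines():
        m = EXPAND.match(line)
        if not m:
            continue
        template, result = m["template"], m["result"].rstrip()
        # split() with a capture group yields literal, expr, literal, expr, ...
        parts = XLAT.split(template)
        pattern = "".join(
            re.escape(p) if i % 2 == 0 else "(.*?)" for i, p in enumerate(parts)
        )
        values = re.fullmatch(pattern, result)
        if not values:
            # Nested expansions such as %{%{...}:-x} are not handled here.
            continue
        for expr, value in zip(parts[1::2], values.groups()):
            name, sep, default = expr.partition(":-")
            if sep and default and value == "":
                findings.append((m["module"], name, default))
    return findings

if __name__ == "__main__":
    for module, name, default in empty_defaults(SAMPLE):
        print(f"[{module}] %{{{name}}} expanded to nothing; default '{default}' was not applied")
```
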
