Authenticating against AD issues

Johnson, Neil M neil-johnson at uiowa.edu
Thu Oct 28 22:02:27 CEST 2010


I ran across a post on the Red Hat forums that stated that you must start smbd before winbindd; otherwise, even though running ntlm_auth seems to work from the command line, it doesn't work when running FreeRadius.

Issue resolved. Thanks for the help.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
319 384-0938
neil-johnson at uiowa.edu 


> -----Original Message-----
> From: freeradius-users-bounces+neil-johnson=uiowa.edu at lists.freeradius.org [mailto:freeradius-users-bounces+neil-johnson=uiowa.edu at lists.freeradius.org] On Behalf Of Johnson, Neil M
> Sent: Thursday, October 28, 2010 11:27 AM
> To: FreeRadius users mailing list
> Subject: RE: Authenticating against AD issues
> 
> Could this be the Samba bug? I'm running 3.4.9 of Samba. I thought it
> was fixed in that release.
> 
> -Neil
> 
> 
> 
> > -----Original Message-----
> > From: freeradius-users-bounces+neil-johnson=uiowa.edu at lists.freeradius.org [mailto:freeradius-users-bounces+neil-johnson=uiowa.edu at lists.freeradius.org] On Behalf Of Johnson, Neil M
> > Sent: Thursday, October 28, 2010 10:58 AM
> > To: FreeRadius users mailing list
> > Subject: RE: Authenticating against AD issues
> >
> > Okay, I made those changes, but it still isn't working.
> >
> > New log output:
> >
> > Found Auth-Type = EAP
> > +- entering group authenticate {...}
> > [eap] Request found, released from the list
> > [eap] EAP/mschapv2
> > [eap] processing type mschapv2
> > [mschapv2] +- entering group MS-CHAP {...}
> > [mschap] Told to do MS-CHAPv2 for nmjoo with NT-Password
> > [mschap]        expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo
> > [mschap]        expand: %{mschap:NT-Domain} -> IOWA
> > [mschap]        expand: --domain=%{%{mschap:NT-Domain}:-IOWA} -> --domain=IOWA
> > [mschap]  mschap2: f7
> > [mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=7ec345e462e886cc
> > [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a702419f587f109f326572c6e275dde4c144ccf18a11cc1d
> > Exec-Program output: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
> > Exec-Program-Wait: plaintext: NT_KEY: 0FD5C0593F3B79F0478DB821B51BCB38
> > Exec-Program: returned: 0
> > [mschap] adding MS-CHAPv2 MPPE keys
> > ++[mschap] returns ok
> > MSCHAP Success
> > ++[eap] returns handled
> > } # server inner-tunnel
> > [peap] Got tunneled reply code 11
> >         EAP-Message = 0x010a00331a0309002e533d37304443454534424441463830433945444643443943413335313237463630414239443345323741
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0x685b4a666951502b3811a806682630a9
> > [peap] Got tunneled reply RADIUS code 11
> >         EAP-Message = 0x010a00331a0309002e533d37304443454534424441463830433945444643443943413335313237463630414239443345323741
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0x685b4a666951502b3811a806682630a9
> > [peap] Got tunneled Access-Challenge
> > ++[eap] returns handled
> > Sending Access-Challenge of id 0 to 128.255.11.74 port 32768
> >         EAP-Message = 0x010a005b19001703010050a8e7120ce3206005ece77b52e24df05d1ea02d75ff3620697699ee570a8b6a06d08cc95c2d4f4985bd9d8754d8a895ca8758dddd2ba6f7973a78d16d781735fb1e7274f297ef87971da17a0f708d6d0d
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0x122499391a2e80cc44ec4cdf9c13104c
> > Finished request 17.
> > Going to the next request
> > Waking up in 3.2 seconds.
> > C
> >
> >
> > > -----Original Message-----
> > > From: freeradius-users-bounces+neil-johnson=uiowa.edu at lists.freeradius.org [mailto:freeradius-users-bounces+neil-johnson=uiowa.edu at lists.freeradius.org] On Behalf Of Phil Mayers
> > > Sent: Thursday, October 28, 2010 10:44 AM
> > > To: freeradius-users at lists.freeradius.org
> > > Subject: Re: Authenticating against AD issues
> > >
> > > On 28/10/10 16:22, Johnson, Neil M wrote:
> > > > Yes, I did.
> > >
> > > Ah. However, the debug output says:
> > >
> > > >
> > > > [mschap] expand: %{Stripped-User-Name} ->
> > > > [mschap] ... expanding second conditional
> > > > [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
> > > > [mschap] expand: %{User-Name:-None} -> IOWA\nmjoo
> > > > [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo
> > >
> > > i.e. the username still contains a "DOMAIN\". You need to change the
> > > "ntlm_auth" command in /etc/raddb/modules/mschap to have:
> > >
> > >     ntlm_auth = "... --username=%{mschap:User-Name} ..."
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
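
Added example, not part of the original thread or of FreeRADIUS: a small checker for the point made in the quoted replies, that the `--username` value handed to ntlm_auth must not still carry a `DOMAIN\` prefix. It reads `[mschap] expand:` lines from debug output; the function names are hypothetical and the sample logs are constructed from the lines quoted above with the mail wrapping undone.

```python
import re

# "[mschap] expand: <template> -> <expanded value>" lines from the debug output.
EXPAND_RE = re.compile(r"\[mschap\]\s+expand:\s+(?P<tmpl>.+?)\s+->\s*(?P<value>.*)$")
OPTION_RE = re.compile(r"^--(?P<name>[a-z-]+)=(?P<val>.*)$")

# Constructed samples: expand lines quoted in the thread, before and after the change.
BEFORE_LOG = r"""
[mschap] expand: %{Stripped-User-Name} ->
[mschap] expand: %{User-Name:-None} -> IOWA\nmjoo
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=IOWA\nmjoo
"""
AFTER_LOG = r"""
[mschap]        expand: --username=%{mschap:User-Name:-None} -> --username=nmjoo
[mschap]        expand: --domain=%{%{mschap:NT-Domain}:-IOWA} -> --domain=IOWA
"""


def ntlm_auth_args(log_text):
    """Return {option name: expanded value} for every ntlm_auth option expanded in the log."""
    args = {}
    for line in log_text.splitlines():
        m = EXPAND_RE.search(line)
        if not m:
            continue
        opt = OPTION_RE.match(m.group("value").strip())
        if opt:  # only expansions that produced a --option=value argument
            args[opt.group("name")] = opt.group("val")
    return args


def username_problems(log_text):
    """List reasons the expanded --username would not match a bare AD account name."""
    user = ntlm_auth_args(log_text).get("username")
    if user is None:
        return ["no --username expansion found in the log"]
    if "\\" in user:
        domain, _, name = user.partition("\\")
        return ["--username still contains the prefix " + repr(domain)
                + "; expected bare name " + repr(name)]
    if user in ("", "None"):
        return ["--username expanded to an empty or default value"]
    return []


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(label, ntlm_auth_args(log), username_problems(log))
```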



