Getting NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) when using ntlm_auth

Angelica Delgado angelicadel230 at gmail.com
Fri Dec 2 00:31:32 CET 2011


I followed
http://deployingradius.com/documents/configuration/active_directory.html to
configure FreeRADIUS with Active Directory.  Samba and Kerberos work.
Running the "ntlm_auth --request-nt-key" command works, but through FreeRADIUS
it gives NT_STATUS_WRONG_PASSWORD.  Following is the output of radiusd -X.
Can you please help me find out what can be wrong?

Output of radiusd -X:

FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Dec 30
2009 at 13:47:58
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License v2.

Starting - reading configuration files ...

including configuration file /etc/raddb/radiusd.conf

including configuration file /etc/raddb/proxy.conf

including configuration file /etc/raddb/clients.conf

including files in directory /etc/raddb/modules/

including configuration file /etc/raddb/modules/mschap

including configuration file /etc/raddb/modules/ntlm_auth

including configuration file /etc/raddb/modules/ldap

including configuration file /etc/raddb/modules/wimax

including configuration file /etc/raddb/modules/unix

including configuration file /etc/raddb/modules/sradutmp

including configuration file /etc/raddb/modules/sqlcounter_expire_on_login

including configuration file /etc/raddb/modules/sql_log

including configuration file /etc/raddb/modules/smsotp

including configuration file /etc/raddb/modules/smbpasswd

including configuration file /etc/raddb/modules/realm

including configuration file /etc/raddb/modules/radutmp

including configuration file /etc/raddb/modules/preprocess

including configuration file /etc/raddb/modules/policy

including configuration file /etc/raddb/modules/perl

including configuration file /etc/raddb/modules/passwd

including configuration file /etc/raddb/modules/pap

including configuration file /etc/raddb/modules/pam

including configuration file /etc/raddb/modules/otp

including configuration file /etc/raddb/modules/mac2vlan

including configuration file /etc/raddb/modules/mac2ip

including configuration file /etc/raddb/modules/logintime

including configuration file /etc/raddb/modules/linelog

including configuration file /etc/raddb/modules/ippool

including configuration file /etc/raddb/modules/inner-eap

including configuration file /etc/raddb/modules/files

including configuration file /etc/raddb/modules/expr

including configuration file /etc/raddb/modules/expiration

including configuration file /etc/raddb/modules/exec

including configuration file /etc/raddb/modules/etc_group

including configuration file /etc/raddb/modules/echo

including configuration file /etc/raddb/modules/digest

including configuration file /etc/raddb/modules/detail.log

including configuration file /etc/raddb/modules/detail.example.com

including configuration file /etc/raddb/modules/detail

including configuration file /etc/raddb/modules/cui

including configuration file /etc/raddb/modules/counter

including configuration file /etc/raddb/modules/checkval

including configuration file /etc/raddb/modules/chap

including configuration file /etc/raddb/modules/attr_rewrite

including configuration file /etc/raddb/modules/attr_filter

including configuration file /etc/raddb/modules/always

including configuration file /etc/raddb/modules/acct_unique

including configuration file /etc/raddb/modules/ldap.rpmsave

including configuration file /etc/raddb/modules/mschapBck

including configuration file /etc/raddb/modules/ldapBck

including configuration file /etc/raddb/eap.conf

including configuration file /etc/raddb/policy.conf

including files in directory /etc/raddb/sites-enabled/

including configuration file /etc/raddb/sites-enabled/inner-tunnel

including configuration file /etc/raddb/sites-enabled/default

including configuration file /etc/raddb/sites-enabled/control-socket

group = radiusd

user = radiusd

including dictionary file /etc/raddb/dictionary

main {

prefix = "/usr"

localstatedir = "/var"

logdir = "/var/log/radius"

libdir = "/usr/lib/freeradius"

radacctdir = "/var/log/radius/radacct"

hostname_lookups = no

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

allow_core_dumps = no

pidfile = "/var/run/radiusd/radiusd.pid"

checkrad = "/usr/sbin/checkrad"

debug_level = 0

proxy_requests = yes

log {

stripped_names = no

auth = no

auth_badpass = no

auth_goodpass = no

}

security {

max_attributes = 200

reject_delay = 1

status_server = yes

}

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

retry_delay = 5

retry_count = 3

default_fallback = no

dead_time = 120

wake_all_if_all_dead = no

}

home_server localhost {

ipaddr = 127.0.0.1

port = 1812

type = "auth"

secret = "testing123"

response_window = 20

max_outstanding = 65536

require_message_authenticator = no

zombie_period = 40

status_check = "status-server"

ping_interval = 30

check_interval = 30

num_answers_to_alive = 3

num_pings_to_alive = 3

revive_interval = 120

status_check_timeout = 4

irt = 2

mrt = 16

mrc = 5

mrd = 30

}

home_server_pool my_auth_failover {

type = fail-over

home_server = localhost

}

realm example.com {

auth_pool = my_auth_failover

}

realm LOCAL {

}

radiusd: #### Loading Clients ####

client 10.1.11.33 {

require_message_authenticator = no

secret = "testpwd"

shortname = "10.1.11.33"

nastype = "none"

}

client 10.1.1.1 {

require_message_authenticator = no

secret = "test123"

shortname = "localSystem"

nastype = "test"

}

client 10.1.0.33 {

require_message_authenticator = no

secret = "testpwd"

shortname = "10.1.0.33"

nastype = "none"

}

client localhost {

require_message_authenticator = no

secret = "test123"

nastype = "test"

}

radiusd: #### Instantiating modules ####

instantiate {

Module: Linked to module rlm_exec

Module: Instantiating exec

exec {

wait = no

input_pairs = "request"

shell_escape = yes

}

Module: Linked to module rlm_expr

Module: Instantiating expr

Module: Linked to module rlm_expiration

Module: Instantiating expiration

expiration {

reply-message = "Password Has Expired "

}

Module: Linked to module rlm_logintime

Module: Instantiating logintime

logintime {

reply-message = "You are calling outside your allowed timespan "

minimum-timeout = 60

}

}

radiusd: #### Loading Virtual Servers ####

server inner-tunnel {

modules {

Module: Checking authenticate {...} for more modules to load

Module: Linked to module rlm_pap

Module: Instantiating pap

pap {

encryption_scheme = "auto"

auto_header = no

}

Module: Linked to module rlm_chap

Module: Instantiating chap

Module: Linked to module rlm_mschap

Module: Instantiating mschap

mschap {

use_mppe = yes

require_encryption = yes

require_strong = no

with_ntdomain_hack = yes

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-
MYDOMAIN.COM} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"

}

Module: Instantiating ntlm_auth

exec ntlm_auth {

wait = yes

program = "/usr/bin/ntlm_auth --request-nt-key
--domain=MYDOMAIN.COM--username=%{mschap:User-Name}
--password=%{User-Password}"

input_pairs = "request"

shell_escape = yes

}

Module: Checking authorize {...} for more modules to load

Module: Linked to module rlm_unix

Module: Instantiating unix

unix {

radwtmp = "/var/log/radius/radwtmp"

}

Module: Linked to module rlm_realm

Module: Instantiating suffix

realm suffix {

format = "suffix"

delimiter = "@"

ignore_default = no

ignore_null = no

}

Module: Linked to module rlm_eap

Module: Instantiating eap

eap {

default_eap_type = "ttls"

timer_expire = 60

ignore_unknown_eap_types = no

cisco_accounting_username_bug = no

max_sessions = 2048

}

Module: Linked to sub-module rlm_eap_md5

Module: Instantiating eap-md5

Module: Linked to sub-module rlm_eap_leap

Module: Instantiating eap-leap

Module: Linked to sub-module rlm_eap_gtc

Module: Instantiating eap-gtc

gtc {

challenge = "Password: "

auth_type = "PAP"

}

Module: Linked to sub-module rlm_eap_tls

Module: Instantiating eap-tls

tls {

rsa_key_exchange = no

dh_key_exchange = yes

rsa_key_length = 512

dh_key_length = 512

verify_depth = 0

pem_file_type = yes

private_key_file = "/etc/raddb/certs/server.pem"

certificate_file = "/etc/raddb/certs/server.pem"

CA_file = "/etc/raddb/certs/ca.pem"

private_key_password = "whatever"

dh_file = "/etc/raddb/certs/dh"

random_file = "/etc/raddb/certs/random"

fragment_size = 1024

include_length = yes

check_crl = no

cipher_list = "DEFAULT"

make_cert_command = "/etc/raddb/certs/bootstrap"

cache {

enable = no

lifetime = 24

max_entries = 255

}

}

Module: Linked to sub-module rlm_eap_ttls

Module: Instantiating eap-ttls

ttls {

default_eap_type = "mschapv2"

copy_request_to_tunnel = yes

use_tunneled_reply = yes

virtual_server = "inner-tunnel"

include_length = yes

}

Module: Linked to sub-module rlm_eap_peap

Module: Instantiating eap-peap

peap {

default_eap_type = "mschapv2"

copy_request_to_tunnel = yes

use_tunneled_reply = yes

proxy_tunneled_request_as_eap = yes

virtual_server = "inner-tunnel"

}

Module: Linked to sub-module rlm_eap_mschapv2

Module: Instantiating eap-mschapv2

mschapv2 {

with_ntdomain_hack = no

}

Module: Linked to module rlm_files

Module: Instantiating files

files {

usersfile = "/etc/raddb/users"

acctusersfile = "/etc/raddb/acct_users"

preproxy_usersfile = "/etc/raddb/preproxy_users"

compat = "no"

}

Module: Checking session {...} for more modules to load

Module: Linked to module rlm_radutmp

Module: Instantiating radutmp

radutmp {

filename = "/var/log/radius/radutmp"

username = "%{User-Name}"

case_sensitive = yes

check_with_nas = yes

perm = 384

callerid = yes

}

Module: Checking post-proxy {...} for more modules to load

Module: Checking post-auth {...} for more modules to load

Module: Linked to module rlm_attr_filter

Module: Instantiating attr_filter.access_reject

attr_filter attr_filter.access_reject {

attrsfile = "/etc/raddb/attrs.access_reject"

key = "%{User-Name}"

}

} # modules

} # server

server {

modules {

Module: Checking authenticate {...} for more modules to load

Module: Checking authorize {...} for more modules to load

Module: Linked to module rlm_preprocess

Module: Instantiating preprocess

preprocess {

huntgroups = "/etc/raddb/huntgroups"

hints = "/etc/raddb/hints"

with_ascend_hack = no

ascend_channels_per_line = 23

with_ntdomain_hack = no

with_specialix_jetstream_hack = no

with_cisco_vsa_hack = no

with_alvarion_vsa_hack = no

}

Module: Checking preacct {...} for more modules to load

Module: Linked to module rlm_acct_unique

Module: Instantiating acct_unique

acct_unique {

key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
NAS-Port"

}

Module: Checking accounting {...} for more modules to load

Module: Linked to module rlm_detail

Module: Instantiating detail

detail {

detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"

header = "%t"

detailperm = 384

dirperm = 493

locking = no

log_packet_header = no

}

Module: Instantiating attr_filter.accounting_response

attr_filter attr_filter.accounting_response {

attrsfile = "/etc/raddb/attrs.accounting_response"

key = "%{User-Name}"

}

Module: Checking session {...} for more modules to load

Module: Checking post-proxy {...} for more modules to load

Module: Checking post-auth {...} for more modules to load

} # modules

} # server

radiusd: #### Opening IP addresses and Ports ####

listen {

type = "auth"

ipaddr = *

port = 0

}

listen {

type = "acct"

ipaddr = *

port = 0

}

listen {

type = "control"

listen {

socket = "/var/run/radiusd/radiusd.sock"

}

}

Listening on authentication address * port 1812

Listening on accounting address * port 1813

Listening on command file /var/run/radiusd/radiusd.sock

Listening on proxy address * port 1814

Ready to process requests.

rad_recv: Access-Request packet from host 10.1.0.33 port 1645, id=183,
length=141

User-Name = "testuser"

Framed-MTU = 1400

Called-Station-Id = "00-19-56-B0-90-18"

Calling-Station-Id = "00-1B-77-89-0E-6D"

Service-Type = Login-User

Message-Authenticator = 0xacce4dee9361babf8639ffeecac12bd2

EAP-Message = 0x0202000d01666c616d696e676f

NAS-Port-Type = Wireless-802.11

NAS-Port = 17098251

NAS-Port-Id = "17098251"

NAS-IP-Address = 10.1.0.33

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] No '@' in User-Name = "testuser", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] EAP packet type response id 2 length 13

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns notfound

[files] users: Matched entry DEFAULT at line 4

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user. Authentication
may fail because of this.

++[pap] returns noop

Found Auth-Type = ntlm_auth

+- entering group authenticate {...}

[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=testuser

[ntlm_auth] expand: --password=%{User-Password} -> --password=

Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password
(0xc000006a)

Exec-Program: returned: 1

++[ntlm_auth] returns reject

Failed to authenticate the user.

Using Post-Auth-Type Reject

+- entering group REJECT {...}

[attr_filter.access_reject] expand: %{User-Name} -> testuser

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 0 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 0

Sending Access-Reject of id 183 to 10.1.0.33 port 1645

Waking up in 4.9 seconds.

Cleaning up request 0 ID 183 with timestamp +16
Ready to process requests.



Thanks.
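Added example, not part of the original post or of FreeRADIUS itself: a small Python script that reads a radiusd -X transcript like the one above and reports what the authenticate section actually received. The sample log is constructed and modelled on the lines quoted in the post (the Access-Request attribute list, "Found Auth-Type = ntlm_auth", and the two "[ntlm_auth] expand:" lines). What it makes visible is that the request carries an EAP-Message and no User-Password attribute, so "--password=%{User-Password}" expands to an empty string before ntlm_auth is executed; with an empty password ntlm_auth can only report a wrong password, whatever the real credential is. The function and variable names are my own.

```python
import re

# Constructed excerpt, modelled on the radiusd -X output quoted in the post:
# the Access-Request attribute dump followed by the authenticate section.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.1.0.33 port 1645, id=183, length=141
\tUser-Name = "testuser"
\tEAP-Message = 0x0202000d01666c616d696e676f
\tNAS-IP-Address = 10.1.0.33
+- entering group authorize {...}
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=testuser
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject
"""

# Line shapes taken from the radiusd -X output in the post.
ATTR_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9-]+) = (?P<value>.*)$")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (?P<auth_type>\S+)$")
EXPAND_RE = re.compile(r"^\[(?P<module>[^\]]+)\] expand: (?P<template>\S+) -> (?P<result>.*)$")
NT_STATUS_RE = re.compile(r"^Exec-Program output: (?P<status>NT_STATUS_[A-Z_]+)")
REJECT_RE = re.compile(r"^\+\+\[\S+\] returns reject$")


def analyse_debug_log(text):
    """Parse one request's worth of radiusd -X output into a findings dict."""
    findings = {
        "request_attrs": {},      # attributes the NAS actually sent
        "auth_type": None,        # value of "Found Auth-Type = ..."
        "empty_expansions": [],   # (module, argument) whose expansion was empty
        "nt_status": None,        # NT_STATUS_* reported by ntlm_auth, if any
        "rejected": False,        # did a module return reject?
    }
    in_request = False
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_request = True
            continue
        if in_request:
            m = ATTR_RE.match(line)
            if m:
                findings["request_attrs"][m["name"]] = m["value"]
                continue
            in_request = False  # first non-attribute line ends the dump
        m = AUTH_TYPE_RE.match(line)
        if m:
            findings["auth_type"] = m["auth_type"]
            continue
        m = EXPAND_RE.match(line)
        if m:
            # "--password=%{User-Password} -> --password=" : nothing after '='
            arg, _, value = m["result"].partition("=")
            if m["result"].startswith("--") and value == "":
                findings["empty_expansions"].append((m["module"], arg))
            continue
        m = NT_STATUS_RE.match(line)
        if m:
            findings["nt_status"] = m["status"]
            continue
        if REJECT_RE.match(line):
            findings["rejected"] = True
    return findings


def diagnose(findings):
    """Turn the parsed findings into plain-language observations."""
    notes = []
    attrs = findings["request_attrs"]
    is_eap = "EAP-Message" in attrs
    has_plain_pw = "User-Password" in attrs
    for module, arg in findings["empty_expansions"]:
        notes.append(f"{module}: argument {arg} expanded to an empty string")
        if arg == "--password" and is_eap and not has_plain_pw:
            notes.append(
                "request is EAP (EAP-Message present, no User-Password), so a "
                "plaintext-password ntlm_auth call has no password to check; "
                "EAP-MSCHAPv2 is verified by rlm_mschap via --challenge/--nt-response"
            )
    if findings["nt_status"]:
        notes.append(f"ntlm_auth reported {findings['nt_status']}")
    return notes


if __name__ == "__main__":
    for note in diagnose(analyse_debug_log(SAMPLE_LOG)):
        print("-", note)
```

Run it against a full radiusd -X capture by replacing SAMPLE_LOG with the file contents; the parser only looks at the first Access-Request it finds, which is enough for a single-request debug session like the one in the post.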