FR/AD integration

E Rossiter phedup at gmail.com
Sat Feb 19 01:11:57 CET 2011


Trying to use FR to query AD as an authentication oracle, set up per the
docs at
http://deployingradius.com/documents/configuration/active_directory.html and
several others pertaining to setting up Kerberos and winbind.

smb/krb/winbind all run.  The usual testing commands all produce the proper
output: wbinfo, kinit, klist, net join, etc.

FreeRADIUS Version 2.1.7,
CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
Samba Version 3.3.8-0.52.el5_5.2
KRB5

I have been able to authenticate and authorize accounts using PAP via a
Juniper device and a Dell PC 3448.  Am now trying to expand beyond PAP and
use ntlm_auth and eventually MSCHAP.

Upon issuing the command:

ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL
--username=eric.rossiter --password=Cyt3w0rk5

I receive NT_STATUS_OK: Success (0x0), but I do not see any reference to
an NT_KEY.

I believe that's why the radtest command is failing:

radtest sambatest somepass localhost 0 somesecret
Sending Access-Request of id 225 to 127.0.0.1 port 1812
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20

Been reading and researching and testing for 3 weeks, but I'm stuck now.

radiusd -X output:

rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log]      expand: %t -> Fri Feb 18 17:19:10 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=somepass
username must be specified!
[# I don't understand this: the username is two lines up.  If I shut down winbind, a winbind error precedes "username must be specified!".  I don't understand why samba is puking a help screen.]

Usage: [OPTION...]
  --helper-protocol=helper protocol to use     operate as a stdio-based helper
  --username=STRING                            username
  --domain=STRING                              domain name
  --workstation=STRING                         workstation
  --challenge=STRING                           challenge (HEX encoded)
  --lm-response=STRING                         LM Response to the challenge
                                               (HEX encoded)
  --nt-response=STRING                         NT or NTLMv2 Response to the
                                               challenge (HEX encoded)
  --password=STRING                            User's plaintext password
  --request-lm-key                             Retrieve LM session key
  --request-nt-key                             Retrieve User (NT) session key
  --use-cached-creds                           Use cached credentials if no
                                               password is given
  --diagnostics                                Perform diagnostics on the
                                               authentictaion chain
  --require-membership-of=STRING               Require that a user be a member
                                               of this group (either name or
                                               SID) for authentication to
                                               succeed

Help options:
  -?, --help                                   Show this help message
  --usage                                      Display brief usage message

Common samba config:
  --configfile=CONFIGFILE                      Use alternate configuration file

Common samba options:
  -V, --version                                Print version
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sambatest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
Waking up in 4.9 seconds.
Cleaning up request 2 ID 4 with timestamp +349
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log]      expand: %t -> Fri Feb 18 17:32:09 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=Thursday77
username must be specified!

[ntlm_auth usage text, identical to the dump above]
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sambatest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 225 to 127.0.0.1 port 57210
Waking up in 4.9 seconds.
Cleaning up request 3 ID 225 with timestamp +1128
Ready to process requests.

/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ADMIN.CYTEWORKS.LOCAL
# All of the following entries have been used for testing and are commented out now:
# dns_lookup_realm = false
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# forwardable = yes
# default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC


[realms]
ADMIN.CYTEWORKS.LOCAL = {
  kdc = cyteworks.admin.cyteworks.local
  admin_server = cyteworks.admin.cyteworks.local
  default_domain = ADMIN.CYTEWORKS.LOCAL
 }

[domain_realm]
 .cyteworks.local = ADMIN.CYTEWORKS.LOCAL
 cyteworks.local = ADMIN.CYTEWORKS.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/samba/smb.conf

#======================= Global Settings =====================================

[global]

        idmap uid = 200000 - 300000
        idmap gid = 200000 - 300000
        workgroup = ADMIN
;       netbios name = cyteworks

        realm = ADMIN.CYTEWORKS.LOCAL
        server string = Samba Server Version %v
        security = ads
        local master = no
        domain master = no
        preferred master = no

        winbind separator = +
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes

;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
        hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50

# ----------------------- Domain Members Options ------------------------

;       password server = *


        security = ads
;       passdb backend = tdbsam
        realm = ADMIN.CYTEWORKS.LOCAL

;       password server = 10.12.1.40


Everything else is commented out in smb.conf.  Don't need any printers, no
shares, etc.

/etc/raddb/radiusd.conf:

# -*- text -*-
##
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

user = radiusd
group = radiusd

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {
        type = auth

        ipaddr = *

        port = 0

        clients = per_socket_clients
}

listen {
        ipaddr = *
        port = 0
        type = acct
        clients = per_socket_clients
}

hostname_lookups = no

allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes

log {
        destination = files

        file = ${logdir}/radius.log

        syslog_facility = daemon

        stripped_names = yes

        auth = yes

        auth_badpass = yes
        auth_goodpass = yes

}

checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200

        reject_delay = 2

        status_server = yes
}


proxy_requests  = no

$INCLUDE clients.conf

thread pool {
        start_servers = 5

        max_servers = 32

        min_spare_servers = 3
        max_spare_servers = 10

        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/

        $INCLUDE eap.conf
}

instantiate {
        exec

        expr

        expiration
        logintime
}

$INCLUDE policy.conf

$INCLUDE sites-enabled/

/etc/raddb/clients.conf:

# -*- text -*-
##
## clients.conf -- client configuration directives
##

client localhost {
        ipaddr = 127.0.0.1

        secret          = somesecret

        require_message_authenticator = yes

        shortname       = localhost

        nastype     = other     # localhost isn't usually a NAS...

}

clients per_socket_clients {


        client 127.0.0.1 {
                secret = somesecret
        }

# Juniper - ESR - 01.24.11

        client 192.168.20.254 {
                secret = somesecret
                shortname = juniper
                nastype = netscreen
        }

# Dell PowerConnect 3448 - ESR - 02.01.11

        client 10.12.1.11 {
                secret = somesecret
                shortname = dpc3448
                nastype = other
        }
}

/etc/raddb/users

# -*- text -*-
#
#       Copyright (C) 2009 Deploying RADIUS Partnerships
#       All rights reserved.
#
#       Save this file as "raddb/users", after first backing up
#       the copy that you have there.
#
#       http://deployingradius.com/documents/configuration/pap.html
#
#  Window 1: radiusd -X
#  Window 2: radtest bob hello localhost 0 testing123
#

# ntlm_auth testing ESR 02.17.11

DEFAULT     Auth-Type = ntlm_auth



#************************ Juniper conf
# - ESR - 01.24.11

#some.user Cleartext-Password := "somepass"
#       NS-Admin-Privilege := 4,
#       NS-VSYS-Name := "Read-Only-Admin"

#some.user Cleartext-Password := "somepass"
#       NS-Admin-Privilege := 2,
#       NS-VSYS-Name := "ROOT"


# End of the file

I commented out the PAP entries in the users file because one of the users
has the same user.name in AD but a different password, and that was causing
me some conflict.

So, can anyone tell me why I'm not getting an *NT_KEY* reply when I issue
the *ntlm_auth* command?

Is the missing key the reason the *radtest* command is failing?  See any
other glaring errors?

Thanks for your time.

E Rossiter
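Added example (editor's addition, not from the post above and not code from the FreeRADIUS or Samba projects): the stated goal is to move from PAP to MS-CHAP through ntlm_auth, and the usage dump above shows the --challenge and --nt-response options that path uses. This Python script builds, offline, the ntlm_auth command line that FreeRADIUS's mschap module would expand for one MS-CHAPv2 request, so the exact invocation can be run by hand on the RADIUS host, and it then reads the helper's reply the way the server does. Assumptions: the argument layout follows the 2.x mschap module's ntlm_auth line (--username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-DEFAULT} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}); a DOMAIN\ prefix on User-Name is stripped as it is with with_ntdomain_hack = yes; NTLM_AUTH_PATH is a placeholder; the sample request is the RFC 2759 section 9.2 test vector and the sample helper replies are constructed. The 8-byte challenge is RFC 2759's ChallengeHash, SHA1(PeerChallenge || AuthenticatorChallenge || UserName) truncated to 8 bytes.

```python
import hashlib
import re
import shlex

# Assumed path to the Samba helper; confirm with `which ntlm_auth` on the RADIUS host.
NTLM_AUTH_PATH = "/usr/bin/ntlm_auth"


def mschap_user_name(user_name):
    """Mirror %{mschap:User-Name}: drop a leading DOMAIN\\ prefix if one is present."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def mschap_nt_domain(user_name, default):
    """Mirror %{%{mschap:NT-Domain}:-DEFAULT}: the DOMAIN\\ prefix, else the fallback."""
    return user_name.split("\\", 1)[0] if "\\" in user_name else default


def mschapv2_challenge(peer_challenge, auth_challenge, user_name):
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(PeerChallenge || AuthChallenge || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 peer and authenticator challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("utf-8")).digest()
    return digest[:8]


def ntlm_auth_argv(user_name, default_domain, ms_chap_challenge, ms_chap2_response):
    """
    Build the argv that the mschap module's ntlm_auth line expands to for one
    MS-CHAPv2 request.  ms_chap2_response is the 50-byte MS-CHAP2-Response value:
    Ident(1) || Flags(1) || PeerChallenge(16) || Reserved(8) || NT-Response(24).
    """
    if len(ms_chap2_response) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes")
    peer_challenge = ms_chap2_response[2:18]
    nt_response = ms_chap2_response[26:50]
    short_name = mschap_user_name(user_name)
    challenge = mschapv2_challenge(peer_challenge, ms_chap_challenge, short_name)
    return [
        NTLM_AUTH_PATH,
        "--request-nt-key",
        "--username=" + short_name,
        "--domain=" + mschap_nt_domain(user_name, default_domain),
        "--challenge=" + challenge.hex(),
        "--nt-response=" + nt_response.hex(),
    ]


# ntlm_auth prints the 16-byte NT session key as 32 hex digits on a line of its own.
NT_KEY_RE = re.compile(r"^NT_KEY:\s*([0-9A-Fa-f]{32})\s*$", re.MULTILINE)


def parse_ntlm_auth_output(stdout, exit_status):
    """
    Read ntlm_auth's result the way FreeRADIUS does.  rlm_exec (Auth-Type =
    ntlm_auth with a plaintext password) only looks at the exit status; rlm_mschap
    additionally needs an NT_KEY line to derive the MPPE keys.  Returns
    (exit_ok, nt_key_hex_or_None); a usage dump or an NT_STATUS_* error is (False, None).
    """
    if exit_status != 0:
        return False, None
    match = NT_KEY_RE.search(stdout)
    return True, (match.group(1).upper() if match else None)


if __name__ == "__main__":
    # Constructed request built from the RFC 2759 section 9.2 test vector (user "User").
    auth_challenge = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
    peer_challenge = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
    nt_response = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD78544C65C8C07486D9A3")
    response_attr = b"\x01\x00" + peer_challenge + b"\x00" * 8 + nt_response
    print(shlex.join(ntlm_auth_argv("User", "ADMIN", auth_challenge, response_attr)))
```

Run it to print the argv, then run that exact command by hand on the RADIUS host as the same user the server runs as (user = radiusd in the radiusd.conf above), since ntlm_auth needs access to winbind's privileged pipe for challenge/response checks. If the helper prints an NT_KEY line and exits 0 when invoked that way, the Samba side is fine and what remains to check is the module's program line as FreeRADIUS tokenizes it.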