FR/AD integration

Gary Gatten Ggatten at waddell.com
Sat Feb 19 01:40:23 CET 2011


If no one else pipes in I'll try to help, but I'm gone for the night.

From: E Rossiter [mailto:phedup at gmail.com]
Sent: Friday, February 18, 2011 06:11 PM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: FR/AD integration

Trying to use FR to query AD as an authentication oracle, and have set it up per the docs at http://deployingradius.com/documents/configuration/active_directory.html and several others pertaining to setting up Kerberos and winbind.

smb/krb/winbind all run.  The usual testing commands all produce the proper output: wbinfo, kinit, klist, net join, etc.

FreeRADIUS Version 2.1.7,
CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
Samba Version 3.3.8-0.52.el5_5.2
KRB5

I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448.  Am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.

Upon issuing the command:

ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5

I receive NT_STATUS_OK: Success (0x0), but I do not see any reference to an NT_KEY.

I believe that's why the radtest command is failing:

 radtest sambatest somepass localhost 0 somesecret
Sending Access-Request of id 225 to 127.0.0.1 port 1812
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20

Been reading and researching and testing for 3 weeks, but I'm stuck now.

radius -X output:

rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log]      expand: %t -> Fri Feb 18 17:19:10 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=somepass
username must be specified!    # don't understand this... username is two lines up.  If I shut down winbind, a winbind error precedes "username must be specified!".  Don't understand why samba is puking a help screen.

Usage: [OPTION...]
  --helper-protocol=helper protocol to use     operate as a stdio-based helper
  --username=STRING                            username
  --domain=STRING                              domain name
  --workstation=STRING                         workstation
  --challenge=STRING                           challenge (HEX encoded)
  --lm-response=STRING                         LM Response to the challenge
                                               (HEX encoded)
  --nt-response=STRING                         NT or NTLMv2 Response to the
                                               challenge (HEX encoded)
  --password=STRING                            User's plaintext password
  --request-lm-key                             Retrieve LM session key
  --request-nt-key                             Retrieve User (NT) session key
  --use-cached-creds                           Use cached credentials if no
                                               password is given
  --diagnostics                                Perform diagnostics on the
                                               authentictaion chain
  --require-membership-of=STRING               Require that a user be a member
                                               of this group (either name or
                                               SID) for authentication to
                                               succeed

Help options:
  -?, --help                                   Show this help message
  --usage                                      Display brief usage message

Common samba config:
  --configfile=CONFIGFILE                      Use alternate configuration file

Common samba options:
  -V, --version                                Print version
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sambatest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
Waking up in 4.9 seconds.
Cleaning up request 2 ID 4 with timestamp +349
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61
        User-Name = "sambatest"
        User-Password = "somepass"
        NAS-IP-Address = 64.126.127.208
        NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log]      expand: %t -> Fri Feb 18 17:32:09 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth]     expand: --password=%{User-Password} -> --password=Thursday77
username must be specified!

Usage: [OPTION...]
  --helper-protocol=helper protocol to use     operate as a stdio-based helper
  --username=STRING                            username
  --domain=STRING                              domain name
  --workstation=STRING                         workstation
  --challenge=STRING                           challenge (HEX encoded)
  --lm-response=STRING                         LM Response to the challenge
                                               (HEX encoded)
  --nt-response=STRING                         NT or NTLMv2 Response to the
                                               challenge (HEX encoded)
  --password=STRING                            User's plaintext password
  --request-lm-key                             Retrieve LM session key
  --request-nt-key                             Retrieve User (NT) session key
  --use-cached-creds                           Use cached credentials if no
                                               password is given
  --diagnostics                                Perform diagnostics on the
                                               authentictaion chain
  --require-membership-of=STRING               Require that a user be a member
                                               of this group (either name or
                                               SID) for authentication to
                                               succeed

Help options:
  -?, --help                                   Show this help message
  --usage                                      Display brief usage message

Common samba config:
  --configfile=CONFIGFILE                      Use alternate configuration file

Common samba options:
  -V, --version                                Print version
Exec-Program output:
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sambatest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 225 to 127.0.0.1 port 57210
Waking up in 4.9 seconds.
Cleaning up request 3 ID 225 with timestamp +1128
Ready to process requests.

/etc/krb.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ADMIN.CYTEWORKS.LOCAL
# dns_lookup_realm = false    # all of these entries have been used for testing and are commented out now
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# forwardable = yes
# default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC


[realms]
ADMIN.CYTEWORKS.LOCAL = {
  kdc = cyteworks.admin.cyteworks.local
  admin_server = cyteworks.admin.cyteworks.local
  default_domain = ADMIN.CYTEWORKS.LOCAL
 }

[domain_realm]
 .cyteworks.local = ADMIN.CYTEWORKS.LOCAL
 cyteworks.local = ADMIN.CYTEWORKS.LOCAL

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/samba/smb.conf

#======================= Global Settings =====================================

[global]

        idmap uid = 200000 - 300000
        idmap gid = 200000 - 300000
        workgroup = ADMIN
;       netbios name = cyteworks

        realm = ADMIN.CYTEWORKS.LOCAL
        server string = Samba Server Version %v
        security = ads
        local master = no
        domain master = no
        preferred master = no

        winbind separator = +
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes

;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
        hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50

# ----------------------- Domain Members Options ------------------------

;       password server = *


        security = ads
;       passdb backend = tdbsam
        realm = ADMIN.CYTEWORKS.LOCAL

;       password server = 10.12.1.40


Everything else is commented out in smb.conf.  Don't need any printers, no shares, etc.

/etc/raddb/radius.conf:

# -*- text -*-
##
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

name = radiusd

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

user = radiusd
group = radiusd

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {
        type = auth

        ipaddr = *

        port = 0

        clients = per_socket_clients
}

listen {
        ipaddr = *
        port = 0
        type = acct
        clients = per_socket_clients
}

hostname_lookups = no

allow_core_dumps = no

regular_expressions     = yes
extended_expressions    = yes

log {
        destination = files

        file = ${logdir}/radius.log

        syslog_facility = daemon

        stripped_names = yes

        auth = yes

        auth_badpass = yes
        auth_goodpass = yes

}

checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200

        reject_delay = 2

        status_server = yes
}


proxy_requests  = no

$INCLUDE clients.conf

thread pool {
        start_servers = 5

        max_servers = 32

        min_spare_servers = 3
        max_spare_servers = 10

        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/

        $INCLUDE eap.conf
}

instantiate {
        exec

        expr

        expiration
        logintime
}

$INCLUDE policy.conf

$INCLUDE sites-enabled/

/etc/raddb/clients.conf:

# -*- text -*-
##
## clients.conf -- client configuration directives
##

client localhost {
        ipaddr = 127.0.0.1

        secret          = somesecret

        require_message_authenticator = yes

        shortname       = localhost

        nastype     = other     # localhost isn't usually a NAS...

}

clients per_socket_clients {


        client 127.0.0.1 {
                secret = somesecret
        }

# Juniper - ESR - 01.24.11

        client 192.168.20.254 {
                secret = somesecret
                shortname = juniper
                nastype = netscreen
        }

# Dell PowerConnect 3448 - ESR - 02.01.11

        client 10.12.1.11 {
                secret = somesecret
                shortname = dpc3448
                nastype = other
        }
}

/etc/raddb/users

# -*- text -*-
#
#       Copyright (C) 2009 Deploying RADIUS Partnerships
#       All rights reserved.
#
#       Save this file as "raddb/users", after first backing up
#       the copy that you have there.
#
#       http://deployingradius.com/documents/configuration/pap.html
#
#  Window 1: radiusd -X
#  Window 2: radtest bob hello localhost 0 testing123
#

# ntlm_auth testing ESR 02.17.11

DEFAULT     Auth-Type = ntlm_auth



#************************ Juniper conf
# - ESR - 01.24.11

#some.user Cleartext-Password := "somepass"
#       NS-Admin-Privilege := 4,
#       NS-VSYS-Name := "Read-Only-Admin"

#some.user Cleartext-Password := "somepass
#       NS-Admin-Privilege := 2,
#       NS-VSYS-Name := "ROOT"


# End of the file

I commented out the PAP entries in the users file because one of the users has the same user.name in AD but a different password, and that was causing me some conflict.

So, can anyone tell me why I'm not getting an NT_KEY reply when I issue the ntlm_auth command?

Is the missing key the reason the radtest command is failing?  See any other glaring errors?

Thanks for your time.

E Rossiter
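Added example (not code from the post, from FreeRADIUS or from Samba): the two ways FreeRADIUS consumes ntlm_auth behave differently, and the script below models both so the debug output above can be read against them. With `Auth-Type = ntlm_auth` the exec module runs ntlm_auth with the plaintext `User-Password` and decides purely on the exit status; ntlm_auth in that mode prints `NT_STATUS_OK` and never prints an `NT_KEY` line, so a missing key is not what makes that path reject, whereas a usage screen with exit status 1 is. Only the `mschap` module (challenge/response mode, `--challenge` and `--nt-response`) requires an `NT_KEY: <32 hex digits>` first line, and the value it expects there is the MD4 of the NT hash (the NT "user session key" that rlm_mschap feeds into MPPE key derivation), which the script computes offline so a practitioner can cross-check what winbind returns for a known password. Assumptions, not taken from the post: the exit-status-to-rcode table is reproduced from memory of FreeRADIUS 2.x rlm_exec, the NT_KEY parsing is an approximation of rlm_mschap's check, and the sample output strings are constructed to mirror the log above. MD4 is written out because hashlib on OpenSSL 3 builds frequently has it disabled.

```python
"""Model of how FreeRADIUS reads ntlm_auth output (example code, not the project's own)."""
import re
import struct

# 1. rlm_exec path ("Auth-Type = ntlm_auth"): plaintext password, verdict from the
#    exit status alone.  Mapping as in FreeRADIUS 2.x rlm_exec (stated from memory;
#    treat as an assumption and check against your installed version).
EXEC_RCODES = {0: "ok", 1: "reject", 2: "fail", 3: "ok", 4: "handled",
               5: "invalid", 6: "userlock", 7: "notfound", 8: "noop", 9: "updated"}

def exec_auth_result(exit_status: int) -> str:
    """rcode the exec module returns for a given ntlm_auth exit status."""
    return EXEC_RCODES.get(exit_status, "fail")

# 2. rlm_mschap path: challenge/response mode.  The module requires the first output
#    line to be "NT_KEY: " followed by 32 hex digits; anything else is a reject.
NT_KEY_LINE = re.compile(r"^NT_KEY: ([0-9A-Fa-f]{32})\s*$")

def mschap_parse_nt_key(output: str):
    """Return the 16-byte NT key if ntlm_auth printed one, else None."""
    first = output.splitlines()[0] if output else ""
    m = NT_KEY_LINE.match(first)
    return bytes.fromhex(m.group(1)) if m else None

# 3. Offline reference value for the NT_KEY ntlm_auth should hand back.
def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python; hashlib's md4 is often unavailable under OpenSSL 3)."""
    mask = 0xFFFFFFFF
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & mask
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # pad: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[idx] + k) & mask, shifts[i % 4]), b, c
        h = [(v + w) & mask for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))

def expected_nt_key(password: str) -> bytes:
    """NT user session key = MD4(NT hash); what ntlm_auth --request-nt-key reports."""
    return md4(nt_hash(password))

if __name__ == "__main__":
    # Constructed sample outputs modelled on the post's debug log (not captured data).
    plaintext_ok = "NT_STATUS_OK: Success (0x0)\n"
    usage_screen = "username must be specified!\n\nUsage: [OPTION...]\n  --username=STRING   username\n"
    print("exec path, exit 0  ->", exec_auth_result(0),
          "| NT_KEY in plaintext-mode output:", mschap_parse_nt_key(plaintext_ok))
    print("exec path, exit 1  ->", exec_auth_result(1),
          "| first output line:", usage_screen.splitlines()[0])
    key = expected_nt_key("somepass")
    parsed = mschap_parse_nt_key(f"NT_KEY: {key.hex().upper()}\n")
    print("mschap path        -> NT_KEY", parsed.hex(), "(matches MD4(NT hash):", parsed == key, ")")
```

To compare against a live winbind, run ntlm_auth in challenge/response mode (`--request-nt-key` together with `--challenge` and `--nt-response` for the account) and check that the `NT_KEY:` line equals `expected_nt_key(password).hex()` for that account's password; a plaintext `--password` run will succeed with `NT_STATUS_OK` and, by design, print no key.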




