FR/AD integration
E Rossiter
phedup at gmail.com
Sat Feb 19 02:23:35 CET 2011
That ntlm_auth line should have read:
ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL
--username=sambatest --password=Thursday77
which is a test account. The other account and passwd have been promptly
nuked.
Sorry bout that folks.
E-
On Fri, Feb 18, 2011 at 6:11 PM, E Rossiter <phedup at gmail.com> wrote:
> Trying to use FR to query AD as an authentication oracle and set up per the
> docs at
> http://deployingradius.com/documents/configuration/active_directory.html and
> several others pertaining to setting up Kerberos and winbind.
>
> smb/krb/winbind all run. The usual testing commands all produce the proper
> output. wbinfo, kbinit, kblist, net join, etc.
>
> FreeRADIUS Version 2.1.7,
> CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
> Samba Version 3.3.8-0.52.el5_5.2
> KRB5
>
> I have been able to authenticate and authorize accounts using PAP via a
> Juniper device and a Dell PC 3448. Am now trying to expand beyond PAP and
> use ntlm_auth and eventually MSCHAP.
>
> Upon issuing the command:
>
> ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL
> --username=eric.rossiter --password=Cyt3w0rk5
>
> I receive : NT_STATUS_OK: Success (0x0) but I do not see any reference to
> an NT_KEY:
>
> I believe that's why the radtest command is failing:
>
> radtest sambatest somepass localhost 0 somesecret
> Sending Access-Request of id 225 to 127.0.0.1 port 1812
> User-Name = "sambatest"
> User-Password = "somepass"
> NAS-IP-Address = 64.126.127.208
> NAS-Port = 0
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225,
> length=20
>
> Been reading and researching and testing for 3 weeks, but I'm stuck now.
>
> radius -X output:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4,
> length=61
> User-Name = "sambatest"
> User-Password = "somepass"
> NAS-IP-Address = 64.126.127.208
> NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log] expand:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log] expand: %t -> Fri Feb 18 17:19:10 2011
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "sambatest", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 17
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = ntlm_auth
> +- entering group authenticate {...}
> [ntlm_auth] expand: --username=%{mschap:User-Name} ->
> --username=sambatest
> [ntlm_auth] expand: --password=%{User-Password} -> --password=somepass
> username must be specified! *# don't understand this... username is two
> lines up* If I shut down winbind, a winbind error precedes "username must
> be specified! " don't understand # why samba is puking a help screen?
>
> Usage: [OPTION...]
> --helper-protocol=helper protocol to use operate as a stdio-based
> helper
> --username=STRING username
> --domain=STRING domain name
> --workstation=STRING workstation
> --challenge=STRING challenge (HEX encoded)
> --lm-response=STRING LM Response to the challenge
> (HEX encoded)
> --nt-response=STRING NT or NTLMv2 Response to the
> challenge (HEX encoded)
> --password=STRING User's plaintext password
> --request-lm-key Retrieve LM session key
> --request-nt-key Retrieve User (NT) session
> key
> --use-cached-creds Use cached credentials if no
> password is given
> --diagnostics Perform diagnostics on the
> authentictaion chain
> --require-membership-of=STRING Require that a user be a
> member
> of this group (either name
> or
> SID) for authentication to
> succeed
>
> Help options:
> -?, --help Show this help message
> --usage Display brief usage message
>
> Common samba config:
> --configfile=CONFIGFILE Use alternate configuration
> file
>
> Common samba options:
> -V, --version Print version
> Exec-Program output:
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Failed to authenticate the user.
> Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> sambatest
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 2 for 2 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Waking up in 0.9 seconds.
> Sending delayed reject for request 2
> Sending Access-Reject of id 4 to 127.0.0.1 port 39195
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 4 with timestamp +349
> Ready to process requests.
> wbin^H^H^Hrad_recv: Access-Request packet from host 127.0.0.1 port 57210,
> id=225, length=61
> User-Name = "sambatest"
> User-Password = "somepass"
> NAS-IP-Address = 64.126.127.208
> NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log] expand:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log] expand: %t -> Fri Feb 18 17:32:09 2011
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "sambatest", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 17
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = ntlm_auth
> +- entering group authenticate {...}
> [ntlm_auth] expand: --username=%{mschap:User-Name} ->
> --username=sambatest
> [ntlm_auth] expand: --password=%{User-Password} ->
> --password=Thursday77
> username must be specified!
>
> Usage: [OPTION...]
> --helper-protocol=helper protocol to use operate as a stdio-based
> helper
> --username=STRING username
> --domain=STRING domain name
> --workstation=STRING workstation
> --challenge=STRING challenge (HEX encoded)
> --lm-response=STRING LM Response to the challenge
> (HEX encoded)
> --nt-response=STRING NT or NTLMv2 Response to the
> challenge (HEX encoded)
> --password=STRING User's plaintext password
> --request-lm-key Retrieve LM session key
> --request-nt-key Retrieve User (NT) session
> key
> --use-cached-creds Use cached credentials if no
> password is given
> --diagnostics Perform diagnostics on the
> authentictaion chain
> --require-membership-of=STRING Require that a user be a
> member
> of this group (either name
> or
> SID) for authentication to
> succeed
>
> Help options:
> -?, --help Show this help message
> --usage Display brief usage message
>
> Common samba config:
> --configfile=CONFIGFILE Use alternate configuration
> file
>
> Common samba options:
> -V, --version Print version
> Exec-Program output:
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Failed to authenticate the user.
> Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> sambatest
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 3 for 2 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Waking up in 0.9 seconds.
> Sending delayed reject for request 3
> Sending Access-Reject of id 225 to 127.0.0.1 port 57210
> Waking up in 4.9 seconds.
> Cleaning up request 3 ID 225 with timestamp +1128
> Ready to process requests.
>
> /etc/krb.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = ADMIN.CYTEWORKS.LOCAL
> # dns_lookup_realm = false # all of these entries have been used for
> testing and are commented out now
> # dns_lookup_kdc = true
> # ticket_lifetime = 24h
> # forwardable = yes
> # default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> # default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> # preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>
>
> [realms]
> ADMIN.CYTEWORKS.LOCAL = {
> kdc = cyteworks.admin.cyteworks.local
> admin_server = cyteworks.admin.cyteworks.local
> default_domain = ADMIN.CYTEWORKS.LOCAL
> }
>
> [domain_realm]
> .cyteworks.local = ADMIN.CYTEWORKS.LOCAL
> cyteworks.local = ADMIN.CYTEWORKS.LOCAL
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> /etc/samba/smb.conf
>
> #======================= Global Settings
> =====================================
>
> [global]
>
> idmap uid = 200000 - 300000
> idmap gid = 200000 - 300000
> workgroup = ADMIN
> ; netbios name = cyteworks
>
> realm = ADMIN.CYTEWORKS.LOCAL
> server string = Samba Server Version %v
> security = ads
> local master = no
> domain master = no
> preferred master = no
>
> winbind separator = +
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
>
> ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
> hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3.
> 10.12.4 10.88.8
>
> # --------------------------- Logging Options -----------------------------
> #
> # Log File let you specify where to put logs and how to split them up.
> #
> # Max Log Size let you specify the max size log files should reach
>
> # logs split per machine
> log file = /var/log/samba/log.%m
> # max 50KB per log file, then rotate
> max log size = 50
>
> # ----------------------- Domain Members Options ------------------------
>
> ; password server = *
>
>
> security = ads
> ; passdb backend = tdbsam
> realm = ADMIN.CYTEWORKS.LOCAL
>
> ; password server = 10.12.1.40
>
>
> Everything else is commented out in smb.conf. Don't need any printers, no
> shares, etc.
>
> /etc/raddb/radius.conf:
>
> # -*- text -*-
> ##
> #
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = /usr/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
>
> name = radiusd
>
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/${name}
>
> db_dir = ${raddbdir}
>
> libdir = /usr/lib/freeradius
>
> pidfile = ${run_dir}/${name}.pid
>
> user = radiusd
> group = radiusd
>
> max_request_time = 30
>
> cleanup_delay = 5
>
> max_requests = 1024
>
> listen {
> type = auth
>
> ipaddr = *
>
> port = 0
>
> clients = per_socket_clients
> }
>
> listen {
> ipaddr = *
> port = 0
> type = acct
> clients = per_socket_clients
> }
>
> hostname_lookups = no
>
> allow_core_dumps = no
>
> regular_expressions = yes
> extended_expressions = yes
>
> log {
> destination = files
>
> file = ${logdir}/radius.log
>
> syslog_facility = daemon
>
> stripped_names = yes
>
> auth = yes
>
> auth_badpass = yes
> auth_goodpass = yes
>
> }
>
> checkrad = ${sbindir}/checkrad
>
> security {
> max_attributes = 200
>
> reject_delay = 2
>
> status_server = yes
> }
>
>
> proxy_requests = no
>
> $INCLUDE clients.conf
>
> thread pool {
> start_servers = 5
>
> max_servers = 32
>
> min_spare_servers = 3
> max_spare_servers = 10
>
> max_requests_per_server = 0
> }
>
> modules {
> $INCLUDE ${confdir}/modules/
>
> $INCLUDE eap.conf
> }
>
> instantiate {
> exec
>
> expr
>
> expiration
> logintime
> }
>
> $INCLUDE policy.conf
>
> $INCLUDE sites-enabled/
>
> /etc/raddb/clients.conf:
>
> # -*- text -*-
> ##
> ## clients.conf -- client configuration directives
> ##
>
> client localhost {
> ipaddr = 127.0.0.1
>
> secret = somesecret
>
> require_message_authenticator = yes
>
> shortname = localhost
>
> nastype = other # localhost isn't usually a NAS...
>
> }
>
> clients per_socket_clients {
>
>
> client 127.0.0.1 {
> secret = somesecret
> }
>
> # Juniper - ESR - 01.24.11
>
> client 192.168.20.254 {
> secret = somesecret
> shortname = juniper
> nastype = netscreen
> }
>
> # Dell PowerConnect 3448 - ESR - 02.01.11
>
> client 10.12.1.11 {
> secret = somesecret
> shortname = dpc3448
> nastype = other
> }
> }
>
> /etc/raddb/users
>
> # -*- text -*-
> #
> # Copyright (C) 2009 Deploying RADIUS Partnerships
> # All rights reserved.
> #
> # Save this file as "raddb/users", after first backing up
> # the copy that you have there.
> #
> # http://deployingradius.com/documents/configuration/pap.html
> #
> # Window 1: radiusd -X
> # Window 2: radtest bob hello localhost 0 testing123
> #
>
> # ntlm_auth testing ESR 02.17.11
>
> DEFAULT Auth-Type = ntlm_auth
>
>
>
> #************************ Juniper conf
> # - ESR - 01.24.11
>
> #some.user Cleartext-Password := "somepass"
> # NS-Admin-Privilege := 4,
> # NS-VSYS-Name := "Read-Only-Admin"
>
> #some.user Cleartext-Password := "somepass
> # NS-Admin-Privilege := 2,
> # NS-VSYS-Name := "ROOT"
>
>
> # End of the file
>
> I commented out the PAP entries in the users file because one of the users
> has the same user.name in AD but a different password, and that was
> causing me some conflict.
>
> So, can anyone tell me why I'm not getting an *NT_KEY* reply when I issue
> the *ntlm_auth* command?
>
> Is the missing key the reason the *radtest* command is failing? See any
> other glaring errors?
>
> Thanks for your time.
>
> E Rossiter
>
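The radiusd -X traces above show the failure mode worth separating out when troubleshooting or alerting on exec-based authentication: the helper printed its usage text ("username must be specified!") before returning 1, which points at the arguments reaching ntlm_auth rather than at a wrong password. The parser below is an added example, not code from the thread or from FreeRADIUS; it splits debug output into per-packet-id records (so a delayed reject logged after the next request starts is attributed to the right request) and flags rejects that carry a helper usage error. The sample input is constructed by condensing the trace from the post.

```python
import re

# Constructed sample, condensed from the radiusd -X excerpt in the post above.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
User-Name = "sambatest"
Found Auth-Type = ntlm_auth
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=sambatest
username must be specified!
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
"""

REQ = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
USER = re.compile(r'^\s*User-Name = "([^"]*)"')
AUTH = re.compile(r"^Found Auth-Type = (\S+)")
MOD = re.compile(r"^\+\+\[([^\]]+)\] returns (\S+)")
EXEC = re.compile(r"^Exec-Program: returned: (\d+)")
REPLY = re.compile(r"^Sending (Access-\w+) of id (\d+)")
USAGE = re.compile(r"must be specified!|^Usage: \[OPTION")  # helper's usage text

def parse_debug(text):
    """Return {packet id: record} from radiusd -X output. Keyed by packet id because
    a delayed reject (reject_delay) is logged after the next request has started."""
    reqs, cur = {}, None
    for line in text.splitlines():
        if m := REQ.match(line):
            cur = {"client": m[1], "user": None, "auth_type": None, "modules": {},
                   "exec_rc": None, "helper_usage_error": False, "reply": None}
            reqs[int(m[2])] = cur
        elif (m := REPLY.match(line)) and int(m[2]) in reqs:
            reqs[int(m[2])]["reply"] = m[1]        # may belong to an earlier id
        elif cur is None:
            continue
        elif m := USER.match(line):
            cur["user"] = m[1]
        elif m := AUTH.match(line):
            cur["auth_type"] = m[1]
        elif m := MOD.match(line):
            cur["modules"][m[1]] = m[2]            # e.g. ntlm_auth -> reject
        elif m := EXEC.match(line):
            cur["exec_rc"] = int(m[1])
        elif USAGE.search(line):
            cur["helper_usage_error"] = True       # argument fault, not a bad password
    return reqs

def helper_misconfig_rejects(reqs):
    """Rejects where the exec helper printed its usage text: the arguments that
    reached the program were wrong, which is a config fault, not a credential one."""
    return [(rid, r["user"], r["auth_type"], r["exec_rc"]) for rid, r in reqs.items()
            if r["reply"] == "Access-Reject" and r["helper_usage_error"]]
```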