FR/AD integration

E Rossiter phedup at gmail.com
Sat Feb 19 02:23:35 CET 2011


That ntlm_auth line should have read:

ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL
--username=sambatest --password=Thursday77

which is a test account.  The other account and passwd has been promptly
nuked.

Sorry bout that folks.

E-

On Fri, Feb 18, 2011 at 6:11 PM, E Rossiter <phedup at gmail.com> wrote:

> Trying to use FR to query AD as an authentication oracle and set up per the
> docs at
> http://deployingradius.com/documents/configuration/active_directory.html
> and several others pertaining to setting up Kerberos and winbind.
>
> smb/krb/winbind all run.  The usual testing commands all produce the proper
> output.  wbinfo, kbinit, kblist, net join, etc.
>
> FreeRADIUS Version 2.1.7,
> CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
> Samba Version 3.3.8-0.52.el5_5.2
> KRB5
>
> I have been able to authenticate and authorize accounts using PAP via a
> Juniper device and a Dell PC 3448.  Am now trying to expand beyond PAP and
> use ntlm_auth and eventually MSCHAP.
>
> Upon issuing the command:
>
> ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL
> --username=eric.rossiter --password=Cyt3w0rk5
>
> I receive : NT_STATUS_OK: Success (0x0)  but I do not see any reference to
> an NT_KEY:
>
> I believe that's why the radtest command is failing:
>
>  radtest sambatest somepass localhost 0 somesecret
> Sending Access-Request of id 225 to 127.0.0.1 port 1812
>         User-Name = "sambatest"
>         User-Password = "somepass"
>         NAS-IP-Address = 64.126.127.208
>         NAS-Port = 0
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225,
> length=20
>
> Been reading and researching and testing for 3 weeks, but I'm stuck now.
>
> radius -X output:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4,
> length=61
>         User-Name = "sambatest"
>         User-Password = "somepass"
>         NAS-IP-Address = 64.126.127.208
>         NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log]      expand: %t -> Fri Feb 18 17:19:10 2011
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "sambatest", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 17
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = ntlm_auth
> +- entering group authenticate {...}
> [ntlm_auth]     expand: --username=%{mschap:User-Name} ->
> --username=sambatest
> [ntlm_auth]     expand: --password=%{User-Password} -> --password=somepass
> username must be specified! *# don't understand this...  username is two
> lines up*  If I shut down winbind, a winbind error precedes "username must
> be specified!" don't understand  # why samba is puking a help screen?
>
> Usage: [OPTION...]
>   --helper-protocol=helper protocol to use     operate as a stdio-based
> helper
>   --username=STRING                            username
>   --domain=STRING                              domain name
>   --workstation=STRING                         workstation
>   --challenge=STRING                           challenge (HEX encoded)
>   --lm-response=STRING                         LM Response to the challenge
>                                                (HEX encoded)
>   --nt-response=STRING                         NT or NTLMv2 Response to the
>                                                challenge (HEX encoded)
>   --password=STRING                            User's plaintext password
>   --request-lm-key                             Retrieve LM session key
>   --request-nt-key                             Retrieve User (NT) session
> key
>   --use-cached-creds                           Use cached credentials if no
>                                                password is given
>   --diagnostics                                Perform diagnostics on the
>                                                authentictaion chain
>   --require-membership-of=STRING               Require that a user be a
> member
>                                                of this group (either name
> or
>                                                SID) for authentication to
>                                                succeed
>
> Help options:
>   -?, --help                                   Show this help message
>   --usage                                      Display brief usage message
>
> Common samba config:
>   --configfile=CONFIGFILE                      Use alternate configuration
> file
>
> Common samba options:
>   -V, --version                                Print version
> Exec-Program output:
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Failed to authenticate the user.
> Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> sambatest
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 2 for 2 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Waking up in 0.9 seconds.
> Sending delayed reject for request 2
> Sending Access-Reject of id 4 to 127.0.0.1 port 39195
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 4 with timestamp +349
> Ready to process requests.
> wbin^H^H^Hrad_recv: Access-Request packet from host 127.0.0.1 port 57210,
> id=225, length=61
>         User-Name = "sambatest"
>         User-Password = "somepass"
>         NAS-IP-Address = 64.126.127.208
>         NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand:
> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
> expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log]      expand: %t -> Fri Feb 18 17:32:09 2011
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "sambatest", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 17
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = ntlm_auth
> +- entering group authenticate {...}
> [ntlm_auth]     expand: --username=%{mschap:User-Name} ->
> --username=sambatest
> [ntlm_auth]     expand: --password=%{User-Password} ->
> --password=Thursday77
> username must be specified!
>
> Usage: [OPTION...]
>   --helper-protocol=helper protocol to use     operate as a stdio-based
> helper
>   --username=STRING                            username
>   --domain=STRING                              domain name
>   --workstation=STRING                         workstation
>   --challenge=STRING                           challenge (HEX encoded)
>   --lm-response=STRING                         LM Response to the challenge
>                                                (HEX encoded)
>   --nt-response=STRING                         NT or NTLMv2 Response to the
>                                                challenge (HEX encoded)
>   --password=STRING                            User's plaintext password
>   --request-lm-key                             Retrieve LM session key
>   --request-nt-key                             Retrieve User (NT) session
> key
>   --use-cached-creds                           Use cached credentials if no
>                                                password is given
>   --diagnostics                                Perform diagnostics on the
>                                                authentictaion chain
>   --require-membership-of=STRING               Require that a user be a
> member
>                                                of this group (either name
> or
>                                                SID) for authentication to
>                                                succeed
>
> Help options:
>   -?, --help                                   Show this help message
>   --usage                                      Display brief usage message
>
> Common samba config:
>   --configfile=CONFIGFILE                      Use alternate configuration
> file
>
> Common samba options:
>   -V, --version                                Print version
> Exec-Program output:
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Failed to authenticate the user.
> Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> sambatest
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 3 for 2 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Waking up in 0.9 seconds.
> Sending delayed reject for request 3
> Sending Access-Reject of id 225 to 127.0.0.1 port 57210
> Waking up in 4.9 seconds.
> Cleaning up request 3 ID 225 with timestamp +1128
> Ready to process requests.
>
> /etc/krb.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = ADMIN.CYTEWORKS.LOCAL
> # dns_lookup_realm = false    # all of these entries have been used for
> testing and are commented out now
> # dns_lookup_kdc = true
> # ticket_lifetime = 24h
> # forwardable = yes
> # default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> # default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> # preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>
>
> [realms]
> ADMIN.CYTEWORKS.LOCAL = {
>   kdc = cyteworks.admin.cyteworks.local
>   admin_server = cyteworks.admin.cyteworks.local
>   default_domain = ADMIN.CYTEWORKS.LOCAL
>  }
>
> [domain_realm]
>  .cyteworks.local = ADMIN.CYTEWORKS.LOCAL
>  cyteworks.local = ADMIN.CYTEWORKS.LOCAL
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
> /etc/samba/smb.conf
>
> #======================= Global Settings
> =====================================
>
> [global]
>
>         idmap uid = 200000 - 300000
>         idmap gid = 200000 - 300000
>         workgroup = ADMIN
> ;       netbios name = cyteworks
>
>         realm = ADMIN.CYTEWORKS.LOCAL
>         server string = Samba Server Version %v
>         security = ads
>         local master = no
>         domain master = no
>         preferred master = no
>
>         winbind separator = +
>         winbind uid = 10000-20000
>         winbind gid = 10000-20000
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>
> ;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
>         hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3.
> 10.12.4 10.88.8
>
> # --------------------------- Logging Options -----------------------------
> #
> # Log File let you specify where to put logs and how to split them up.
> #
> # Max Log Size let you specify the max size log files should reach
>
>         # logs split per machine
>         log file = /var/log/samba/log.%m
>         # max 50KB per log file, then rotate
>         max log size = 50
>
> # ----------------------- Domain Members Options ------------------------
>
> ;       password server = *
>
>
>         security = ads
> ;       passdb backend = tdbsam
>         realm = ADMIN.CYTEWORKS.LOCAL
>
> ;       password server = 10.12.1.40
>
>
> Everything else is commented out in smb.conf.  Don't need any printers, no
> shares, etc.
>
> /etc/raddb/radius.conf:
>
> # -*- text -*-
> ##
> #
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = /usr/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
>
> name = radiusd
>
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/${name}
>
> db_dir = ${raddbdir}
>
> libdir = /usr/lib/freeradius
>
> pidfile = ${run_dir}/${name}.pid
>
> user = radiusd
> group = radiusd
>
> max_request_time = 30
>
> cleanup_delay = 5
>
> max_requests = 1024
>
> listen {
>         type = auth
>
>         ipaddr = *
>
>         port = 0
>
>         clients = per_socket_clients
> }
>
> listen {
>         ipaddr = *
>         port = 0
>         type = acct
>         clients = per_socket_clients
> }
>
> hostname_lookups = no
>
> allow_core_dumps = no
>
> regular_expressions     = yes
> extended_expressions    = yes
>
> log {
>         destination = files
>
>         file = ${logdir}/radius.log
>
>         syslog_facility = daemon
>
>         stripped_names = yes
>
>         auth = yes
>
>         auth_badpass = yes
>         auth_goodpass = yes
>
> }
>
> checkrad = ${sbindir}/checkrad
>
> security {
>         max_attributes = 200
>
>         reject_delay = 2
>
>         status_server = yes
> }
>
>
> proxy_requests  = no
>
> $INCLUDE clients.conf
>
> thread pool {
>         start_servers = 5
>
>         max_servers = 32
>
>         min_spare_servers = 3
>         max_spare_servers = 10
>
>         max_requests_per_server = 0
> }
>
> modules {
>         $INCLUDE ${confdir}/modules/
>
>         $INCLUDE eap.conf
> }
>
> instantiate {
>         exec
>
>         expr
>
>         expiration
>         logintime
> }
>
> $INCLUDE policy.conf
>
> $INCLUDE sites-enabled/
>
> /etc/raddb/clients.conf:
>
> # -*- text -*-
> ##
> ## clients.conf -- client configuration directives
> ##
>
> client localhost {
>         ipaddr = 127.0.0.1
>
>         secret          = somesecret
>
>         require_message_authenticator = yes
>
>         shortname       = localhost
>
>         nastype     = other     # localhost isn't usually a NAS...
>
> }
>
> clients per_socket_clients {
>
>
>         client 127.0.0.1 {
>                 secret = somesecret
>         }
>
> # Juniper - ESR - 01.24.11
>
>         client 192.168.20.254 {
>                 secret = somesecret
>                 shortname = juniper
>                 nastype = netscreen
>         }
>
> # Dell PowerConnect 3448 - ESR - 02.01.11
>
>         client 10.12.1.11 {
>                 secret = somesecret
>                 shortname = dpc3448
>                 nastype = other
>         }
> }
>
> /etc/raddb/users
>
> # -*- text -*-
> #
> #       Copyright (C) 2009 Deploying RADIUS Partnerships
> #       All rights reserved.
> #
> #       Save this file as "raddb/users", after first backing up
> #       the copy that you have there.
> #
> #       http://deployingradius.com/documents/configuration/pap.html
> #
> #  Window 1: radiusd -X
> #  Window 2: radtest bob hello localhost 0 testing123
> #
>
> # ntlm_auth testing ESR 02.17.11
>
> DEFAULT     Auth-Type = ntlm_auth
>
>
>
> #************************ Juniper conf
> # - ESR - 01.24.11
>
> #some.user Cleartext-Password := "somepass"
> #       NS-Admin-Privilege := 4,
> #       NS-VSYS-Name := "Read-Only-Admin"
>
> #some.user Cleartext-Password := "somepass
> #       NS-Admin-Privilege := 2,
> #       NS-VSYS-Name := "ROOT"
>
>
> # End of the file
>
> I commented out the PAP entries in the users file because one of the users
> has the same user.name in AD but a different password, and that was
> causing me some conflict.
>
> So, can anyone tell me why I'm not getting an *NT_KEY* reply when I issue
> the *ntlm_auth* command?
>
> Is the missing key the reason the *radtest* command is failing?  See any
> other glaring errors?
>
> Thanks for your time.
>
> E Rossiter
>
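The follow-up at the top of this message exists because the original post carried a real domain password (in the ntlm_auth command line, in the `--password=` expansion, and in the `Login incorrect: [user/pass]` line of the `radiusd -X` output) and a client shared secret. The script below is an added example, not FreeRADIUS or Samba code, that redacts those secret-bearing shapes from a debug transcript or config before it is pasted to a list. The sample input is constructed to mirror the line shapes seen in this thread; `redact` and `leaked_secrets` are names chosen for this example.

```python
"""Redact secrets from FreeRADIUS 'radiusd -X' output and raddb config
before sharing it. Added example; not part of FreeRADIUS or Samba.
Each pattern keeps the identifying part of the line and replaces only
the secret value with <redacted>."""
import re

REDACTIONS = [
    # attribute dump in radiusd -X:      User-Password = "somepass"
    (re.compile(r'(User-Password\s*=\s*)"[^"\n]*"?'), r'\1"<redacted>"'),
    # users file entries:                Cleartext-Password := "somepass"
    (re.compile(r'(Cleartext-Password\s*:?=\s*)"[^"\n]*"?'), r'\1"<redacted>"'),
    # exec/ntlm_auth expansion:  --password=%{User-Password} -> --password=somepass
    # the lookahead leaves the unexpanded %{User-Password} template alone
    (re.compile(r'(--password=)(?!%\{)\S+'), r'\1<redacted>'),
    # reject log line:        Login incorrect: [sambatest/somepass] (from ...)
    (re.compile(r'(Login incorrect: \[[^/\]]*/)[^\]]*\]'), r'\1<redacted>]'),
    # clients.conf shared secret:        secret          = somesecret
    (re.compile(r'^(\s*secret\s*=\s*)\S+', re.M), r'\1<redacted>'),
    # radtest invocation:    radtest USER PASSWORD SERVER PORT SECRET
    (re.compile(r'(\bradtest\s+\S+\s+)\S+(\s+\S+\s+\d+\s+)\S+'),
     r'\1<redacted>\2<redacted>'),
]


def redact(text: str) -> str:
    """Apply every redaction pattern, in order, to the whole text."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def leaked_secrets(text: str, secrets: list[str]) -> list[str]:
    """Self-check: return the known secret strings that still appear
    verbatim in text (run this against the redacted output before posting)."""
    return [s for s in secrets if s in text]


# Constructed sample, shaped like the lines in the thread (values are made up).
SAMPLE = """\
ntlm_auth --request-nt-key --domain=EXAMPLE.LOCAL --username=sambatest --password=Thursday77
radtest sambatest somepass localhost 0 somesecret
        User-Name = "sambatest"
        User-Password = "somepass"
[ntlm_auth]     expand: --password=%{User-Password} -> --password=somepass
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
client localhost {
        secret          = somesecret
}
#some.user Cleartext-Password := "somepass
"""

if __name__ == "__main__":
    cleaned = redact(SAMPLE)
    print(cleaned)
    print("still leaking:", leaked_secrets(cleaned, ["somepass", "somesecret", "Thursday77"]))
```

Note the last sample line is deliberately missing its closing quote, as in the users file quoted above; the `"?` in the two quoted-value patterns handles that. Separately, the `log {}` block in the posted radiusd.conf has `auth_badpass = yes` and `auth_goodpass = yes`, which writes the cleartext password of every failed and successful request into `radius.log` as well, so the same redaction applies to that file, and turning both off avoids persisting passwords on disk at all.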