New User and AD Question
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 2 13:31:18 CET 2011
On 02/03/11 12:09, McNutt, Justin M. wrote:
>> These look like MS-CHAP machine-auth usernames; have you considered
>> using:
>>
>> %{mschap:User-Name} %{mschap:NT-Domain}
>>
>> The mschap module has special handling for host/ names, and these
>> will expand:
>>
>> host/name.domain.com
>>
>> to:
>>
>> name$ domain.com
>>
>> The trailing dollar sign on the hostname is intentional; SAM
>> account names for machines conventionally end in $ in windows.
>
> I'm aware of all of this. The problem is, it doesn't seem to be
> actually working. Here's the ntlm_auth command I'm using:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> Note use of "%{mschap:User-Name}" and "%{mschap:NT-Domain}". Despite
> this, "host/computer.domain" login attempts always fail. Hence,
> trying to do the translation manually via a regex and update
> clauses.
In the most recent debug I see you posted (16:36 yesterday) it's failing
because:
[eap] Request is supposed to be proxied to Realm $2. Not doing EAP.
++[eap] returns noop
...then later:
WARNING: You set Proxy-To-Realm = $2, but the realm does not exist!
Cancelling invalid proxy request.
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
You tried to use a regexp to parse the username (usually a mistake IMHO)
and put the "domain" bit into the "Proxy-To-Realm" attribute but
Proxy-To-Realm instructs the server to do just that - which cancels
local authentication.
Reading back through the thread, it seems like there is some confusion
between "domain" in the Windows NT/Active Directory sense, and "domain"
as a "Realm", which is a concept used in Radius proxying.
I'm going to take a guess and assume you don't really need to do
proxying, and were just trying to use the "realm" module to strip off
the "host/...domain.com" bits, and have gotten a bit tangled.
Don't set "Realm" or "Proxy-To-Realm" unless you want the radius packet
to be sent to a different radius server.
Make sure you're using "%{mschap:User-Name}" everywhere that NT domain
usernames might exist - in the "ldap" module filter, for starters.
At this point, you may find it easier to revert to the default configs
and start from scratch, one change at a time and keeping the configs in
version control.
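As an added illustration (not Phil's or the FreeRADIUS project's own configuration; the regex shape, the server name and the base DN are assumed), this is how the advice above looks in a FreeRADIUS 2.x config: the regex/Proxy-To-Realm block that cancels local authentication is shown commented out, and the mschap and ldap modules are left to do the host/ translation themselves. The same applies in sites-enabled/inner-tunnel, which handles the inner EAP-MSCHAPv2 request for PEAP machine auth.

```text
# raddb/sites-enabled/default (FreeRADIUS 2.x), authorize section.
authorize {
    # Wrong: Proxy-To-Realm names a RADIUS realm, not an AD domain.
    # Setting it from the username tells the server to forward the
    # packet elsewhere; with no such realm defined the request is
    # rejected before any local authentication runs.
    #
    #   if (User-Name =~ /^host\/([^.]+)\.(.+)$/) {    # assumed regex
    #       update control {
    #           Proxy-To-Realm := "%{2}"
    #       }
    #   }

    # Right: let mschap set Auth-Type := MS-CHAP and expand the name,
    # then look the account up with that expansion.
    mschap
    ldap
}

# raddb/modules/ldap: search by SAM account name.
# For User-Name "host/pc1.example.com", %{mschap:User-Name} expands
# to "pc1$" and %{mschap:NT-Domain} to "example.com" (see the thread).
ldap {
    server = "dc1.example.com"        # assumed domain controller
    basedn = "dc=example,dc=com"      # assumed base DN
    filter = "(sAMAccountName=%{mschap:User-Name})"
}

# raddb/modules/mschap: the ntlm_auth line from the thread, unchanged.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Run `radiusd -X` after the change and confirm the debug no longer shows "Request is supposed to be proxied to Realm" and that the ldap filter is expanded with the "name$" form.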