ntlm_auth works but not radtest

Scott McLane Gardner sgardne at uark.edu
Mon Mar 5 22:13:38 CET 2012


I'm attempting to follow the guide at http://deployingradius.com/ Things
were going very well until I tried to set up Active Directory
authentication. Testing with ntlm_auth, I get a success:

$ ntlm_auth --request-nt-key --domain=MYDOMAIN --username=myuname --password=mypass
NT_STATUS_OK: Success (0x0)


But when I test with radtest it fails. I'm not sure I understand all of
the debug output, but I think maybe it has to do with it thinking the realm
is NULL. I have set it up in both smb.conf and krb5.conf as well as in the
mschap module of freeradius. I am using freeradius version 2.1.10 on
Ubuntu 11.10. Here's the output from the command line as well as the debug
output:

$ radtest -t mschap myuname mypass localhost 0 testing123
Sending Access-Request of id 99 to 127.0.0.1 port 1812
	User-Name = "myuname"
	NAS-IP-Address = <mynasip>
	NAS-Port = 0
	MS-CHAP-Challenge = 0xb89b59d41385c67c
	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003edd0cff110926a15d402f5204078f2d78d908e773c3a9c6
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=99, length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 42379, id=209, length=115
	User-Name = "myuname"
	NAS-IP-Address = <mynasip>
	NAS-Port = 0
	MS-CHAP-Challenge = 0x09d5dfb63fba5357
	MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000000704b6897326b27adb243658c300fcd922f008014ee7e25b
Mon Mar  5 14:45:54 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Mar  5 14:45:54 2012 : Info: +- entering group authorize {...}
Mon Mar  5 14:45:54 2012 : Info: ++[preprocess] returns ok
Mon Mar  5 14:45:54 2012 : Info: ++[chap] returns noop
Mon Mar  5 14:45:54 2012 : Info: [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
Mon Mar  5 14:45:54 2012 : Info: ++[mschap] returns ok
Mon Mar  5 14:45:54 2012 : Info: ++[digest] returns noop
Mon Mar  5 14:45:54 2012 : Info: [suffix] No '@' in User-Name = "myuname", looking up realm NULL
Mon Mar  5 14:45:54 2012 : Info: [suffix] No such realm "NULL"
Mon Mar  5 14:45:54 2012 : Info: ++[suffix] returns noop
Mon Mar  5 14:45:54 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Mar  5 14:45:54 2012 : Info: ++[eap] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[files] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[expiration] returns noop
Mon Mar  5 14:45:54 2012 : Info: ++[logintime] returns noop
Mon Mar  5 14:45:54 2012 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Mon Mar  5 14:45:54 2012 : Info: ++[pap] returns noop
Mon Mar  5 14:45:54 2012 : Info: Found Auth-Type = MSCHAP
Mon Mar  5 14:45:54 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Mar  5 14:45:54 2012 : Info: +- entering group MS-CHAP {...}
Mon Mar  5 14:45:54 2012 : Info: [mschap] Told to do MS-CHAPv1 with NT-Password
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	expand: %{Stripped-User-Name} -> 
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	... expanding second conditional
Mon Mar  5 14:45:54 2012 : Info: [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	expand: %{User-Name:-None} -> myuname
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=myuname
Mon Mar  5 14:45:54 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	expand: %{mschap:NT-DOMAIN} ->
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	... expanding second conditional
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	expand: --domain=%{%{mschap:NT-DOMAIN}:-MYDOMAIN} -> --domain=MYDOMAIN
Mon Mar  5 14:45:54 2012 : Info: [mschap]  mschap1: 09
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=09d5dfb63fba5357
Mon Mar  5 14:45:54 2012 : Info: [mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0704b6897326b27adb243658c300fcd922f008014ee7e25b
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
Mon Mar  5 14:45:55 2012 : Debug: Exec-Program: returned: 1
Mon Mar  5 14:45:55 2012 : Info: [mschap] External script failed.
Mon Mar  5 14:45:55 2012 : Info: [mschap] MS-CHAP-Response is incorrect.
Mon Mar  5 14:45:55 2012 : Info: ++[mschap] returns reject
Mon Mar  5 14:45:55 2012 : Info: Failed to authenticate the user.
Mon Mar  5 14:45:55 2012 : Info: Using Post-Auth-Type Reject
Mon Mar  5 14:45:55 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Mar  5 14:45:55 2012 : Info: +- entering group REJECT {...}
Mon Mar  5 14:45:55 2012 : Info: [attr_filter.access_reject] 	expand: %{User-Name} -> myuname
Mon Mar  5 14:45:55 2012 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Mon Mar  5 14:45:55 2012 : Info: ++[attr_filter.access_reject] returns updated
Mon Mar  5 14:45:55 2012 : Info: Delaying reject of request 0 for 1 seconds
Mon Mar  5 14:45:55 2012 : Debug: Going to the next request
Mon Mar  5 14:45:55 2012 : Debug: Waking up in 0.9 seconds.
Mon Mar  5 14:45:55 2012 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 209 to 127.0.0.1 port 42379
Mon Mar  5 14:45:55 2012 : Debug: Waking up in 4.9 seconds.
Mon Mar  5 14:46:01 2012 : Info: Cleaning up request 0 ID 209 with timestamp +10
Mon Mar  5 14:46:01 2012 : Info: Ready to process requests.
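The debug output above does not end in a password mismatch but in winbind refusing the privileged pipe (0xc0000022) and pointing at the permissions on the winbindd_privileged directory. The following check is an added example, not code from the original post or from FreeRADIUS/Samba; it assumes the daemon account is `freerad` (the Ubuntu package default, not stated in the post) and a Linux `stat` that accepts `-c`.

```shell
#!/bin/sh
# Added example, not from the original post.
# Checks whether DIR (the winbindd privileged socket directory named in the
# debug output) is reachable by USER, the account the RADIUS daemon runs as.
# Assumes GNU or BusyBox stat. Returns 0 when access looks right, 1 otherwise.
#
# Usage: check_winbind_priv_dir /var/run/samba/winbindd_privileged freerad
check_winbind_priv_dir() {
    dir=$1
    user=$2

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory (is winbindd running?)" >&2
        return 1
    fi

    grp=$(stat -c '%G' "$dir")         # group owner, e.g. winbindd_priv
    perms=$(stat -c '%A' "$dir")       # symbolic mode, e.g. drwxr-x---

    # The directory is normally root-owned, so the daemon reaches the socket
    # through the group: the group execute bit (7th character) must be set ...
    case $perms in
        ??????[xs]*) ;;
        *)
            echo "FAIL: group '$grp' has no execute bit on $dir ($perms)" >&2
            return 1 ;;
    esac

    # ... and USER must be a member of that group.
    groups=$(id -nG "$user" 2>/dev/null) || {
        echo "FAIL: no such user '$user'" >&2
        return 1
    }
    case " $groups " in
        *" $grp "*)
            echo "OK: $user is in group '$grp'; $dir is $perms" >&2
            return 0 ;;
        *)
            echo "FAIL: $user is not in group '$grp'" >&2
            echo "      fix: usermod -a -G $grp $user, then restart freeradius" >&2
            return 1 ;;
    esac
}
```

Run it as root on the RADIUS host after winbind has started; a FAIL from the last case is the usual cause of the "not authorized to use winbindd_pam_auth_crap" message.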