ntlm_auth not respected

Chris Parker cparkervt at me.com
Thu Aug 22 18:18:20 CEST 2013


Sorry for the individual emails, but I got things working with MSCHAP (w/ ntlm_auth) and WPA-EAP.
My issue was that when I got the two winbind errors, I did some more searching and there's the potential that the freerad user did not have access to the pipe named: /var/run/samba/winbindd
That pipe is owned as follows:

drwxr-x---  2 root winbindd_priv     60 Aug 22 11:15 winbindd_privileged/

That being the case, you need to add the user freerad to that group, so it can execute with the right privileges.

Sending Access-Request of id 52 to 127.0.0.1 port 1812
	User-Name = "wyse1"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	MS-CHAP-Challenge = 0xf38d9f1a3dcb27e9
	MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000941d3ff95601f8f335e7eff7c97e1abf28df15abd28b7fda
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=52, length=84
	MS-CHAP-MPPE-Keys = 0x0000000000000000d22b3a1df401aa61a721c8a31ba910820000000000000000
	MS-MPPE-Encryption-Policy = 0x00000001
	MS-MPPE-Encryption-Types = 0x00000006

Now, is it safe to disable modules (by commenting them out of the sites-enabled files) that aren't related to the MSCHAP process? This is just in passing curiosity.


On Aug 22, 2013, at 10:14 AM, Chris Parker <cparkervt at me.com> wrote:

> Thank you for setting me on the right track; I have followed the directions on http://deployingradius.com/documents/configuration/active_directory.html (the bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per those directions.
> When I run the ntlm_auth command manually, it works fine / as does running wbinfo -a
> 
> root at leopard:/etc/freeradius# wbinfo -a wyse1%K503D
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> 
> 
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 60046, id=111, length=113
> 	User-Name = "wyse1"
> 	NAS-IP-Address = 127.0.1.1
> 	NAS-Port = 1812
> 	MS-CHAP-Challenge = 0xe07a375bed09f1f7
> 	MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000065b157b183b4d29d455414b184c57af4912b1d74f4ed726
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "wyse1", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv1 with NT-Password
> [mschap] 	expand: %{Stripped-User-Name} -> 
> [mschap] 	... expanding second conditional
> [mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
> [mschap] 	expand: %{User-Name:-None} -> wyse1
> [mschap] 	expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=wyse1
> [mschap]  mschap1: e0
> [mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e07a375bed09f1f7
> [mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=065b157b183b4d29d455414b184c57af4912b1d74f4ed726
> Exec-Program output: Reading winbind reply failed! (0xc0000001) 
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001) 
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] MS-CHAP-Response is incorrect.
> ++[mschap] returns reject
> Failed to authenticate the user.
> Login incorrect (mschap: External script says Reading winbind reply failed! (0xc0000001)): [wyse1/<via Auth-Type = mschap>] (from client localhost port 1812)
> Using Post-Auth-Type Reject
> # Executing group from file /etc/freeradius/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject] 	expand: %{User-Name} -> wyse1
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 111 to 127.0.0.1 port 60046
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 111 with timestamp +15
> Ready to process requests.
> 
> On Aug 22, 2013, at 5:50 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> 
>> On 21/08/13 23:44, Chris Parker wrote:
>>> Okay, pardon my confusion then. I had been following a howto online
>>> and it reported that the command when run manually will produce the
>>> key.
>>> 
>>> Either way, I'm still having a failure in MSCHAP with radtest that
>>> I'm not quite grasping.
>> 
>> Well, as I explained in my other email, mschap == challenge/response, "modules/ntlm_auth" != challenge/response.
>> 
>> To reiterate, "modules/ntlm_auth" is almost certainly not what you want, and is not intended to be used as-is. I would unconfigure it and concentrate on getting "modules/mschap" working.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 

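The fix described at the top of this message (the freerad user needs to be in the group that owns winbindd's privileged pipe directory) is easy to verify before restarting anything. The following script is an added example, not something from the list thread or from the FreeRADIUS or Samba projects. It assumes the Debian/Ubuntu layout seen in the thread (service user freerad, directory /var/run/samba/winbindd_privileged, group winbindd_priv) and GNU stat/id; the function names are my own.

```shell
#!/bin/sh
# Added example: check whether the RADIUS service user can traverse
# winbindd's privileged pipe directory (needed for ntlm_auth's
# challenge/response mode). Defaults below are assumptions matching
# the Debian layout from the thread, not values read from the page.

# Return 0 if group $1 appears in the space-separated group list $2.
group_in_list() {
  needle=$1
  for g in $2; do
    [ "$g" = "$needle" ] && return 0
  done
  return 1
}

# Decide from a symbolic mode string (e.g. drwxr-x---), the directory's
# owning group, and the user's group list whether the user gets search
# (x) access. Prints a verdict and returns 0 when access should work.
can_traverse() {
  mode=$1; dirgroup=$2; usergroups=$3
  group_x=$(printf '%s' "$mode" | cut -c7)   # group execute bit
  other_x=$(printf '%s' "$mode" | cut -c10)  # other execute bit
  if [ "$other_x" = "x" ]; then
    echo "world-searchable: access works, but wider than winbindd intends"
    return 0
  fi
  if [ "$group_x" = "x" ] && group_in_list "$dirgroup" "$usergroups"; then
    echo "ok: user is a member of $dirgroup"
    return 0
  fi
  echo "denied: add the user to $dirgroup (usermod -aG $dirgroup USER), then restart freeradius"
  return 1
}

# Live check against the running system; arguments default to the
# assumed Debian names. Returns 2 when the directory or user is missing.
check_winbind_access() {
  user=${1:-freerad}
  dir=${2:-/var/run/samba/winbindd_privileged}
  [ -d "$dir" ] || { echo "$dir not found; is winbindd running?"; return 2; }
  mode=$(stat -c %A "$dir")
  dirgroup=$(stat -c %G "$dir")
  usergroups=$(id -nG "$user") || return 2
  can_traverse "$mode" "$dirgroup" "$usergroups"
}
```

Run it as `sh check.sh && check_winbind_access` (or source the file and call `check_winbind_access freerad`); the "denied" verdict corresponds to the "Reading winbind reply failed! (0xc0000001)" output in the debug log above. Group membership changes only take effect for new processes, so freeradius must be restarted after the usermod.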