Problem configuring freeradius with mschap / winbind
Brian C. Huffman
bhuffman at etinternational.com
Mon Feb 3 17:14:44 CET 2014
All,
I'm trying to configure freeradius to work with Samba winbind. Winbind
seems to be working, but I'm having issues when I try to integrate
freeradius.
I've got the following versions installed:
[root at auth01 raddb]# more /etc/redhat-release
CentOS release 6.5 (Final)
[root at auth01 raddb]# rpm -qa |grep winbind
samba-winbind-clients-3.6.9-167.el6_5.x86_64
samba-winbind-3.6.9-167.el6_5.x86_64
[root at auth01 raddb]# rpm -qa |grep freeradius
freeradius-2.1.12-4.el6_3.x86_64
freeradius-utils-2.1.12-4.el6_3.x86_64
wbinfo -u works.
This works as well:
[root at auth01 raddb]# ntlm_auth --request-nt-key --domain=ETI --username=bhuffman --password=<pass_removed>
NT_STATUS_OK: Success (0x0)
I've followed this guide for configuring freeradius:
http://deployingradius.com/documents/configuration/active_directory.html
Running the test with basic ntlm_auth also works. But when I try to
use mschap, it fails:
rad_recv: Access-Request packet from host 127.0.0.1 port 36958, id=54, length=134
User-Name = "bhuffman"
NAS-IP-Address = 192.168.12.13
NAS-Port = 0
Message-Authenticator = 0x5218e5194bf4c321ed41c29cd6d10690
MS-CHAP-Challenge = 0x1491f6269d04d59a
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "bhuffman", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> bhuffman
[mschap] expand: %{%{User-Name}:-None} -> bhuffman
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=bhuffman
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-ETI} -> --domain=ETI
[mschap] mschap1: 14
[mschap] expand: %{mschap:Challenge} -> 1491f6269d04d59a
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=1491f6269d04d59a
[mschap] expand: %{mschap:NT-Response} -> bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> bhuffman
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 54 to 127.0.0.1 port 36958
MS-CHAP-Error = "\000E=691 R=1"
Can anyone help me to troubleshoot this?
Thanks,
Brian
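Added example (not part of Brian's post and not FreeRADIUS's own code): the debug output above shows exactly which ntlm_auth invocation rlm_mschap built (--domain=ETI, --username=bhuffman, --challenge=1491f6269d04d59a, --nt-response=bdf1...) and that winbind answered it with 0xc0000001, whereas the manual ntlm_auth test earlier in the post used --password and ran as root. The script below pulls those four values out of a "radiusd -X" log, decodes the NTSTATUS code, and replays the same challenge/response call as the radiusd user rather than as root, so a failure can be attributed either to winbind itself or to the daemon's uid (the daemon not being able to reach winbindd's privileged pipe is the usual reason a root test passes while the server's call fails, but nothing in the post establishes that this is the cause here). Assumptions not stated on the page: the daemon runs as a user named radiusd, ntlm_auth is on PATH, su passes extra arguments through to "sh -c", and mail-wrapped log lines have been joined back together. The sample log embedded in the script is constructed from the post's output.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS: replay the
# ntlm_auth call that rlm_mschap made, using the exact values from "radiusd -X"
# output, but as the daemon's own uid instead of root.
#
# Assumptions not stated on the page: radiusd runs as user "radiusd", ntlm_auth
# is on PATH, and su passes extra arguments on to "sh -c" (util-linux and
# coreutils su both do, so the values never go through eval).

RADIUSD_USER=${RADIUSD_USER:-radiusd}

# Constructed from the post's debug output, with mail-wrapped lines joined
# (radiusd -X prints each expansion on one line).
SAMPLE_LOG='[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=bhuffman
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-ETI} -> --domain=ETI
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=1491f6269d04d59a
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
Exec-Program output: Reading winbind reply failed! (0xc0000001)'

# extract_arg NAME LOG: the expanded value of "--NAME=..." on the right-hand
# side of an "[mschap] expand:" line (first match wins).
extract_arg() {
    printf '%s\n' "$2" | sed -n "s/^\[mschap\] expand: .* -> --$1=\(.*\)/\1/p" | head -n 1
}

# extract_status LOG: the NTSTATUS code ntlm_auth printed, e.g. 0xc0000001.
extract_status() {
    printf '%s\n' "$1" | sed -n 's/.*Exec-Program output: .*(\(0x[0-9a-fA-F]*\)).*/\1/p' | head -n 1
}

# nt_status_name CODE: names for NTSTATUS values ntlm_auth commonly returns.
# The table is from the public NTSTATUS list, not from FreeRADIUS.
nt_status_name() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        0xc0000001) echo STATUS_UNSUCCESSFUL ;;   # generic: no usable reply from winbindd
        0xc0000022) echo STATUS_ACCESS_DENIED ;;
        0xc000005e) echo STATUS_NO_LOGON_SERVERS ;;
        0xc0000064) echo STATUS_NO_SUCH_USER ;;
        0xc000006a) echo STATUS_WRONG_PASSWORD ;;
        0xc000006d) echo STATUS_LOGON_FAILURE ;;
        0xc0000072) echo STATUS_ACCOUNT_DISABLED ;;
        0xc0000234) echo STATUS_ACCOUNT_LOCKED_OUT ;;
        *) echo UNKNOWN ;;
    esac
}

# replay_cmd LOG: the ntlm_auth command line rlm_mschap built, as one string
# for display only (execution below passes the values as separate arguments).
replay_cmd() {
    printf 'ntlm_auth --request-nt-key --domain=%s --username=%s --challenge=%s --nt-response=%s' \
        "$(extract_arg domain "$1")" "$(extract_arg username "$1")" \
        "$(extract_arg challenge "$1")" "$(extract_arg nt-response "$1")"
}

# replay LOG: run that command as $RADIUSD_USER. If the same call succeeds as
# root but fails here, the daemon's uid is the problem (typically it cannot
# enter winbindd's privileged pipe directory), not winbind itself.
replay() {
    domain=$(extract_arg domain "$1"); user=$(extract_arg username "$1")
    chal=$(extract_arg challenge "$1"); resp=$(extract_arg nt-response "$1")
    if [ -z "$user" ] || [ -z "$chal" ] || [ -z "$resp" ]; then
        echo "no [mschap] expand lines found; join mail-wrapped lines first" >&2
        return 2
    fi
    if ! command -v ntlm_auth >/dev/null 2>&1 || [ "$(id -u)" != 0 ]; then
        echo "would run as $RADIUSD_USER: $(replay_cmd "$1")"
        return 0
    fi
    su -s /bin/sh -c 'exec ntlm_auth --request-nt-key --domain="$1" --username="$2" --challenge="$3" --nt-response="$4"' \
        "$RADIUSD_USER" sh "$domain" "$user" "$chal" "$resp"
}

status=$(extract_status "$SAMPLE_LOG")
echo "ntlm_auth reported $status ($(nt_status_name "$status"))"
replay "$SAMPLE_LOG"
```

To use it on a real run, save the radiusd -X output to a file, join any wrapped lines, and call replay "$(cat debug.log)" as root; a success here combined with the reject seen in the server log points at something between radiusd and ntlm_auth (uid, environment, PATH), while the same NTSTATUS from both points back at winbind or the domain controller.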