Problem configuring freeradius with mschap / winbind

Brian C. Huffman bhuffman at etinternational.com
Mon Feb 3 17:22:39 CET 2014


I just figured it out.  I had to add radiusd to the wbpriv group.

-b

On 02/03/2014 11:14 AM, Brian C. Huffman wrote:
> All,
>
> I'm trying to configure freeradius to work with Samba winbind. Winbind 
> seems to be working, but I'm having issues when I try to integrate 
> freeradius.
>
> I've got the following versions installed:
> [root at auth01 raddb]# more /etc/redhat-release
> CentOS release 6.5 (Final)
> [root at auth01 raddb]# rpm -qa |grep winbind
> samba-winbind-clients-3.6.9-167.el6_5.x86_64
> samba-winbind-3.6.9-167.el6_5.x86_64
> [root at auth01 raddb]# rpm -qa |grep freeradius
> freeradius-2.1.12-4.el6_3.x86_64
> freeradius-utils-2.1.12-4.el6_3.x86_64
>
> wbinfo -u works.
>
> This works as well:
> [root at auth01 raddb]# ntlm_auth --request-nt-key --domain=ETI --username=bhuffman --password=<pass_removed>
> NT_STATUS_OK: Success (0x0)
>
> I've followed this guide for configuring freeradius:
> http://deployingradius.com/documents/configuration/active_directory.html
>
> Running the test with basic ntlm_auth also works.   But when I try to 
> use mschap, it fails:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 36958, id=54, length=134
>     User-Name = "bhuffman"
>     NAS-IP-Address = 192.168.12.13
>     NAS-Port = 0
>     Message-Authenticator = 0x5218e5194bf4c321ed41c29cd6d10690
>     MS-CHAP-Challenge = 0x1491f6269d04d59a
>     MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> [mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
> ++[mschap] returns ok
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "bhuffman", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = MSCHAP
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group MS-CHAP {...}
> [mschap] Told to do MS-CHAPv1 with NT-Password
> [mschap]     expand: %{Stripped-User-Name} ->
> [mschap]     ... expanding second conditional
> [mschap]     expand: %{User-Name} -> bhuffman
> [mschap]     expand: %{%{User-Name}:-None} -> bhuffman
> [mschap]     expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=bhuffman
> [mschap] No NT-Domain was found in the User-Name.
> [mschap]     expand: %{mschap:NT-Domain} ->
> [mschap]     ... expanding second conditional
> [mschap]     expand: --domain=%{%{mschap:NT-Domain}:-ETI} -> --domain=ETI
> [mschap]  mschap1: 14
> [mschap]     expand: %{mschap:Challenge} -> 1491f6269d04d59a
> [mschap]     expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=1491f6269d04d59a
> [mschap]     expand: %{mschap:NT-Response} -> bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
> [mschap]     expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=bdf10bf06b435645c7db6279bba9c4765c16c9fcd06dcd03
> Exec-Program output: Reading winbind reply failed! (0xc0000001)
> Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] MS-CHAP-Response is incorrect.
> ++[mschap] returns reject
> Failed to authenticate the user.
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/default
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> bhuffman
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 54 to 127.0.0.1 port 36958
>     MS-CHAP-Error = "\000E=691 R=1"
>
>
> Can anyone help me to troubleshoot this?
>
> Thanks,
> Brian
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
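The fix in the reply (adding radiusd to the wbpriv group) works because ntlm_auth with --request-nt-key talks to winbindd over its privileged pipe, whose directory the RHEL/CentOS samba-winbind package ships as root:wbpriv mode 0750; run unprivileged as the radiusd user, ntlm_auth cannot open it and reports "Reading winbind reply failed! (0xc0000001)", while the same command run as root from a shell succeeds. The script below is an added example written for this thread, not code from the original posts or from the FreeRADIUS or Samba projects. It assumes radiusd runs as the user "radiusd", that the privileged pipe directory is one of the two paths listed, and that usermod, service and GNU stat are available; the /etc/group excerpts in it are constructed sample data.

```sh
#!/bin/sh
# Added example for the thread above (not from the original posts).
# Assumptions: radiusd runs as "radiusd"; the winbindd privileged pipe
# directory is one of PRIV_DIRS and is root:wbpriv 0750 as on CentOS 6.

RADIUS_USER=radiusd
WINBIND_GROUP=wbpriv
PRIV_DIRS="/var/lib/samba/winbindd_privileged /var/run/samba/winbindd_privileged"

# user_in_group USER GROUP GROUPFILE_TEXT
# Parses text in /etc/group format and exits 0 if USER is listed as a
# supplementary member of GROUP. The text is passed in, not read from the
# system, so the check can be exercised offline on sample data.
user_in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed /etc/group excerpts: the state that produces the 0xc0000001
# error, and the state after the fix from the reply.
GROUP_BEFORE='wbpriv:x:88:
radiusd:x:95:'
GROUP_AFTER='wbpriv:x:88:radiusd
radiusd:x:95:'

# diagnose_live: run as root on the RADIUS host. Shows the pipe directory
# permissions and whether the daemon user can traverse it via group membership.
diagnose_live() {
    for d in $PRIV_DIRS; do
        [ -d "$d" ] || continue
        echo "privileged pipe dir: $d ($(stat -c '%a %U:%G' "$d"))"
        if user_in_group "$RADIUS_USER" "$WINBIND_GROUP" "$(cat /etc/group)"; then
            echo "$RADIUS_USER is in $WINBIND_GROUP: ntlm_auth can use the privileged pipe"
        else
            echo "$RADIUS_USER is NOT in $WINBIND_GROUP: run apply_fix"
        fi
        return 0
    done
    echo "no winbindd_privileged directory found; is winbind running?" >&2
    return 1
}

# apply_fix: the change from the reply, plus the restart the running daemon
# needs before it sees its new supplementary group. The final command repeats
# the poster's ntlm_auth test as the daemon's user with the option rlm_mschap
# uses; it prompts for the password rather than taking it on the command line.
apply_fix() {
    usermod -a -G "$WINBIND_GROUP" "$RADIUS_USER"
    service radiusd restart
    sudo -u "$RADIUS_USER" ntlm_auth --request-nt-key --domain=ETI --username=bhuffman
}

# Offline demonstration on the constructed group data.
if user_in_group "$RADIUS_USER" "$WINBIND_GROUP" "$GROUP_BEFORE"; then
    echo "before: $RADIUS_USER already in $WINBIND_GROUP (unexpected for the sample)"
else
    echo "before: $RADIUS_USER not in $WINBIND_GROUP -> expect 0xc0000001 from ntlm_auth"
fi
if user_in_group "$RADIUS_USER" "$WINBIND_GROUP" "$GROUP_AFTER"; then
    echo "after: $RADIUS_USER in $WINBIND_GROUP -> privileged pipe reachable"
fi
```

Run `diagnose_live` as root on the server to confirm the membership and directory mode, then `apply_fix`; the ntlm_auth call at the end of apply_fix is the decisive check, since it exercises the privileged pipe as the same uid and groups radiusd will use.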
