FreeRADIUS using Active Directory integration broken without any traces

Vinícius Ferrão ferrao at if.ufrj.br
Fri Sep 26 21:54:23 CEST 2014


Hello guys,

I've a FreeBSD 10.0 server running FreeRADIUS 3 and things got broken without any apparent reason.

I'm using Winbind from Samba4 to authenticate with ntlm_auth. I've done some debugging to solve the problem, but I was unable to find where the problem is.

ntlm_auth is working:

# ntlm_auth --username=ferrao --request-nt-key
# Password: 
# NT_STATUS_OK: Success (0x0)

But RADIUS fails when doing EAP-PEAP authentication, and when running FreeRADIUS in debug mode, this is the error message:

# (9) mschap : Executing: /usr/local/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%#{mschap:NT-Response}:-00}
# (9) mschap : EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
# (9) mschap :    --> --username=ferrao
# (9) mschap : Creating challenge hash with username: ferrao
# (9) mschap : EXPAND --challenge=%{%{mschap:Challenge}:-00}
# (9) mschap :    --> --challenge=082e8ba7b848aaae
# (9) mschap : EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
# (9) mschap :    --> --nt-response=27b40a6d1dba1b4acfd33aff5c710a43e70d050269087bf1
# (9) ERROR: mschap : Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
# (9) mschap : External script failed.
# (9) ERROR: mschap : External script says: Reading winbind reply failed! (0xc0000001)
# (9) ERROR: mschap : MS-CHAP2-Response is incorrect
# (9)   [mschap] = reject
# (9)  } # Auth-Type MS-CHAP = reject
# (9) eap : Freeing handler
# (9)   [eap] = reject
# (9)  } #  authenticate = reject
# (9) Failed to authenticate the user.
# (9) Login incorrect (mschap: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'): [ferrao/<via Auth-Type = EAP>] (from client 192.168.0.0/26 port 0 via TLS tunnel)

So something is wrong with Winbind and FreeRADIUS, and I don't know what.

Thanks in advance,

