AW: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication

Torsten Wilms torsten at wilms-ac.de
Fri Oct 9 18:03:43 CEST 2015


I use the default configuration. I did all the defaults 


~ # radtest test password localhost 0 testing123                                                root at aaa
Sent Access-Request Id 183 from 0.0.0.0:41926 to 127.0.0.1:1812 length 74
	User-Name = "test"
	User-Password = "password"
	NAS-IP-Address = 192.168.8.27
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "password"
Received Access-Accept Id 183 from 127.0.0.1:1812 to 0.0.0.0:0 length 20


Ready to process requests
(0) Received Access-Request Id 183 from 127.0.0.1:41926 to 127.0.0.1:1812 length 74
(0)   User-Name = "test"
(0)   User-Password = "password"
(0)   NAS-IP-Address = 192.168.8.27
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x49c0aa6a8ab735b2268e1d6daaa09044
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(0)   authorize {
(0)     policy filter_username {
(0)       if (!&User-Name) {
(0)       if (!&User-Name)  -> FALSE
(0)       if (&User-Name =~ / /) {
(0)       if (&User-Name =~ / /)  -> FALSE
(0)       if (&User-Name =~ /@.*@/ ) {
(0)       if (&User-Name =~ /@.*@/ )  -> FALSE
(0)       if (&User-Name =~ /\.\./ ) {
(0)       if (&User-Name =~ /\.\./ )  -> FALSE
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)       if (&User-Name =~ /\.$/)  {
(0)       if (&User-Name =~ /\.$/)   -> FALSE
(0)       if (&User-Name =~ /@\./)  {
(0)       if (&User-Name =~ /@\./)   -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "test", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth:    --> --username=test
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth:    --> --password=password
(0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
(0) ntlm_auth: Program executed successfully
(0)     [ntlm_auth] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 48
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = NTLM
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(0)   Auth-Type NTLM {
(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth:    --> --username=test
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth:    --> --password=password
(0) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: Success (0x0)'
(0) ntlm_auth: Program executed successfully
(0)     [ntlm_auth] = ok
(0)   } # Auth-Type NTLM = ok
(0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/domain
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 183 from 127.0.0.1:1812 to 127.0.0.1:41926 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 183 with timestamp +2






~ # radtest -t mschap test password localhost 0 testing123                                      root at aaa
Sent Access-Request Id 194 from 0.0.0.0:47270 to 127.0.0.1:1812 length 130
	User-Name = "test"
	MS-CHAP-Password = "password"
	NAS-IP-Address = 192.168.8.27
	NAS-Port = 0
	Message-Authenticator = 0x00
	Cleartext-Password = "password"
	MS-CHAP-Challenge = 0x64ffcaca1fad8737
	MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000044766b9a12bb4776e8e15e6b668e76003626fa2f448bf29a
Received Access-Reject Id 194 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject


(1) Received Access-Request Id 194 from 127.0.0.1:47270 to 127.0.0.1:1812 length 130
(1)   User-Name = "test"
(1)   NAS-IP-Address = 192.168.8.27
(1)   NAS-Port = 0
(1)   Message-Authenticator = 0xcae2002abb356fe5d79e1fc00a12c253
(1)   MS-CHAP-Challenge = 0x64ffcaca1fad8737
(1)   MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000044766b9a12bb4776e8e15e6b668e76003626fa2f448bf29a
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/domain
(1)   authorize {
(1)     policy filter_username {
(1)       if (!&User-Name) {
(1)       if (!&User-Name)  -> FALSE
(1)       if (&User-Name =~ / /) {
(1)       if (&User-Name =~ / /)  -> FALSE
(1)       if (&User-Name =~ /@.*@/ ) {
(1)       if (&User-Name =~ /@.*@/ )  -> FALSE
(1)       if (&User-Name =~ /\.\./ ) {
(1)       if (&User-Name =~ /\.\./ )  -> FALSE
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(1)       if (&User-Name =~ /\.$/)  {
(1)       if (&User-Name =~ /\.$/)   -> FALSE
(1)       if (&User-Name =~ /@\./)  {
(1)       if (&User-Name =~ /@\./)   -> FALSE
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(1)     [mschap] = ok
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
(1) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(1) ntlm_auth:    --> --username=test
(1) ntlm_auth: EXPAND --password=%{User-Password}
(1) ntlm_auth:    --> --password=
(1) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)'
(1)     [ntlm_auth] = reject
(1)   } # authorize = reject
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /usr/local/etc/raddb/sites-enabled/domain
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> test
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     [eap] = noop
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 194 from 127.0.0.1:1812 to 127.0.0.1:47270 length 20
Waking up in 3.9 seconds.
(1) Cleaning up request packet ID 194 with timestamp +45
Ready to process requests



This is very confused.


/usr/local/etc/raddb # cat mods-enabled/ntlm_auth                                                                                                    root at aaa
#
#  For testing ntlm_auth authentication with PAP.
#
#  If you have problems with authentication failing, even when the
#  password is good, it may be a bug in Samba:
#
#	https://bugzilla.samba.org/show_bug.cgi?id=6563
#
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}"
}


/usr/local/etc/raddb # cat mods-enabled/mschap
# -*- text -*-
#
#  $Id: 4673fa7f9fd1d9931fcf1e4e1cdd9bb656b1d434 $

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
	#
	#  If you are using /etc/smbpasswd, see the 'passwd'
	#  module for an example of how to use /etc/smbpasswd

	# if use_mppe is not set to no mschap will
	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
	#
#	use_mppe = no

	# if mppe is enabled require_encryption makes
	# encryption moderate
	#
#	require_encryption = yes

	# require_strong always requires 128 bit key
	# encryption
	#
#	require_strong = yes

	# The module can perform authentication itself, OR
	# use a Windows Domain Controller.  This configuration
	# directive tells the module to call the ntlm_auth
	# program, which will do the authentication, and return
	# the NT-Key.  Note that you MUST have "winbindd" and
	# "nmbd" running on the local machine for ntlm_auth
	# to work.  See the ntlm_auth program documentation
	# for details.
	#
	# If ntlm_auth is configured below, then the mschap
	# module will call ntlm_auth for every MS-CHAP
	# authentication request.  If there is a cleartext
	# or NT hashed password available, you can set
	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
	# and the mschap module will do the authentication itself,
	# without calling ntlm_auth.
	#
	# Be VERY careful when editing the following line!
	#
	# You can also try setting the user name as:
	#
	#	... --username=%{mschap:User-Name} ...
	#
	# In that case, the mschap module will look at the User-Name
	# attribute, and do prefix/suffix checks in order to obtain
	# the "best" user name for the request.
	#
	#ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

	# The default is to wait 10 seconds for ntlm_auth to
	# complete.  This is a long time, and if it's taking that
	# long then you likely have other problems in your domain.
	# The length of time can be decreased with the following
	# option, which can save clients waiting if your ntlm_auth
	# usually finishes quicker. Range 1 to 10 seconds.
	#
#	ntlm_auth_timeout = 10

	# An alternative to using ntlm_auth is to connect to the
	# winbind daemon directly for authentication. This option
	# is likely to be faster and may be useful on busy systems,
	# but is less well tested.
	#
	# Using this option requires libwbclient from Samba 4.2.1
	# or later to be installed. Make sure that ntlm_auth above is
	# commented out.
	#
#	winbind_username = "%{mschap:User-Name}"
#	winbind_domain = "%{mschap:NT-Domain}"

	#
	#  Information for the winbind connection pool.  The configuration
	#  items below are the same for all modules which use the new
	#  connection pool.
	#
	pool {
		#  Connections to create during module instantiation.
		#  If the server cannot create specified number of
		#  connections during instantiation it will exit.
		#  Set to 0 to allow the server to start without the
		#  winbind daemon being available.
		start = ${thread[pool].start_servers}

		#  Minimum number of connections to keep open
		min = ${thread[pool].min_spare_servers}

		#  Maximum number of connections
		#
		#  If these connections are all in use and a new one
		#  is requested, the request will NOT get a connection.
		#
		#  Setting 'max' to LESS than the number of threads means
		#  that some threads may starve, and you will see errors
		#  like 'No connections available and at max connection limit'
		#
		#  Setting 'max' to MORE than the number of threads means
		#  that there are more connections than necessary.
		max = ${thread[pool].max_servers}

		#  Spare connections to be left idle
		#
		#  NOTE: Idle connections WILL be closed if "idle_timeout"
		#  is set.  This should be less than or equal to "max" above.
		spare = ${thread[pool].max_spare_servers}

		#  Number of uses before the connection is closed
		#
		#  0 means "infinite"
		uses = 0

		#  The number of seconds to wait after the server tries
		#  to open a connection, and fails.  During this time,
		#  no new connections will be opened.
		retry_delay = 30

		#  The lifetime (in seconds) of the connection
		#
		#  NOTE: A setting of 0 means infinite (no limit).
		lifetime = 86400

		#  The pool is checked for free connections every
		#  "cleanup_interval".  If there are free connections,
		#  then one of them is closed.
		cleanup_interval = 300

		#  The idle timeout (in seconds).  A connection which is
		#  unused for this length of time will be closed.
		#
		#  NOTE: A setting of 0 means infinite (no timeout).
		idle_timeout = 600

		#  NOTE: All configuration settings are enforced.  If a
		#  connection is closed because of "idle_timeout",
		#  "uses", or "lifetime", then the total number of
		#  connections MAY fall below "min".  When that
		#  happens, it will open a new connection.  It will
		#  also log a WARNING message.
		#
		#  The solution is to either lower the "min" connections,
		#  or increase lifetime/idle_timeout.
	}

	passchange {
		# This support MS-CHAPv2 (not v1) password change
		# requests.  See doc/mschap.rst for more IMPORTANT
		# information.
		#
		# Samba/ntlm_auth - if you are using ntlm_auth to
		# validate passwords, you will need to use ntlm_auth
		# to change passwords.  Uncomment the three lines
		# below, and change the path to ntlm_auth.
		#
#		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
#		ntlm_auth_username = "username: %{mschap:User-Name}"
#		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"

		# To implement a local password change, you need to
		# supply a string which is then expanded, so that the
		# password can be placed somewhere.  e.g. passed to a
		# script (exec), or written to SQL (UPDATE/INSERT).
		# We give both examples here, but only one will be
		# used.
		#
#		local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
		#
#		local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
	}

	# For Apple Server, when running on the same machine as
	# Open Directory.  It has no effect on other systems.
	#
#	use_open_directory = yes

	# On failure, set (or not) the MS-CHAP error code saying
	# "retries allowed".
#	allow_retry = yes

	# An optional retry message.
#	retry_msg = "Re-enter (or reset) the password"
}


-----Urspr√ľngliche Nachricht-----
Von: Freeradius-Users [mailto:freeradius-users-bounces+torsten=wilms-ac.de at lists.freeradius.org] Im Auftrag von Alan DeKok
Gesendet: Freitag, 9. Oktober 2015 17:56
An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Betreff: Re: mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication

On Oct 9, 2015, at 11:37 AM, Torsten Wilms <torsten at wilms-ac.de> wrote:
> 
> So now i changed the configuration to default, installed samba, added the system in the AD and tried the following:

 ...
> (0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=domain --username=%{mschap:User-Name} --password=%{User-Password}:
> (0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
> (0) ntlm_auth:    --> --username=test
> (0) ntlm_auth: EXPAND --password=%{User-Password}

  That is the wrong configuration.

  Start off with the default configuration, and follow the instructions at:

http://deployingradius.com/

  It *will work*.  Whatever you're doing now is wrong and confused.  So it doesn't work.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list