Trouble authenticating against samba 4 DC

Hugo Thebas thebashugo at gmail.com
Thu Aug 3 21:51:30 CEST 2017


Hello, I've just set up a DC controller using samba 4 on Debian 9 and 
FreeRADIUS 3.

root@dc:~# samba -V
Version 4.5.8-Debian

root@dc:~# uname -a
Linux dc 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64 
GNU/Linux

root@dc:~# freeradius -v
radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built 
on May 30 2017 at 15:18:34

Samba DC is running OK; I can authenticate against it using ntlm_auth:

root@dc:~# ntlm_auth --request-nt-key --domain=CCBPINHAIS --username=teste-login --password=Thebas@1234
NT_STATUS_OK: Success (0x0)

I've followed the setup tutorial at: 
http://deployingradius.com/documents/configuration/active_directory.html 
and everything works fine until the part where I set up mschap. The test 
using the config "DEFAULT     Auth-Type = ntlm_auth" in the users file is 
OK, but when I remove the test config and set up mschap I can't 
authenticate. I'll post the debug log below and would appreciate it if 
anyone can help me.

First the output using test config:

root@dc:~# radtest teste-login Thebas@1234 localhost 0 testing123
Sent Access-Request Id 152 from 0.0.0.0:59761 to 127.0.0.1:1812 length 81
     User-Name = "teste-login"
     User-Password = "Thebas@1234"
     NAS-IP-Address = 172.16.100.254
     NAS-Port = 0
     Message-Authenticator = 0x00
     Cleartext-Password = "Thebas@1234"
Received Access-Accept Id 152 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

Now removing the test config and using mschap:

root@dc:~# radtest -t mschap teste-login Thebas@1234 localhost 0 testing123
Sent Access-Request Id 41 from 0.0.0.0:41126 to 127.0.0.1:1812 length 137
     User-Name = "teste-login"
     MS-CHAP-Password = "Thebas@1234"
     NAS-IP-Address = 172.16.100.254
     NAS-Port = 0
     Message-Authenticator = 0x00
     Cleartext-Password = "Thebas@1234"
     MS-CHAP-Challenge = 0x5c2a896e7b319f2f
     MS-CHAP-Response = 
0x000100000000000000000000000000000000000000000000000073a248201d2f5611be653fd75e48b46b9e08d049cb60122d
Received Access-Reject Id 41 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
     MS-CHAP-Error = "\000E=691 R=1 C=81c1063947fe901b V=2"
(0) -: Expected Access-Accept got Access-Reject


Below is the debug log:

(0) Received Access-Request Id 41 from 127.0.0.1:41126 to 127.0.0.1:1812 
length 137
(0)   User-Name = "teste-login"
(0)   NAS-IP-Address = 172.16.100.254
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0x97d3daecfc41cd5c63cca87fcae738c8
(0)   MS-CHAP-Challenge = 0x5c2a896e7b319f2f
(0)   MS-CHAP-Response = 
0x000100000000000000000000000000000000000000000000000073a248201d2f5611be653fd75e48b46b9e08d049cb60122d
(0) # Executing section authorize from file 
/etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   
-> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     [mschap] = ok
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "teste-login", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     [files] = noop
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not 
setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" 
password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} 
--domain=%{%{mschap:NT-Domain}:-CCBPINHAIS} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(0) mschap: EXPAND --username=%{mschap:User-Name:-None}
(0) mschap:    --> --username=teste-login
(0) mschap: ERROR: No NT-Domain was found in the User-Name
(0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS}
(0) mschap:    --> --domain=CCBPINHAIS
(0) mschap: mschap1: 5c
(0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(0) mschap:    --> --challenge=5c2a896e7b319f2f
(0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(0) mschap:    --> 
--nt-response=73a248201d2f5611be653fd75e48b46b9e08d049cb60122d
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure 
(0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> teste-login
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 41 from 127.0.0.1:1812 to 127.0.0.1:41126 
length 61
(0)   MS-CHAP-Error = "\000E=691 R=1 C=81c1063947fe901b V=2"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 41 with timestamp +4


Stripping the debug log, the error lines are:

(0) mschap: ERROR: No NT-Domain was found in the User-Name
...
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure 
(0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject

I think the problem has something to do with that last error about 
MS-CHAP2-Response, but I don't have a clue what it could be. I also 
noticed that radtest sent an MS-CHAPv1 auth request; is that OK?

Thank you very much.




Best Regards,
Hugo Thebas
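As an added example (not part of the original post or of FreeRADIUS), a small Python decoder for the two vendor attributes that appear in the radtest output above: the 50-byte MS-CHAP-Response layout from RFC 2548 section 2.1.3 and the RFC 2433 failure string carried in MS-CHAP-Error. The input values are constructed from the bytes quoted in the post; it shows which 24-byte half of the response FreeRADIUS hands to ntlm_auth and what the E=691 / R=1 / C= fields in the reject mean.

```python
import re
from dataclasses import dataclass

# Constructed from the radtest and debug output quoted in the post above.
MSCHAP_CHALLENGE_HEX = "5c2a896e7b319f2f"
MSCHAP_RESPONSE_HEX = ("0001" + "00" * 24
                       + "73a248201d2f5611be653fd75e48b46b9e08d049cb60122d")
MSCHAP_ERROR = "\x00E=691 R=1 C=81c1063947fe901b V=2"

# Failure codes defined in RFC 2433 section 3.3 (MS-CHAPv1 Failure packet).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}

@dataclass
class MsChapV1Response:
    ident: int
    flags: int
    lm_response: bytes   # 24 bytes; all zeros in the post's packet
    nt_response: bytes   # 24 bytes; what FreeRADIUS passes as --nt-response

    @property
    def uses_nt_response(self) -> bool:
        # Flags bit 0 set means the NT-Response field is the one to verify.
        return bool(self.flags & 0x01)

def parse_mschap_response(raw: bytes) -> MsChapV1Response:
    """Split MS-CHAP-Response (RFC 2548 2.1.3): Ident(1) Flags(1) LM(24) NT(24)."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 bytes, got {len(raw)}")
    return MsChapV1Response(raw[0], raw[1], raw[2:26], raw[26:50])

def parse_mschap_error(text: str) -> dict:
    """Decode MS-CHAP-Error (RFC 2548 2.1.5): one Ident byte, then the
    RFC 2433 string 'E=<code> R=<retry> C=<16 hex new challenge> V=<ver> [M=<msg>]'."""
    ident, body = ord(text[0]), text[1:]
    m = re.match(r"E=(\d+) R=([01]) C=([0-9A-Fa-f]{16}) V=(\d+)(?: M=(.*))?$", body)
    if not m:
        raise ValueError(f"unrecognised MS-CHAP-Error body: {body!r}")
    code = int(m.group(1))
    return {
        "ident": ident,
        "code": code,
        "code_name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": m.group(2) == "1",       # R=1: client may retry
        "new_challenge": bytes.fromhex(m.group(3)),  # C=: challenge for the retry
        "version": int(m.group(4)),
        "message": m.group(5),
    }
```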
