Trouble authenticating against samba 4 DC

Alan DeKok aland at deployingradius.com
Thu Aug 3 22:04:21 CEST 2017


On Aug 3, 2017, at 9:51 PM, Hugo Thebas <thebashugo at gmail.com> wrote:
> 
> I've followed the setup tutorial at: http://deployingradius.com/documents/configuration/active_directory.html and everything works fine until the part where I set up mschap. The test using the config "DEFAULT     Auth-Type = ntlm_auth" in the users file is OK, but when I remove the test config and set up mschap I can't authenticate. I'll post the debug log below and would appreciate it if anyone can help me.
> 
> First the output using test config:
> 
> root at dc:~# radtest teste-login Thebas at 1234 localhost 0 testing123

  That's good.

> Now removing the test config and using mschap:
> 
> root at dc:~# radtest -t mschap teste-login Thebas at 1234 localhost 0 testing123
> Sent Access-Request Id 41 from 0.0.0.0:41126 to 127.0.0.1:1812 length 137
>    User-Name = "testa-login"

  Is that a valid username / domain at the AD server?
...
> (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
> (0) mschap: EXPAND --username=%{mschap:User-Name:-None}
> (0) mschap:    --> --username=teste-login
> (0) mschap: ERROR: No NT-Domain was found in the User-Name
> (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-CCBPINHAIS}
> (0) mschap:    --> --domain=CCBPINHAIS
> (0) mschap: mschap1: 5c
> (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
> (0) mschap:    --> --challenge=5c2a896e7b319f2f
> (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
> (0) mschap:    --> --nt-response=73a248201d2f5611be653fd75e48b46b9e08d049cb60122d
> (0) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
> (0) mschap: External script failed

  You can run the ntlm_auth program manually to see what parameters are required.  In this case, it looks like either the username doesn't exist at that domain, or the password is wrong.

  We can't help you fix those errors.  The purpose of the guide is to take you step by step through the process, so that you can see exactly when it goes from "working" to "not working".  The thing that changes is the source of the problem.

  In this case, AD is returning "logon failure".  That means the user is unknown, or the user is known but the password is wrong.  You need to send FreeRADIUS the correct name / domain / password for it to work.

  Alan DeKok.
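The manual ntlm_auth check suggested above, written out as an added example (this script is not from the thread, nor from FreeRADIUS or Samba). It assumes Samba's `ntlm_auth` and `wbinfo` are on PATH with winbind running, that the domain CCBPINHAIS is the default seen in the quoted debug output, and it decodes the NTSTATUS code that ntlm_auth prints (0xc000006d is STATUS_LOGON_FAILURE, which the DC returns for both an unknown user and a wrong password). The `nt_domain_of` / `nt_user_of` helpers mirror the split the mschap module performs on a `DOMAIN\user` name; a bare name yields no domain, which is what produced "No NT-Domain was found in the User-Name" in the log.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeRADIUS/Samba.
# Reproduces the ntlm_auth check the mschap module ran in the quoted log,
# but outside radiusd, and decodes the NTSTATUS code ntlm_auth prints.
# Assumptions: ntlm_auth and wbinfo are on PATH, winbind is running, and
# CCBPINHAIS is the default domain from the quoted debug output.

# The mschap module only recognises the "DOMAIN\user" form. A bare
# "teste-login" has no NT-Domain, so radiusd fell back to its configured
# default. A user@realm name is deliberately left whole here.
nt_domain_of() { case "$1" in *\\*) printf '%s\n' "${1%%\\*}" ;; *) printf '\n' ;; esac; }
nt_user_of()   { printf '%s\n' "${1#*\\}"; }

# Map the NTSTATUS code in ntlm_auth's output, e.g. "Logon failure (0xc000006d)",
# to what the DC is actually saying. Only the hex code is matched, so the
# surrounding text may differ between Samba versions.
nt_status_hint() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/.*(\(0x[0-9a-fA-F]\{8\}\)).*/\1/p' \
        | tr 'A-F' 'a-f' | head -n 1)
    case "$code" in
        0xc000006d) echo "LOGON_FAILURE: user unknown or password wrong (the DC does not say which)" ;;
        0xc0000064) echo "NO_SUCH_USER: account not found in this domain" ;;
        0xc000006a) echo "WRONG_PASSWORD" ;;
        0xc0000234) echo "ACCOUNT_LOCKED_OUT" ;;
        0xc0000072) echo "ACCOUNT_DISABLED" ;;
        0xc0000071) echo "PASSWORD_EXPIRED" ;;
        0xc000005e) echo "NO_LOGON_SERVERS: winbind cannot reach a DC" ;;
        '')         echo "no NTSTATUS code in output" ;;
        *)          echo "unmapped NTSTATUS $code" ;;
    esac
}

# Run the same check radiusd runs, but interactively: with --password
# omitted, ntlm_auth prompts for it, so the secret stays out of the
# process list and shell history. Exit status 0 means the DC accepted it;
# the quoted log shows the failing case returning 1.
check_ad_logon() {   # usage: check_ad_logon 'DOMAIN\user'  or  check_ad_logon user
    usr=$(nt_user_of "$1")
    dom=$(nt_domain_of "$1"); [ -n "$dom" ] || dom=CCBPINHAIS
    command -v ntlm_auth >/dev/null 2>&1 || { echo "ntlm_auth not found"; return 2; }
    echo "winbind trust secret:"; wbinfo -t
    echo "name lookup:";          wbinfo -n "$dom\\$usr"
    out=$(ntlm_auth --request-nt-key --domain="$dom" --username="$usr" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    nt_status_hint "$out"
    return $rc
}

if [ $# -gt 0 ]; then
    check_ad_logon "$1"    # e.g. ./check_ad.sh 'CCBPINHAIS\teste-login'
fi
```

If `wbinfo -n` cannot resolve the name, the account does not exist in the domain winbind is joined to (or the join itself is broken, which `wbinfo -t` shows); if the name resolves but ntlm_auth still reports 0xc000006d, the password is wrong. Either way this isolates the problem to the credentials before touching the FreeRADIUS configuration again.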




More information about the Freeradius-Users mailing list