Trouble running ntlm_auth with mschap

Dirk Bonenkamp - ProActive dirk at proactive.nl
Fri Aug 18 15:35:18 CEST 2017


Hi All,

I'm running Ubuntu 16.04 LTS, Samba 4.3.11 and Freeradius 3.0.15.

I'm having trouble using mschap when authenticating against my AD using 
ntlm_auth. Testing with wbinfo or ntlm_auth from the command line works. 
Running NTLM_AUTH through freeradius (configured by myself, which just 
calls ntlm_auth straight), works fine:

radtest dirk MyPaSsWord localhost 0 testing123

Output:

(2) Found Auth-Type = NTLM_AUTH
(2) # Executing group from file /etc/freeradius/sites-enabled/default
(2)   Auth-Type NTLM_AUTH {
(2) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key 
--domain=PROACTIVE --username=%{mschap:User-Name} 
--password=%{User-Password}:
(2) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(2) ntlm_auth:    --> --username=dirk
(2) ntlm_auth: EXPAND --password=%{User-Password}
(2) ntlm_auth:    --> --password=MyPaSsWord
(2) ntlm_auth: Program returned code (0) and output 'NT_STATUS_OK: 
Success (0x0)'
(2) ntlm_auth: Program executed successfully
(2)     [ntlm_auth] = ok
(2)   } # Auth-Type NTLM_AUTH = ok

But when running:

radtest -t mschap dirk MyPaSsWord localhost 0 testing123

I get:

(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key 
--domain=PROACTIVE --username=%{mschap:User-Name} 
--challenge=%{%{mschap:Challenge}:-00} 
--nt-response=%{%{mschap:NT-Response}:-00}:
(0) mschap: EXPAND --username=%{mschap:User-Name}
(0) mschap:    --> --username=dirk
(0) mschap: mschap1: a2
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=a2ecd01e5bdf0ef6
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    --> 
--nt-response=28c30e8ce6d1a2ecd6877be94a654d6336afa03527aace03
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure 
(0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: Logon failure (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0)     [mschap] = reject

I'm really puzzled here... I had this working on an Ubuntu 12.04 / 
freeradius 2.x setup, but I'm really stuck now.

Any help or hints are highly appreciated. Thank you in advance, kind 
regards,

Dirk
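
An added example, not part of the original post: a small Python check over radiusd debug lines like the ones above. It confirms that the challenge and NT-Response handed to ntlm_auth have the MS-CHAPv1 sizes rather than the `:-00` fallback, and it redacts `--password=`, which the debug output prints in cleartext. The function names and the sample are constructed for illustration.

```python
import re

# Constructed sample: lines taken from the two runs in the post, including
# hard line wraps of the kind a mail client inserts.
SAMPLE = """\
(2) ntlm_auth: EXPAND --password=%{User-Password}
(2) ntlm_auth:    --> --password=MyPaSsWord
(0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(0) mschap:    --> --challenge=a2ecd01e5bdf0ef6
(0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(0) mschap:    -->
--nt-response=28c30e8ce6d1a2ecd6877be94a654d6336afa03527aace03
(0) mschap: ERROR: Program returned code (1) and output 'Logon failure
(0xc000006d)'
"""

# MS-CHAPv1 (RFC 2433): 8-octet challenge, 24-octet NT response, as hex digits.
EXPECTED_HEX_LEN = {"challenge": 16, "nt-response": 48}
SECRET_ARGS = {"password"}  # cleartext in debug output; never echo it back

ARG_RE = re.compile(r"-->\s+--([a-z-]+)=(\S*)")
RC_RE = re.compile(r"Program returned code \((\d+)\) and output '([^']*)'")

def unwrap(text):
    """Re-join wrapped lines: a real debug line starts with '(N) '."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if re.match(r"\(\d+\)\s", line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def check_expansions(text):
    """Return (args, problems, result) for the ntlm_auth calls in the log."""
    args, problems, result = {}, [], None
    for line in unwrap(text):
        m = ARG_RE.search(line)
        if m:
            name, value = m.groups()
            args[name] = "<redacted>" if name in SECRET_ARGS else value
            want = EXPECTED_HEX_LEN.get(name)
            if want and value == "00":
                problems.append(f"{name}: ':-00' fallback used, attribute missing")
            elif want and not re.fullmatch(r"[0-9a-fA-F]{%d}" % want, value):
                problems.append(f"{name}: expected {want} hex digits")
        m = RC_RE.search(line)
        if m:
            result = (int(m.group(1)), m.group(2))
    return args, problems, result
```

On the sample, the problem list is empty and the result is the exit code and status string ntlm_auth returned, so the values reaching ntlm_auth in the failing run are well-formed.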

