ntlm_auth with ms-chap

Alan DeKok aland at deployingradius.com
Fri Aug 31 20:08:28 CEST 2018


> On Aug 31, 2018, at 1:36 PM, J├╝rgen Obermeyer <om at oegym.de> wrote:
> 
> I installed (for the very first time) freeradius on an Ubuntu 18.04 box.
> The version is 3.0.16. I would like to use freeradius to authenticate my
> users against Samba passwords using ntlm_auth. I followed EXACTLY the
> instructions on the website deployingradius.com, beginning from the
> initial setup to the last step, "Configuring FreeRADIUS to use ntlm_auth
> for MS-CHAP". Only this last step fails, and I have no idea why. This is
> an excerpt of the debug output:
> 
> ***
> 
> (2) Found Auth-Type = mschap
> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> (2)   authenticate {
> (2) mschap: Client is using MS-CHAPv1 with NT-Password
> (2) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --domain=%{%{mschap:NT-Domain}:-OEGNET}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (2) mschap: EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (2) mschap:    --> --username=om
> (2) mschap: ERROR: No NT-Domain was found in the User-Name
> (2) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-OEGNET}
> (2) mschap:    --> --domain=OEGNET
> (2) mschap: mschap1: 12
> (2) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (2) mschap:    --> --challenge=12473d849ab42a45
> (2) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (2) mschap:    -->
> --nt-response=7cba13f9a4b65406feb11d25441a189c18b2389b0fe6e922
> (2) mschap: ERROR: Program returned code (1) and output 'The attempted
> logon is invalid. This is either due to a bad username or authentication
> information. (0xc000006d)'

  That error comes from Samba.  FreeRADIUS is just sending the MS-CHAP information over.  And Samba is saying that it's wrong.

> I tried with 'radtest -t mschap ...' getting the following answer:
> 
> ***
> 
> root at hermes:/etc/freeradius.old# radtest -t mschap om topsecret
> localhost 0 testing123
> Sent Access-Request Id 18 from 0.0.0.0:37196 to 127.0.0.1:1812 length 128
> 	User-Name = "om"
> 	MS-CHAP-Password = "topsecret"
> 	NAS-IP-Address = 192.168.6.1
> 	NAS-Port = 0
> 	Message-Authenticator = 0x00
> 	Cleartext-Password = "topsecret"
> 	MS-CHAP-Challenge = 0x6d7f7ccb15612a8a
> 	MS-CHAP-Response =
> 0x0001000000000000000000000000000000000000000000000000db860e0276efb23bc02d3a0f2f5d0977ae73f0b6ea6f3937
> Received Access-Reject Id 18 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
> 	MS-CHAP-Error = "\000E=691 R=1 C=9c9615bf2537c293 V=2"
> (0) -: Expected Access-Accept got Access-Reject

  Well, radclient implements MS-CHAP correctly.  And again, FreeRADIUS is just handing the MS-CHAP data to Samba, and having Samba authenticate it.

  Maybe there's a Samba debug output you could look at to see what it's doing.

  Or, is Samba going to Active Directory?  If so, then maybe Samba hasn't properly joined the Active Directory domain.

  Alan DeKok.




More information about the Freeradius-Users mailing list