Debian 9 - Samba 4.5.12 - Freeradius 3.02 ntlm_auth not working

Kacper Wirski kacper.wirski at gmail.com
Wed Jan 31 08:54:17 CET 2018


Hello,

Looking at your smb.conf, you're missing a few parameters. You have to 
enable NTLMv1 in order for ntlm_auth to work correctly. In the Samba 4.5 
release notes you can read:

NTLMv1 authentication disabled by default
-----------------------------------------

In order to improve security we have changed
the default value for the "ntlm auth" option from
"yes" to "no". This may have impact on very old
clients which don't support NTLMv2 yet.

The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.

By default, Samba will only allow NTLMv2 via NTLMSSP now,
as we have the following default "lanman auth = no",
"ntlm auth = no" and "raw NTLMv2 auth = no".



On 31.01.2018 at 00:14, Alan Buxey wrote:
> What is it that you are trying to achieve? You'll be better off using eg
> eapol_test if you are working on having eg an 802.1X wireless
> authentication environment
>
> alan
>
> On 30 Jan 2018 11:06 pm, "Kasandra Padisha via Freeradius-Users" <
> freeradius-users at lists.freeradius.org> wrote:
>
>> Hi
>>
>> I have tried everything possible. I have read every publication available
>> and I am about to give up !!!  I could not make it work:
>>
>> Radius using ntlm_auth to authenticate.
>>
>>
>> Details ..:  a bit long .  apologies :-)
>>
>> ---------------------------------   SAMBA ---------------------------------
>>
>> I have samba 4.5.12 working OK
>>
>> -------------------  smb.conf
>>
>> # Global parameters
>> [global]
>>      netbios name = GALAPA
>>      realm = MINUT.EDU.CO
>>      workgroup = MINUT-EXT
>>      dns forwarder = 192.168.32.1
>>      server role = active directory domain controller
>>      # Authentication without a domain
>>       winbind use default domain = no
>>
>> [netlogon]
>>      path = /var/lib/samba/sysvol/minut.edu.co/scripts
>>      read only = No
>>
>> [sysvol]
>>      path = /var/lib/samba/sysvol
>>      read only = No
>>
>> -------------------
>>
>> All tests of samba working OK
>>
>> -------------------
>>
>> #>> smbclient -L localhost -U%
>>
>> Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>>      Sharename       Type      Comment
>>      ---------       ----      -------
>>      netlogon        Disk
>>      sysvol          Disk
>>      IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
>> Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>>      Server               Comment
>>      ---------            -------
>>      Workgroup            Master
>>      ---------            -------
>>      WORKGROUP            GALAPA
>>
>> -------------------
>>
>> #>> root at galapa:/etc/freeradius/3.0# smbclient //localhost/netlogon -Uskina%'Nio4LasOo' -c 'ls'
>> Domain=[MINUT-EXT] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>>    .                                   D        0  Tue Jan 30 11:11:29 2018
>>    ..                                  D        0  Tue Jan 30 11:11:48 2018
>>
>>          65799648 blocks of size 1024. 61762632 blocks available
>>
>> #>> ntlm_auth --request-nt-key --domain=MINUT-EXT --username=skina --password='Nio4LasOo'
>> NT_STATUS_OK: Success (0x0)
>>
>> #>> wbinfo --ntlmv2 -a 'skina'%'Nio4LasOo'
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> # wbinfo  -a 'skina'%'Nio4LasOo'
>> plaintext password authentication succeeded
>> challenge/response password authentication failed
>> wbcAuthenticateUserEx(MINUT-EXT\skina): error code was
>> NT_STATUS_WRONG_PASSWORD (0xc000006a)
>> error message was: Wrong Password
>> Could not authenticate user skina with challenge/response
>>
>> -------------------
>>
>> ****  This last message is my only clue.
>>
>> ---------------------------------   FREERADIUS
>> ---------------------------------
>>
>> I have installed and configured freeradius following every manual ..
>>
>> First .. the basic configuration .. and working OK
>> http://wiki.freeradius.org/guide/Basic-configuration-HOWTO
>>
>> -------------------
>>
>> #>> radtest  bob hello localhost 0 testing123
>> Sent Access-Request Id 70 from 0.0.0.0:37544 to 127.0.0.1:1812 length 73
>>      User-Name = "bob"
>>      User-Password = "hello"
>>      NAS-IP-Address = 127.0.1.1
>>      NAS-Port = 0
>>      Message-Authenticator = 0x00
>>      Cleartext-Password = "hello"
>> Received Access-Accept Id 70 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>>      Reply-Message = "Hello, bob"
>>
>> -------------------
>>
>> Second .. configure OK freeradius with ntlm_auth and PAP
>> http://wiki.freeradius.org/guide/NTLM%20Auth%20with%20PAP%20HOWTO
>>
>> -------------------
>>
>> #>> radtest  'skina' 'Nio4LasOo' localhost 0 testing123
>> Sent Access-Request Id 14 from 0.0.0.0:34004 to 127.0.0.1:1812 length 75
>>      User-Name = "skina"
>>      User-Password = "Nio4Las2Oo"
>>      NAS-IP-Address = 127.0.1.1
>>      NAS-Port = 0
>>      Message-Authenticator = 0x00
>>      Cleartext-Password = "Nio4LasOo"
>> Received Access-Accept Id 14 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
>>
>> -------------------
>>
>> Third .. tried to configure freeradius ntlm_auth and MSCHAP
>> http://deployingradius.com/documents/configuration/active_directory.html
>>
>> I have already set all the permissions for user freerad on the winbindd_private
>> directory, so that is not the issue.
>>
>> It does not matter what I do .. I always get the same error ..
>>
>> -------------------
>>
>> #>> radtest -t mschap 'skina' 'Nio4LasOo' localhost 0 testing123
>> Sent Access-Request Id 158 from 0.0.0.0:33353 to 127.0.0.1:1812 length 131
>>      User-Name = "skina"
>>      MS-CHAP-Password = "Nio4LasOo"
>>      NAS-IP-Address = 127.0.1.1
>>      NAS-Port = 0
>>      Message-Authenticator = 0x00
>>      Cleartext-Password = "Nio4LasOo"
>>      MS-CHAP-Challenge = 0x59e2a1e585ad94e6
>>      MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000001eacb1bfed243034f718b74d89b6b11b84af50869ab40b06
>> Received Access-Reject Id 158 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
>>      MS-CHAP-Error = "\000E=691 R=1 C=c3f65e6f825239e4 V=2"
>> (0) -: Expected Access-Accept got Access-Reject
>>
>> -------------------
>>
>> And the output of "freeradius -X"
>>
>> -------------------
>>
>> (2) Received Access-Request Id 57 from 127.0.0.1:34102 to 127.0.0.1:1812
>> length 131
>> (2)   User-Name = "skina"
>> (2)   NAS-IP-Address = 127.0.1.1
>> (2)   NAS-Port = 0
>> (2)   Message-Authenticator = 0xe88750a3ffc2bc75b90b872caf81f7e5
>> (2)   MS-CHAP-Challenge = 0x1fa8d5c8e307ea3f
>> (2)   MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000074102cb712031d37dcb5bda4745b7e918794c4168fa1e5f5
>> (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
>> (2)   authorize {
>> (2)     policy ntlm_auth.authorize {
>> (2)       if (!control:Auth-Type && User-Password) {
>> (2)       if (!control:Auth-Type && User-Password)  -> FALSE
>> (2)     } # policy ntlm_auth.authorize = notfound
>> (2)     policy filter_username {
>> (2)       if (&User-Name) {
>> (2)       if (&User-Name)  -> TRUE
>> (2)       if (&User-Name)  {
>> (2)         if (&User-Name =~ / /) {
>> (2)         if (&User-Name =~ / /)  -> FALSE
>> (2)         if (&User-Name =~ /@[^@]*@/ ) {
>> (2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
>> (2)         if (&User-Name =~ /\.\./ ) {
>> (2)         if (&User-Name =~ /\.\./ )  -> FALSE
>> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
>> (2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
>>   -> FALSE
>> (2)         if (&User-Name =~ /\.$/)  {
>> (2)         if (&User-Name =~ /\.$/)   -> FALSE
>> (2)         if (&User-Name =~ /@\./)  {
>> (2)         if (&User-Name =~ /@\./)   -> FALSE
>> (2)       } # if (&User-Name)  = notfound
>> (2)     } # policy filter_username = notfound
>> (2)     [preprocess] = ok
>> (2)     [chap] = noop
>> (2) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
>> (2)     [mschap] = ok
>> (2)     [digest] = noop
>> (2) suffix: Checking for suffix after "@"
>> (2) suffix: No '@' in User-Name = "skina", looking up realm NULL
>> (2) suffix: No such realm "NULL"
>> (2)     [suffix] = noop
>> (2) eap: No EAP-Message, not doing EAP
>> (2)     [eap] = noop
>> (2)     [files] = noop
>> (2)     [sql] = notfound
>> (2)     [expiration] = noop
>> (2)     [logintime] = noop
>> (2)   } # authorize = ok
>> (2) Found Auth-Type = mschap
>> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (2)   authenticate {
>> (2) mschap: Client is using MS-CHAPv1 with NT-Password
>> (2) mschap: Executing: /usr/bin/ntlm_auth --allow-mschapv2 --ntlmv2
>> --request-nt-key --username=%{mschap:User-Name:-None} --domain=MINUT-EXT
>> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
>> (2) mschap: EXPAND --username=%{mschap:User-Name:-None}
>> (2) mschap:    --> --username=skina
>> (2) mschap: mschap1: 1f
>> (2) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
>> (2) mschap:    --> --challenge=1fa8d5c8e307ea3f
>> (2) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
>> (2) mschap:    --> --nt-response=74102cb712031d37dcb5bda4745b7e918794c4168fa1e5f5
>> (2) mschap: ERROR: Program returned code (1) and output 'Logon failure
>> (0xc000006d)'
>> (2) mschap: External script failed
>> (2) mschap: ERROR: External script says: Logon failure (0xc000006d)
>> (2) mschap: ERROR: MS-CHAP2-Response is incorrect
>> (2)     [mschap] = reject
>> (2)   } # authenticate = reject
>> (2) Failed to authenticate the user
>> (2) Using Post-Auth-Type Reject
>> (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
>> (2)   Post-Auth-Type REJECT {
>> (2)     [sql] = ok
>> (2) attr_filter.access_reject: EXPAND %{User-Name}
>> (2) attr_filter.access_reject:    --> skina
>> (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
>> (2)     [attr_filter.access_reject] = updated
>> (2)     [eap] = noop
>> (2)     policy remove_reply_message_if_eap {
>> (2)       if (&reply:EAP-Message && &reply:Reply-Message) {
>> (2)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
>> (2)       else {
>> (2)         [noop] = noop
>> (2)       } # else = noop
>> (2)     } # policy remove_reply_message_if_eap = noop
>> (2)   } # Post-Auth-Type REJECT = updated
>> (2) Delaying response for 1.000000 seconds
>> Waking up in 0.2 seconds.
>> Waking up in 0.7 seconds.
>> (2) Sending delayed response
>> (2) Sent Access-Reject Id 57 from 127.0.0.1:1812 to 127.0.0.1:34102
>> length 61
>> (2)   MS-CHAP-Error = "\000E=691 R=1 C=be58a2cfd7660c37 V=2"
>> Waking up in 3.9 seconds.
>> (2) Cleaning up request packet ID 57 with timestamp +161
>> Ready to process requests
>>
>> -------------------
>>
>> This is the same error when I used wbinfo without --ntlmv2  ... ( might be
>> a clue)
>>
>> In mods_enabled/mschap I have tried many parameters in ntlm_auth command
>> .. including hardcoding a known user ..
>>
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MINUT-EXT --username=skina --password='Nio4LasOo'"
>>
>> It returned NT OK .. but when I added the other two parameters .. I came
>> back to the same error.
>>
>> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>>
>> -----------
>>
>> I was wondering if it is a kind of incompatibility concerning the version
>> of MSCHAP or NTLM ..
>>
>>
>> I appreciate any help you can give me. I have spent four days trying every
>> option, reading every post, .. without success.
>>
>>
>> Kasandra
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


