Problem with ntlm_auth between freeradius 3.0 and Samba 4 AD

Benjamin DUPALUT benjamin.dupalut at esiee.fr
Wed Jul 4 10:29:38 CEST 2018


Hi,

Thank you for your answer.

Now I got another issue:

#radtest user at esiee.fr password localhost 0 testing123

#freeradius -X

(0) Received Access-Request Id 174 from 127.0.0.1:58869 to 127.0.0.1:1812 length 87
(0)   User-Name = "user at esiee.fr"
(0)   User-Password = "password"
(0)   NAS-IP-Address = 127.0.1.1
(0)   NAS-Port = 0
(0)   Message-Authenticator = 0xf6bf2c5fbe1b23a895a81494fbfbd709
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/eduroam
(0)   authorize {
(0)     if (!(User-Name =~ /@/)){
(0)     if (!(User-Name =~ /@/)) -> FALSE
(0)     if (User-Name =~ /@$/){
(0)     if (User-Name =~ /@$/) -> FALSE
(0)     if (User-Name =~ /@.+?@/){
(0)     if (User-Name =~ /@.+?@/) -> FALSE
(0)     if (User-Name =~ /@.+?[^[:alnum:]\\.-]/){
(0)     if (User-Name =~ /@.+?[^[:alnum:]\\.-]/) -> FALSE
(0)     if (User-Name =~ /@[\\.-]/){
(0)     if (User-Name =~ /@[\\.-]/) -> FALSE
(0)     if (User-Name =~ /@.+?[\\.-]$/){
(0)     if (User-Name =~ /@.+?[\\.-]$/) -> FALSE
(0)     if (User-Name =~ /@[^\\.]+$/){
(0)     if (User-Name =~ /@[^\\.]+$/) -> FALSE
(0)     if (User-Name =~ /@.+?\\.\\./){
(0)     if (User-Name =~ /@.+?\\.\\./) -> FALSE
(0)     if (User-Name =~ /@myabc\\.com$/i){
(0)     if (User-Name =~ /@myabc\\.com$/i) -> FALSE
(0)     if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i){
(0)     if (User-Name =~ /@wlan\\.[[:alnum:]]+\\.[[:alnum:]]+\\.3gppnetwork\\.org$/i) -> FALSE
(0)     if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(0)     if (User-Name =~ /@gmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(0)     if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(0)     if (User-Name =~ /@yahoo\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(0)     if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i){
(0)     if (User-Name =~ /@hotmail\\.co(m|\\.[[:alnum:]][[:alnum:]])$/i) -> FALSE
(0)     if (User-Name =~ /@\\.?ac\\.uk$/i){
(0)     if (User-Name =~ /@\\.?ac\\.uk$/i) -> FALSE
(0)     if (User-Name =~ /@.+?\\.ax\\.uk$/i){
(0)     if (User-Name =~ /@.+?\\.ax\\.uk$/i) -> FALSE
(0)     [preprocess] = ok
(0) auth_log: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log:    --> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20180704
(0) auth_log: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20180704
(0) auth_log: EXPAND %t
(0) auth_log:    --> Wed Jul  4 10:19:14 2018
(0)     [auth_log] = ok
(0)     policy operator-name.authorize {
(0)       if ("%{client:Operator-Name}") {
(0)       EXPAND %{client:Operator-Name}
(0)          -->
(0)       if ("%{client:Operator-Name}")  -> FALSE
(0)     } # policy operator-name.authorize = ok
(0)     policy cui.authorize {
(0)       if ("%{client:add_cui}" == 'yes') {
(0)       EXPAND %{client:add_cui}
(0)          -->
(0)       if ("%{client:add_cui}" == 'yes')  -> FALSE
(0)     } # policy cui.authorize = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "esiee.fr" for User-Name = "user at esiee.fr"
(0) suffix: Found realm "esiee.fr"
(0) suffix: Adding Stripped-User-Name = "user"
(0) suffix: Adding Realm = "esiee.fr"
(0) suffix: Authentication realm is LOCAL
(0)     [suffix] = ok
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 1
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = ntlm_auth
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
(0)   authenticate {
*(0) ntlm_auth: Executing: /usr/bin/ntlm_auth --request-nt-key --domain=lan.esiee.fr --username=%{mschap:User-Name} --password=%{User-Password}:
(0) ntlm_auth: EXPAND --username=%{mschap:User-Name}
(0) ntlm_auth:    --> --username=user at esiee.fr
(0) ntlm_auth: EXPAND --password=%{User-Password}
(0) ntlm_auth:    --> --password=password
(0) ntlm_auth: ERROR: Program returned code (1) and output 'NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)'
(0)     [ntlm_auth] = reject*
(0)   } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/eduroam
(0)   Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject:    --> user at esiee.fr
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0)     [attr_filter.access_reject] = updated
(0)     [eap] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 174 from 127.0.0.1:1812 to 127.0.0.1:58869 length 20
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 174 with timestamp +6

The lines in bold show that it tries to authenticate via ntlm_auth by
sending "user at esiee.fr" instead of "user". I tried to use the "strip" option
in the "esiee.fr" realm of proxy.conf but I still got the same error
message:

realm esiee.fr {
        strip
}

Thanks in advance for your suggestions.

Regards,

*Benjamin Dupalut*
System and network administrator
Service des Moyens Informatiques Généraux (SMIG)
ESIEE Paris
2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex
T : +33 1 45 92 66 17
benjamin.dupalut at esiee.fr
www.esiee.fr / www.cci-paris-idf.fr
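As an added illustration of what the debug output above shows (my own Python model, not FreeRADIUS code and not something from the post), the script below mimics the suffix module splitting user@realm into Stripped-User-Name and Realm, then expands the ntlm_auth program line the way the exec module would. The %{mschap:User-Name} xlat only removes a DOMAIN\ prefix, so it still hands user@esiee.fr to ntlm_auth even after the realm has been stripped; the second program line, which prefers Stripped-User-Name with a fallback, is an assumed alternative of mine, and the realm table, the mschap_user_name model and the tiny xlat expander are simplifications, not the real engine. The attribute values are taken from the debug output (the list archive prints the name as "user at esiee.fr").

```python
import shlex

# Constructed request attributes taken from the debug output in the post.
REQUEST = {"User-Name": "user@esiee.fr", "User-Password": "password"}

# Constructed stand-in for the realm in proxy.conf; a realm with no auth
# host is LOCAL, and "strip" (the default) controls Stripped-User-Name.
REALMS = {"esiee.fr": {"strip": True}}

# Program line exactly as logged in the post ...
PROGRAM_AS_LOGGED = (
    "/usr/bin/ntlm_auth --request-nt-key --domain=lan.esiee.fr "
    "--username=%{mschap:User-Name} --password=%{User-Password}"
)
# ... and an assumed alternative preferring Stripped-User-Name when set.
PROGRAM_STRIPPED = (
    "/usr/bin/ntlm_auth --request-nt-key --domain=lan.esiee.fr "
    "--username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} "
    "--password=%{User-Password}"
)


def suffix_module(request, realms):
    """Simplified model of rlm_realm ("suffix"): split User-Name at the last
    '@'; for a known realm add Realm and, if strip is on, Stripped-User-Name."""
    name = request["User-Name"]
    if "@" not in name:
        return "noop"
    user, realm = name.rsplit("@", 1)
    cfg = realms.get(realm)
    if cfg is None:
        return "noop"
    request["Realm"] = realm
    if cfg.get("strip", True):
        request["Stripped-User-Name"] = user
    return "ok"


def mschap_user_name(name):
    """Simplified model of %{mschap:User-Name}: drops a 'DOMAIN\\' prefix and
    maps 'host/NAME.domain' to 'NAME$'; an '@realm' suffix is left in place."""
    if name.startswith("host/"):
        return name[5:].split(".", 1)[0] + "$"
    return name.split("\\", 1)[-1]


def _match_brace(s, open_idx):
    """Index of the '}' matching the '{' at open_idx."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{...} in " + s)


def _expand_body(body, request):
    # %{%{A}:-%{B}}: A if it expands to something non-empty, else B.
    if body.startswith("%{"):
        j = _match_brace(body, 1)
        primary = xlat(body[: j + 1], request)
        rest = body[j + 1 :]
        if rest.startswith(":-"):
            return primary if primary else xlat(rest[2:], request)
        return primary + xlat(rest, request)
    if body == "mschap:User-Name":
        return mschap_user_name(request.get("User-Name", ""))
    return request.get(body, "")  # plain %{Attribute}


def xlat(template, request):
    """Minimal expander for the %{...} forms above (not the real engine)."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _match_brace(template, i + 1)
            out.append(_expand_body(template[i + 2 : j], request))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def username_sent(program, request):
    """Expand the program line and return the --username= value ntlm_auth
    would receive (nothing is executed here)."""
    for arg in shlex.split(xlat(program, request)):
        if arg.startswith("--username="):
            return arg[len("--username=") :]
    return None


def demo(realms=REALMS):
    req = dict(REQUEST)
    suffix_module(req, realms)
    return {
        "stripped": req.get("Stripped-User-Name"),
        "as_logged": username_sent(PROGRAM_AS_LOGGED, req),
        "with_stripped": username_sent(PROGRAM_STRIPPED, req),
    }
```

Running demo() gives stripped "user", as_logged "user@esiee.fr" and with_stripped "user": the realm strip only populates Stripped-User-Name, so any expansion that reads User-Name still carries the realm, which matches the "--username=user at esiee.fr" line in the debug output. Calling demo({"esiee.fr": {"strip": False}}) shows the fallback path, where both program lines send the full name.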


On Tue, Jul 3, 2018 at 18:34, Alan DeKok <aland at deployingradius.com> wrote:

>
> > On Jul 3, 2018, at 11:49 AM, Benjamin DUPALUT <benjamin.dupalut at esiee.fr>
> wrote:
> >
> > First of all, sorry for my english if there is some mistakes.
>
>   It's fine.
>
> > I'm trying to set up an authentication between a freeradius 3.0 server
> and
> > a Samba 4 AD using ntlm_auth.
> >
> > I apply the configuration from
> > deployingradius.com/documents/configuration/active_directory.html
>
>   See the section titled "Configuring FreeRADIUS to use ntlm_auth"
>
> > but i got
> > an error when testing with the "radtest -t mschap  user passwd
> 127.0.0.1 0
> > testing123" command.
> >
> > Here is the issue of the freeradius -X debug :
> >
> > (11) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> NT-Password
> > (11) mschap: WARNING: No Cleartext-Password configured.  Cannot create
> LM-Password
> >
> > (11) mschap: Client is using MS-CHAPv1 with NT-Password
> > (11) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform
> > authentication
> > (11) mschap: ERROR: MS-CHAP2-Response is incorrect
>
>   It's still trying to use Cleartext-Password.  You need to configure it
> to use ntlm_auth.
>
>   Alan DeKok.
>
