ntlm_auth with ms-chap, me too :-(

Tornóci László torlasz at xenia.sote.hu
Sun Sep 2 22:23:03 CEST 2018


Hi,

recently there was a thread about a seemingly correct ntlm_auth setup 
that didn't work. Unfortunately, I have the same experience. I want to 
set up machine authentication using ntlm_auth against a samba4 AD.

The AD was set up on a Fedora 27 machine using samba 4.7.9 rpms. I used 
this guide: 
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Everything worked as described in the guide.

Freeradius 3.0.13 is on RHEL7 using samba 4.7.1 rpms. I was following 
this guide: 
http://deployingradius.com/documents/configuration/active_directory.html
except for the following:
1. I didn't set password server in smb.conf (samba documents warned 
against that, and the config checker also didn't like it)
2. joining the domain was successful except for the DNS update in AD 
(but I think that's totally irrelevant to ntlm_auth)

All checks were done as suggested in the guide and they were all 
successful until the very last step.
While I got:
ntlm_auth --request-nt-key --domain=EDUROAM-DOM --username=testuser 
--password=Testing123
NT_STATUS_OK: The operation completed successfully. (0x0)

and radtest was also successful using DEFAULT Auth-Type = ntlm_auth, the 
ms-chap test failed:

radtest -t mschap testuser Testing123 localhost 0 testing123
Sent Access-Request Id 11 from 0.0.0.0:52051 to 127.0.0.1:1812 length 134
         User-Name = "testuser"
         MS-CHAP-Password = "Testing123"
         NAS-IP-Address = 193.6.210.36
         NAS-Port = 0
         Message-Authenticator = 0x00
         Cleartext-Password = "Testing123"
         MS-CHAP-Challenge = 0x16329f3a12ce9d71
         MS-CHAP-Response = 
0x000100000000000000000000000000000000000000000000000097234aac0a958f53d2558adb390fa1c548f725f293a8ae6e
Received Access-Reject Id 11 from 127.0.0.1:1812 to 0.0.0.0:0 length 61
         MS-CHAP-Error = "\000E=691 R=1 C=4a991b631c3542b4 V=2"
(0) -: Expected Access-Accept got Access-Reject

I checked the link for the samba bug at the end of the guide, but that 
bug had been fixed a long time ago, it should not be present in the 
samba version I use (and the problem with that was the NT-hash returned, 
not the success of ntlm_auth itself).

Here is the debug log:
(53638) Sun Sep  2 21:18:15 2018: Debug: Received Access-Request Id 11 
from 127.0.0.1:52051 to 127.0.0.1:1812 length 134
(53638) Sun Sep  2 21:18:15 2018: Debug:   User-Name = "testuser"
(53638) Sun Sep  2 21:18:15 2018: Debug:   NAS-IP-Address = 193.6.210.36
(53638) Sun Sep  2 21:18:15 2018: Debug:   NAS-Port = 0
(53638) Sun Sep  2 21:18:15 2018: Debug:   Message-Authenticator = 
0x4ea9ec357718adf6fb51f6edc1b69663
(53638) Sun Sep  2 21:18:15 2018: Debug:   MS-CHAP-Challenge = 
0x16329f3a12ce9d71
(53638) Sun Sep  2 21:18:15 2018: Debug:   MS-CHAP-Response = 
0x000100000000000000000000000000000000000000000000000097234aac0a958f53d2558adb390fa1c548f725f293a8ae6e
(53638) Sun Sep  2 21:18:15 2018: Debug: # Executing section authorize 
from file /etc/raddb/sites-enabled/default
(53638) Sun Sep  2 21:18:15 2018: Debug:   authorize {
(53638) Sun Sep  2 21:18:15 2018: Debug:     [preprocess] = ok
(53638) Sun Sep  2 21:18:15 2018: Debug:     [chap] = noop
(53638) Sun Sep  2 21:18:15 2018: Debug: mschap: Found MS-CHAP 
attributes.  Setting 'Auth-Type  = mschap'
(53638) Sun Sep  2 21:18:15 2018: Debug:     [mschap] = ok
(53638) Sun Sep  2 21:18:15 2018: Debug:     [digest] = noop
(53638) Sun Sep  2 21:18:15 2018: Debug: suffix: Checking for suffix 
after "@"
(53638) Sun Sep  2 21:18:15 2018: Debug: suffix: No '@' in User-Name = 
"testuser", looking up realm NULL
(53638) Sun Sep  2 21:18:15 2018: Debug: suffix: Found realm "NULL"
(53638) Sun Sep  2 21:18:15 2018: Debug: suffix: Adding 
Stripped-User-Name = "testuser"
(53638) Sun Sep  2 21:18:15 2018: Debug: suffix: Adding Realm = "NULL"
(53638) Sun Sep  2 21:18:15 2018: Debug: suffix: Authentication realm is 
LOCAL
(53638) Sun Sep  2 21:18:15 2018: Debug:     [suffix] = ok
(53638) Sun Sep  2 21:18:15 2018: Debug: eap: No EAP-Message, not doing EAP
(53638) Sun Sep  2 21:18:15 2018: Debug:     [eap] = noop
(53638) Sun Sep  2 21:18:15 2018: Debug:     [files] = noop
(53638) Sun Sep  2 21:18:15 2018: Debug: sql: EXPAND 
%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(53638) Sun Sep  2 21:18:15 2018: Debug: sql:    --> testuser
(53638) Sun Sep  2 21:18:15 2018: Debug: sql: SQL-User-Name set to 
'testuser'
(53638) Sun Sep  2 21:18:15 2018: Debug: sql: EXPAND SELECT id, 
username, attribute, value, op FROM radcheck WHERE username = 
'%{SQL-User-Name}' ORDER BY id
(53638) Sun Sep  2 21:18:15 2018: Debug: sql:    --> SELECT id, 
username, attribute, value, op FROM radcheck WHERE username = 'testuser' 
ORDER BY id
(53638) Sun Sep  2 21:18:15 2018: Debug: sql: Executing select query: 
SELECT id, username, attribute, value, op FROM radcheck WHERE username = 
'testuser' ORDER BY id
(53638) Sun Sep  2 21:18:16 2018: Debug: sql: EXPAND SELECT groupname 
FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
(53638) Sun Sep  2 21:18:16 2018: Debug: sql:    --> SELECT groupname 
FROM radusergroup WHERE username = 'testuser' ORDER BY priority
(53638) Sun Sep  2 21:18:16 2018: Debug: sql: Executing select query: 
SELECT groupname FROM radusergroup WHERE username = 'testuser' ORDER BY 
priority
(53638) Sun Sep  2 21:18:16 2018: Debug: sql: User not found in any groups
(53638) Sun Sep  2 21:18:16 2018: Debug:     [sql] = notfound
(53638) Sun Sep  2 21:18:16 2018: Debug: ldap: EXPAND 
(uid=%{%{Stripped-User-Name}:-%{User-Name}})
(53638) Sun Sep  2 21:18:16 2018: Debug: ldap:    --> (uid=testuser)
(53638) Sun Sep  2 21:18:16 2018: Debug: ldap: Performing search in 
"dc=semmelweis-univ,dc=hu" with filter "(uid=testuser)", scope "sub"
(53638) Sun Sep  2 21:18:16 2018: Debug: ldap: Waiting for search result...
(53638) Sun Sep  2 21:18:16 2018: Debug: ldap: Search returned no results
(53638) Sun Sep  2 21:18:16 2018: Debug:     [ldap] = notfound
(53638) Sun Sep  2 21:18:16 2018: Debug:     [expiration] = noop
(53638) Sun Sep  2 21:18:16 2018: Debug:     [logintime] = noop
(53638) Sun Sep  2 21:18:16 2018: WARNING: pap: No "known good" password 
found for the user.  Not setting Auth-Type
(53638) Sun Sep  2 21:18:16 2018: WARNING: pap: Authentication will fail 
unless a "known good" password is available
(53638) Sun Sep  2 21:18:16 2018: Debug:     [pap] = noop
(53638) Sun Sep  2 21:18:16 2018: Debug:   } # authorize = ok
(53638) Sun Sep  2 21:18:16 2018: Debug: Found Auth-Type = MS-CHAP
(53638) Sun Sep  2 21:18:16 2018: Debug: # Executing group from file 
/etc/raddb/sites-enabled/default
(53638) Sun Sep  2 21:18:16 2018: Debug:   Auth-Type MS-CHAP {
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap: Client is using 
MS-CHAPv1 with NT-Password
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap: Executing: 
/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} 
--domain=%{%{mschap:NT-Domain}:-EDUROAM-DOM} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap: EXPAND 
--username=%{mschap:User-Name:-None}
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap:    --> --username=testuser
(53638) Sun Sep  2 21:18:16 2018: ERROR: mschap: No NT-Domain was found 
in the User-Name
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap: EXPAND 
--domain=%{%{mschap:NT-Domain}:-EDUROAM-DOM}
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap:    --> --domain=EDUROAM-DOM
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap: mschap1: 16
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap: EXPAND 
--challenge=%{mschap:Challenge:-00}
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap:    --> 
--challenge=16329f3a12ce9d71
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap: EXPAND 
--nt-response=%{mschap:NT-Response:-00}
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap:    --> 
--nt-response=97234aac0a958f53d2558adb390fa1c548f725f293a8ae6e
(53638) Sun Sep  2 21:18:16 2018: ERROR: mschap: Program returned code 
(1) and output 'The attempted logon is invalid. This is either due to a 
bad username or authentication information. (0xc000006d)'
(53638) Sun Sep  2 21:18:16 2018: Debug: mschap: External script failed
(53638) Sun Sep  2 21:18:16 2018: ERROR: mschap: External script says: 
The attempted logon is invalid. This is either due to a bad username or 
authentication information. (0xc000006d)
(53638) Sun Sep  2 21:18:16 2018: ERROR: mschap: MS-CHAP2-Response is 
incorrect
(53638) Sun Sep  2 21:18:16 2018: Debug:     [mschap] = reject
(53638) Sun Sep  2 21:18:16 2018: Debug:   } # Auth-Type MS-CHAP = reject
(53638) Sun Sep  2 21:18:16 2018: Debug: Failed to authenticate the user

Using ntlm_auth with the challenge and nt-response directly gives me the 
same:
ntlm_auth --request-nt-key --domain=EDUROAM-DOM --username=testuser 
--nt-response=788a7e8e654c2d6758ef489ac0e24d87ebf3cd6f6f7bd8e3 
--challenge=420dc315ee05355a
The attempted logon is invalid. This is either due to a bad username or 
authentication information. (0xc000006d)

no matter if I type that on the freeradius machine or the AD, so I don't 
think it is a problem with joining the domain.

I really don't see what I am doing wrong, but I'd like to solve this 
problem. If any of you successfully implemented ntlm_auth with ms-chap 
in RHEL, please tell me how you did it. Or tell me what linux distro and 
which recent samba version actually worked for you.
I think even a samba3 style domain controller would suffice instead of 
an AD for doing machine auth, is this correct?

I know this is not really a freeradius problem, but I am sure some of 
the list members know a lot more about samba than me, so perhaps you can 
help me out.

Thank you: Laszlo
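The debug log above shows rlm_mschap pulling the NT-Response out of the MS-CHAP-Response attribute and handing it, with the MS-CHAP-Challenge, to ntlm_auth. The following is an added Python example (not FreeRADIUS or Samba code, and not from the post) that reproduces that decoding step so the pairing can be checked offline: the attribute layout follows RFC 2548, the MS-CHAPv2 ChallengeHash follows RFC 2759 section 8.2, and the function names are this example's own. The MS-CHAPv1 sample bytes are the ones from the radtest run above; the MS-CHAPv2 values are constructed.

```python
"""Decode a RADIUS MS-CHAP / MS-CHAP2 Response and build the ntlm_auth argv
the way rlm_mschap does.  Added example, not FreeRADIUS or Samba code."""
import hashlib
import shlex

# Value layout of MS-CHAP-Response (RFC 2548 2.3.2) and MS-CHAP2-Response
# (RFC 2548 2.3.3), both 50 bytes after the RADIUS attribute header:
#   byte 0       Ident
#   byte 1       Flags: v1 -> 1 means "NT-Response is used"; v2 -> reserved 0
#   bytes 2..25  v1 -> LM-Response (24)   v2 -> Peer-Challenge (16) + 8 reserved
#   bytes 26..49 NT-Response (24)
RESPONSE_LEN = 50
NT_RESPONSE = slice(26, 50)


def parse_mschap_response(value: bytes) -> dict:
    """Fields of an MS-CHAPv1 response value."""
    if len(value) != RESPONSE_LEN:
        raise ValueError(f"MS-CHAP-Response must be {RESPONSE_LEN} bytes, got {len(value)}")
    return {"ident": value[0], "flags": value[1],
            "lm_response": value[2:26], "nt_response": value[NT_RESPONSE]}


def parse_mschap2_response(value: bytes) -> dict:
    """Fields of an MS-CHAPv2 response value."""
    if len(value) != RESPONSE_LEN:
        raise ValueError(f"MS-CHAP2-Response must be {RESPONSE_LEN} bytes, got {len(value)}")
    return {"ident": value[0], "flags": value[1],
            "peer_challenge": value[2:18], "nt_response": value[NT_RESPONSE]}


def mschap2_challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2.  In MS-CHAPv2 the NT-Response
    is computed over these 8 bytes, not over the 16-byte MS-CHAP-Challenge, so
    this is what must go into ntlm_auth --challenge."""
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(username.encode("utf-8"))  # user part only, no DOMAIN\ prefix
    return h.digest()[:8]


def split_nt_domain(user_name: str, default_domain: str):
    """%{mschap:NT-Domain}: the part of User-Name before a backslash, else the
    fallback written into the module's exec line (EDUROAM-DOM in the post)."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return default_domain, user_name


def ntlm_auth_argv(user_name: str, mschap_challenge: bytes, response: bytes,
                   version: int, default_domain: str) -> list:
    """Return the argv rlm_mschap would exec for this request."""
    domain, user = split_nt_domain(user_name, default_domain)
    if version == 1:
        if len(mschap_challenge) != 8:
            raise ValueError("MS-CHAPv1 needs an 8-byte MS-CHAP-Challenge")
        fields = parse_mschap_response(response)
        if not fields["flags"] & 1:
            # Only an LM-Response was sent; the LM path is not handled here.
            raise ValueError("MS-CHAPv1 response without NT-Response")
        challenge = mschap_challenge
    elif version == 2:
        if len(mschap_challenge) != 16:
            raise ValueError("MS-CHAPv2 needs a 16-byte MS-CHAP-Challenge")
        fields = parse_mschap2_response(response)
        challenge = mschap2_challenge_hash(fields["peer_challenge"], mschap_challenge, user)
    else:
        raise ValueError(f"unsupported MS-CHAP version {version}")
    return ["ntlm_auth", "--request-nt-key",
            f"--username={user}", f"--domain={domain}",
            f"--challenge={challenge.hex()}",
            f"--nt-response={fields['nt_response'].hex()}"]


if __name__ == "__main__":
    # Values copied from the radtest run in the post above.
    challenge = bytes.fromhex("16329f3a12ce9d71")
    response = bytes.fromhex(
        "0001" + "00" * 24
        + "97234aac0a958f53d2558adb390fa1c548f725f293a8ae6e")
    argv = ntlm_auth_argv("testuser", challenge, response, 1, "EDUROAM-DOM")
    print(" ".join(shlex.quote(a) for a in argv))
```

Run against the posted attribute values, the argv comes out identical to the `--challenge=` and `--nt-response=` expansions in the debug log, so the attribute decoding on the FreeRADIUS side is consistent and the 0xc000006d answer is produced by the winbind/DC side of the exchange. When retyping the command by hand, note that the option is `--nt-response` and that for MS-CHAPv2 the value after `--challenge=` is the 8-byte ChallengeHash, not the 16-byte MS-CHAP-Challenge attribute.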
