Authenticating against Active Directory using winbind

Paolo Barbato paolo.barbato at igi.cnr.it
Fri Sep 14 16:21:58 CEST 2018


Christoffer,

Have you recently made modifications to or upgraded your ADs?

Have you disabled NTLMv1 for security reasons?

https://support.microsoft.com/en-us/help/2811487/lt2p-ipsec-ras-vpn-connections-fail-when-using-ms-chapv2

Regards,
Paolo.


> On 14 Sep 2018, at 13:43, Christoffer Jönsson <chrjsn at imap.cc> wrote:
> 
> Thanks for the response! But it's still not working.
> I'm attaching all of the outputs.
> I also tried using Debian 8, 9 and CentOS 7 as the AD/DC, with the same errors.
> 
> Thanks!
>> 
>>> On 11 Sep 2018, at 16:57, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>> 
>>> When I first tried to use FreeRADIUS on CentOS it did not work, but the compile-it-yourself tutorial did :).
>>> 
>>> Also, trying to enable pure winbind from the repos results in the error: "/etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time"
>>> 
>>> Anyway, I just installed samba + fr from the repos, joined the AD and ran setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged.
>>> 
>>> Tried both of these:
>>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=auth.chrjsn.se --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>>> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=auth.chrjsn.se --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>>> 
>>> But they both fail with error:
>>> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
>>> (0) mschap: External script failed
>>> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>>> 
>>> when this works ntlm_auth --username=adtest --domain=auth.chrjsn.se
>>> Password:
>>> NT_STATUS_OK: The operation completed successfully. (0x0)
>>> 
>> Does it also work with
>> ntlm_auth --request-nt-key --domain=auth.chrjsn.se --username=adtest
>> 
>> 
>> In mods-enabled/mschap
>> 
>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>> 
>> use_mppe = yes
>> require_encryption = yes
>> require_strong = yes
>> authtype = MS-CHAP
>> with_ntdomain_hack = yes
>> 
>> I think you've also tested
>> 
>> kinit adtest
>> 
>> and do
>> 
>> net ads join -U administrator
>> 
>> and nmb, winbind and smb are all running
>> 
>> and DNS resolves auth.chrjsn.se
>> 
>> 
>> Regards,
>> Paolo.
>> 
>> 
>> 
>>> So now I'm really confused.
>>>> Curious to know why you aren't using the Samba that comes with CentOS... anyway, I've just installed for a new deployment CentOS 7.5 + Samba 4.7 + FreeRADIUS 3.0.13 + winbind against AD: it works!
>>>> 
>>>> The suggested command to set the privileges of the winbindd_privileged directory properly is setfacl:
>>>> 
>>>> setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged
>>>> 
>>>> 
>>>> ...radiusd also needs x.
>>>> 
>>>> Regards,
>>>> Paolo.
>>>> 
>>>> 
>>>>> On 11 Sep 2018, at 15:54, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>>>> 
>>>>> So I created the radiusd user since there was none created on install and changed the disabled variables to "user = radius group = radius" in radiusd.conf.
>>>>> 
>>>>> If I did not run "chgrp radiusd /opt/samba4.2/var/locks/winbindd_privileged" freeradius could not connect to winbind.
>>>>> 
>>>>> But when I did chgrp, I still get the same error. There was also no winbind group/user created by default and I don't know in which config to set the group/user.
>>>>> 
>>>>> I am running CentOS 7.
>>>>> 
>>>>> Thanks!
>>>>> 
>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> Check the permissions of the winbindd_privileged directory - they might have
>>>>>> been changed when Samba was patched. (Ideally you add radiusd to the winbind
>>>>>> group.)
>>>>>> 
>>>>>> alan
>>>>>> 
>>>>>> On Tue, 11 Sep 2018 at 12:42, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>>>>> 
>>>>>>> Hello! I used this guide a year ago to enable 802.1x on my switches and
>>>>>>> APs and it worked without any problems to authenticate to my Samba4 AD/DC:
>>>>>>> 
>>>>>>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind.
>>>>>>> 
>>>>>>> Today I am having trouble getting it to work because it won't accept the
>>>>>>> password when running this command or connecting from switches:
>>>>>>> 
>>>>>>> "radtest -t mschap adtest Password1 127.0.0.1 0 testing123". And winbind
>>>>>>> returns this result:
>>>>>>> 
>>>>>>> "NTLM CRAP authentication for user [auth.chrjsn.se]\[adtest] returned
>>>>>>> NT_STATUS_WRONG_PASSWORD".
>>>>>>> 
>>>>>>> But running this command, it authenticates with this result:
>>>>>>> 
>>>>>>> ntlm_auth --username=adtest --domain=auth.chrjsn.se
>>>>>>> Password:
>>>>>>> NT_STATUS_OK: Success (0x0):
>>>>>>> 
>>>>>>> "Plain-text authentication for user AUTH.CHRJSN.SE\adtest returned
>>>>>>> NT_STATUS_OK (PAM: 0)"
>>>>>>> 
>>>>>>> Radiusd reports that the password has expired, when it has not. I have reset
>>>>>>> the password for adtest and administrator with the same results.
>>>>>>> 
>>>>>>> I don't know if there's any new settings or something and I'm really
>>>>>>> stuck here.
>>>>>>> 
>>>>>>> It also doesn't matter which version of samba/freeradius I'm using.
>>>>>>> 
>>>>>>> Thanks!
>>>>>>> 
>>>>>>> -
>>>>>>> List info/subscribe/unsubscribe? See
>>>>>>> http://www.freeradius.org/list/users.html
> 

------------------------------------------------------------------------------------------------
Paolo Barbato

Consorzio RFX <https://www.igi.cnr.it/>
corso Stati Uniti, 4
35127 Padova - Italy
Network Administrator
phone: +39 049 8295097 fax: +39 049 8700718
------------------------------------------------------------------------------------------------
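Paolo's checklist in the thread (the ACL on winbindd_privileged, the Samba daemons, DNS for the domain, and the bare ntlm_auth --request-nt-key call) gathered into one pre-flight script. This is an added example and not code from the thread or from FreeRADIUS/Samba; it assumes the thread's winbindd_privileged path and "radiusd" user, and AD_DOMAIN is a placeholder you must set.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the FreeRADIUS
# + winbind setup discussed above. Assumes Samba's default privileged-pipe
# directory and that FreeRADIUS runs as "radiusd" (both as in the thread).
WB_PRIV_DIR="${WB_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"
RADIUS_USER="${RADIUS_USER:-radiusd}"
AD_DOMAIN="${AD_DOMAIN:-example.test}"   # placeholder; set to your AD DNS domain

# acl_grants_rx USER ACLTEXT: return 0 if getfacl-style ACLTEXT gives USER
# effective read+execute (named entry ANDed with the mask, as the kernel does).
# "setfacl -m u:radiusd:rx" adds such an entry; a later chmod can shrink the
# mask and silently take the rights away again, which this check catches.
acl_grants_rx() {
    user="$1"; acl="$2"
    perm=$(printf '%s\n' "$acl" | awk -F: -v u="$user" '$1=="user" && $2==u {print $3; exit}')
    mask=$(printf '%s\n' "$acl" | awk -F: '$1=="mask" && $2=="" {print $3; exit}')
    [ -n "$perm" ] || return 1
    [ -n "$mask" ] || mask="rwx"
    [ "$(printf '%s' "$perm" | cut -c1)" = r ] && [ "$(printf '%s' "$mask" | cut -c1)" = r ] &&
    [ "$(printf '%s' "$perm" | cut -c3)" = x ] && [ "$(printf '%s' "$mask" | cut -c3)" = x ]
}

# ntlm_auth_verdict OUTPUT: classify ntlm_auth output as it appears in the thread.
# 0xc000006d is NT_STATUS_LOGON_FAILURE: wrong credentials, or (the thread's
# suspicion) a DC that no longer accepts NTLMv1 on the challenge/response path
# while the plain-text ntlm_auth test still succeeds.
ntlm_auth_verdict() {
    case "$1" in
        *NT_STATUS_OK*) echo ok ;;
        *0xc000006d*|*NT_STATUS_LOGON_FAILURE*|*NT_STATUS_WRONG_PASSWORD*) echo logon-failure ;;
        *) echo unknown ;;
    esac
}

# preflight [USER]: run the checks against the live host (needs the Samba tools).
preflight() {
    acl_grants_rx "$RADIUS_USER" "$(getfacl "$WB_PRIV_DIR" 2>/dev/null)" \
        && echo "ok: $RADIUS_USER has rx on $WB_PRIV_DIR" \
        || echo "FAIL: run: setfacl -m u:$RADIUS_USER:rx $WB_PRIV_DIR"
    for d in winbindd smbd nmbd; do
        pgrep -x "$d" >/dev/null && echo "ok: $d running" || echo "FAIL: $d not running"
    done
    getent hosts "$AD_DOMAIN" >/dev/null && echo "ok: $AD_DOMAIN resolves" || echo "FAIL: DNS for $AD_DOMAIN"
    # Same call FreeRADIUS makes, minus challenge/response; prompts for a password.
    out=$(ntlm_auth --request-nt-key --domain="$AD_DOMAIN" --username="${1:-adtest}" 2>&1)
    echo "ntlm_auth: $(ntlm_auth_verdict "$out")"
}

if [ "${1:-}" = "run" ]; then preflight "${2:-adtest}"; fi
```

Run it as `sh preflight.sh run adtest` on the RADIUS host; the two parsing functions can also be sourced and exercised on saved getfacl/ntlm_auth output.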
