Authenticating against Active Directory using winbind

Christoffer Jönsson chrjsn at imap.cc
Fri Sep 14 17:44:47 CEST 2018


We don't use Windows for AD. Every year we install from scratch to 
confirm our installation guides still work.
We still have our AD up and running, compiled from source on Debian 8, 
and FR on CentOS 7, with no troubles.

And now our instructions won't work for some magical reason and we are 
really stuck here.
Should I attach the installation guides?

Thanks!
> Christoffer,
>
> have you recently made modifications to or upgraded your ADs?
>
> Have you disabled NTLMv1 for security reasons?
>
> https://support.microsoft.com/en-us/help/2811487/lt2p-ipsec-ras-vpn-connections-fail-when-using-ms-chapv2
>
> Regards,
> Paolo.
>
>
>> On 14 Sep 2018, at 13:43, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>
>> Thanks for the response! But it's still not working.
>> I'm attaching all of the outputs.
>> I also tried using debian 8, 9 and centos 7 as the AD/DC with same errors.
>>
>> Thanks!
>>>> On 11 Sep 2018, at 16:57, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>>>
>>>> When I first tried to use freeradius on centos it did not work, but the compile-it-yourself tutorial did :).
>>>>
>>>> Also, trying to enable pure winbind from repos results in error: "/etc/raddb/mods-enabled/mschap[10]: 'winbind' auth not enabled at compiled time"
>>>>
>>>> Anyway, I just installed samba + fr from the repos, joined the AD and ran setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged.
>>>>
>>>> Tried both of these:
>>>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=auth.chrjsn.se --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>>>> ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=auth.chrjsn.se --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>>>>
>>>> But they both fail with error:
>>>> (0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
>>>> (0) mschap: External script failed
>>>> (0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
>>>> (0) mschap: ERROR: MS-CHAP2-Response is incorrect
>>>>
>>>> when this works ntlm_auth --username=adtest --domain=auth.chrjsn.se
>>>> Password:
>>>> NT_STATUS_OK: The operation completed successfully. (0x0)
>>>>
>>> Does it also work with
>>> ntlm_auth --request-nt-key --domain=auth.chrjsn.se --username=adtest
>>>
>>>
>>> In mods-enabled/mschap
>>>
>>> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>>>
>>> use_mppe = yes
>>> require_encryption = yes
>>> require_strong = yes
>>> authtype = MS-CHAP
>>> with_ntdomain_hack = yes
>>>
>>> I think you've also tested
>>>
>>> kinit adtest
>>>
>>> and do
>>>
>>> net ads join -U administrator
>>>
>>> and nmb, winbind and smb are all running
>>>
>>> and DNS resolves auth.chrjsn.se
>>>
>>>
>>> Regards,
>>> Paolo.
>>>
>>>
>>>
>>>> So now I'm really confused.
>>>>> Curious to know why you aren't using samba coming with centos...anyway I've just installed for a new deployment a centos 7.5 + samba 4.7 + freeradius 3.0.13 + winbind against AD: it works !
>>>>>
>>>>> The suggested command to set the privileges of the winbindd_privileged directory in the proper way is setfacl
>>>>>
>>>>> setfacl -m u:radiusd:rx /var/lib/samba/winbindd_privileged
>>>>>
>>>>>
>>>>> ...radiusd also needs x.
>>>>>
>>>>> Regards,
>>>>> Paolo.
>>>>>
>>>>>
>>>>>> On 11 Sep 2018, at 15:54, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>>>>>
>>>>>> So I created the radiusd user since there was none created on install and changed the disabled variables to "user = radius group = radius" in radiusd.conf.
>>>>>>
>>>>>> If I did not run "chgrp radiusd /opt/samba4.2/var/locks/winbindd_privileged" freeradius could not connect to winbind.
>>>>>>
>>>>>> But when I did chgrp, I still get the same error.  There was also no winbind group/user created by default and I don't know which config to set the group/user.
>>>>>>
>>>>>> I am running CentOS 7.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>>
>>>>>>> hi,
>>>>>>>
>>>>>>> check the permissions of the winbindd_privileged directory - might have
>>>>>>> been changed when samba patched.  (ideally you add radiusd to the winbind
>>>>>>> group)
>>>>>>>
>>>>>>> alan
>>>>>>>
>>>>>>> On Tue, 11 Sep 2018 at 12:42, Christoffer Jönsson <chrjsn at imap.cc> wrote:
>>>>>>>
>>>>>>>> Hello! I used this guide a year ago to enable 802.1x on my switches and
>>>>>>>> APs and it worked without any problems to authenticate to my Samba4 AD/DC:
>>>>>>>>
>>>>>>>> https://wiki.freeradius.org/guide/Active-Directory-direct-via-winbind.
>>>>>>>>
>>>>>>>> Today I am having trouble getting it to work because it won't accept the
>>>>>>>> password when running this command or connecting from switches:
>>>>>>>>
>>>>>>>> "radtest -t mschap adtest Password1 127.0.0.1 0 testing123". And winbind
>>>>>>>> returns this result:
>>>>>>>>
>>>>>>>> "NTLM CRAP authentication for user [auth.chrjsn.se]\[adtest] returned
>>>>>>>> NT_STATUS_WRONG_PASSWORD".
>>>>>>>>
>>>>>>>> But running this command, it authenticates with this result:
>>>>>>>>
>>>>>>>> ntlm_auth --username=adtest --domain=auth.chrjsn.se
>>>>>>>> Password:
>>>>>>>> NT_STATUS_OK: Success (0x0):
>>>>>>>>
>>>>>>>> "Plain-text authentication for user AUTH.CHRJSN.SE\adtest returned
>>>>>>>> NT_STATUS_OK (PAM: 0)"
>>>>>>>>
>>>>>>>> Radiusd reports that password has expired, when it has not. I have reset
>>>>>>>> the password for adtest and administrator with same results.
>>>>>>>>
>>>>>>>> I don't know if there's any new settings or something and I'm really
>>>>>>>> stuck here.
>>>>>>>>
>>>>>>>> It also doesn't matter which version of samba/freeradius I'm using.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> -
>>>>>>>> List info/subscribe/unsubscribe? See
>>>>>>>> http://www.freeradius.org/list/users.html
>>>>> ------------------------------------------------------------------------------------------------
>>>>> Paolo Barbato
>>>>>
>>>>> Consorzio RFX
>>>>> corso Stati Uniti,4
>>>>> 35127 Padova - Italy                     	
>>>>> Network Administrator
>>>>> phone: +39 049 8295097 fax: +39 049 8700718
>>>>> ------------------------------------------------------------------------------------------------
>>>>>
>>>>>
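As an added example (not code from this thread, from FreeRADIUS or from Samba), the following reconstructs what the `ntlm_auth = "..."` line quoted above expands to for an MS-CHAPv2 request: the `%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}` fallback chain, the `with_ntdomain_hack` stripping of a `DOMAIN\user` prefix, and the RFC 2759 ChallengeHash that `%{mschap:Challenge}` carries. The challenge and NT-Response bytes are constructed sample values, and the helper names and the argv layout are my own; the domain is the one used in the thread.

```python
import hashlib


def xlat_username(user_name, stripped_user_name=None):
    """%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}: first non-empty value wins."""
    return stripped_user_name or user_name or "None"


def ntdomain_hack(user):
    """with_ntdomain_hack = yes: a Windows client sends DOMAIN\\user in User-Name
    but computes its MS-CHAPv2 response over the bare user part only."""
    return user.split("\\", 1)[1] if "\\" in user else user


def mschapv2_challenge(peer_challenge, auth_challenge, user):
    """RFC 2759 ChallengeHash = SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[:8].
    This 8-byte value is what %{mschap:Challenge} expands to for an MS-CHAP2-Response,
    so a wrongly stripped username here yields NT_STATUS_WRONG_PASSWORD from ntlm_auth."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user.encode("utf-8")).digest()
    return digest[:8]


def ntlm_auth_argv(user_name, stripped, peer, auth, nt_response, domain,
                   allow_mschapv2=False):
    """Argument list equivalent to the ntlm_auth line in mods-enabled/mschap
    (hypothetical helper; mirrors the quoted config, not rlm_mschap itself)."""
    user = xlat_username(user_name, stripped)
    challenge = mschapv2_challenge(peer, auth, ntdomain_hack(user))
    argv = ["/usr/bin/ntlm_auth"]
    if allow_mschapv2:
        argv.append("--allow-mschapv2")  # flag tried in the thread (needs a Samba that knows it)
    argv += ["--request-nt-key",
             "--username=" + user,
             "--domain=" + domain,
             "--challenge=" + challenge.hex(),       # %{mschap:Challenge} is hex-encoded
             "--nt-response=" + nt_response.hex()]   # %{mschap:NT-Response} is hex-encoded
    return argv


# Constructed sample values, not captured traffic: two 16-byte challenges and a
# zero-filled 24-byte NT-Response as they would sit in an MS-CHAP2-Response attribute.
PEER_CHALLENGE = bytes(range(1, 17))
AUTH_CHALLENGE = bytes(range(17, 33))
NT_RESPONSE = bytes(24)

if __name__ == "__main__":
    print(" ".join(ntlm_auth_argv("AUTH\\adtest", None, PEER_CHALLENGE,
                                  AUTH_CHALLENGE, NT_RESPONSE, "auth.chrjsn.se")))
```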