Can't get FreeRADIUS to work with a Samba DC (MSCHAP)
aland at deployingradius.com
Fri Aug 23 13:22:19 CEST 2019
On Aug 23, 2019, at 4:16 AM, Oleg Blyahher via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I understand my issue is not unique. I have a Samba DC running samba 4.6.7 on Ubuntu 16.04. I'm now trying to set up FreeRADIUS 3 (3.0.16) with SMB 4.7.6 on Ubuntu 18.04 to authenticate against the Samba DC.
> Running "radtest aduser password localhost:18120 0 testing123" works.
> Running "radtest -t mschap aduser password localhost:18120 0 testing123" does not work. I have added this into the smb.conf on both servers:
> ntlm auth = yes
> I have been basically following these tutorials:
> * https://blog.svedr.in/posts/freeradius-peapv0+mschapv2-howto/
Which looks to be mostly copied from my site.
How do you even find those pages? My site has been up for 15 years, and is pointed to from pretty much everywhere as the definitive guide.
> * http://deployingradius.com/documents/configuration/active_directory.html
> * https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
> I would also like to add a comment on the fact that I cannot restart smbd on the DC if I put the following line (nothing in the Samba log nor syslog):
> ntlm auth = mschapv2-and-ntlmv2-only
See the Samba documentation for how their software works.
> I have also tried to set up a Microsoft Radius server (join it to the same domain), but got the same results ("wrong password"), so I actually suspect there might be something wrong with the Samba DC. Unfortunately, I couldn't find so much information on how the DC should be.
> Here's my full debug:
> (1) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
> (1) mschap: External script failed
> (1) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
> (1) mschap: ERROR: MS-CHAP2-Response is incorrect
That's pretty definitive. The ntlm_auth program is returning an error from Samba. No amount of poking FreeRADIUS will fix the problem.
Unfortunately there is very little we can do here. If Samba is refusing to do ntlm, then you have to fix Samba.
More information about the Freeradius-Users