problems getting ntlm_auth working.
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 29 15:00:33 CEST 2019
Hi,
I'm new here, so please be nice if I missed a thing.
I'm having problems getting my ntlm_auth working with freeradius.
My Setup:
Debian Buster
Samba 4.10.7 ( running winbind only )
My winbind auth works fine, server is domain joined.
Squid is also configured on this server which also uses winbind and kerberos for authentication.
SSH uses kerberos authentication, and I'm using NFSv4 kerberized automounted home dirs for the users.
This all works fine.
Now I'm adding freeradius.
So I hope that with a little bit of help, someone can point me to what I did wrong.
I'm following the site http://deployingradius.com
Steps 1-4 are all done and all working.
Only I use my own certificates here.
This is the running samba config:
[global]
# Auth-Only setup with winbind. ( no Shares )
workgroup = NTDOM
security = ADS
realm = MY.REALM.TLD
netbios name = HOSTNAME
preferred master = no
domain master = no
host msdfs = no
dns proxy = yes
interfaces = eth0 lo
bind interfaces only = yes
log level = 1
#Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/private/my.key.pem
tls certfile = /etc/ssl/certs/my.cert.pem
tls cafile = /etc/ssl/certs/my-ca.cert.pem
## map id's outside to domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
#4.6+ ( get primary group from AD )
idmap config NTDOM : unix_nss_info = yes
#4.6+ ( get primary group from unix primary group )
idmap config NTDOM : unix_primary_group = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# We strip the domain (NTDOM\username) to username
winbind use default domain = yes
# use: getent passwd username to check.
# enabled slows down your samba.
winbind enum users = no
winbind enum groups = no
# enable offline logins
# Not on a VPN server.
#winbind offline logon = no
# check depth of nested groups, ! slows down your samba if the group nesting is too deep
# Not needed on the VPN server.
#winbind expand groups = 4
# Added for freeradius
ntlm auth = mschapv2-and-ntlmv2-only
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershares creating
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For ACL support on member servers with shares
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
######## SHARE DEFINITIONS ################
I've proceeded to: http://deployingradius.com/documents/configuration/active_directory.html
I've edited /etc/freeradius/3.0/users and tested it.
radtest user password localhost 0 testing123
This all works with DEFAULT Auth-Type = ntlm_auth enabled.
I'm now at: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Now I remove DEFAULT Auth-Type = ntlm_auth from /etc/freeradius/3.0/users
I edited /etc/freeradius/3.0/mods-available/mschap
as suggested on the site, but that did not work.
I used:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 \
--username=%{mschap:User-Name:-None} \
--domain=%{%{mschap:NT-Domain}:-NTDOM} \
--challenge=%{mschap:Challenge:-00} \
--nt-response=%{mschap:NT-Response:-00}"
Tried with and without the --mschapv2 and/or the --domain=%{%{mschap:NT-Domain}:-NTDOM}.
That did not work when testing with:
radtest -t mschap bob hello localhost 0 testing123
Or with
radtest -t mschap username password localhost 0 testing123
Where this username and password are 10000000000% sure correct. ;-)
I also noticed these:
# winbind_username = "%{mschap:User-Name}"
# winbind_domain = "%{mschap:NT-Domain}"
# and I checked that libwbclient is installed: libwbclient0:amd64 2:4.10.7-0.1~deb10
But that also did not work.
Note,
# An alternative to using ntlm_auth is to connect to the
# winbind daemon directly for authentication. This option
# is likely to be faster and may be useful on busy systems,
# but is less well tested.
This is one I like, but first I need the basic ntlm_auth working.
Or kerberos auth; I have not added the radius/ SPN to the keytab file yet.
When I now run radtest username ... .. this is the output.
What am I doing wrong, or what did I miss?
radtest -t mschap username password localhost 0 testing123
Ready to process requests
(0) Received Access-Request Id 126 from 127.0.0.1:60982 to 127.0.0.1:1812 length 131
(0) User-Name = "username"
(0) NAS-IP-Address = 192.168.xxx.xxx
(0) NAS-Port = 10
(0) Message-Authenticator = 0x18e47fd9598eba89c40254557077f7ff
(0) MS-CHAP-Challenge = 0x08243010dec6eb38
(0) MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000e386418de8527edff1949800324f8f34d4716529e6176b1c
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) mschap: Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
(0) [mschap] = ok
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "username", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = mschap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) mschap: Client is using MS-CHAPv1 with NT-Password
(0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-NTDOM} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(0) mschap: EXPAND --username=%{mschap:User-Name:-None}
(0) mschap: --> --username=username
(0) mschap: ERROR: No NT-Domain was found in the User-Name
(0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-NTDOM}
(0) mschap: --> --domain=NTDOM
(0) mschap: mschap1: 08
(0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(0) mschap: --> --challenge=08243010dec6eb38
(0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(0) mschap: --> --nt-response=e386418de8527edff1949800324f8f34d4716529e6176b1c
(0) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'
(0) mschap: External script failed
(0) mschap: ERROR: External script says: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)
(0) mschap: ERROR: MS-CHAP2-Response is incorrect
(0) [mschap] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) attr_filter.access_reject: EXPAND %{User-Name}
(0) attr_filter.access_reject: --> username
(0) attr_filter.access_reject: Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) [eap] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1.000000 seconds
Waking up in 0.2 seconds.
Waking up in 0.7 seconds.
(0) Sending delayed response
(0) Sent Access-Reject Id 126 from 127.0.0.1:1812 to 127.0.0.1:60982 length 61
(0) MS-CHAP-Error = "\000E=691 R=1 C=0b9be1dfc950ab3e V=2"
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 126 with timestamp +4
Ready to process requests
If anyone has some suggestions on what I did wrong or what I missed, I would be grateful.
I'm lost..
Greetz,
Louis
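Added example, not part of Louis's post and not FreeRADIUS or Samba code: a small Go program that computes the two NT-Response forms the debug output above distinguishes, using the public test vector from RFC 2759 section 9.2 (user "User", password "clientPass"). radiusd logs "Client is using MS-CHAPv1 with NT-Password" for the radtest run: in MS-CHAPv1 (RFC 2433) the server's raw 8-byte MS-CHAP-Challenge is DES-encrypted directly under keys derived from the NT hash, which is the NTLMv1 construction, while MS-CHAPv2 (RFC 2759) first hashes the peer challenge, server challenge and user name into the 8 bytes that get encrypted. Samba's `ntlm auth = mschapv2-and-ntlmv2-only`, as set in the smb.conf above, is documented to accept only NTLMv2 and MS-CHAPv2 responses, so knowing which form a test client sends helps when reading a 0xc000006d result. The NT hash is taken from the RFC vector rather than computed (MD4 is not in Go's standard library; ntlm_auth derives it from the password), and `ParseMSCHAPResponse` splits the RADIUS MS-CHAP-Response attribute from the debug output into its Ident, Flags, LM-Response and NT-Response fields as laid out in RFC 2548.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// desKeyFrom7 expands a 7-byte (56-bit) key into the 8-byte form DES wants:
// seven key bits per byte, low bit set to odd parity (RFC 2759 section 8.6).
func desKeyFrom7(k []byte) []byte {
	key := []byte{
		k[0] & 0xFE,
		(k[0] << 7) | (k[1] >> 1),
		(k[1] << 6) | (k[2] >> 2),
		(k[2] << 5) | (k[3] >> 3),
		(k[3] << 4) | (k[4] >> 4),
		(k[4] << 3) | (k[5] >> 5),
		(k[5] << 2) | (k[6] >> 6),
		k[6] << 1,
	}
	for i := range key {
		key[i] &= 0xFE
		if bits.OnesCount8(key[i])%2 == 0 {
			key[i] |= 1
		}
	}
	return key
}

// challengeResponse is the 24-byte construction shared by MS-CHAPv1 and MS-CHAPv2
// (RFC 2759 section 8.5): the 16-byte NT hash is zero-padded to 21 bytes, cut into
// three 7-byte DES keys, and each key encrypts the same 8-byte challenge.
func challengeResponse(challenge8, ntHash []byte) ([]byte, error) {
	if len(challenge8) != 8 || len(ntHash) != 16 {
		return nil, errors.New("challenge must be 8 bytes and NT hash 16 bytes")
	}
	padded := make([]byte, 21)
	copy(padded, ntHash)
	out := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		block, err := des.NewCipher(desKeyFrom7(padded[i : i+7]))
		if err != nil {
			return nil, err
		}
		enc := make([]byte, 8)
		block.Encrypt(enc, challenge8)
		out = append(out, enc...)
	}
	return out, nil
}

// MSCHAPv1NTResponse (RFC 2433): the raw 8-byte server challenge is the DES plaintext.
func MSCHAPv1NTResponse(serverChallenge, ntHash []byte) ([]byte, error) {
	return challengeResponse(serverChallenge, ntHash)
}

// ChallengeHash (RFC 2759 section 8.2) derives the 8 bytes MS-CHAPv2 encrypts:
// SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].
func ChallengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// MSCHAPv2NTResponse implements GenerateNTResponse from RFC 2759 section 8.1.
func MSCHAPv2NTResponse(authChallenge, peerChallenge []byte, userName string, ntHash []byte) ([]byte, error) {
	return challengeResponse(ChallengeHash(peerChallenge, authChallenge, userName), ntHash)
}

// MSCHAPResponse is the RADIUS MS-CHAP-Response attribute value (RFC 2548 section 2.3.2):
// Ident(1) Flags(1) LM-Response(24) NT-Response(24). Flags=1 means "use the NT-Response".
type MSCHAPResponse struct {
	Ident, Flags           byte
	LMResponse, NTResponse []byte
}

func ParseMSCHAPResponse(attr []byte) (MSCHAPResponse, error) {
	if len(attr) != 50 {
		return MSCHAPResponse{}, fmt.Errorf("MS-CHAP-Response must be 50 bytes, got %d", len(attr))
	}
	return MSCHAPResponse{Ident: attr[0], Flags: attr[1], LMResponse: attr[2:26], NTResponse: attr[26:50]}, nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 2759 section 9.2 vector; the NT hash is MD4(UTF-16LE("clientPass")) taken as given.
	ntHash := mustHex("44EBBA8D5312B8D611474411F56989AE")
	authChallenge := mustHex("5B5D7C7D7B3F2F3E3C2C602132262628")
	peerChallenge := mustHex("21402324255E262A28295F2B3A337C7E")
	v2, _ := MSCHAPv2NTResponse(authChallenge, peerChallenge, "User", ntHash)
	fmt.Printf("MS-CHAPv2 NT-Response: %X\n", v2)
	// MS-CHAPv1 encrypts whatever 8 bytes it is handed; feeding it the RFC's derived
	// challenge as a stand-in server challenge reproduces the same 24 bytes.
	v1, _ := MSCHAPv1NTResponse(mustHex("D02E4386BCE91226"), ntHash)
	fmt.Printf("MS-CHAPv1 NT-Response: %X (same DES step: %v)\n", v1, bytes.Equal(v1, v2))
	// The MS-CHAP-Response attribute from the debug output in the post, split into fields.
	r, err := ParseMSCHAPResponse(mustHex("0001000000000000000000000000000000000000000000000000e386418de8527edff1949800324f8f34d4716529e6176b1c"))
	if err != nil {
		fmt.Println("parse:", err)
		return
	}
	fmt.Printf("Ident=%d Flags=%d LM=%X NT=%X\n", r.Ident, r.Flags, r.LMResponse, r.NTResponse)
}
```

The only difference between the two functions is the 8 bytes that reach DES: `MSCHAPv1NTResponse` uses the server's challenge unchanged, `MSCHAPv2NTResponse` uses the SHA1-derived `ChallengeHash`, which is what lets a backend accept one and refuse the other.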