Can't get FreeRADIUS to work with a Samba DC (MSCHAP)
Oleg Blyahher
oleg.blyahher at bluetest.se
Wed Nov 6 17:15:25 CET 2019
Hi there,
I've solved it.
Adding --allow-mschapv2 to /etc/freeradius/3.0/mods-enabled/mschap got
the job done and now it's all working as it should.
If anyone has the same problem in the future:
ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
All the best
Oleg
On 2019-08-23 13:41, Oleg Blyahher wrote:
> Hi Alan,
>
> Thank you so much for pointing that out.
>
> I guess migrating to a new DC it is...
>
> All the best!
>
> On 2019-08-23 13:22, Alan DeKok wrote:
>> On Aug 23, 2019, at 4:16 AM, Oleg Blyahher via Freeradius-Users
>> <freeradius-users at lists.freeradius.org> wrote:
>>> I understand my issue is not unique. I have a Samba DC running samba
>>> 4.6.7 on Ubuntu 16.04. I'm now trying to set up FreeRADIUS 3
>>> (3.0.16) with SMB 4.7.6 on Ubuntu 18.04 to authenticate against the
>>> Samba DC.
>> That's good.
>>
>>> Running "radtest aduser password localhost:18120 0 testing123" works.
>>>
>>> Running "radtest -t mschap aduser password localhost:18120 0
>>> testing123" does not work. I have added this into the smb.conf on
>>> both servers:
>>>
>>> ntlm auth = yes
>> That's bad.
>>
>>> I have been basically following these tutorials:
>>> * https://blog.svedr.in/posts/freeradius-peapv0+mschapv2-howto/
>> Which looks to be mostly copied from my site.
>>
>> How do you even find those pages? My site has been up for 15
>> years, and is pointed to from pretty much everywhere as the
>> definitive guide.
>>
>>> * http://deployingradius.com/documents/configuration/active_directory.html
>>> * https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>>>
>>> I would also like to add a comment on the fact that I cannot restart
>>> smbd on the DC if I put the following line (nothing in the Samba log
>>> nor syslog):
>>>
>>> ntlm auth = mschapv2-and-ntlmv2-only
>> See the Samba documentation for how their software works.
>>
>>> I have also tried to set up a Microsoft Radius server (join it to
>>> the same domain), but got the same results ("wrong password"), so I
>>> actually suspect there might be something wrong with the Samba DC.
>>> Unfortunately, I couldn't find so much information on how the DC
>>> should be.
>>>
>>> Here's my full debug:
>>> ...
>>> (1) mschap: ERROR: Program returned code (1) and output 'The
>>> attempted logon is invalid. This is either due to a bad username or
>>> authentication information. (0xc000006d)'
>>> (1) mschap: External script failed
>>> (1) mschap: ERROR: External script says: The attempted logon is
>>> invalid. This is either due to a bad username or authentication
>>> information. (0xc000006d)
>>> (1) mschap: ERROR: MS-CHAP2-Response is incorrect
>> That's pretty definitive. The ntlm_auth program is returning an
>> error from Samba. No amount of poking FreeRADIUS will fix the problem.
>>
>> Unfortunately there is very little we can do here. If Samba is
>> refusing to do ntlm, then you have to fix Samba.
>>
>> Alan DeKok.
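A quick way to confirm Alan's point that the failure sits in Samba rather than in FreeRADIUS is to call ntlm_auth directly with the same arguments the mschap module passes, first in plaintext mode and then with the --allow-mschapv2 flag from the fix. The script below is an added example, not from this thread or from the FreeRADIUS or Samba projects; it assumes /usr/bin/ntlm_auth on a host already joined to the domain with winbindd running, and EXAMPLE is a placeholder domain name.

```sh
#!/bin/sh
# Added diagnostic script, not from the thread: runs ntlm_auth the way
# mods-enabled/mschap does and classifies the result, so a 0xc000006d reply
# is recognised as "the DC rejected the logon" before any FreeRADIUS tuning.
# Assumes /usr/bin/ntlm_auth on a domain-joined host with winbindd running.

# classify_ntlm_auth EXIT_STATUS OUTPUT -> prints one of:
#   ok          NT_KEY was returned: Samba accepted the credentials
#   dc-refused  the 0xc000006d logon failure quoted in the thread
#   failure     anything else; print the raw output and read it
classify_ntlm_auth() {
    rc=$1
    out=$2
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q '^NT_KEY: '; then
        echo ok
    elif printf '%s\n' "$out" | grep -qi '0xc000006d'; then
        echo dc-refused
    else
        echo failure
    fi
}

# Step 1: plaintext check, which exercises winbind and the DC without any
# MS-CHAP arithmetic.  check_plaintext DOMAIN USER PASSWORD
check_plaintext() {
    out=$(/usr/bin/ntlm_auth --request-nt-key --domain="$1" \
          --username="$2" --password="$3" 2>&1)
    classify_ntlm_auth "$?" "$out"
}

# Step 2: the call FreeRADIUS makes, including the --allow-mschapv2 flag that
# fixed the thread.  CHALLENGE is the 8-byte challenge and NTRESP the 24-byte
# NT-Response, both hex, as in %{mschap:Challenge} / %{mschap:NT-Response}.
# check_mschapv2 USER CHALLENGE NTRESP
check_mschapv2() {
    out=$(/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key \
          --username="$1" --challenge="$2" --nt-response="$3" 2>&1)
    classify_ntlm_auth "$?" "$out"
}

# Example run (EXAMPLE is a placeholder domain):
#   check_plaintext EXAMPLE aduser 'the-password'
# "dc-refused" already in step 1 means the DC rejects the logon for this
# account; "ok" in step 1 but "dc-refused" in step 2 points at the MS-CHAPv2
# path: the Samba "ntlm auth" setting or a missing --allow-mschapv2.
```

Run step 2 with the Challenge and NT-Response values copied from a FreeRADIUS debug (-X) run so the command matches what the mschap module actually executed.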