ntlm_auth and MSCHAP issues
L.P.H. van Belle
belle at bazuin.nl
Thu Feb 20 09:33:40 CET 2020
If you followed it exactly it should work.
Which samba version is used?
Did you set this on the AD DC and on the member (the proxy)?: ntlm auth = mschapv2-and-ntlmv2-only
Run also: adduser proxy winbindd_priv
And if you have AppArmor enabled, you need to adjust that a bit as well.
Syslog tells you what.
Greetz,
Louis
> -----Original message-----
> From: Freeradius-Users [mailto:freeradius-users-bounces+belle=bazuin.nl at lists.freeradius.org] On behalf of Adam McPartlan
> Sent: Wednesday, 19 February 2020 17:57
> To: freeradius-users at lists.freeradius.org
> Subject: ntlm_auth and MSCHAP issues
>
> Howdy,
>
> I am experiencing problems with an existing working install of
> FreeRADIUS to get it to use AD to part authenticate users.
>
> Following the instructions found here:
> http://deployingradius.com/documents/configuration/active_directory.html
>
>
> I can successfully get FreeRADIUS to authenticate using ntlm_auth.
>
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mcpartlana
> [ntlm_auth] expand: --password=%{User-Password} -> --password=redactedpassword
> Exec output: NT_STATUS_OK: Success (0x0)
> Exec plaintext: NT_STATUS_OK: Success (0x0)
>
> However, making the switch to MSCHAP as per the instructions, I get the
> following outcome:
>
> radtest -t mschap mcpartlana redactedpassword localhost 0 redactedsecret
>
> Sending Access-Request of id 8 to 127.0.0.1 port 1812
> User-Name = "mcpartlana"
> NAS-IP-Address = 192.168.172.45
> NAS-Port = 0
> Message-Authenticator = 0x00000000000000000000000000000000
> MS-CHAP-Challenge = 0x58b0f84e08b68e46
> MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c5adb769615849f47a081cbb22c73c45
> rad_recv: Access-Request packet from host 127.0.0.1 port 48263, id=8, length=136
> User-Name = "mcpartlana"
> NAS-IP-Address = 192.168.172.45
> NAS-Port = 0
> Message-Authenticator = 0x0651b559ed7f1e615e14b10e56fed797
> MS-CHAP-Challenge = 0x58b0f84e08b68e46
> MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c5adb769615849f47a081cbb22c73c45
>
> # Executing group from file /etc/freeradius/sites-enabled/default
> +group authenticate {
> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=mcpartlana
> [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
> [ntlm_auth] Exec: program returned: 1
> ++[ntlm_auth] = reject
>
> Sending Access-Reject of id 8 to 127.0.0.1 port 48263
> Waking up in 4.9 seconds.
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=8, length=20
>
>
>
> To me this looks like the password is not being sent to the AD server -
> hence the "WRONG_PASSWORD" message - it could just be hidden, which is
> OK. I can only presume I have messed something up in my configuration.
>
> Many thanks
>
> Adam
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
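The rejected exchange quoted above, taken apart in Python. This is an added example, not code from either poster and not part of FreeRADIUS or Samba. It parses the Access-Request attributes exactly as radtest printed them (MS-CHAP-Response re-joined onto one line), splits the MS-CHAP-Response into its RFC 2548 fields, and contrasts the command line an exec-style ntlm_auth module builds from %{User-Password} with the one the mschap module's ntlm_auth setting builds from the challenge and NT-Response. The argv lists and the domain name EXAMPLE are assumptions modelled on the ntlm_auth flags the deployingradius instructions use; only MS-CHAPv1 (8-byte challenge, as in the capture) is handled.

```python
"""Added example (not code from the original thread, FreeRADIUS or Samba):
show why an exec-style ntlm_auth module that expands %{User-Password} cannot
succeed for an MS-CHAP Access-Request, and what the mschap module passes
instead. The argv forms below are assumptions modelled on the ntlm_auth flags
used in the deployingradius instructions; MS-CHAPv1 only."""
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed input: the Access-Request attributes as printed by radtest in the
# original post, with the MS-CHAP-Response hex re-joined onto a single line.
CAPTURED_REQUEST = """
User-Name = "mcpartlana"
NAS-IP-Address = 192.168.172.45
NAS-Port = 0
Message-Authenticator = 0x0651b559ed7f1e615e14b10e56fed797
MS-CHAP-Challenge = 0x58b0f84e08b68e46
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003c312cfc3724df41c5adb769615849f47a081cbb22c73c45
"""

FLAG_USE_NT_RESPONSE = 0x01  # RFC 2433 section 3: bit 0 set => NT-Response field is valid


@dataclass
class MSChapResponse:
    ident: int
    flags: int
    lm_response: bytes
    nt_response: bytes


def parse_attributes(dump: str) -> Dict[str, Union[str, bytes]]:
    """Turn radtest's 'Name = value' lines into a dict; 0x... values become bytes."""
    attrs: Dict[str, Union[str, bytes]] = {}
    for line in dump.strip().splitlines():
        name, _, value = line.partition(" = ")
        value = value.strip()
        attrs[name.strip()] = bytes.fromhex(value[2:]) if value.startswith("0x") else value.strip('"')
    return attrs


def parse_mschap_response(raw: bytes) -> MSChapResponse:
    """RFC 2548 section 2.1.3 layout: Ident(1) Flags(1) LM-Response(24) NT-Response(24)."""
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP-Response must be 50 bytes, got {len(raw)}")
    return MSChapResponse(raw[0], raw[1], raw[2:26], raw[26:50])


def exec_module_argv(attrs, domain: str) -> List[str]:
    """Command line an exec-style module builds from %{User-Password}. An MS-CHAP
    request carries no User-Password attribute, so the last argument is an empty
    '--password=' and AD answers NT_STATUS_WRONG_PASSWORD (assumed argv form)."""
    password = attrs.get("User-Password", "")
    return ["ntlm_auth", "--request-nt-key", f"--domain={domain}",
            f"--username={attrs['User-Name']}", f"--password={password}"]


def mschap_module_argv(attrs, domain: str) -> List[str]:
    """Command line the mschap module's ntlm_auth setting builds (assumed form):
    the 8-byte challenge and the 24-byte NT-Response go to winbind, which checks
    them against the NT hash held by AD; the cleartext password is never needed."""
    resp = parse_mschap_response(attrs["MS-CHAP-Response"])
    if not resp.flags & FLAG_USE_NT_RESPONSE:
        # Edge case: a client that sent only the LM response cannot be verified
        # this way; ntlm_auth needs the NT response.
        raise ValueError("MS-CHAP-Response carries no NT-Response (flags=0x%02x)" % resp.flags)
    challenge = attrs["MS-CHAP-Challenge"]
    if len(challenge) != 8:
        raise ValueError(f"MS-CHAPv1 challenge must be 8 bytes, got {len(challenge)}")
    return ["ntlm_auth", "--request-nt-key", f"--domain={domain}",
            f"--username={attrs['User-Name']}",
            f"--challenge={challenge.hex()}",
            f"--nt-response={resp.nt_response.hex()}"]


if __name__ == "__main__":
    request = parse_attributes(CAPTURED_REQUEST)
    fields = parse_mschap_response(request["MS-CHAP-Response"])
    print("User-Password present:", "User-Password" in request)
    print("ident=%d flags=0x%02x lm=%s nt=%s" % (fields.ident, fields.flags,
          fields.lm_response.hex(), fields.nt_response.hex()))
    print("exec module  :", " ".join(exec_module_argv(request, "EXAMPLE")))
    print("mschap module:", " ".join(mschap_module_argv(request, "EXAMPLE")))
```

Running it against the capture shows the 24-byte LM field is all zeros and the flags byte is 0x01, so the NT-Response is the only thing AD can check; that is exactly what the mschap module hands to ntlm_auth, and what the exec module never sees.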