AD/Samba and machine account auth...

Marco Gaiarin gaio at sv.lnf.it
Mon Jul 19 17:02:29 CEST 2021


Debian stretch, freeradius 3.0.12+dfsg-5+deb9u1 and samba
2:4.10.18+dfsg-0.1stretch1, using the builtin winbind library.


I've set up freeradius to use PEAP/MSCHAPv2 auth against my AD domain,
using samba as AD DC, following what I suppose is pretty standard info like:

	https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
	https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

All works as expected for users, but I've also tried to enable 'machine
auth' (e.g., authentication of a PC with the machine account stored in
AD), and it does not work.


Following the docs, I've set up in the 'mschap' module:

	winbind_username = "%{%{mschap:User-Name}:-None}"
	winbind_domain = "%{%{mschap:NT-Domain}:-LNFFVG}"

and this way I get in the log (full log available):

 (0) Received Access-Request Id 63 from 10.5.1.180:38380 to 10.5.1.3:1812 length 259
 (0)   User-Name = "host/AFTERSHOCK.ad.fvg.lnf.it"
 (0)   NAS-Identifier = "f29fc27da970"
 (0)   Called-Station-Id = "F2-9F-C2-7D-A9-70:LNFFVG"
 (0)   NAS-Port-Type = Wireless-802.11
 (0)   Service-Type = Framed-User
 (0)   Calling-Station-Id = "00-C2-C6-24-2D-63"
 [...]
 (9) eap: Calling submodule eap_mschapv2 to process data
 (9) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 (9) eap_mschapv2:   authenticate {
 (9) mschap: Creating challenge hash with username: host/AFTERSHOCK.ad.fvg.lnf.it
 (9) mschap: Client is using MS-CHAPv2
 (9) mschap: EXPAND %{%{mschap:User-Name}:-None}
 (9) mschap:    --> AFTERSHOCK$
 (9) mschap: EXPAND %{%{mschap:NT-Domain}:-LNFFVG}
 (9) mschap:    --> ad
 rlm_mschap (mschap): Reserved connection (0)
 (9) mschap: sending authentication request user='AFTERSHOCK$' domain='ad'
 rlm_mschap (mschap): Released connection (0)
 rlm_mschap (mschap): Need 5 more connections to reach 10 spares
 rlm_mschap (mschap): Opening additional connection (5), 1 of 27 pending slots used
 (9) mschap: ERROR: The specified account does not exist. [0xC0000064]
 (9) mschap: ERROR: Password has expired.  User should retry authentication
 (9)     [mschap] = reject
 (9)   } # authenticate = reject
 (9) MSCHAP-Error: ?E=648 R=0 C=6ed38d69682eb836de8e7078f3952b66 V=3 M=Password expired
 (9) Found new challenge from MS-CHAP-Error: err=648 retry=0 challenge=6ed38d69682eb836de8e7078f3952b66
 (9) ERROR: MSCHAP Failure

Clearly, 'ad.fvg.lnf.it' is my Kerberos/'long' domain, while
'LNFFVG' is my NetBIOS 'short' domain.


So, it seems to me that (and only for machine accounts! As stated, users
work as expected!) the mschap{} module 'misinterprets' the domain (it seems to
strip the first dotted part from the long/Kerberos domain and use it as the
short/NetBIOS domain).


I'm not in a multidomain forest, so I've simply fixed it with:

	winbind_username = "%{%{mschap:User-Name}:-None}"
	winbind_domain = "LNFFVG"

And this way machine and user accounts work as expected; but I
think/hope that there's a better fix.


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
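As an added example (mine, not code from the thread or from FreeRADIUS), a small Python check that reproduces the expansion the debug log above shows for a 'host/<fqdn>' User-Name and the static NetBIOS mapping used as the fix, so a winbind_domain setting can be sanity-checked offline before it goes into production. The derivation rules are inferred from the posted log, not from rlm_mschap source, and the realm-to-NetBIOS table is a constructed assumption.

```python
"""Offline check of what winbind will be asked for a given RADIUS User-Name.

Rules below are inferred from the posted debug log (User-Name
"host/AFTERSHOCK.ad.fvg.lnf.it" expanded to user 'AFTERSHOCK$' and
domain 'ad'); they are not taken from rlm_mschap source code.
"""
from typing import NamedTuple, Optional, Tuple

# Constructed assumption: DNS/Kerberos realm -> NetBIOS short name.
REALM_TO_NETBIOS = {"ad.fvg.lnf.it": "LNFFVG"}


class WinbindIdentity(NamedTuple):
    username: str
    domain: str


def split_machine_name(user_name: str) -> Optional[Tuple[str, str]]:
    """Return (host, dns_domain) for a 'host/<fqdn>' User-Name, else None."""
    if not user_name.startswith("host/"):
        return None
    host, _, dns_domain = user_name[len("host/"):].partition(".")
    return host, dns_domain


def observed_expansion(user_name: str, fallback_domain: str) -> WinbindIdentity:
    """What the log shows: machine account '<HOST>$' and, for a dotted host
    name, only the first DNS label ('ad') as NT-Domain, which winbind
    cannot resolve, hence 'The specified account does not exist'."""
    parts = split_machine_name(user_name)
    if parts is None:
        # DOMAIN\\user keeps its prefix; a bare user gets the :-fallback.
        domain, sep, user = user_name.partition("\\")
        return WinbindIdentity(user, domain) if sep else WinbindIdentity(user_name, fallback_domain)
    host, dns_domain = parts
    first_label = dns_domain.split(".")[0] if dns_domain else fallback_domain
    return WinbindIdentity(host + "$", first_label)


def fixed_expansion(user_name: str, fallback_domain: str) -> WinbindIdentity:
    """Map the full realm to its NetBIOS name; unknown realms fall back to
    the static domain, which is what the poster's winbind_domain = "LNFFVG"
    does for every request."""
    ident = observed_expansion(user_name, fallback_domain)
    parts = split_machine_name(user_name)
    if parts is not None:
        _, dns_domain = parts
        ident = ident._replace(domain=REALM_TO_NETBIOS.get(dns_domain.lower(), fallback_domain))
    return ident
```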

