AD/Samba and machine account auth...
Alan DeKok
aland at deployingradius.com
Mon Jul 19 17:16:27 CEST 2021
On Jul 19, 2021, at 11:02 AM, Marco Gaiarin <gaio at sv.lnf.it> wrote:
> Debian stretch, freeradius 3.0.12+dfsg-5+deb9u1 and samba
> 2:4.10.18+dfsg-0.1stretch1, using the builtin winbind library.
Use the updated packages from http://packages.networkradius.com
3.0.12 is many years old.
> I've set up freeradius to use PEAP/MSCHAPv2 auth against my AD domain,
> using samba as AD DC, following (I suppose) pretty standard info like:
>
> https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
That should work.
> All works as expected for users, but I've also tried to enable 'machine
> auth' (e.g. authentication of a PC with the machine account stored in
> AD), and it does not work.
>
> Following the docs, I've set up in the 'mschap' module:
>
> winbind_username = "%{%{mschap:User-Name}:-None}"
> winbind_domain = "%{%{mschap:NT-Domain}:-LNFFVG}"
>
> In this way I get in the log (full log available):
>
> (0) Received Access-Request Id 63 from 10.5.1.180:38380 to 10.5.1.3:1812 length 259
> (0) User-Name = "host/AFTERSHOCK.ad.fvg.lnf.it"
> (0) NAS-Identifier = "f29fc27da970"
> (0) Called-Station-Id = "F2-9F-C2-7D-A9-70:LNFFVG"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) Calling-Station-Id = "00-C2-C6-24-2D-63"
> [...]
> (9) eap: Calling submodule eap_mschapv2 to process data
> (9) eap_mschapv2: # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
> (9) eap_mschapv2: authenticate {
> (9) mschap: Creating challenge hash with username: host/AFTERSHOCK.ad.fvg.lnf.it
> (9) mschap: Client is using MS-CHAPv2
> (9) mschap: EXPAND %{%{mschap:User-Name}:-None}
> (9) mschap: --> AFTERSHOCK$
That seems wrong.
>
> (9) mschap: ERROR: The specified account does not exist. [0xC0000064]
That seems pretty clear.
> So, it seems to me that (and only for machine accounts! As stated, users
> work as expected!) the mschap{} module 'misinterprets' the domain (it seems
> to strip the first dotted part from the long/Kerberos domain and use it as
> the short/NetBIOS domain).
Use 3.0.23. We've fixed a bunch of issues. That may help.
Alan DeKok.
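To make the expansion chain in the posted mschap config easier to trace, here is a small model of it, added by the editor and not taken from rlm_mschap or from anyone in the thread. It assumes what the log and Marco's description imply: `%{mschap:User-Name}` turns `host/NAME.realm` into `NAME$` (the log shows exactly that), `%{mschap:NT-Domain}` takes the first label of the realm for the host/ form (Marco's hypothesis, not confirmed on this page), and `%{%{x}:-default}` substitutes the default only when the inner expansion is empty. The sample User-Names are constructed; the first one is the value from the posted Access-Request.

```python
"""Model of the mschap xlat chain from the thread (editor's example, not
rlm_mschap code).

Every behaviour below is an assumption drawn from the posted log and the
poster's description, so the effect of the configured :-defaults can be
followed on sample User-Names.
"""
from typing import Tuple

# Constructed sample User-Names; the first is the one from the posted log.
SAMPLE_USER_NAMES = [
    "host/AFTERSHOCK.ad.fvg.lnf.it",   # machine account, Kerberos host/ form
    "LNFFVG\\gaio",                    # DOMAIN\user form
    "gaio",                            # bare user name, no domain at all
]


def mschap_user_name(user_name: str) -> str:
    """Model of %{mschap:User-Name}.

    host/NAME.realm -> NAME$ (the posted log shows this expansion),
    DOMAIN\\user    -> user,
    user            -> user.
    """
    if user_name.startswith("host/"):
        host = user_name[len("host/"):].split(".", 1)[0]
        return host + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def mschap_nt_domain(user_name: str) -> str:
    """Model of %{mschap:NT-Domain}, following the poster's observation.

    DOMAIN\\user    -> DOMAIN,
    host/NAME.realm -> first label of the realm (assumed: the
                       "strip the first dotted part" behaviour described),
    user            -> "" (empty, so a :-default will apply).
    """
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    if user_name.startswith("host/"):
        parts = user_name[len("host/"):].split(".")
        return parts[1] if len(parts) > 1 else ""
    return ""


def xlat_default(value: str, default: str) -> str:
    """Model of %{%{inner}:-default}: the default is used only if inner is empty."""
    return value if value else default


def winbind_identity(user_name: str, default_domain: str = "LNFFVG") -> Tuple[str, str]:
    """Apply the two winbind_* expansions from the posted mschap config.

    winbind_username = "%{%{mschap:User-Name}:-None}"
    winbind_domain   = "%{%{mschap:NT-Domain}:-LNFFVG}"
    """
    user = xlat_default(mschap_user_name(user_name), "None")
    domain = xlat_default(mschap_nt_domain(user_name), default_domain)
    return user, domain


def main() -> None:
    for name in SAMPLE_USER_NAMES:
        user, domain = winbind_identity(name)
        print(f"{name:32} -> winbind user {user!r:14} domain {domain!r}")


if __name__ == "__main__":
    main()
```

Under these assumptions the bare user name is the only case where the `:-LNFFVG` fallback ever fires; for the host/ form the domain expansion is non-empty but not the NetBIOS domain, so the fallback is never consulted and winbind is asked for `AFTERSHOCK$` in the wrong domain, which matches the "account does not exist" error. The posted log only shows the User-Name expansion, so the thing to confirm in the debug output is what `%{mschap:NT-Domain}` actually expands to for that request.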