Problems with Samba

Klemen forneci forneci at gmail.com
Fri May 28 14:44:59 CEST 2021


Hello.
I hope someone can shine a light on my problem with Freeradius 3 and
mschap (running on centos7 with samba/winbind)
So long story short, I notice that every ~5 minutes there is a problem
with NTLM_AUTH. Even with testing with radtest -t mschap at the same
time, I get:

(10)   Auth-Type MS-CHAP {
(10)     if (Realm == "um.si") {
(10)     if (Realm == "um.si")  -> TRUE
(10)     if (Realm == "um.si")  {
(10) mschap_thor: Client is using MS-CHAPv1 with NT-Password
(10) mschap_thor: Executing: /usr/bin/ntlm_auth --allow-mschapv2
--request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--domain=%{%{mschap:NT-Domain}:-THOR}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}:
(10) mschap_thor: EXPAND
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(10) mschap_thor:    --> --username=******
(10) mschap_thor: ERROR: No NT-Domain was found in the User-Name
(10) mschap_thor: EXPAND --domain=%{%{mschap:NT-Domain}:-THOR}
(10) mschap_thor:    --> --domain=THOR
(10) mschap_thor: mschap1: 31
(10) mschap_thor: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(10) mschap_thor:    --> --challenge=316c3b72847b74c7
(10) mschap_thor: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(10) mschap_thor:    -->
--nt-response=273c482ad6ee3eeb8c21239368764a42d66c1b6ca8f0e98e
Child PID 5238 is taking too much time: forcing failure and killing child.
(10) mschap_thor: ERROR: Failed to read from child output
(10) mschap_thor: External script failed
(10) mschap_thor: ERROR: External script says:
(10) mschap_thor: ERROR: MS-CHAP2-Response is incorrect


I know this may not be a radius issue, because of the fact that
in-between the system works as expected and the line: Child PID 5238
is taking too much time: forcing failure and killing child, but I have
my hopes up someone can point me in the right direction.

On the backend there is a Windows AD, multiple DC (tried setting only
1 in samba, same issue), the server is domain joined.
I have multiple servers with the same issue (in the same environment)

What also puzzles me are the logs:
Server 1:
Fri May 28 14:35:27 2021 : ERROR: (59476) mschap_thor: ERROR: Failed
to read from child output
Fri May 28 14:35:31 2021 : ERROR: (59508) mschap_loki: ERROR: Failed
to read from child output
Fri May 28 14:35:35 2021 : ERROR: (59534) mschap_loki: ERROR: Failed
to read from child output
Fri May 28 14:40:03 2021 : ERROR: (60960) mschap_loki: ERROR: Failed
to read from child output
Fri May 28 14:40:08 2021 : ERROR: (60993) mschap_loki: ERROR: Failed
to read from child output
Fri May 28 14:40:12 2021 : ERROR: (61017) mschap_loki: ERROR: Failed
to read from child output
Fri May 28 14:40:14 2021 : ERROR: (61030) mschap_loki: ERROR: Failed
to read from child output
Fri May 28 14:40:15 2021 : ERROR: (61040) mschap_loki: ERROR: Failed
to read from child output

Server 2:
Fri May 28 14:38:29 2021 : ERROR: (4) mschap_thor: ERROR: Failed to
read from child output
Fri May 28 14:38:44 2021 : ERROR: (5) mschap_thor: ERROR: Failed to
read from child output

It's like a blinker. One works, the other doesn't.

Thank you for any tips.
Klemen
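
Added example, not part of the original post: one way to check the "every ~5 minutes" pattern is to group the "Failed to read from child output" lines into bursts and measure the time between burst starts, per mschap instance. The function names and the 30-second burst gap are assumptions; the sample is the post's Server 1 excerpt.

```python
import re
from datetime import datetime, timedelta

# Server 1 lines from the post, with the e-mail line wrapping undone.
SAMPLE = """\
Fri May 28 14:35:27 2021 : ERROR: (59476) mschap_thor: ERROR: Failed to read from child output
Fri May 28 14:35:31 2021 : ERROR: (59508) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:35:35 2021 : ERROR: (59534) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:03 2021 : ERROR: (60960) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:08 2021 : ERROR: (60993) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:12 2021 : ERROR: (61017) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:14 2021 : ERROR: (61030) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:15 2021 : ERROR: (61040) mschap_loki: ERROR: Failed to read from child output
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : ERROR: "
    r"\(\d+\) (?P<module>\w+): ERROR: Failed to read from child output$")

def parse_failures(text):
    """Return sorted (timestamp, mschap instance) pairs for child-timeout lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # every other log line is ignored
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["module"]))
    return sorted(events)

def bursts(events, max_gap=timedelta(seconds=30)):
    """Split events into bursts; a gap above max_gap (assumed 30 s) starts a new one."""
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= max_gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups

def burst_summary(text):
    """Return (start, failure count, instances hit, seconds since previous burst start)."""
    out, prev = [], None
    for g in bursts(parse_failures(text)):
        start = g[0][0]
        since = None if prev is None else int((start - prev).total_seconds())
        out.append((start, len(g), sorted({m for _, m in g}), since))
        prev = start
    return out
```

Running burst_summary() over the full radius.log of each server and comparing the burst start times shows whether the failures line up with a fixed interval and whether both servers are affected at the same moments.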

