Problems with Samba

Jorge Pereira jpereira at freeradius.org
Fri May 28 15:24:05 CEST 2021


Hi Klemen,

Have you tried executing the ntlm_auth command manually? It could help you to see that the problem looks to be in the Samba authentication.

e.g.:

>  /usr/bin/ntlm_auth --allow-mschapv2
> --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --domain=%{%{mschap:NT-Domain}:-THOR}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:

Of course, replace the %{variables} with the proper values.
--
Jorge Pereira
jpereira at freeradius.org




> On 28 May 2021, at 09:44, Klemen forneci <forneci at gmail.com> wrote:
> 
> Hello.
> I hope someone can shine a light on my problem with Freeradius 3 and
> mschap (running on centos7 with samba/winbind)
> So long story short, I notice that every ~5 minutes there is a problem
> with NTLM_AUTH. Even when testing with radtest -t mschap at the same
> time, I get:
> 
> (10)   Auth-Type MS-CHAP {
> (10)     if (Realm == "um.si") {
> (10)     if (Realm == "um.si")  -> TRUE
> (10)     if (Realm == "um.si")  {
> (10) mschap_thor: Client is using MS-CHAPv1 with NT-Password
> (10) mschap_thor: Executing: /usr/bin/ntlm_auth --allow-mschapv2
> --request-nt-key
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> --domain=%{%{mschap:NT-Domain}:-THOR}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}:
> (10) mschap_thor: EXPAND
> --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> (10) mschap_thor:    --> --username=******
> (10) mschap_thor: ERROR: No NT-Domain was found in the User-Name
> (10) mschap_thor: EXPAND --domain=%{%{mschap:NT-Domain}:-THOR}
> (10) mschap_thor:    --> --domain=THOR
> (10) mschap_thor: mschap1: 31
> (10) mschap_thor: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> (10) mschap_thor:    --> --challenge=316c3b72847b74c7
> (10) mschap_thor: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> (10) mschap_thor:    -->
> --nt-response=273c482ad6ee3eeb8c21239368764a42d66c1b6ca8f0e98e
> Child PID 5238 is taking too much time: forcing failure and killing child.
> (10) mschap_thor: ERROR: Failed to read from child output
> (10) mschap_thor: External script failed
> (10) mschap_thor: ERROR: External script says:
> (10) mschap_thor: ERROR: MS-CHAP2-Response is incorrect
> 
> 
> I know this may not be a radius issue, because of the fact that
> in-between the system works as expected and the line: Child PID 5238
> is taking too much time: forcing failure and killing child, but I have
> my hopes up someone can point me in the right direction.
> 
> On the backend there is a Windows AD, multiple DC (tried setting only
> 1 in samba, same issue), the server is domain joined.
> I have multiple servers with the same issue (in the same environment)
> 
> What also puzzles me are the logs:
> Server 1:
> Fri May 28 14:35:27 2021 : ERROR: (59476) mschap_thor: ERROR: Failed
> to read from child output
> Fri May 28 14:35:31 2021 : ERROR: (59508) mschap_loki: ERROR: Failed
> to read from child output
> Fri May 28 14:35:35 2021 : ERROR: (59534) mschap_loki: ERROR: Failed
> to read from child output
> Fri May 28 14:40:03 2021 : ERROR: (60960) mschap_loki: ERROR: Failed
> to read from child output
> Fri May 28 14:40:08 2021 : ERROR: (60993) mschap_loki: ERROR: Failed
> to read from child output
> Fri May 28 14:40:12 2021 : ERROR: (61017) mschap_loki: ERROR: Failed
> to read from child output
> Fri May 28 14:40:14 2021 : ERROR: (61030) mschap_loki: ERROR: Failed
> to read from child output
> Fri May 28 14:40:15 2021 : ERROR: (61040) mschap_loki: ERROR: Failed
> to read from child output
> 
> Server 2:
> Fri May 28 14:38:29 2021 : ERROR: (4) mschap_thor: ERROR: Failed to
> read from child output
> Fri May 28 14:38:44 2021 : ERROR: (5) mschap_thor: ERROR: Failed to
> read from child output
> 
> It's like a blinker. One works, the other doesn't.
> 
> Thank you for any tips.
> Klemen
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
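
As an added example (not part of the original thread or of FreeRADIUS), the Python below groups the "Failed to read from child output" errors from radius.log into bursts and measures the time between burst starts, to check the "every ~5 minutes" pattern described in the quoted message. The log sample is constructed in the format quoted above, and the 60-second burst window and all function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: radius.log lines in the format quoted in the post, unwrapped.
SAMPLE_LOG = """\
Fri May 28 14:35:27 2021 : ERROR: (59476) mschap_thor: ERROR: Failed to read from child output
Fri May 28 14:35:31 2021 : ERROR: (59508) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:35:35 2021 : ERROR: (59534) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:37:02 2021 : Auth: (60001) Login OK: [constructed-user]
Fri May 28 14:40:03 2021 : ERROR: (60960) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:08 2021 : ERROR: (60993) mschap_loki: ERROR: Failed to read from child output
Fri May 28 14:40:15 2021 : ERROR: (61040) mschap_loki: ERROR: Failed to read from child output
"""

# Matches only the ntlm_auth child-timeout error; captures time and module instance.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : ERROR: "
    r"\(\d+\) (?P<module>\w+): ERROR: Failed to read from child output$"
)

def parse_failures(text):
    """Return sorted (timestamp, module) pairs for every child-timeout error."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["module"]))
    return sorted(events)

def burst_report(text, max_gap=timedelta(seconds=60)):
    """Group failures separated by <= max_gap (assumed window) into bursts."""
    bursts = []
    for ts, module in parse_failures(text):
        if not bursts or ts - bursts[-1]["end"] > max_gap:
            prev = bursts[-1]["start"] if bursts else None
            bursts.append({"start": ts, "end": ts, "count": 0, "modules": Counter(),
                           "gap": ts - prev if prev else None})
        burst = bursts[-1]
        burst["end"] = ts
        burst["count"] += 1
        burst["modules"][module] += 1
    return bursts

if __name__ == "__main__":
    for b in burst_report(SAMPLE_LOG):
        print(b["start"].time(), "->", b["end"].time(), f"{b['count']} failures",
              dict(b["modules"]), "gap since previous burst:", b["gap"])
```

Running this over the full radius.log of each server shows whether the gap between bursts is constant, which can then be compared with timestamps in the winbind logs on the same host.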


