Computer/Machine Authentication almost working..

Alan DeKok aland at deployingradius.com
Mon Apr 3 14:43:21 UTC 2023 

On Apr 3, 2023, at 9:20 AM, Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote:
> I'm nearly there (I think) getting machine auth working via ntlm_auth, but after following the documentation from both FR and the Samba Wiki, ntlm_auth isn't authenticating and giving me an error:
> 
> (7) mschap: ERROR: Program returned code (1) and output 'The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)'

  That almost always means the password entered by the use is wrong.

> ntlm_auth is able to strip out the machine name correctly:
> ...
> wbinfo tells me it's connected OK:
> # wbinfo -t
> checking the trust secret for domain MYDOMAIN via RPC calls succeeded
> # wbinfo -p
> Ping to winbindd succeeded
> 
> The winbindd_privilege directory is correct:
> # ls -ld /var/lib/samba/winbindd_privileged/
> drwxr-x---+ 2 root radiusd 18 Apr  1 21:39 /var/lib/samba/winbindd_privileged/
> 
> Samba's config has this on the member (FR) server and all the DCs:
>         ntlm auth = mschapv2-and-ntlmv2-only

  That's all good.

> I understand ntlm_auth isn't supposed to be used on the CLI, so how can I test any further?

  To add to your list of checks above:

*  run ntlm_auth on the command line, it's fine.  Test it with a password.

  If that works, you know that the password is correct, and the entire "ntlm -> winbind -> AD" chain is working correctly.

*  Also read the top of sites-available/inner-tunnel and test it via radclient, using MS-CHAP.

  radclient will take a clear-text password, and send the MS-CHAP magic to FreeRADIUS.

  This test avoids all of the EAP overhead and setup.  i.e. it avoids any issues related to certificates, supplicant configurations, etc.

  If that test works, then you know that MSCHAP works from a RADIUS client to FreeRADIUS, through to ntlm_auth, etc.  Then if it doesn't work with a "real" supplicant, then you know that the supplicant is sending the wrong password.

  On the other hand, if the "radclient mschap" test fails, then you know that FreeRADIUS isn't configured correctly.

  The entire process really is about narrowing down the problem to exactly the part which is failing.  A methodical approach is the only thing that works.

  Alan DeKok.

More information about the Freeradius-Users mailing list