problem with radtest and freeradius 3.0.26

Dean Guenther deanrguenther at gmail.com
Mon Jan 29 18:33:14 UTC 2024


Hi Alan,
The "TESTDOMAIN" is the workgroup specification in the Samba smb.conf. And "TESTDOMAIN.COM" is the realm in the smb.conf.

If I use TESTDOMAIN in the mschap file's ntlm_auth specification then run
radtest it fails. And using TESTDOMAIN while running ntlm_auth from the
command line succeeds.

And if I use TESTDOMAIN.COM in the mschap file's ntlm_auth
specification then radtest still fails. And using TESTDOMAIN.COM while
running ntlm_auth from the command line succeeds.

What else should I be looking at? - Dean

On Sun, Jan 28, 2024 at 5:43 AM Alan Buxey <alan.buxey at gmail.com> wrote:

> Hi
>
> Your working command line was TESTDOMAIN but your FreeRADIUS configuration
> has TESTDOMAIN.COM
>
> On Sun, 28 Jan 2024, 01:32 Dean Guenther, <deanrguenther at gmail.com> wrote:
>
> > I'm in the process of replacing my old radiusd 3.0.0 server with a newer
> > version of freeradius 3.0.26.
> >
> > I'm having trouble getting radtest to work properly. My environment is:
> >
> > I have an ubuntu 22.04 container running Samba 4.15.13-Ubuntu which is my
> > DC
> > The domain is TESTDOMAIN.COM (TESTDOMAIN)
> >
> > I have an ubuntu 22.04 client running freeradius 3.0.26
> > It has the Samba 4.15.13-Ubuntu client installed
> > winbind is running on the freeradius server:
> >
> > # ps -ef|grep win
> > root         259       1  0 Jan25 ?        00:00:04 /usr/sbin/winbindd --foreground --no-process-group
> > root         313     259  0 Jan25 ?        00:00:00 winbindd: domain child [RADIUS3-TEST]
> > root         315     259  0 Jan25 ?        00:00:00 winbindd: domain child [TESTDOMAIN]
> > root         327     259  0 Jan25 ?        00:00:00 winbindd: idmap child
> >
> > In mods-available/mschap I have defined:
> >
> >         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}"
> >
> > I can successfully run an ntlm_auth authentication from the freeradius
> > server to the Samba domain:
> >
> > # ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=deang
> > Password: mypassword
> > NT_STATUS_OK: The operation completed successfully. (0x0)
> >
> > However, I'm unable to get radtest to authenticate successfully:
> >
> > # radtest -t mschap deang "mypassword" localhost 0 localsecret
> > Sent Access-Request Id 20 from 0.0.0.0:59459 to 127.0.0.1:1812 length 131
> >     User-Name = "deang"
> >     MS-CHAP-Password = "mypassword"
> >     NAS-IP-Address = 192.168.5.160
> >     NAS-Port = 0
> >     Message-Authenticator = 0x00
> >     Cleartext-Password = "mypassword"
> >     MS-CHAP-Challenge = 0xf550d266d7fbdad0
> >     MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000545a7cd05f7ad1c88fad7aaf36963c6480f007bd04421261
> > Received Access-Reject Id 20 from 127.0.0.1:1812 to 127.0.0.1:59459 length 61
> >     MS-CHAP-Error = "\000E=691 R=1 C=0ca03ab284c45180 V=2"
> > (0) -: Expected Access-Accept got Access-Reject
> >
> > Part of the debug log from freeradius -X shows (full log attached):
> >
> > (0) Found Auth-Type = mschap
> > (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> > (0)   authenticate {
> > (0) mschap: Client is using MS-CHAPv1 with NT-Password
> > (0) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}:
> > (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
> > (0) mschap:    --> --username=deang
> > (0) mschap: mschap1: 70
> > (0) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
> > (0) mschap:    --> --challenge=705afc537b41679b
> > (0) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
> > (0) mschap:    --> --nt-response=1564af7eff18c01a21daaaf03a78f61de5802689cbb65a8b
> > (0) mschap: ERROR: No NT-Domain was found in the User-Name
> > (0) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}
> > (0) mschap:    --> --domain=TESTDOMAIN.COM
> > (0) mschap: ERROR: Program returned code (1) and output 'The attempted
> > logon is invalid. This is either due to a bad username or authentication
> > information. (0xc000006d)'
> > (0) mschap: External script failed
> > (0) mschap: ERROR: External script says: The attempted logon is invalid.
> > This is either due to a bad username or authentication information.
> > (0xc000006d)
> > (0) mschap: ERROR: MS-CHAP2-Response is incorrect
> > (0)     [mschap] = reject
> > (0)   } # authenticate = reject
> > (0) Failed to authenticate the user
> > (0) Using Post-Auth-Type Reject
> > (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
> > (0)   Post-Auth-Type REJECT {
> > (0) attr_filter.access_reject: EXPAND %{User-Name}
> > (0) attr_filter.access_reject:    --> deang
> > (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
> > (0)     [attr_filter.access_reject] = updated
> > (0)     [eap] = noop
> > (0)     policy remove_reply_message_if_eap {
> > (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
> > (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
> > (0)       else {
> > (0)         [noop] = noop
> > (0)       } # else = noop
> > (0)     } # policy remove_reply_message_if_eap = noop
> > (0)   } # Post-Auth-Type REJECT = updated
> > (0) Login incorrect (mschap: No NT-Domain was found in the User-Name):
> > [deang/<via Auth-Type = mschap>] (from client localhost port 0)
> > (0) Delaying response for 1.000000 seconds
> > Waking up in 0.3 seconds.
> > Waking up in 0.6 seconds.
> > (0) Sending delayed response
> > (0) Sent Access-Reject Id 191 from 127.0.0.1:1812 to 127.0.0.1:56941 length 61
> > (0)   MS-CHAP-Error = "\000E=691 R=1 C=970a944ede733eb6 V=2"
> > Waking up in 3.9 seconds.
> > (0) Cleaning up request packet ID 191 with timestamp +4 due to cleanup_delay was reached
> > Ready to process requests
> >
> > I've searched for some explanation why the radtest isn't working but I
> > can't find anything related to this particular test.
> >
> > I am attaching the full log if needed.
> >
> > Any help appreciated.
> >
> > thanks - Dean Guenther
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
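
As an added example (not from this thread and not FreeRADIUS code), the block below is a small Python model of how rlm_mschap expands the ntlm_auth line quoted above for one request, so the --username and --domain that actually reach ntlm_auth can be compared with the working command-line run. It assumes a simplified %{mschap:NT-Domain} that only recognises the DOMAIN\user form of User-Name, and it leaves out --challenge/--nt-response, which come from the packet rather than from configuration.

```python
NTLM_AUTH = ("/usr/bin/ntlm_auth --request-nt-key"
             " --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}"
             " --domain=%{%{mschap:NT-Domain}:-TESTDOMAIN.COM}")

def nt_domain(request):
    """Assumed model of %{mschap:NT-Domain}: the DOMAIN part of DOMAIN\\user;
    None = xlat failed ('No NT-Domain was found in the User-Name' in the log)."""
    name = request.get("User-Name", "")
    return name.split("\\", 1)[0] if "\\" in name else None

def lookup(ref, request):
    """A plain reference is either the mschap xlat or a request attribute."""
    return nt_domain(request) if ref == "mschap:NT-Domain" else request.get(ref)

def split_default(inner):
    """Split 'X:-default' at the top-level ':-', skipping nested %{...}."""
    depth = 0
    for k in range(len(inner)):
        if inner.startswith("%{", k):
            depth += 1
        elif inner[k] == "}":
            depth -= 1
        elif depth == 0 and inner.startswith(":-", k):
            return inner[:k], True, inner[k + 2:]
    return inner, False, ""

def expand(template, request):
    """Expand %{X} / %{X:-default}, nested, innermost first; an absent
    attribute or failed xlat yields its default (or '' when there is none)."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i]); i += 1; continue
        depth, j = 0, i
        while j < len(template):               # locate the matching '}'
            if template.startswith("%{", j):
                depth += 1; j += 2; continue
            if template[j] == "}":
                depth -= 1
                if depth == 0: break
            j += 1
        ref, has_default, default = split_default(template[i + 2:j])
        value = expand(ref, request) if ref.startswith("%{") else lookup(ref, request)
        if not value:                          # '' or None: take the default
            value = expand(default, request) if has_default else ""
        out.append(value); i = j + 1
    return "".join(out)

def ntlm_auth_command(request):
    """The command line rlm_mschap would run for this request (model only)."""
    return expand(NTLM_AUTH, request)
```

With a bare User-Name such as "deang" (constructed to match the radtest run), the model reproduces the debug log's --username=deang and --domain=TESTDOMAIN.COM; with "TESTDOMAIN\deang" the NT-Domain xlat succeeds and the default never applies.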

