That ntlm_auth line should have read:

ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=sambatest --password=Thursday77

which is a test account. The other account and password have been promptly nuked. Sorry 'bout that, folks.

E-

On Fri, Feb 18, 2011 at 6:11 PM, E Rossiter <[email protected]> wrote:
> Trying to use FR to query AD as an authentication oracle and set up per the docs at http://deployingradius.com/documents/configuration/active_directory.html and several others pertaining to setting up Kerberos and winbind.
>
> smb/krb/winbind all run. The usual testing commands all produce the proper output. wbinfo, kinit, klist, net join, etc.
>
> FreeRADIUS Version 2.1.7,
> CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
> Samba Version 3.3.8-0.52.el5_5.2
> KRB5
>
> I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448. Am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.
>
> Upon issuing the command:
>
> ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5
>
> I receive: NT_STATUS_OK: Success (0x0) but I do not see any reference to an NT_KEY:
>
> I believe that's why the radtest command is failing:
>
> radtest sambatest somepass localhost 0 somesecret
> Sending Access-Request of id 225 to 127.0.0.1 port 1812
>         User-Name = "sambatest"
>         User-Password = "somepass"
>         NAS-IP-Address = 64.126.127.208
>         NAS-Port = 0
> rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20
>
> Been reading and researching and testing for 3 weeks, but I'm stuck now.
>
> radius -X output:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
>         User-Name = "sambatest"
>         User-Password = "somepass"
>         NAS-IP-Address = 64.126.127.208
>         NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log]      expand: %t -> Fri Feb 18 17:19:10 2011
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "sambatest", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 17
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = ntlm_auth
> +- entering group authenticate {...}
> [ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
> [ntlm_auth]     expand: --password=%{User-Password} -> --password=somepass
> username must be specified!
> # don't understand this... username is two lines up. If I shut down winbind, a winbind error precedes "username must be specified!". Don't understand why samba is puking a help screen?
>
> Usage: [OPTION...]
>   --helper-protocol=helper protocol to use   operate as a stdio-based helper
>   --username=STRING                          username
>   --domain=STRING                            domain name
>   --workstation=STRING                       workstation
>   --challenge=STRING                         challenge (HEX encoded)
>   --lm-response=STRING                       LM Response to the challenge (HEX encoded)
>   --nt-response=STRING                       NT or NTLMv2 Response to the challenge (HEX encoded)
>   --password=STRING                          User's plaintext password
>   --request-lm-key                           Retrieve LM session key
>   --request-nt-key                           Retrieve User (NT) session key
>   --use-cached-creds                         Use cached credentials if no password is given
>   --diagnostics                              Perform diagnostics on the authentictaion chain
>   --require-membership-of=STRING             Require that a user be a member of this group (either name or SID) for authentication to succeed
>
> Help options:
>   -?, --help                                 Show this help message
>   --usage                                    Display brief usage message
>
> Common samba config:
>   --configfile=CONFIGFILE                    Use alternate configuration file
>
> Common samba options:
>   -V, --version                              Print version
>
> Exec-Program output:
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Failed to authenticate the user.
> Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> sambatest
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 2 for 2 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Waking up in 0.9 seconds.
> Sending delayed reject for request 2
> Sending Access-Reject of id 4 to 127.0.0.1 port 39195
> Waking up in 4.9 seconds.
> Cleaning up request 2 ID 4 with timestamp +349
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61
>         User-Name = "sambatest"
>         User-Password = "somepass"
>         NAS-IP-Address = 64.126.127.208
>         NAS-Port = 0
> +- entering group authorize {...}
> ++[preprocess] returns ok
> [auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
> [auth_log]      expand: %t -> Fri Feb 18 17:32:09 2011
> ++[auth_log] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "sambatest", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 17
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = ntlm_auth
> +- entering group authenticate {...}
> [ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
> [ntlm_auth]     expand: --password=%{User-Password} -> --password=Thursday77
> username must be specified!
>
> Usage: [OPTION...]
>   --helper-protocol=helper protocol to use   operate as a stdio-based helper
>   --username=STRING                          username
>   --domain=STRING                            domain name
>   --workstation=STRING                       workstation
>   --challenge=STRING                         challenge (HEX encoded)
>   --lm-response=STRING                       LM Response to the challenge (HEX encoded)
>   --nt-response=STRING                       NT or NTLMv2 Response to the challenge (HEX encoded)
>   --password=STRING                          User's plaintext password
>   --request-lm-key                           Retrieve LM session key
>   --request-nt-key                           Retrieve User (NT) session key
>   --use-cached-creds                         Use cached credentials if no password is given
>   --diagnostics                              Perform diagnostics on the authentictaion chain
>   --require-membership-of=STRING             Require that a user be a member of this group (either name or SID) for authentication to succeed
>
> Help options:
>   -?, --help                                 Show this help message
>   --usage                                    Display brief usage message
>
> Common samba config:
>   --configfile=CONFIGFILE                    Use alternate configuration file
>
> Common samba options:
>   -V, --version                              Print version
>
> Exec-Program output:
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject
> Failed to authenticate the user.
> Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
> Using Post-Auth-Type Reject
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} -> sambatest
>  attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 3 for 2 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Waking up in 0.9 seconds.
> Sending delayed reject for request 3
> Sending Access-Reject of id 225 to 127.0.0.1 port 57210
> Waking up in 4.9 seconds.
> Cleaning up request 3 ID 225 with timestamp +1128
> Ready to process requests.
>
> /etc/krb.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = ADMIN.CYTEWORKS.LOCAL
> # dns_lookup_realm = false    # all of these entries have been used for testing and are commented out now
> # dns_lookup_kdc = true
> # ticket_lifetime = 24h
> # forwardable = yes
> # default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> # default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> # preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
>
> [realms]
>  ADMIN.CYTEWORKS.LOCAL = {
>   kdc = cyteworks.admin.cyteworks.local
>   admin_server = cyteworks.admin.cyteworks.local
>   default_domain = ADMIN.CYTEWORKS.LOCAL
>  }
>
> [domain_realm]
>  .cyteworks.local = ADMIN.CYTEWORKS.LOCAL
>  cyteworks.local = ADMIN.CYTEWORKS.LOCAL
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>   debug = false
>   ticket_lifetime = 36000
>   renew_lifetime = 36000
>   forwardable = true
>   krb4_convert = false
>  }
>
> /etc/samba/smb.conf
>
> #======================= Global Settings =====================================
>
> [global]
>
>         idmap uid = 200000 - 300000
>         idmap gid = 200000 - 300000
>         workgroup = ADMIN
> ;       netbios name = cyteworks
>
>         realm = ADMIN.CYTEWORKS.LOCAL
>         server string = Samba Server Version %v
>         security = ads
>         local master = no
>         domain master = no
>         preferred master = no
>
>         winbind separator = +
>         winbind uid = 10000-20000
>         winbind gid = 10000-20000
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>
> ;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
>         hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8
>
> # --------------------------- Logging Options -----------------------------
> #
> # Log File let you specify where to put logs and how to split them up.
> #
> # Max Log Size let you specify the max size log files should reach
>
>         # logs split per machine
>         log file = /var/log/samba/log.%m
>         # max 50KB per log file, then rotate
>         max log size = 50
>
> # ----------------------- Domain Members Options ------------------------
>
> ;       password server = *
>
>         security = ads
> ;       passdb backend = tdbsam
>         realm = ADMIN.CYTEWORKS.LOCAL
>
> ;       password server = 10.12.1.40
>
> Everything else is commented out in smb.conf. Don't need any printers, no shares, etc.
>
> /etc/raddb/radius.conf:
>
> # -*- text -*-
> ##
> #
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = /usr/sbin
> logdir = ${localstatedir}/log/radius
> raddbdir = ${sysconfdir}/raddb
> radacctdir = ${logdir}/radacct
>
> name = radiusd
>
> confdir = ${raddbdir}
> run_dir = ${localstatedir}/run/${name}
>
> db_dir = ${raddbdir}
>
> libdir = /usr/lib/freeradius
>
> pidfile = ${run_dir}/${name}.pid
>
> user = radiusd
> group = radiusd
>
> max_request_time = 30
>
> cleanup_delay = 5
>
> max_requests = 1024
>
> listen {
>         type = auth
>         ipaddr = *
>         port = 0
>         clients = per_socket_clients
> }
>
> listen {
>         ipaddr = *
>         port = 0
>         type = acct
>         clients = per_socket_clients
> }
>
> hostname_lookups = no
>
> allow_core_dumps = no
>
> regular_expressions = yes
> extended_expressions = yes
>
> log {
>         destination = files
>         file = ${logdir}/radius.log
>         syslog_facility = daemon
>         stripped_names = yes
>         auth = yes
>         auth_badpass = yes
>         auth_goodpass = yes
> }
>
> checkrad = ${sbindir}/checkrad
>
> security {
>         max_attributes = 200
>         reject_delay = 2
>         status_server = yes
> }
>
> proxy_requests = no
>
> $INCLUDE clients.conf
>
> thread pool {
>         start_servers = 5
>         max_servers = 32
>         min_spare_servers = 3
>         max_spare_servers = 10
>         max_requests_per_server = 0
> }
>
> modules {
>         $INCLUDE ${confdir}/modules/
>         $INCLUDE eap.conf
> }
>
> instantiate {
>         exec
>         expr
>         expiration
>         logintime
> }
>
> $INCLUDE policy.conf
>
> $INCLUDE sites-enabled/
>
> /etc/raddb/clients.conf:
>
> # -*- text -*-
> ##
> ## clients.conf -- client configuration directives
> ##
>
> client localhost {
>         ipaddr = 127.0.0.1
>         secret = somesecret
>         require_message_authenticator = yes
>         shortname = localhost
>         nastype = other     # localhost isn't usually a NAS...
> }
>
> clients per_socket_clients {
>
>         client 127.0.0.1 {
>                 secret = somesecret
>         }
>
>         # Juniper - ESR - 01.24.11
>         client 192.168.20.254 {
>                 secret = somesecret
>                 shortname = juniper
>                 nastype = netscreen
>         }
>
>         # Dell PowerConnect 3448 - ESR - 02.01.11
>         client 10.12.1.11 {
>                 secret = somesecret
>                 shortname = dpc3448
>                 nastype = other
>         }
> }
>
> /etc/raddb/users
>
> # -*- text -*-
> #
> # Copyright (C) 2009 Deploying RADIUS Partnerships
> # All rights reserved.
> #
> # Save this file as "raddb/users", after first backing up
> # the copy that you have there.
> #
> # http://deployingradius.com/documents/configuration/pap.html
> #
> # Window 1: radiusd -X
> # Window 2: radtest bob hello localhost 0 testing123
> #
>
> # ntlm_auth testing ESR 02.17.11
>
> DEFAULT Auth-Type = ntlm_auth
>
> #************************ Juniper conf
> # - ESR - 01.24.11
>
> #some.user Cleartext-Password := "somepass"
> #       NS-Admin-Privilege := 4,
> #       NS-VSYS-Name := "Read-Only-Admin"
>
> #some.user Cleartext-Password := "somepass
> #       NS-Admin-Privilege := 2,
> #       NS-VSYS-Name := "ROOT"
>
> # End of the file
>
> I commented out the PAP entries in the users file because one of the users has the same user.name in AD but a different password, and that was causing me some conflict.
>
> So, can anyone tell me why I'm not getting an NT_KEY reply when I issue the ntlm_auth command?
>
> Is the missing key the reason the radtest command is failing? See any other glaring errors?
>
> Thanks for your time.
>
> E Rossiter
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
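The exec-module call that the radiusd -X output in this thread is tracing, as an added example that is not part of the original message and is not FreeRADIUS or Samba code. It models how rlm_exec splits the `program` line into arguments and expands each `%{...}` on its own (one "expand:" debug line per argument), how the "username must be specified!" exit from ntlm_auth becomes a reject ("Exec-Program: returned: 1" -> "++[ntlm_auth] returns reject"), and the point the poster asks about: in `--password` (plaintext) mode Samba's ntlm_auth prints only the NT_STATUS line, and the NT_KEY line (the NT session key rlm_mschap needs for the MPPE keys) is printed only in `--challenge`/`--nt-response` mode. The ntlm_auth path, the MS-CHAP program line, the simplified `%{mschap:...}` expansions and every ntlm_auth output string are assumptions constructed for the example; the thread does not show the poster's modules/ntlm_auth file.

```python
#!/usr/bin/env python3
"""Preflight and result parsing for an exec-style ntlm_auth module.

Added example (not the poster's, FreeRADIUS's or Samba's code).  It models:
 1. rlm_exec splitting `program = "..."` into argv and expanding the %{...}
    xlats one argument at a time;
 2. ntlm_auth refusing an empty --username ("username must be specified!"
    plus usage text, exit 1), which rlm_exec turns into a reject;
 3. NT_KEY being printed only in challenge/response mode, never in the
    plaintext --password mode the thread's radtest exercises.
All program lines and ntlm_auth outputs below are constructed for the example.
"""
import re
import shlex

XLAT = re.compile(r"%\{([^}]+)\}")
NT_STATUS = re.compile(r"^(NT_STATUS_\w+): .*\((0x[0-9a-fA-F]+)\)")
NT_KEY = re.compile(r"^NT_KEY: ([0-9a-fA-F]{32})\s*$", re.MULTILINE)

# Plaintext shape, as the deployingradius guide uses it (path assumed).
PROGRAM_PLAINTEXT = ("/usr/bin/ntlm_auth --request-nt-key "
                     "--domain=ADMIN.CYTEWORKS.LOCAL "
                     "--username=%{mschap:User-Name} "
                     "--password=%{User-Password}")

# Challenge/response shape, the mode rlm_mschap drives ntlm_auth in (assumed).
PROGRAM_MSCHAP = ("/usr/bin/ntlm_auth --request-nt-key "
                  "--domain=%{mschap:NT-Domain} "
                  "--username=%{mschap:User-Name} "
                  "--challenge=%{mschap:Challenge} "
                  "--nt-response=%{mschap:NT-Response}")

# Constructed ntlm_auth outputs (the NT_KEY value is made up).
OUT_PLAINTEXT_OK = "NT_STATUS_OK: Success (0x0)\n"
OUT_USAGE_ERROR = "username must be specified!\n\nUsage: [OPTION...]\n"
OUT_MSCHAP_OK = ("NT_STATUS_OK: Success (0x0)\n"
                 "NT_KEY: 0123456789ABCDEF0123456789ABCDEF\n")


def expand_xlat(name, attrs):
    """Expand one %{...}; attrs maps attribute names to string values.

    Only the DOMAIN\\user split of rlm_mschap's User-Name/NT-Domain xlats is
    modelled (simplification); the challenge/response xlats are read as
    ready-made hex from attrs under their xlat names (simplification: the
    real module derives them from the MS-CHAP attributes).  Absent
    attributes expand to "", as in FreeRADIUS.
    """
    domain, _, bare = attrs.get("User-Name", "").rpartition("\\")
    if name == "mschap:User-Name":
        return bare
    if name == "mschap:NT-Domain":
        return domain
    return attrs.get(name, "")


def build_argv(program, attrs):
    """Split the program string into argv first, then expand each argument,
    so an expanded value containing spaces stays one argument."""
    return [XLAT.sub(lambda m: expand_xlat(m.group(1), attrs), arg)
            for arg in shlex.split(program)]


def parse_opts(argv):
    """Map --opt=value / --flag from argv[1:] to a dict (flags map to None)."""
    opts = {}
    for arg in argv[1:]:
        key, eq, value = arg.partition("=")
        opts[key] = value if eq else None
    return opts


def preflight(argv):
    """Problems that make the command line unusable from radiusd."""
    opts = parse_opts(argv)
    problems = []
    if not opts.get("--username"):          # ntlm_auth exits 1 on this
        problems.append("username must be specified")
    plaintext = opts.get("--password") is not None
    crap = "--challenge" in opts and "--nt-response" in opts
    if not plaintext and not crap:          # ntlm_auth would prompt on a tty
        problems.append("no --password and no --challenge/--nt-response")
    return problems


def expects_nt_key(argv):
    """True only when ntlm_auth can print NT_KEY: challenge/response mode."""
    opts = parse_opts(argv)
    return ("--request-nt-key" in opts and "--challenge" in opts
            and "--nt-response" in opts)


def interpret(stdout, exit_status):
    """Accept/reject plus parsed NT_STATUS and NT_KEY from an ntlm_auth run.
    Any non-zero exit is a reject, as rlm_exec treats it."""
    status = NT_STATUS.match(stdout)
    key = NT_KEY.search(stdout)
    return {
        "accept": exit_status == 0 and status is not None
                  and status.group(1) == "NT_STATUS_OK",
        "nt_status": status.group(1) if status else None,
        "nt_key": bytes.fromhex(key.group(1)) if key else None,
    }


if __name__ == "__main__":
    req = {"User-Name": "sambatest", "User-Password": "somepass"}
    argv = build_argv(PROGRAM_PLAINTEXT, req)
    print(argv, preflight(argv), "NT_KEY expected:", expects_nt_key(argv))
    print(interpret(OUT_PLAINTEXT_OK, 0))
    print(interpret(OUT_USAGE_ERROR, 1))
    mschap = {"User-Name": "ADMIN\\sambatest",
              "mschap:Challenge": "0011223344556677",
              "mschap:NT-Response": "00" * 24}
    argv = build_argv(PROGRAM_MSCHAP, mschap)
    print(argv, preflight(argv), "NT_KEY expected:", expects_nt_key(argv))
    print(interpret(OUT_MSCHAP_OK, 0))
```

Run it as-is to see both shapes side by side; to check a real `program` line, paste it into PROGRAM_PLAINTEXT and feed `build_argv` the attributes radtest sends. If `preflight` is clean for the plaintext line but radiusd still logs "username must be specified!", the argument never reached ntlm_auth intact, and the thing to compare is the exact `program` string in modules/ntlm_auth against the per-argument "expand:" lines in the debug output.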

