On 30/11/2011 16:57, Alan Buxey wrote:
Hi,
Hello friends, I tell them:
When I try to authenticate using mschap I encounter this
error ''NT_STATUS_WRONG_PASSWORD: Wrong Password'', yet when I do the
test using pap it authenticates without problems. I'm trying to authenticate my
freeradius server with an Active Directory server.
Greetings and waiting for your help. William
what happens when you run the ntlm_auth command direct on command line?

what version of SAMBA are you running?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End the injustice, FREEDOM NOW FOR OUR FIVE COMPATRIOTS WHO ARE
UNJUSTLY HELD IN US PRISONS!
http://www.antiterroristas.cu
http://justiciaparaloscinco.wordpress.com
Hi Alan, when I run the ntlm_auth command it gives me an effective response.
*ntlm_auth --request-nt-key --domain=MyDomain --username=USER --password=PASS*
_/NT_STATUS_OK: Success (0x0)/_

_*freeradius -X (DEBUG MODE)*_
rad_recv: Access-Request packet from host 127.0.0.1 port 55866, id=115, length=60
        User-Name = "gwilliam"
        User-Password = "1qazxsw23edc@"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130
[auth_log]      expand: %t -> Wed Nov 30 17:05:41 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> TRUE
? Evaluating (User-Password) -> TRUE
++? if (!control:Auth-Type && User-Password) -> TRUE
++- entering if (!control:Auth-Type && User-Password) {...}
+++[control] returns noop
++- if (!control:Auth-Type && User-Password) returns noop
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam
[ntlm_auth] expand: --password=%{User-Password} -> --password=1qazxsw23edc@
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
[suffix] No '@' in User-Name = "gwilliam", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group ntlm_auth {...}
*[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam
[ntlm_auth] expand: --password=%{User-Password} -> --password=1qazxsw23edc@
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)*
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 115 to 127.0.0.1 port 55866
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 115 with timestamp +34
Ready to process requests.

_*When I do the test using mschap with radtest -t is when the key is erroneous*_
/radtest -t mschap gwilliam 1qazxsw23edc@ localhost 0 testing123/

rad_recv: Access-Request packet from host 127.0.0.1 port 37155, id=130, length=116
        User-Name = "gwilliam"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        MS-CHAP-Challenge = 0xd85c0848bec6df72
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000d6f2f97947a122925fa9019e04b04834cc4857db4a4d359f
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20111130
[auth_log]      expand: %t -> Wed Nov 30 17:07:09 2011
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++? if (!control:Auth-Type && User-Password)
? Evaluating !(control:Auth-Type ) -> FALSE
? Skipping (User-Password)
++? if (!control:Auth-Type && User-Password) -> FALSE
*[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=gwilliam
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec-Program: returned: 1
++[ntlm_auth] returns reject*
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> gwilliam
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 130 to 127.0.0.1 port 37155
Waking up in 4.9 seconds.
Cleaning up request 1 ID 130 with timestamp +122
Ready to process requests.

My Samba version is 3.5.8, my OS is Ubuntu Server version 11.04.
Thanks for your help.
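
As an added example (not part of the original message and not FreeRADIUS code), this Python script parses `freeradius -X` output and reports, per request, any option a module expanded to an empty value because the attribute it references was not in the packet, which is what the second trace above shows for `--password=%{User-Password}`. The sample log is constructed, and `parse_requests` and `findings` are hypothetical helper names.

```python
import re

# Constructed sample shaped like this thread's two requests; all values are made up.
SAMPLE = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 55866, id=115, length=60
        User-Name = "alice"
        User-Password = "example-pass"
[ntlm_auth] expand: --password=%{User-Password} -> --password=example-pass
Exec-Program output: NT_STATUS_OK: Success (0x0)
Sending Access-Accept of id 115 to 127.0.0.1 port 55866
rad_recv: Access-Request packet from host 127.0.0.1 port 37155, id=130, length=116
        User-Name = "alice"
        MS-CHAP-Challenge = 0x0011223344556677
        MS-CHAP-Response = 0x0001aabbccdd
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Sending Access-Reject of id 130 to 127.0.0.1 port 37155
"""

RECV = re.compile(r"^rad_recv: \S+ packet from host \S+ port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z][\w-]*) = ")
EXPAND = re.compile(r"^\*?\[([\w.]+)\]\s+expand: (\S+) -> ?(.*)$")
STATUS = re.compile(r"^Exec-Program output: (NT_STATUS_\w+)")
SENT = re.compile(r"^Sending (Access-\w+) of id \d+")

def parse_requests(text):
    """Split debug output into per-request records; an expansion ending in '=' got no value."""
    reqs = []
    for line in text.splitlines():
        if m := RECV.match(line):
            reqs.append({"id": int(m[1]), "attrs": set(), "empty": [], "status": None, "reply": None})
        elif not reqs:
            continue  # server start-up output before the first packet
        elif m := ATTR.match(line):
            reqs[-1]["attrs"].add(m[1])
        elif m := EXPAND.match(line):
            if m[3].strip().endswith("=") or not m[3].strip():
                reqs[-1]["empty"].append((m[1], m[2]))
        elif m := STATUS.match(line):
            reqs[-1]["status"] = m[1]
        elif m := SENT.match(line):
            reqs[-1]["reply"] = m[1]
    return reqs

def findings(req):
    """Name each attribute a module expanded that the request did not carry."""
    return [f"request {req['id']}: [{mod}] got no value for {attr}; packet had {sorted(req['attrs'])}"
            for mod, tmpl in req["empty"]
            for attr in re.findall(r"%\{([\w-]+)\}", tmpl) if attr not in req["attrs"]]
```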




