Hello everyone,

I’m trying to bring up a fresh instance using 2.2.0, rather than just cloning 
old 1.x configs as has been done in previous upgrades. In building a new Ubuntu 
server, I grabbed the latest available build of Samba (3.6.3); I’ve read that 
at least version 3.5.4 is required to work with Windows Server 2008 R2 AD. 
Compatibility with 2008 R2 is what is driving this upgrade.

Working from the Deploying Radius site, I’ve made good progress. So far, the 
directions have been clear and everything has worked well. I even took the 
opportunity to learn Mercurial along the way… thanks ☺. I also created two 
virtual servers to support different policies for our main campus wireless and 
eduroam. That also seems to be working well, with one SSID pointing to each 
virtual server… slick!

NTLM works:
/usr/bin/ntlm_auth --request-nt-key --domain=COLOSTATE --username=slovaas
password:
NT_STATUS_OK: Success (0x0)
root@freerad13:/etc/freeradius/modules#

Winbind looks OK, though only the challenge/response version of authentication 
succeeds… is that normal?
wbinfo -a slovaas
Enter slovaas's password:
plaintext password authentication failed
Could not authenticate user slovaas with plaintext password
Enter slovaas's password:
challenge/response password authentication succeeded
root@freerad13:/etc/freeradius#

And with a forced default ntlm_auth in the users file, I can authenticate with 
radtest.

But here’s where I’m stuck. When I remove the default ntlm_auth line in the 
users file and put the ntlm_auth line in mschap, I no longer get an Access-Accept.

The debug of the request is pasted below. But I wondered… basic authentication 
is working (with ntlm_auth) but mschap doesn’t get what it wants back (using 
ntlm_auth), which sounds like an issue that was around in earlier versions of 
Samba. Before I go downgrading Samba, though, I was wondering if anyone saw 
anything I missed or had any other suggestions.

Thanks,
Steve

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.08 07:43:48 =~=~=~=~=~=~=~=~=~=~=~=
rad_recv: Access-Request packet from host 127.0.0.1 port 35685, id=59, length=133
User-Name = "slovaas"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x160e7734756ad5899a83bbc504bd937c
MS-CHAP-Challenge = 0x105268b03ae9b2ee
MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
server eid-dot11i {
# Executing section authorize from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group authorize {...}
++- entering policy filter_username_csu {...}
+++? if (User-Name != "%{tolower:%{User-Name}}")
expand: %{User-Name} -> slovaas
expand: %{tolower:%{User-Name}} -> slovaas
? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name =~ / /)
? Evaluating (User-Name =~ / /) -> FALSE
+++? if (User-Name =~ / /) -> FALSE
+++? if (User-Name =~ /@(.+)?@/i )
? Evaluating (User-Name =~ /@(.+)?@/i) -> FALSE
+++? if (User-Name =~ /@(.+)?@/i ) -> FALSE
+++? if (User-Name =~ /\\.\\./ )
? Evaluating (User-Name =~ /\\.\\./) -> FALSE
+++? if (User-Name =~ /\\.\\./ ) -> FALSE
++- policy filter_username_csu returns notfound
++[preprocess] returns ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708
[auth_log] expand: %t -> Mon Jul  8 07:45:04 2013
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "slovaas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group MS-CHAP {...}
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> slovaas
[mschap] expand: %{%{User-Name}:-None} -> slovaas
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=slovaas
[mschap]  mschap1: 10
[mschap] expand: %{mschap:Challenge} -> 105268b03ae9b2ee
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=105268b03ae9b2ee
[mschap] expand: %{mschap:NT-Response} -> 3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] MS-CHAP-Response is incorrect.
++[mschap] returns reject
Failed to authenticate the user.
} # server eid-dot11i
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> slovaas
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 59 to 127.0.0.1 port 35685
MS-CHAP-Error = "\000E=691 R=1"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 59 with timestamp +96
Ready to process requests.
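Added example for this thread (not FreeRADIUS or Samba code): a small Python triage script that pulls the ntlm_auth arguments rlm_mschap expanded and the Exec-Program result out of debug output like the above, checks the challenge and NT-Response hex lengths expected for MS-CHAPv1, and classifies the failure so that a "Reading winbind reply failed" IPC error is not mistaken for a rejected password. The SAMPLE_DEBUG lines are constructed from the debug output quoted in the post.

```python
"""Triage rlm_mschap + ntlm_auth failures from FreeRADIUS 2.x debug output."""
import re

# Constructed from the debug output quoted in the post (abbreviated).
SAMPLE_DEBUG = """\
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=slovaas
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=105268b03ae9b2ee
[mschap] expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
"""

# Only the xlat-expanded ntlm_auth arguments appear as "expand:" lines.
EXPAND_RE = re.compile(r"^\[mschap\] expand: .*? -> (--(?:username|challenge|nt-response)=\S*)$")
EXEC_OUT_RE = re.compile(r"^Exec-Program output: (.*)$")
EXEC_RC_RE = re.compile(r"^Exec-Program: returned: (\d+)$")

# MS-CHAPv1 sizes: 8-byte challenge and 24-byte NT-Response, as hex digits.
EXPECTED_HEX_LEN = {"--challenge": 16, "--nt-response": 48}

def parse_mschap_debug(text):
    """Return {'args': {flag: value}, 'output': str|None, 'rc': int|None}."""
    args, output, rc = {}, None, None
    for line in text.splitlines():
        if (m := EXPAND_RE.match(line)):
            key, _, value = m.group(1).partition("=")
            args[key] = value
        elif (m := EXEC_OUT_RE.match(line)):
            output = m.group(1)
        elif (m := EXEC_RC_RE.match(line)):
            rc = int(m.group(1))
    return {"args": args, "output": output, "rc": rc}

def diagnose(parsed):
    """Classify the ntlm_auth outcome; on success it prints 'NT_KEY: <hex>'."""
    bad = [k for k, n in EXPECTED_HEX_LEN.items()
           if k in parsed["args"] and len(parsed["args"][k]) != n]
    if bad:
        return "malformed-args:" + ",".join(bad)
    out = parsed["output"] or ""
    if parsed["rc"] == 0 and out.startswith("NT_KEY:"):
        return "ok"
    if "winbind" in out.lower():
        return "winbind-reply-failed"  # no usable answer from winbindd; not a DC rejection
    if "0xc000006a" in out.lower() or "0xc000006d" in out.lower():
        return "credentials-rejected"  # NT_STATUS_WRONG_PASSWORD / NT_STATUS_LOGON_FAILURE
    return "unknown-failure"

if __name__ == "__main__":
    parsed = parse_mschap_debug(SAMPLE_DEBUG)
    print("ntlm_auth arguments mschap passed:", parsed["args"])
    print("diagnosis:", diagnose(parsed))
```

Feeding the full `radiusd -X` output to `parse_mschap_debug` gives the exact `--username`, `--challenge` and `--nt-response` values to re-run the configured ntlm_auth line by hand, which separates a winbind/IPC problem from a password rejection by the domain controller.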