Hi Stephen,
It would be more interesting to compare user authenticated ntlm_auth from the
command line versus Radius ntlm_auth for the same user.
What FreeRadius does is nothing fancier than forking an ntlm_auth process and
passing it the arguments you defined in raddb/modules/mschap.
It checks the return code and then considers 0 to mean success and anything
else to be failure.
Try this and see if it helps:
Replace this line in your mschap configuration
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --ntresponse=%{mschap:NT-Response:-00}"
With this:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
See how it goes and post the output of radiusd -d raddb -X.
Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 *125 :: +1 (866) 353-6153
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
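To take the FreeRADIUS variable out of the picture, the following Python helper builds and runs exactly the ntlm_auth call that rlm_mschap makes (fork the binary with the expanded arguments, treat exit status 0 as success and anything else as failure) and prints the same call as a shell line you can paste. This is example code added to this thread, not code from FreeRADIUS, Samba or PacketFence. It assumes the binary path /usr/bin/ntlm_auth from the mschap config quoted below and the argument names of the corrected line above (--request-nt-key, --username, --challenge, --nt-response); the machine-account values in the demo are the ones Stephen posted.

```python
"""Call ntlm_auth the way rlm_mschap does and judge the result the same way.

Added example for this thread (not FreeRADIUS, Samba or PacketFence code).
Assumptions: ntlm_auth lives at /usr/bin/ntlm_auth, as in the quoted mschap
config, and the argument names are those of the corrected ntlm_auth line
(--request-nt-key, --username, --challenge, --nt-response).
"""
import re
import shlex
import subprocess

NTLM_AUTH = "/usr/bin/ntlm_auth"

# ntlm_auth ends its status line with the NTSTATUS in parentheses, e.g.
# "NT_STATUS_OK: Success (0x0)" or "Logon failure (0xc000006d)".
STATUS_RE = re.compile(r"\((0x[0-9a-fA-F]+)\)")


def build_ntlm_auth_argv(username, challenge, nt_response):
    """argv equivalent to
         ntlm_auth --request-nt-key --username=%{mschap:User-Name}
                   --challenge=%{%{mschap:Challenge}:-00}
                   --nt-response=%{%{mschap:NT-Response}:-00}
    after FreeRADIUS has expanded the attributes.  %{...:-00} means "use 00
    when the attribute is absent"; the same fallback is applied here."""
    return [
        NTLM_AUTH,
        "--request-nt-key",
        "--username=" + username,
        "--challenge=" + (challenge or "00"),
        "--nt-response=" + (nt_response or "00"),
    ]


def classify(returncode, output):
    """rlm_mschap looks only at the exit status: 0 is success, anything else
    is failure.  The NTSTATUS code is extracted purely as a hint for the human."""
    m = STATUS_RE.search(output)
    return {
        "ok": returncode == 0,
        "returncode": returncode,
        "ntstatus": m.group(1).lower() if m else None,
        "output": output.strip(),
    }


def run_ntlm_auth(username, challenge, nt_response, binary=NTLM_AUTH):
    """Fork ntlm_auth with the argv rlm_mschap would use and classify the result."""
    argv = build_ntlm_auth_argv(username, challenge, nt_response)
    argv[0] = binary
    proc = subprocess.run(argv, capture_output=True, text=True)
    return classify(proc.returncode, proc.stdout + proc.stderr)


def shell_command(username, challenge, nt_response):
    """The same call as a copy-pasteable shell line.  shlex.quote protects the
    trailing '$' of a machine account such as LT-T430-3$ from shell expansion
    (Stephen typed it as LT-T430-3\\$ for the same reason)."""
    return " ".join(shlex.quote(a)
                    for a in build_ntlm_auth_argv(username, challenge, nt_response))


if __name__ == "__main__":
    # Values from the failing machine-account attempt posted in this thread.
    user, chal, resp = ("LT-T430-3$", "4ab096b446376d5f",
                        "4df85dd62db46ee5bef1aa07fe499e87fc16eca72bd529e7")
    print(shell_command(user, chal, resp))
    try:
        print(run_ntlm_auth(user, chal, resp))
    except FileNotFoundError:
        print("ntlm_auth is not installed here; run this on the PacketFence server")
```

Run it once with the user account's challenge and NT-Response taken from radiusd -X output and once with the machine account's; if the exit status differs between the two while the same call with a typed password succeeds, the difference is in what the 802.1X client sends, not in how FreeRADIUS calls ntlm_auth.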
On 2014-08-13, at 14:31, "Stormont, Stephen (IMS)" <[email protected]> wrote:
> Yes, the users and computers are all in the same domain (as
> with the servers). I did attempt to stick the laptop in an OU that has
> policy inheritance blocked.
>
> Ntlm as user succeeds:
> -bash-4.1$ ntlm_auth --username=stormont
> password:
> NT_STATUS_OK: Success (0x0)
> -bash-4.1$ ntlm_auth --username=zzhoppy
> password:
> NT_STATUS_OK: Success (0x0)
> -bash-4.1$
>
> And from log.winbindd (during interactive user authentication
> listed above)
> [2014/08/13 12:48:11.379309, 3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
> [38847]: request interface version
> [2014/08/13 12:48:11.379440, 3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
> [38847]: request location of privileged pipe
> [2014/08/13 12:48:11.379608, 3]
> winbindd/winbindd_misc.c:394(winbindd_domain_name)
> [38847]: request domain name
> [2014/08/13 12:48:15.921652, 3] winbindd/winbindd_misc.c:372(winbindd_info)
> [38847]: request misc info
> [2014/08/13 12:48:15.921795, 3]
> winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
> [38847]: pam auth OMNI\stormont
> [2014/08/13 12:48:26.815876, 3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
> [38848]: request interface version
> [2014/08/13 12:48:26.816002, 3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
> [38848]: request location of privileged pipe
> [2014/08/13 12:48:26.816106, 3]
> winbindd/winbindd_misc.c:394(winbindd_domain_name)
> [38848]: request domain name
> [2014/08/13 12:48:31.267636, 3] winbindd/winbindd_misc.c:372(winbindd_info)
> [38848]: request misc info
> [2014/08/13 12:48:31.267793, 3]
> winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
> [38848]: pam auth OMNI\zzhoppy
>
>
> Ntlm as machine still fails:
> [root@pfcv logs]# ntlm_auth --username=LT-T430-3\$ --challenge=4ab096b446376d5f --ntresponse=4df85dd62db46ee5bef1aa07fe499e87fc16eca72bd529e7
> Logon failure (0xc000006d)
>
> Below is log.winbindd from when the laptop attempted machine
> auth:
> [2014/08/13 13:37:43.894898, 3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
> [38912]: request interface version
> [2014/08/13 13:37:43.895143, 3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
> [38912]: request location of privileged pipe
> [2014/08/13 13:37:43.895372, 3]
> winbindd/winbindd_misc.c:394(winbindd_domain_name)
> [38912]: request domain name
> [2014/08/13 13:37:43.895587, 3]
> winbindd/winbindd_pam_auth_crap.c:56(winbindd_pam_auth_crap_send)
> [38912]: pam auth crap domain: [OMNI] user: LT-T430-3$
>
>
> From: Louis Munro [mailto:[email protected]]
> Sent: Wednesday, August 13, 2014 9:49 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] "No trusted SAM account"
>
> On 2014-08-12, at 15:58, "Stormont, Stephen (IMS)" <[email protected]> wrote:
>
>
> When I entered the command that you suggested on the PacketFence/FreeRadius
> server, I got this:
>
> [root@pfcv sbin]# ntlm_auth --username=LT-T430-3\$ --challenge=4ab096b446376d5f --ntresponse=4df85dd62db46ee5bef1aa07fe499e87fc16eca72bd529e7
> Logon failure (0xc000006d)
>
> Contents of mschap are below:
>
> mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = yes
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --ntresponse=%{mschap:NT-Response:-00}"
> }
>
> Well, at least you can reproduce it reliably…
>
> Your mschap file looks about right.
> So I think the first step is to get user authentication working reliably.
> It's probably easier to figure out why user auth is not working first since
> it's easier to know if your password is correct.
>
> What happens when you try user auth at the command line using ntlm_auth?
>
> I.e.
> # ntlm_auth --username=whatever
>
> And if we compare with the FreeRADIUS debugging output for the same section?
> Can you post the relevant lines for that please (same ones as for the
> computer authentication)?
>
> What happens when you try to authenticate a user with the same arguments to
> ntlm_auth that FreeRadius uses (just as for the computer auth)?
>
> If user authentication works when you enter the password manually but not
> when freeradius tries it, then either the 802.1x client is not using a valid
> password or the AD cannot find that user.
>
> See this article for some background on ntlm:
> http://msdn.microsoft.com/en-ca/library/windows/desktop/aa378749(v=vs.85).aspx
>
>
> Have a look at the winbind logs (/var/log/samba/log.winbindd ).
> There should be a line for each authentication attempt like the following:
>
> [2014/08/13 09:31:56.156551, 3]
> winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
> [ 7023]: pam auth inverse.local\lmunro
>
> How does the line differ between when you are authenticating manually (from
> the command line) as opposed to when FreeRadius calls winbind (and fails)?
> Is the domain the same?
>
>
> Of course it may help if you have some logs from the AD side as well.
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 *125 :: +1 (866) 353-6153
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
>
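On the winbind-log question in the quoted reply (does the line differ between the manual test and the FreeRADIUS call, and is the domain the same?), here is an added Python parser for the log.winbindd entries. It is example code written for this thread, not Samba or PacketFence code. The sample log is constructed from the lines Stephen posted, restored to the two-line layout winbindd writes; the parser also accepts the wrapped three-line form seen in the mail. One thing the posted lines already show: "pam auth" is winbind's plaintext-password path, which is what ntlm_auth uses when it prompts for a password, while "pam auth crap" is the challenge/response path ntlm_auth takes when given --challenge and --nt-response, i.e. the path FreeRADIUS exercises. The two successful manual user tests and the failing machine test therefore went through different winbind code paths, which is why the like-for-like comparison is the user account called with --challenge/--nt-response, as suggested at the top of this reply.

```python
"""Pull the authentication attempts out of /var/log/samba/log.winbindd and
show, per attempt, which winbind path was used and against which domain.

Added example for this thread (not Samba or PacketFence code).
"""
import re

# winbindd writes a header line, then the message indented on the next line:
#   [2014/08/13 12:48:15.921795,  3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
#     [38847]: pam auth OMNI\stormont
# The mail client wrapped the header onto two lines; both layouts parse here.
HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]")
# plaintext-password path ("ntlm_auth --username=X" followed by a typed password)
PLAIN_RE = re.compile(r"^\s*\[\s*(\d+)\]: pam auth (?!crap )(?:([^\\\s]+)\\)?(\S+)\s*$")
# challenge/response path (--challenge/--nt-response, hence what FreeRADIUS triggers)
CRAP_RE = re.compile(r"^\s*\[\s*(\d+)\]: pam auth crap domain: \[([^\]]*)\] user: (\S+)\s*$")

# Constructed sample: the entries Stephen posted, restored to winbindd's layout.
SAMPLE_LOG = r"""
[2014/08/13 12:48:15.921795,  3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [38847]: pam auth OMNI\stormont
[2014/08/13 12:48:31.267793,  3] winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [38848]: pam auth OMNI\zzhoppy
[2014/08/13 13:37:43.895372,  3] winbindd/winbindd_misc.c:394(winbindd_domain_name)
  [38912]: request domain name
[2014/08/13 13:37:43.895587,  3] winbindd/winbindd_pam_auth_crap.c:56(winbindd_pam_auth_crap_send)
  [38912]: pam auth crap domain: [OMNI] user: LT-T430-3$
"""


def parse_winbind_auth(text):
    """Return one dict per authentication attempt, in log order.
    Non-auth requests (interface version, domain name, ...) are skipped."""
    entries = []
    stamp = None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            stamp = head.group(1)      # remember it; the message follows on a later line
            continue
        m = CRAP_RE.match(line)
        if m:
            entries.append({"time": stamp, "pid": int(m.group(1)),
                            "mode": "challenge-response",
                            "domain": m.group(2), "user": m.group(3)})
            continue
        m = PLAIN_RE.match(line)
        if m:
            entries.append({"time": stamp, "pid": int(m.group(1)),
                            "mode": "plaintext",
                            "domain": m.group(2), "user": m.group(3)})
    return entries


def domains_by_mode(entries):
    """Which domain each winbind path was asked to authenticate against:
    the 'is the domain the same?' check from the thread, in one dict."""
    seen = {}
    for e in entries:
        seen.setdefault(e["mode"], set()).add(e["domain"])
    return seen


if __name__ == "__main__":
    attempts = parse_winbind_auth(SAMPLE_LOG)
    for e in attempts:
        print("{time}  pid={pid:<6} {mode:<18} {domain}\\{user}".format(**e))
    print(domains_by_mode(attempts))
```

Feed it the real file (parse_winbind_auth(open("/var/log/samba/log.winbindd").read())) after one manual test and one FreeRADIUS-driven attempt: a "plaintext" row for the manual test next to a "challenge-response" row for the RADIUS one means the two tests were not exercising the same thing, and a domain that differs between rows answers the domain question directly.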
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users