Hi,
Here is my mschap file.
I played a little with the ntlm_auth options there to enable debugging
(--debuglevel=10), but without success.
# -*- text -*-
#
# $Id$
# Microsoft CHAP authentication
#
# This module supports MS-CHAP and MS-CHAPv2 authentication.
# It also enforces the SMB-Account-Ctrl attribute.
#
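mschap {
	#
	# If you are using /etc/smbpasswd, see the 'passwd'
	# module for an example of how to use /etc/smbpasswd.
	#
	# If use_mppe is not set to no, mschap will
	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
	#
	use_mppe = yes

	# If MPPE is enabled, require_encryption makes
	# encryption moderate.
	#
	require_encryption = yes

	# require_strong always requires 128-bit key
	# encryption.
	#
	require_strong = yes

	# Windows sends us a username in the form of
	# DOMAIN\user, but sends the challenge response
	# based on only the user portion. This hack
	# corrects for that incorrect behavior.
	#
	with_ntdomain_hack = yes

	# The module can perform authentication itself, OR
	# use a Windows Domain Controller. This configuration
	# directive tells the module to call the ntlm_auth
	# program, which will do the authentication, and return
	# the NT-Key. Note that you MUST have "winbindd" and
	# "nmbd" running on the local machine for ntlm_auth
	# to work. See the ntlm_auth program documentation
	# for details.
	#
	# If ntlm_auth is configured below, then the mschap
	# module will call ntlm_auth for every MS-CHAP
	# authentication request. If there is a cleartext
	# or NT hashed password available, you can set
	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
	# and the mschap module will do the authentication itself,
	# without calling ntlm_auth.
	#
	# Be VERY careful when editing the following line!
	#
	# You can also try setting the user name as:
	#
	#	... --username=%{mschap:User-Name} ...
	#
	# In that case, the mschap module will look at the User-Name
	# attribute, and do prefix/suffix checks in order to obtain
	# the "best" user name for the request.
	#
	# Call ntlm_auth through the logging wrapper. Make sure to
	# preserve the "--" separator: it distinguishes the args to
	# the wrapper from those to the ntlm_auth executable itself.
	#
	# Keep the whole command as ONE quoted value on a single line.
	# If it is wrapped, every line but the last needs a trailing "\";
	# a fragment without one is not read as part of this value.
	#
	# NOTE(review): no --domain= is passed, so once with_ntdomain_hack
	# has stripped the DOMAIN\ prefix, ntlm_auth falls back to its own
	# default domain -- confirm that matches the AD domain this
	# server joined.
	#
	# NOTE(review): ntlm_auth's own --debuglevel output is written to
	# its stderr; whether the logging wrapper forwards that anywhere
	# visible is not shown here -- check the wrapper.
	#
	ntlm_auth = "/usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

	# ntlm_auth should take less than three seconds.
	# If it takes longer than that, something is probably wrong.
	#
	ntlm_auth_timeout = 3

	# For Apple Server, when running on the same machine as
	# Open Directory. It has no effect on other systems.
	#
	#use_open_directory = yes

	# On failure, set (or not) the MS-CHAP error code saying
	# "retries allowed".
	# Be careful setting this to yes. It could allow a device to
	# hog the thread by never replying.
	#
	allow_retry = no

	# An optional retry message.
	#
	#retry_msg = "Re-enter (or reset) the password"
}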
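mschap chrooted_mschap {
	#
	# If you are using /etc/smbpasswd, see the 'passwd'
	# module for an example of how to use /etc/smbpasswd.
	#
	# If use_mppe is not set to no, mschap will
	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
	#
	use_mppe = yes

	# If MPPE is enabled, require_encryption makes
	# encryption moderate.
	#
	require_encryption = yes

	# require_strong always requires 128-bit key
	# encryption.
	#
	require_strong = yes

	# Windows sends us a username in the form of
	# DOMAIN\user, but sends the challenge response
	# based on only the user portion. This hack
	# corrects for that incorrect behavior.
	#
	with_ntdomain_hack = yes

	# The module can perform authentication itself, OR
	# use a Windows Domain Controller. This configuration
	# directive tells the module to call the ntlm_auth
	# program, which will do the authentication, and return
	# the NT-Key. Note that you MUST have "winbindd" and
	# "nmbd" running on the local machine for ntlm_auth
	# to work. See the ntlm_auth program documentation
	# for details.
	#
	# If ntlm_auth is configured below, then the mschap
	# module will call ntlm_auth for every MS-CHAP
	# authentication request. If there is a cleartext
	# or NT hashed password available, you can set
	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
	# and the mschap module will do the authentication itself,
	# without calling ntlm_auth.
	#
	# Be VERY careful when editing the following line!
	#
	# You can also try setting the user name as:
	#
	#	... --username=%{mschap:User-Name} ...
	#
	# In that case, the mschap module will look at the User-Name
	# attribute, and do prefix/suffix checks in order to obtain
	# the "best" user name for the request.
	#
	# Call ntlm_auth through the logging wrapper, inside the
	# per-domain chroot under /chroots/. Make sure to preserve the
	# "--" separator: it distinguishes the args to the wrapper
	# from those to the ntlm_auth executable itself.
	#
	# Keep the whole command as ONE quoted value on a single line.
	# If it is wrapped, every line but the last needs a trailing "\";
	# a fragment without one is not read as part of this value.
	#
	# NOTE(review): %{PacketFence-Domain} is expanded into the chroot
	# path and the result runs under sudo. Confirm this attribute is
	# set only by PacketFence's own policy (never taken from a
	# client-supplied value) and that the sudoers rule is limited to
	# this exact chroot invocation.
	#
	# NOTE(review): no --domain= is passed, so once with_ntdomain_hack
	# has stripped the DOMAIN\ prefix, ntlm_auth falls back to its own
	# default domain inside the chroot -- confirm that matches the AD
	# domain that chroot joined.
	#
	ntlm_auth = "/usr/bin/sudo /usr/sbin/chroot /chroots/%{PacketFence-Domain} /usr/local/pf/bin/ntlm_auth_wrapper -- --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

	# ntlm_auth should take less than three seconds.
	# If it takes longer than that, something is probably wrong.
	#
	ntlm_auth_timeout = 3

	# For Apple Server, when running on the same machine as
	# Open Directory. It has no effect on other systems.
	#
	#use_open_directory = yes

	# On failure, set (or not) the MS-CHAP error code saying
	# "retries allowed".
	# Be careful setting this to yes. It could allow a device to
	# hog the thread by never replying.
	#
	allow_retry = no

	# An optional retry message.
	#
	#retry_msg = "Re-enter (or reset) the password"
}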
2016-03-29 16:48 GMT+02:00 Louis Munro <[email protected]>:
>
>
> On Mar 29, 2016, at 3:45 , Tobias Friede <[email protected]> wrote:
>
> Hi,
>
> now I have reinstalled the PF server and configured the AD Auth as
> described in the documentation, but with no success.
> I get the same error message as before.
>
> I have no idea where the mistake is. Maybe there is a bug?
>
>
>
> Anything is possible.
>
> Can you please post the contents of your raddb/modules/mschap?
>
> Regards,
> --
> Louis Munro
> [email protected] :: www.inverse.ca
> +1.514.447.4918 x125 :: +1 (866) 353-6153 x125
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
> www.packetfence.org)
>
>