RE: MS-CHAP2 fails - samba version?

2013-07-08 Thread Lovaas,Steven
Sending Access-Accept of id 203 to 127.0.0.1 port 42549
MS-CHAP-MPPE-Keys = 
0xb0ea48246e549461af612741d64404e4
MS-MPPE-Encryption-Policy = 0x0001
MS-MPPE-Encryption-Types = 0x0006
Finished request 0.

Works both on the CLI and from a Windows wireless client.


Thanks, Phil and Mathieu... that did the trick!

Steve

-Original Message-
From: freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org 
[mailto:freeradius-users-bounces+steven.lovaas=colostate@lists.freeradius.org]
 On Behalf Of Mathieu Simon
Sent: Monday, July 08, 2013 8:44 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP2 fails - samba version?

On 08.07.2013 16:30, Phil Mayers wrote:
> On 08/07/13 14:59, Lovaas,Steven wrote:
>
>>
>> Exec-Program output: Reading winbind reply failed! (0xc001)
>
> Check the permissions on the winbind socket, which usually lives in 
> either /var/cache/samba/winbindd_privileged or 
> /var/lib/samba/winbindd_privileged
I guess Debian wheezy is mostly the same as Ubuntu (where it is:
/var/run/samba/winbindd_privileged).
I had to add the freeradius user to this privileged group using:

'sudo adduser freerad winbindd_priv' to make it work, I hope that helps.

-- Mathieu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: MS-CHAP2 fails - samba version?

2013-07-08 Thread Mathieu Simon
On 08.07.2013 16:30, Phil Mayers wrote:
> On 08/07/13 14:59, Lovaas,Steven wrote:
>
>>
>> Exec-Program output: Reading winbind reply failed! (0xc001)
>
> Check the permissions on the winbind socket, which usually lives in
> either /var/cache/samba/winbindd_privileged or
> /var/lib/samba/winbindd_privileged
I guess Debian wheezy is mostly the same as Ubuntu (where it is:
/var/run/samba/winbindd_privileged).
I had to add the freeradius user to this privileged group using:

'sudo adduser freerad winbindd_priv' to make it work, I hope that helps.

-- Mathieu
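A small diagnostic for the permission problem Phil and Mathieu describe, added here as an example and not part of the thread. It assumes the `freerad` service user and `winbindd_priv` group Mathieu names and the three socket directories mentioned above; user and directory are passed as arguments so the same functions can be exercised against any directory.

```sh
#!/bin/sh
# check_winbind_priv.sh (hypothetical helper, not from the thread)
# ntlm_auth --request-nt-key must connect to the socket under winbindd_privileged,
# which is normally owned by root:winbindd_priv and not world-accessible, so the
# account FreeRADIUS runs as has to be in that group.

# Candidate locations named in the thread (Debian/Ubuntu, then the two Phil listed).
WINBIND_PRIV_DIRS="/var/run/samba/winbindd_privileged /var/lib/samba/winbindd_privileged /var/cache/samba/winbindd_privileged"
FREERADIUS_USER="${FREERADIUS_USER:-freerad}"

# find_priv_dir DIR...: print the first candidate that exists; status 1 if none does.
find_priv_dir() {
    for d in "$@"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# dir_group DIR: print the group owning DIR (GNU stat first, BSD stat as fallback).
dir_group() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# user_in_group USER GROUP: status 0 when USER's group list contains GROUP.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# check_access USER DIR: status 0 if USER shares the group that owns DIR,
# 1 if not (prints the fix Mathieu used), 2 if DIR cannot be inspected.
check_access() {
    user="$1"; dir="$2"
    grp=$(dir_group "$dir") || return 2
    if user_in_group "$user" "$grp"; then
        echo "OK: $user is in group $grp, which owns $dir"
        return 0
    fi
    # Group changes only take effect for processes started afterwards,
    # so FreeRADIUS has to be restarted after the adduser.
    echo "FAIL: $user is not in group $grp; run: adduser $user $grp and restart freeradius"
    return 1
}

# Stand-alone use: locate the socket directory and check the service account.
if [ "${1:-}" = "--run" ]; then
    dir=$(find_priv_dir $WINBIND_PRIV_DIRS) || { echo "no winbindd_privileged directory found; is winbind running?"; exit 2; }
    check_access "$FREERADIUS_USER" "$dir"
fi
```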


Re: MS-CHAP2 fails - samba version?

2013-07-08 Thread Phil Mayers

On 08/07/13 14:59, Lovaas,Steven wrote:
>
> Exec-Program output: Reading winbind reply failed! (0xc001)

Check the permissions on the winbind socket, which usually lives in
either /var/cache/samba/winbindd_privileged or
/var/lib/samba/winbindd_privileged




MS-CHAP2 fails - samba version?

2013-07-08 Thread Lovaas,Steven
Hello everyone,

I’m trying to bring up a fresh instance using 2.2.0, rather than just cloning 
old 1.x configs as has been done in previous upgrades. In building a new Ubuntu 
server, I grabbed the latest available build of samba (3.6.3); I’ve read that a 
version of at least version 3.5.4 is required to work with Windows Server 2008 
r2 AD. Compatibility with 2008 r2 is what is driving this upgrade.

Working from the Deploying Radius site, I’ve made good progress. So far, the 
directions have been clear and everything has worked well. I even took the 
opportunity to learn mercurial along the way… thanks ☺. I also created two 
virtual servers, to support different policies for our main campus wireless and 
eduroam. That also seems to be working well, with one SSID pointing to each 
virtual server… slick!

Ntlm works:
/usr/bin/ntlm_auth --request-nt-key --domain=COLOSTATE --username=slovaas
password:
NT_STATUS_OK: Success (0x0)
root@freerad13:/etc/freeradius/modules#

Winbind looks OK, though only the challenge/response version of authentication… 
that’s normal?:
wbinfo -a slovaas
Enter slovaas's password:
plaintext password authentication failed
Could not authenticate user slovaas with plaintext password
Enter slovaas's password:
challenge/response password authentication succeeded
root@freerad13:/etc/freeradius#

And with a forced default ntlm_auth in the users file, I can authenticate with 
radtest.

But here’s where I’m stuck. When I remove the default ntlm_auth line in the 
users file and put the ntlm_auth line in mschap, I no longer get access_accept.

The debug of the request is pasted below. But I wondered… basic authentication 
is working (with ntlm_auth) but mschap doesn’t get what it wants back (using 
ntlm_auth), which sounds like an issue that was around in earlier versions of 
samba. Before I go downgrading samba, though, I was wondering if anyone saw 
anything I missed or had any other suggestions.

Thanks,
Steve

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.07.08 07:43:48 =~=~=~=~=~=~=~=~=~=~=~=
rad_recv: Access-Request packet from host 127.0.0.1 port 35685, id=59, 
length=133
User-Name = "slovaas"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x160e7734756ad5899a83bbc504bd937c
MS-CHAP-Challenge = 0x105268b03ae9b2ee
MS-CHAP-Response = 
0x00013487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
server eid-dot11i {
# Executing section authorize from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group authorize {...}
++- entering policy filter_username_csu {...}
+++? if (User-Name != "%{tolower:%{User-Name}}")
expand: %{User-Name} -> slovaas
expand: %{tolower:%{User-Name}} -> slovaas
? Evaluating (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
+++? if (User-Name =~ / /)
? Evaluating (User-Name =~ / /) -> FALSE
+++? if (User-Name =~ / /) -> FALSE
+++? if (User-Name =~ /@(.+)?@/i )
? Evaluating (User-Name =~ /@(.+)?@/i) -> FALSE
+++? if (User-Name =~ /@(.+)?@/i ) -> FALSE
+++? if (User-Name =~ /\\.\\./ )
? Evaluating (User-Name =~ /\\.\\./) -> FALSE
+++? if (User-Name =~ /\\.\\./ ) -> FALSE
++- policy filter_username_csu returns notfound
++[preprocess] returns ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 127.0.0.1
[auth_log] expand: 
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708
[auth_log] 
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
 expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130708
[auth_log] expand: %t -> Mon Jul  8 07:45:04 2013
++[auth_log] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "slovaas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /etc/freeradius/sites-enabled/eid-dot11i
+- entering group MS-CHAP {...}
[mschap] Client is using MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{User-Name} -> slovaas
[mschap] expand: %{%{User-Name}:-None} -> slovaas
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> 
--username=slovaas
[mschap]  mschap1: 10
[mschap] expand: %{mschap:Challenge} -> 105268b03ae9b2ee
[mschap] expand: --challenge=%{%{mschap:Challenge}:-00} -> 
--challenge=105268b03ae9b2ee
[mschap] expand: %{mschap:NT-Response} -> 
3487554c3d3f147c69f03fcc12fd5535dff2c0be3d5bbc10
[mschap] expan