So I gave in and connected radius to my active directory (which we wish we 
could get rid of).

I'm getting the following error now.
Any thoughts on correcting this winbind error?

[mschapv2] +- entering group MS-CHAP {...}
[mschap]   NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap] Told to do MS-CHAPv2 for VIDEOEGG\kplimack with NT-Password
[mschap]     expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details
[mschap]     expand: %{User-Name:-None} -> VIDEOEGG\kplimack
[mschap]     expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> 
--username=VIDEOEGG\kplimack
[mschap]     expand: %{mschap:NT-Domain} -> VIDEOEGG
[mschap]     expand: --domain=%{%{mschap:NT-Domain}:-VIDEOEGG} -> 
--domain=VIDEOEGG
[mschap]  mschap2: a0
[mschap] NT Domain delimeter found, should we have enabled with_ntdomain_hack?
[mschap]     expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=f83a0b16419a7f71
[mschap]     expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=fa180186e7d362c5ee57c6c776619d4d72173918ebc17b93
Exec-Program output: Reading winbind reply failed! (0xc0000001)
Exec-Program-Wait: plaintext: Reading winbind reply failed! (0xc0000001)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
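An added diagnostic example, not code from this thread or from FreeRADIUS: it unwraps the debug lines quoted above as the mail client broke them, pulls out the arguments the mschap module expanded for ntlm_auth together with the winbind result, and rebuilds the external check so it can be re-run by hand as the radiusd user. The `--request-nt-key` flag and the NTSTATUS name are assumptions taken from the usual mschap ntlm_auth configuration, not from the post.

```python
import re

# Constructed sample: the mschap debug lines above, wrapped as the mail client wrapped them.
SAMPLE_LOG = r"""[mschap]     expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
--username=VIDEOEGG\kplimack
[mschap]     expand: --domain=%{%{mschap:NT-Domain}:-VIDEOEGG} ->
--domain=VIDEOEGG
[mschap]     expand: --challenge=%{mschap:Challenge:-00} ->
--challenge=f83a0b16419a7f71
[mschap]     expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=fa180186e7d362c5ee57c6c776619d4d72173918ebc17b93
Exec-Program output: Reading winbind reply failed! (0xc0000001)
"""

ARG_RE = re.compile(r"expand: (--[\w-]+)=\S+ -> \1=(\S+)")  # one expanded ntlm_auth argument
WINBIND_RE = re.compile(r"Exec-Program output: (.*?)\s*\((0x[0-9a-fA-F]+)\)")

def unwrap(log):
    # A line that does not start a new debug record continues the previous one.
    lines = []
    for raw in log.splitlines():
        if raw.startswith(("[", "Exec-")) or not lines:
            lines.append(raw)
        else:
            lines[-1] = lines[-1].rstrip() + " " + raw.strip()
    return lines

def parse_mschap_debug(log):
    # Collect the arguments the mschap module handed to ntlm_auth and winbind's answer.
    info = {"args": {}, "winbind_error": None, "ntstatus": None}
    for line in unwrap(log):
        if m := ARG_RE.search(line):
            info["args"][m.group(1)] = m.group(2)
        elif m := WINBIND_RE.search(line):
            info["winbind_error"], info["ntstatus"] = m.group(1), m.group(2).lower()
    return info

def diagnose(info):
    # Report only what the log itself shows.
    findings = []
    if "\\" in info["args"].get("--username", ""):
        findings.append("username still carries the NT domain prefix: Stripped-User-Name was empty, see with_ntdomain_hack")
    if info["ntstatus"] == "0xc0000001":  # STATUS_UNSUCCESSFUL
        findings.append("winbind returned STATUS_UNSUCCESSFUL: check the domain join and winbindd before touching the RADIUS config")
    return findings

def ntlm_auth_command(info):
    # Rebuild the external check for a manual run as the radiusd user (--request-nt-key is assumed).
    return " ".join(["ntlm_auth", "--request-nt-key"] + [f"{k}={v}" for k, v in info["args"].items()])
```

Running the rebuilt command as the same user radiusd runs under separates a winbind or domain-join problem from a FreeRADIUS configuration problem.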



On 6/18/10 1:54 PM, "Arran Cudbard-Bell" <a.cudba...@googlemail.com> wrote:

That has to go in the wiki somewhere. That's possibly the best explanation of 
how FreeRADIUS processes requests I've ever heard... :)

-Arran
On Jun 18, 2010, at 1:50 PM, John Dennis wrote:

> On 06/18/2010 04:03 PM, Kyle Plimack wrote:
>> So how do I get pap to do it?
>
> If you're asking how you get pap to do mschap then that's a nonsensical 
> question.
>
> Here is how things work:
>
> The client sends you a radius auth request; you don't get to decide what's in 
> it, the client does.
>
> The radius server looks at the request and says
>
> "hmmm... let's see, what do we have here? What can I do with this?"
>
> The answer to that is what auth types you have enabled, what the server can 
> lookup, and what's in the request.
>
> The server will do something like this:
>
> "Yo unix module, can you handle this one?"
>
> "Hey pap module, can you handle this one?"
>
> "Yo mschap module, can you handle this one?"
>
> At some point hopefully one of the modules will say:
>
> "No problem I got it"
>
> The decision as to whether a module can handle the request is made by the 
> module by looking at the data available to it.
>
> So let's say the client sends a request with a password and you've got pap 
> enabled. The pap module looks at the request and says
>
> "hmmm ... do I have a password for this user"
>
> if so then compare my copy of the password to what's in the request.
>
> How does radius find a user's password? By consulting its backend data store, 
> which can be the users file, a SQL database, or ldap.
>
> So before the pap module runs, ldap will run. ldap says
>
> "hmm... Can I find passwords for this user?" If so I'll add them to the 
> request as a check item so my dear friend the pap module can use them, you 
> know that pap guy, he's always looking for passwords.
>
> But WAIT! What if the client sends a MSCHAP request? What does the radius 
> server say then?
>
> "Well that's a fine kettle of fish! That client has really really tied my 
> hands on this one" The only thing the server can do is run the mschap logic.
>
> The mschap module looks at the request to see if there is a check item with 
> either a clear text password or nt-hash (why? look at the protocol table). If 
> those haven't been added by one of the datastores the mschap module says:
>
> "Sorry boss, no can do"
>
> But now the server has run out of options; its only choice was mschap 
> because that's what the client sent it, and the mschap module can't handle it. 
> So the server replies:
>
> "Loser! You ain't getting in here with those credentials" (Well really 
> Auth-Reject)
>
>
>
> --
> John Dennis <jden...@redhat.com>
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
