I'm trying to use FR to query AD as an authentication oracle, set up per the docs at http://deployingradius.com/documents/configuration/active_directory.html and several others pertaining to setting up Kerberos and winbind.

smb/krb/winbind all run. The usual testing commands all produce the proper output: wbinfo, kinit, klist, net join, etc.

FreeRADIUS Version 2.1.7
CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
Samba Version 3.3.8-0.52.el5_5.2
KRB5

I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448. I am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.

Upon issuing the command:

ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5

I receive:

NT_STATUS_OK: Success (0x0)

but I do not see any reference to an NT_KEY. I believe that's why the radtest command is failing:

radtest sambatest somepass localhost 0 somesecret
Sending Access-Request of id 225 to 127.0.0.1 port 1812
	User-Name = "sambatest"
	User-Password = "somepass"
	NAS-IP-Address = 64.126.127.208
	NAS-Port = 0
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20

I've been reading, researching and testing for 3 weeks, but I'm stuck now.
radiusd -X output:

rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
	User-Name = "sambatest"
	User-Password = "somepass"
	NAS-IP-Address = 64.126.127.208
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] 	expand: %t -> Fri Feb 18 17:19:10 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth] 	expand: --password=%{User-Password} -> --password=somepass
username must be specified!

*# don't understand this... username is two lines up*
*# If I shut down winbind, a winbind error precedes "username must be specified!". Don't understand why samba is puking a help screen?*

Usage: [OPTION...]
  --helper-protocol=helper protocol to use   operate as a stdio-based helper
  --username=STRING                          username
  --domain=STRING                            domain name
  --workstation=STRING                       workstation
  --challenge=STRING                         challenge (HEX encoded)
  --lm-response=STRING                       LM Response to the challenge (HEX encoded)
  --nt-response=STRING                       NT or NTLMv2 Response to the challenge (HEX encoded)
  --password=STRING                          User's plaintext password
  --request-lm-key                           Retrieve LM session key
  --request-nt-key                           Retrieve User (NT) session key
  --use-cached-creds                         Use cached credentials if no password is given
  --diagnostics                              Perform diagnostics on the authentictaion chain
  --require-membership-of=STRING             Require that a user be a member of this group (either name or SID) for authentication to succeed

Help options:
  -?, --help                                 Show this help message
  --usage                                    Display brief usage message

Common samba config:
  --configfile=CONFIGFILE                    Use alternate configuration file

Common samba options:
  -V, --version                              Print version

Exec-Program output: 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> sambatest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 4 to 127.0.0.1 port 39195
Waking up in 4.9 seconds.
Cleaning up request 2 ID 4 with timestamp +349
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61
	User-Name = "sambatest"
	User-Password = "somepass"
	NAS-IP-Address = 64.126.127.208
	NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
[auth_log] 	expand: %t -> Fri Feb 18 17:32:09 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "sambatest", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 17
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] 	expand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth] 	expand: --password=%{User-Password} -> --password=Thursday77
username must be specified!

Usage: [OPTION...]
  --helper-protocol=helper protocol to use   operate as a stdio-based helper
  --username=STRING                          username
  --domain=STRING                            domain name
  --workstation=STRING                       workstation
  --challenge=STRING                         challenge (HEX encoded)
  --lm-response=STRING                       LM Response to the challenge (HEX encoded)
  --nt-response=STRING                       NT or NTLMv2 Response to the challenge (HEX encoded)
  --password=STRING                          User's plaintext password
  --request-lm-key                           Retrieve LM session key
  --request-nt-key                           Retrieve User (NT) session key
  --use-cached-creds                         Use cached credentials if no password is given
  --diagnostics                              Perform diagnostics on the authentictaion chain
  --require-membership-of=STRING             Require that a user be a member of this group (either name or SID) for authentication to succeed

Help options:
  -?, --help                                 Show this help message
  --usage                                    Display brief usage message

Common samba config:
  --configfile=CONFIGFILE                    Use alternate configuration file

Common samba options:
  -V, --version                              Print version

Exec-Program output: 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Failed to authenticate the user.
Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> sambatest
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 225 to 127.0.0.1 port 57210
Waking up in 4.9 seconds.
Cleaning up request 3 ID 225 with timestamp +1128
Ready to process requests.
/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ADMIN.CYTEWORKS.LOCAL
# dns_lookup_realm = false
# all of these entries have been used for testing and are commented out now
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# forwardable = yes
# default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
# preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
 ADMIN.CYTEWORKS.LOCAL = {
  kdc = cyteworks.admin.cyteworks.local
  admin_server = cyteworks.admin.cyteworks.local
  default_domain = ADMIN.CYTEWORKS.LOCAL
 }

[domain_realm]
 .cyteworks.local = ADMIN.CYTEWORKS.LOCAL
 cyteworks.local = ADMIN.CYTEWORKS.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/samba/smb.conf:

#======================= Global Settings =====================================
[global]
	idmap uid = 200000 - 300000
	idmap gid = 200000 - 300000
	workgroup = ADMIN
;	netbios name = cyteworks
	realm = ADMIN.CYTEWORKS.LOCAL
	server string = Samba Server Version %v
	security = ads
	local master = no
	domain master = no
	preferred master = no
	winbind separator = +
	winbind uid = 10000-20000
	winbind gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
	hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

	# logs split per machine
	log file = /var/log/samba/log.%m
	# max 50KB per log file, then rotate
	max log size = 50

# ----------------------- Domain Members Options ------------------------
;	password server = *
	security = ads
;	passdb backend = tdbsam
	realm = ADMIN.CYTEWORKS.LOCAL
;	password server = 10.12.1.40

Everything else is commented out in smb.conf. Don't need any printers, no shares, etc.

/etc/raddb/radiusd.conf:

# -*- text -*-
##
#
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = radiusd
group = radiusd
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
	type = auth
	ipaddr = *
	port = 0
	clients = per_socket_clients
}
listen {
	ipaddr = *
	port = 0
	type = acct
	clients = per_socket_clients
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = yes
	auth = yes
	auth_badpass = yes
	auth_goodpass = yes
}
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 2
	status_server = yes
}
proxy_requests = no
$INCLUDE clients.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	$INCLUDE ${confdir}/modules/
	$INCLUDE eap.conf
}
instantiate {
	exec
	expr
	expiration
	logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

/etc/raddb/clients.conf:

# -*- text -*-
##
## clients.conf -- client configuration directives
##
client localhost {
	ipaddr = 127.0.0.1
	secret = somesecret
	require_message_authenticator = yes
	shortname = localhost
	nastype = other		# localhost isn't usually a NAS...
}
clients per_socket_clients {
	client 127.0.0.1 {
		secret = somesecret
	}
	# Juniper - ESR - 01.24.11
	client 192.168.20.254 {
		secret = somesecret
		shortname = juniper
		nastype = netscreen
	}
	# Dell PowerConnect 3448 - ESR - 02.01.11
	client 10.12.1.11 {
		secret = somesecret
		shortname = dpc3448
		nastype = other
	}
}

/etc/raddb/users:

# -*- text -*-
#
# Copyright (C) 2009 Deploying RADIUS Partnerships
# All rights reserved.
#
# Save this file as "raddb/users", after first backing up
# the copy that you have there.
#
# http://deployingradius.com/documents/configuration/pap.html
#
# Window 1: radiusd -X
# Window 2: radtest bob hello localhost 0 testing123
#
# ntlm_auth testing ESR 02.17.11
DEFAULT Auth-Type = ntlm_auth

#************************ Juniper conf
# - ESR - 01.24.11
#some.user	Cleartext-Password := "somepass"
#	NS-Admin-Privilege := 4,
#	NS-VSYS-Name := "Read-Only-Admin"
#some.user	Cleartext-Password := "somepass"
#	NS-Admin-Privilege := 2,
#	NS-VSYS-Name := "ROOT"
# End of the file

I commented out the PAP entries in the users file because one of the users has the same user.name in AD but a different password, and that was causing me some conflict.

So, can anyone tell me why I'm not getting an *NT_KEY* reply when I issue the *ntlm_auth* command? Is the missing key the reason the *radtest* command is failing? See any other glaring errors?

Thanks for your time.
E Rossiter
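A practitioner's check for the two things the debug output above leaves ambiguous, as an added example (not code from the original post, FreeRADIUS or Samba). First, the `ntlm_auth` exec module as shipped in 2.1.x decides on the exit status alone: 0 is accept, anything else is reject, and the program's stdout is only echoed in debug mode. Second, `ntlm_auth` prints an `NT_KEY:` line only in challenge/response mode (`--challenge`/`--nt-response`, which is what rlm_mschap uses); with `--password` it prints just the `NT_STATUS_...` line, so a missing NT_KEY in the plaintext test is expected and does not by itself explain a reject. The message `username must be specified!` followed by the usage text is what `ntlm_auth` emits when no non-empty `--username=` reaches it. The wrapper below is meant to be named in the module's `program =` line in place of the real binary while debugging: it records the argument vector exactly as rlm_exec split it (password redacted), classifies the run, and passes stdout, stderr and the exit status through unchanged. `NTLM_AUTH` and `LOG` are assumed paths; the `SAMPLE_RUNS` outputs are constructed to mirror the thread, not captured on the poster's box.

```python
#!/usr/bin/env python3
"""Diagnostic stand-in for ntlm_auth, to be named in rlm_exec's `program =` line
in place of the real binary while debugging.

Added example for this thread, not code from the original post, FreeRADIUS or
Samba. NTLM_AUTH and LOG below are assumed paths; change them for the host.
"""
import os
import subprocess
import sys

NTLM_AUTH = os.environ.get("NTLM_AUTH", "/usr/bin/ntlm_auth")                # assumed path
LOG = os.environ.get("NTLM_AUTH_LOG", "/var/log/radius/ntlm_auth-argv.log")  # assumed path


def redact_argv(argv):
    """repr() each argument so stray quotes or whitespace show up in the log;
    the plaintext --password value is replaced before anything is written."""
    shown = []
    for arg in argv:
        if arg.startswith("--password="):
            shown.append(repr("--password=<redacted>"))
        else:
            shown.append(repr(arg))
    return shown


def has_username(argv):
    """ntlm_auth refuses to run without a non-empty --username=: it prints
    'username must be specified!' plus its usage text and exits 1."""
    names = [a[len("--username="):] for a in argv if a.startswith("--username=")]
    return bool(names) and bool(names[-1])


def classify(stdout, stderr, status):
    """Summarise one ntlm_auth run the way rlm_exec / rlm_mschap read it.
    NT_KEY only appears in challenge/response mode (--challenge/--nt-response);
    with --password (the PAP path) success is an NT_STATUS_OK line and exit 0."""
    if "username must be specified" in stderr or "Usage:" in stderr:
        return "usage-error"
    if status != 0:
        return "reject"
    if any(line.startswith("NT_KEY: ") for line in stdout.splitlines()):
        return "accept-with-nt-key"
    return "accept"


# Constructed sample runs (stdout, stderr, exit status) mirroring the thread's
# output; not captured on the poster's system.
SAMPLE_RUNS = {
    "plaintext_ok": ("NT_STATUS_OK: Success (0x0)\n", "", 0),
    "challenge_ok": ("NT_KEY: D87262B0CDE4B1CB7499BECCCDF10784\n", "", 0),
    "no_username": ("", "username must be specified!\n\nUsage: [OPTION...]\n", 1),
    "bad_password": ("NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)\n", "", 1),
}


def classify_samples():
    """Classify every constructed run; doubles as the stand-alone demo."""
    return {name: classify(*run) for name, run in SAMPLE_RUNS.items()}


def main(argv):
    """Run the real ntlm_auth with argv exactly as received, log what was seen,
    and hand stdout/stderr/exit status back unchanged so rlm_exec behaves as before."""
    proc = subprocess.run([NTLM_AUTH] + argv, capture_output=True, text=True)
    verdict = classify(proc.stdout, proc.stderr, proc.returncode)
    with open(LOG, "a") as log:
        log.write("argv: %s\n" % " ".join(redact_argv(argv)))
        if not has_username(argv):
            log.write("  -> no non-empty --username= reached ntlm_auth\n")
        log.write("verdict: %s (exit %d)\n" % (verdict, proc.returncode))
    sys.stdout.write(proc.stdout)
    sys.stderr.write(proc.stderr)
    return proc.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The script must be readable and executable by the account in `user = radiusd`, and the log directory writable by it. For the challenge/response mode that rlm_mschap uses, that same account also needs access to winbindd's privileged pipe directory (its location varies by distribution), otherwise `--request-nt-key` fails regardless of the credentials. Remove the wrapper once the argv question is settled; it is a debugging aid, not a production component.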
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html