If no one else pipes in I'll try to help, but I'm gone for the night.

From: E Rossiter [mailto:phe...@gmail.com]
Sent: Friday, February 18, 2011 06:11 PM
To: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org>
Subject: FR/AD integration
Trying to use FR to query AD as an authentication oracle and set up per the docs at http://deployingradius.com/documents/configuration/active_directory.html and several others pertaining to setting up Kerberos and winbind. smb/krb/winbind all run. The usual testing commands all produce the proper output: wbinfo, kinit, klist, net join, etc.

FreeRADIUS Version 2.1.7, CentOS 5.5 2.6.18-194.32.1.el5 #1 SMP
Samba Version 3.3.8-0.52.el5_5.2
KRB5

I have been able to authenticate and authorize accounts using PAP via a Juniper device and a Dell PC 3448. Am now trying to expand beyond PAP and use ntlm_auth and eventually MSCHAP.

Upon issuing the command:

    ntlm_auth --request-nt-key --domain=ADMIN.CYTEWORKS.LOCAL --username=eric.rossiter --password=Cyt3w0rk5

I receive:

    NT_STATUS_OK: Success (0x0)

but I do not see any reference to an NT_KEY. I believe that's why the radtest command is failing:

    radtest sambatest somepass localhost 0 somesecret
    Sending Access-Request of id 225 to 127.0.0.1 port 1812
            User-Name = "sambatest"
            User-Password = "somepass"
            NAS-IP-Address = 64.126.127.208
            NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=225, length=20

Been reading and researching and testing for 3 weeks, but I'm stuck now.
radius -X output:

    rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
            User-Name = "sambatest"
            User-Password = "somepass"
            NAS-IP-Address = 64.126.127.208
            NAS-Port = 0
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
    [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
    [auth_log]      expand: %t -> Fri Feb 18 17:19:10 2011
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "sambatest", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] users: Matched entry DEFAULT at line 17
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = ntlm_auth
    +- entering group authenticate {...}
    [ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
    [ntlm_auth]     expand: --password=%{User-Password} -> --password=somepass
    username must be specified!
    # don't understand this... username is two lines up
    # If I shut down winbind, a winbind error precedes "username must be specified!"
    # don't understand why samba is puking a help screen?
    Usage: [OPTION...]
      --helper-protocol=helper protocol to use   operate as a stdio-based helper
      --username=STRING                          username
      --domain=STRING                            domain name
      --workstation=STRING                       workstation
      --challenge=STRING                         challenge (HEX encoded)
      --lm-response=STRING                       LM Response to the challenge (HEX encoded)
      --nt-response=STRING                       NT or NTLMv2 Response to the challenge (HEX encoded)
      --password=STRING                          User's plaintext password
      --request-lm-key                           Retrieve LM session key
      --request-nt-key                           Retrieve User (NT) session key
      --use-cached-creds                         Use cached credentials if no password is given
      --diagnostics                              Perform diagnostics on the authentictaion chain
      --require-membership-of=STRING             Require that a user be a member of this group (either name or SID) for authentication to succeed

    Help options:
      -?, --help                                 Show this help message
      --usage                                    Display brief usage message

    Common samba config:
      --configfile=CONFIGFILE                    Use alternate configuration file

    Common samba options:
      -V, --version                              Print version

    Exec-Program output:
    Exec-Program: returned: 1
    ++[ntlm_auth] returns reject
    Failed to authenticate the user.
    Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> sambatest
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 2 for 2 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Waking up in 0.9 seconds.
    Sending delayed reject for request 2
    Sending Access-Reject of id 4 to 127.0.0.1 port 39195
    Waking up in 4.9 seconds.
    Cleaning up request 2 ID 4 with timestamp +349
    Ready to process requests.
    rad_recv: Access-Request packet from host 127.0.0.1 port 57210, id=225, length=61
            User-Name = "sambatest"
            User-Password = "somepass"
            NAS-IP-Address = 64.126.127.208
            NAS-Port = 0
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [auth_log]      expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
    [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/127.0.0.1/auth-detail-20110218
    [auth_log]      expand: %t -> Fri Feb 18 17:32:09 2011
    ++[auth_log] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = "sambatest", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] users: Matched entry DEFAULT at line 17
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    ++[pap] returns noop
    Found Auth-Type = ntlm_auth
    +- entering group authenticate {...}
    [ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=sambatest
    [ntlm_auth]     expand: --password=%{User-Password} -> --password=Thursday77
    username must be specified!
    Usage: [OPTION...]
      --helper-protocol=helper protocol to use   operate as a stdio-based helper
      --username=STRING                          username
      --domain=STRING                            domain name
      --workstation=STRING                       workstation
      --challenge=STRING                         challenge (HEX encoded)
      --lm-response=STRING                       LM Response to the challenge (HEX encoded)
      --nt-response=STRING                       NT or NTLMv2 Response to the challenge (HEX encoded)
      --password=STRING                          User's plaintext password
      --request-lm-key                           Retrieve LM session key
      --request-nt-key                           Retrieve User (NT) session key
      --use-cached-creds                         Use cached credentials if no password is given
      --diagnostics                              Perform diagnostics on the authentictaion chain
      --require-membership-of=STRING             Require that a user be a member of this group (either name or SID) for authentication to succeed

    Help options:
      -?, --help                                 Show this help message
      --usage                                    Display brief usage message

    Common samba config:
      --configfile=CONFIGFILE                    Use alternate configuration file

    Common samba options:
      -V, --version                              Print version

    Exec-Program output:
    Exec-Program: returned: 1
    ++[ntlm_auth] returns reject
    Failed to authenticate the user.
    Login incorrect: [sambatest/Thursday77] (from client 127.0.0.1 port 0)
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject]     expand: %{User-Name} -> sambatest
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 3 for 2 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Waking up in 0.9 seconds.
    Sending delayed reject for request 3
    Sending Access-Reject of id 225 to 127.0.0.1 port 57210
    Waking up in 4.9 seconds.
    Cleaning up request 3 ID 225 with timestamp +1128
    Ready to process requests.
/etc/krb.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = ADMIN.CYTEWORKS.LOCAL
    # dns_lookup_realm = false
    # all of these entries have been used for testing and are commented out now
    # dns_lookup_kdc = true
    # ticket_lifetime = 24h
    # forwardable = yes
    # default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    # default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    # preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

    [realms]
     ADMIN.CYTEWORKS.LOCAL = {
      kdc = cyteworks.admin.cyteworks.local
      admin_server = cyteworks.admin.cyteworks.local
      default_domain = ADMIN.CYTEWORKS.LOCAL
     }

    [domain_realm]
     .cyteworks.local = ADMIN.CYTEWORKS.LOCAL
     cyteworks.local = ADMIN.CYTEWORKS.LOCAL

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

/etc/samba/smb.conf:

    #======================= Global Settings =====================================
    [global]
            idmap uid = 200000 - 300000
            idmap gid = 200000 - 300000
            workgroup = ADMIN
    ;       netbios name = cyteworks
            realm = ADMIN.CYTEWORKS.LOCAL
            server string = Samba Server Version %v
            security = ads
            local master = no
            domain master = no
            preferred master = no
            winbind separator = +
            winbind uid = 10000-20000
            winbind gid = 10000-20000
            winbind enum users = yes
            winbind enum groups = yes
            winbind use default domain = yes
    ;       interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
            hosts allow = 127. 192.168.5. 192.168.6. 10.12.1. 10.12.2. 10.12.3. 10.12.4 10.88.8

    # --------------------------- Logging Options -----------------------------
    #
    # Log File let you specify where to put logs and how to split them up.
    #
    # Max Log Size let you specify the max size log files should reach

            # logs split per machine
            log file = /var/log/samba/log.%m
            # max 50KB per log file, then rotate
            max log size = 50

    # ----------------------- Domain Members Options ------------------------
    ;       password server = *
            security = ads
    ;       passdb backend = tdbsam
            realm = ADMIN.CYTEWORKS.LOCAL
    ;       password server = 10.12.1.40

Everything else is commented out in smb.conf. Don't need any printers, no shares, etc.

/etc/raddb/radius.conf:

    # -*- text -*-
    ##
    #
    prefix = /usr
    exec_prefix = /usr
    sysconfdir = /etc
    localstatedir = /var
    sbindir = /usr/sbin
    logdir = ${localstatedir}/log/radius
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    name = radiusd
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/${name}
    db_dir = ${raddbdir}
    libdir = /usr/lib/freeradius
    pidfile = ${run_dir}/${name}.pid
    user = radiusd
    group = radiusd
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    listen {
            type = auth
            ipaddr = *
            port = 0
            clients = per_socket_clients
    }
    listen {
            ipaddr = *
            port = 0
            type = acct
            clients = per_socket_clients
    }
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log {
            destination = files
            file = ${logdir}/radius.log
            syslog_facility = daemon
            stripped_names = yes
            auth = yes
            auth_badpass = yes
            auth_goodpass = yes
    }
    checkrad = ${sbindir}/checkrad
    security {
            max_attributes = 200
            reject_delay = 2
            status_server = yes
    }
    proxy_requests = no
    $INCLUDE clients.conf
    thread pool {
            start_servers = 5
            max_servers = 32
            min_spare_servers = 3
            max_spare_servers = 10
            max_requests_per_server = 0
    }
    modules {
            $INCLUDE ${confdir}/modules/
            $INCLUDE eap.conf
    }
    instantiate {
            exec
            expr
            expiration
            logintime
    }
    $INCLUDE policy.conf
    $INCLUDE sites-enabled/

/etc/raddb/clients.conf:

    # -*- text -*-
    ##
    ## clients.conf -- client configuration directives
    ##
    client localhost {
            ipaddr = 127.0.0.1
            secret = somesecret
            require_message_authenticator = yes
            shortname = localhost
            nastype = other     # localhost isn't usually a NAS...
    }
    clients per_socket_clients {
            client 127.0.0.1 {
                    secret = somesecret
            }
            # Juniper - ESR - 01.24.11
            client 192.168.20.254 {
                    secret = somesecret
                    shortname = juniper
                    nastype = netscreen
            }
            # Dell PowerConnect 3448 - ESR - 02.01.11
            client 10.12.1.11 {
                    secret = somesecret
                    shortname = dpc3448
                    nastype = other
            }
    }

/etc/raddb/users

    # -*- text -*-
    #
    # Copyright (C) 2009 Deploying RADIUS Partnerships
    # All rights reserved.
    #
    # Save this file as "raddb/users", after first backing up
    # the copy that you have there.
    #
    # http://deployingradius.com/documents/configuration/pap.html
    #
    # Window 1: radiusd -X
    # Window 2: radtest bob hello localhost 0 testing123
    #
    # ntlm_auth testing ESR 02.17.11
    DEFAULT Auth-Type = ntlm_auth

    #************************ Juniper conf
    # - ESR - 01.24.11
    #some.user      Cleartext-Password := "somepass"
    #       NS-Admin-Privilege := 4,
    #       NS-VSYS-Name := "Read-Only-Admin"

    #some.user      Cleartext-Password := "somepass
    #       NS-Admin-Privilege := 2,
    #       NS-VSYS-Name := "ROOT"
    # End of the file

I commented out the PAP entries in the users file because one of the users has the same user.name in AD but a different password, and that was causing me some conflict.

So, can anyone tell me why I'm not getting an NT_KEY reply when I issue the ntlm_auth command? Is the missing key the reason the radtest command is failing? See any other glaring errors?

Thanks for your time.

E Rossiter
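An added triage helper for reading radiusd -X dumps like the ones above (my code, not from the thread, FreeRADIUS or Samba): it pulls out the chosen Auth-Type, each module's return code, the exec helper's exit status, and the text the helper itself printed, which in these dumps is everything between the last expand: line and "Exec-Program output:" (the "username must be specified!" and usage lines). It also masks the three places where -X output echoes a PAP password, which matters when a dump is pasted to a public list. The sample log is constructed from the thread's lines.

```python
import re

# Constructed sample (not a real capture): a trimmed radiusd -X request shaped
# like the thread's output, with the helper's complaint between the exec lines.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 39195, id=4, length=61
\tUser-Name = "sambatest"
\tUser-Password = "somepass"
+- entering group authorize {...}
++[preprocess] returns ok
++[files] returns ok
++[pap] returns noop
Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]\texpand: --username=%{mschap:User-Name} -> --username=sambatest
[ntlm_auth]\texpand: --password=%{User-Password} -> --password=somepass
username must be specified!
Usage: [OPTION...]
Exec-Program output: 
Exec-Program: returned: 1
++[ntlm_auth] returns reject
Login incorrect: [sambatest/somepass] (from client 127.0.0.1 port 0)
"""

MODULE_RC = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)$")
AUTH_TYPE = re.compile(r"^Found Auth-Type = (\S+)$")
EXEC_RC = re.compile(r"^Exec-Program: returned: (\d+)$")
# Where a PAP password shows up in -X output: the request attribute, the expanded
# exec argument (the unexpanded %{User-Password} template is skipped) and the
# "Login incorrect: [user/password]" summary line.
SECRETS = re.compile(r'(User-Password = "|--password=|Login incorrect: \[[^/\]]*/)'
                     r'(?!%\{)([^"\s\]]*)')

def triage(debug_text):
    """Summarise one request: Auth-Type, module return codes, exec exit status
    and the lines the exec helper printed on its own stdout/stderr."""
    result = {"auth_type": None, "modules": [], "exec_rc": None, "helper_output": []}
    in_exec = False
    for line in debug_text.splitlines():
        if m := AUTH_TYPE.match(line):
            result["auth_type"] = m.group(1)
        elif m := MODULE_RC.match(line):
            result["modules"].append((m.group(1), m.group(2)))
        elif m := EXEC_RC.match(line):
            result["exec_rc"] = int(m.group(1))
        elif line.startswith("Exec-Program output:"):
            in_exec = False          # anything left on this line is helper output too
            if rest := line[len("Exec-Program output:"):].strip():
                result["helper_output"].append(rest)
        elif line.startswith("[ntlm_auth]") and "expand:" in line:
            in_exec = True           # helper output follows the last expansion
        elif in_exec:
            result["helper_output"].append(line)
    return result

def redact(debug_text):
    """Mask plaintext passwords before a debug dump leaves the box."""
    return SECRETS.sub(r"\1<redacted>", debug_text)
```

Run triage() on a full dump to see at a glance that the reject came from the exec module's non-zero exit and what the helper complained about, and pass the dump through redact() before sharing it.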
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html