Hi Alan,
[ldap] looking for check items in directory...
[ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W ]"
[ldap] userPassword -> Password-With-Header == "..."
[ldap] ntPassword -> NT-Password == 0x34343446...242
Hmm... that looks a lot like it's ASCII. i.e. "444..." Maybe that's
the problem? You have an ASCII string that's being interpreted as the
NT password. Instead, it needs to be interpreted as the *printed* form
of the password.
I had a look in the LDAP, and the ntPassword has the correct length:
ntPassword: 44AFA3XXXXXXXXXXXXXXXXXXXXXXX856
One way to do this is to list "pap" last in the authorize section. It
goes through the various password attributes, and fixes them to be correct.
I did enable pap, but without success.
[ldap] looking for check items in directory...
[ldap] acctFlags -> SMB-Account-CTRL-TEXT == "[W ]"
[ldap] userPassword -> Password-With-Header == "JDEkMWs..."
[ldap] ntPassword -> NT-Password == 0x34343446...
[ldap] looking for reply items in directory...
[ldap] user host/dti-dahport authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] Failed to decode Password-With-Header = "JDEkMWs..."
[pap] Normalizing NT-Password from hex encoding
[pap] WARNING: Auth-Type already set. Not setting to PAP
...
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: host/dti-dahport
[mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password
[mschap] FAILED: MS-CHAP2-Response is incorrect
Is it possible that the issue is somewhere else? The nt/lmPassword are
properly handled when we do user auth, and the printout in debug is also
in a 0xsomething format.
--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
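
Added example, not part of the original message and not FreeRADIUS code: a small Python check for the distinction discussed in the thread, between the 16 raw octets of an NT hash and the 32 ASCII characters of its printed form as they appear in a `0x...` debug value. The function names and the sample hash are constructed for illustration.

```python
import binascii
import string

NT_HASH_LEN = 16  # an NT hash is an MD4 digest: 16 raw bytes
HEX_CHARS = set(string.hexdigits.encode("ascii"))


def parse_debug_value(printed):
    """Turn a debug-style '0x...' value into the bytes the server holds."""
    if not printed.lower().startswith("0x"):
        raise ValueError("expected a 0x-prefixed octet string")
    return binascii.unhexlify(printed[2:])


def classify(value):
    """Classify an NT-Password octet value by its length and content."""
    if len(value) == NT_HASH_LEN:
        return "raw"        # already the 16-byte hash
    if len(value) == 2 * NT_HASH_LEN and all(b in HEX_CHARS for b in value):
        return "hex-text"   # ASCII characters of the printed form
    return "invalid"


def normalize(value):
    """Return the 16-byte hash, decoding the printed form if necessary."""
    kind = classify(value)
    if kind == "raw":
        return value
    if kind == "hex-text":
        return binascii.unhexlify(value)
    raise ValueError("not an NT hash: %d bytes" % len(value))


# Constructed sample: the directory stores the hash as 32 hex characters.
SAMPLE_LDAP = "00112233445566778899AABBCCDDEEFF"
# What a debug line shows when those characters are taken as the octets.
SAMPLE_DEBUG = "0x" + binascii.hexlify(SAMPLE_LDAP.encode("ascii")).decode()

if __name__ == "__main__":
    held = parse_debug_value(SAMPLE_DEBUG)
    print(SAMPLE_DEBUG[:10], len(held), classify(held))
    print(binascii.hexlify(normalize(held)).decode())
```

A debug value whose octets all fall in 0x30-0x39, 0x41-0x46 or 0x61-0x66 and whose decoded length is 32 is the printed form; after normalization it should be 16 bytes.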