I'm attempting to follow the guide at http://deployingradius.com/ Things were going very well until I tried to set up Active Directory authentication. Testing with ntlm_auth, I get a success:

$ ntlm_auth --request-nt-key --domain=MYDOMAIN --username=myuname --password=mypass
NT_STATUS_OK: Success (0x0)

But when I test with radtest it fails. I'm not sure I understand all of the debug output, but I think maybe it has to do with it thinking the realm is NULL. I have set it up in both smb.conf and krb5.conf as well as in the mschap module of freeradius. I am using freeradius version 2.1.10 on Ubuntu 11.10. Here's the output from the command line as well as the debug output:

$ radtest -t mschap myuname mypass localhost 0 testing123
Sending Access-Request of id 99 to 127.0.0.1 port 1812
    User-Name = "myuname"
    NAS-IP-Address = <mynasip>
    NAS-Port = 0
    MS-CHAP-Challenge = 0xb89b59d41385c67c
    MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000003edd0cff110926a15d402f5204078f2d78d908e773c3a9c6
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=99, length=20

rad_recv: Access-Request packet from host 127.0.0.1 port 42379, id=209, length=115
    User-Name = "myuname"
    NAS-IP-Address = <mynasip>
    NAS-Port = 0
    MS-CHAP-Challenge = 0x09d5dfb63fba5357
    MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000000704b6897326b27adb243658c300fcd922f008014ee7e25b
Mon Mar 5 14:45:54 2012 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Mar 5 14:45:54 2012 : Info: +- entering group authorize {...}
Mon Mar 5 14:45:54 2012 : Info: ++[preprocess] returns ok
Mon Mar 5 14:45:54 2012 : Info: ++[chap] returns noop
Mon Mar 5 14:45:54 2012 : Info: [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
Mon Mar 5 14:45:54 2012 : Info: ++[mschap] returns ok
Mon Mar 5 14:45:54 2012 : Info: ++[digest] returns noop
Mon Mar 5 14:45:54 2012 : Info: [suffix] No '@' in User-Name = "myuname", looking up realm NULL
Mon Mar 5 14:45:54 2012 : Info: [suffix] No such realm "NULL"
Mon Mar 5 14:45:54 2012 : Info: ++[suffix] returns noop
Mon Mar 5 14:45:54 2012 : Info: [eap] No EAP-Message, not doing EAP
Mon Mar 5 14:45:54 2012 : Info: ++[eap] returns noop
Mon Mar 5 14:45:54 2012 : Info: ++[files] returns noop
Mon Mar 5 14:45:54 2012 : Info: ++[expiration] returns noop
Mon Mar 5 14:45:54 2012 : Info: ++[logintime] returns noop
Mon Mar 5 14:45:54 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Mon Mar 5 14:45:54 2012 : Info: ++[pap] returns noop
Mon Mar 5 14:45:54 2012 : Info: Found Auth-Type = MSCHAP
Mon Mar 5 14:45:54 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Mar 5 14:45:54 2012 : Info: +- entering group MS-CHAP {...}
Mon Mar 5 14:45:54 2012 : Info: [mschap] Told to do MS-CHAPv1 with NT-Password
Mon Mar 5 14:45:54 2012 : Info: [mschap] expand: %{Stripped-User-Name} ->
Mon Mar 5 14:45:54 2012 : Info: [mschap] ... expanding second conditional
Mon Mar 5 14:45:54 2012 : Info: [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
Mon Mar 5 14:45:54 2012 : Info: [mschap] expand: %{User-Name:-None} -> myuname
Mon Mar 5 14:45:54 2012 : Info: [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=myuname
Mon Mar 5 14:45:54 2012 : Info: [mschap] No NT-Domain was found in the User-Name.
Mon Mar 5 14:45:54 2012 : Info: [mschap] expand: %{mschap:NT-DOMAIN} ->
Mon Mar 5 14:45:54 2012 : Info: [mschap] ... expanding second conditional
Mon Mar 5 14:45:54 2012 : Info: [mschap] expand: --domain=%{%{mschap:NT-DOMAIN}:-MYDOMAIN} -> --domain=MYDOMAIN
Mon Mar 5 14:45:54 2012 : Info: [mschap] mschap1: 09
Mon Mar 5 14:45:54 2012 : Info: [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=09d5dfb63fba5357
Mon Mar 5 14:45:54 2012 : Info: [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=0704b6897326b27adb243658c300fcd922f008014ee7e25b
Mon Mar 5 14:45:55 2012 : Debug: Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
Mon Mar 5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
Mon Mar 5 14:45:55 2012 : Debug: Exec-Program: returned: 1
Mon Mar 5 14:45:55 2012 : Info: [mschap] External script failed.
Mon Mar 5 14:45:55 2012 : Info: [mschap] MS-CHAP-Response is incorrect.
Mon Mar 5 14:45:55 2012 : Info: ++[mschap] returns reject
Mon Mar 5 14:45:55 2012 : Info: Failed to authenticate the user.
Mon Mar 5 14:45:55 2012 : Info: Using Post-Auth-Type Reject
Mon Mar 5 14:45:55 2012 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Mar 5 14:45:55 2012 : Info: +- entering group REJECT {...}
Mon Mar 5 14:45:55 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> myuname
Mon Mar 5 14:45:55 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11
Mon Mar 5 14:45:55 2012 : Info: ++[attr_filter.access_reject] returns updated
Mon Mar 5 14:45:55 2012 : Info: Delaying reject of request 0 for 1 seconds
Mon Mar 5 14:45:55 2012 : Debug: Going to the next request
Mon Mar 5 14:45:55 2012 : Debug: Waking up in 0.9 seconds.
Mon Mar 5 14:45:55 2012 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 209 to 127.0.0.1 port 42379
Mon Mar 5 14:45:55 2012 : Debug: Waking up in 4.9 seconds.
Mon Mar 5 14:46:01 2012 : Info: Cleaning up request 0 ID 209 with timestamp +10
Mon Mar 5 14:46:01 2012 : Info: Ready to process requests.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
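The decisive lines in the debug output above are the Exec-Program ones: winbindd refuses the ntlm_auth call that FreeRADIUS spawns because the caller is "not authorized to use winbindd_pam_auth_crap" and points at the permissions of /var/run/samba/winbindd_privileged. The [suffix] "realm NULL" lines are only the suffix module noting that the username has no '@', and it returns noop. The interactive ntlm_auth test succeeds because the shell user can reach that directory; the user FreeRADIUS runs as must be able to traverse it too. The script below is an added example, not part of the original post or of FreeRADIUS or Samba: it checks whether a given daemon user has search permission on the privileged socket directory. It assumes the daemon user is named freerad and the directory's group is winbindd_priv (the Debian/Ubuntu defaults; pass other values as arguments if yours differ) and relies on GNU stat and id.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the user that
# FreeRADIUS runs as can reach winbindd's privileged socket directory.
# ntlm_auth --request-nt-key talks to winbindd through a socket inside
# /var/run/samba/winbindd_privileged; a caller that cannot traverse that
# directory gets "winbind client not authorized to use
# winbindd_pam_auth_crap", as seen in the debug output.
#
# Assumptions: daemon user "freerad", directory group "winbindd_priv"
# (Debian/Ubuntu defaults); GNU stat/id as on Ubuntu.

# Pure decision helper so the logic can be exercised without root or Samba.
#   $1 = group owning the directory, $2 = octal mode as printed by stat -c %a,
#   $3 = space-separated list of the user's groups.
# Prints "ok" when the user has search (x) permission on the directory via
# the "other" bits or via group membership, otherwise "denied".
winbind_priv_verdict() {
    dir_group="$1"
    mode3=$(printf '%s' "$2" | tail -c 3)     # drop a leading setgid/sticky digit
    group_digit=$(printf '%s' "$mode3" | cut -c2)
    other_digit=$(printf '%s' "$mode3" | cut -c3)
    if [ $(( other_digit & 1 )) -eq 1 ]; then
        echo ok
        return 0
    fi
    for g in $3; do
        if [ "$g" = "$dir_group" ] && [ $(( group_digit & 1 )) -eq 1 ]; then
            echo ok
            return 0
        fi
    done
    echo denied
    return 0
}

# Live check against the running system. Returns 0 if the daemon user can
# traverse the directory, 1 if not, 2 if the directory or user is missing.
check_winbind_priv_access() {
    dir="${1:-/var/run/samba/winbindd_privileged}"
    user="${2:-freerad}"
    [ -d "$dir" ] || { echo "missing directory: $dir (is winbindd running?)"; return 2; }
    user_groups=$(id -Gn "$user" 2>/dev/null) || { echo "no such user: $user"; return 2; }
    dir_group=$(stat -c %G "$dir")
    mode=$(stat -c %a "$dir")
    verdict=$(winbind_priv_verdict "$dir_group" "$mode" "$user_groups")
    echo "$dir: group=$dir_group mode=$mode; $user groups: $user_groups -> $verdict"
    [ "$verdict" = ok ]
}

# Usage (as root): sh winbind_priv_check.sh /var/run/samba/winbindd_privileged freerad
if [ "$#" -gt 0 ]; then
    check_winbind_priv_access "$@"
    exit $?
fi
```

If the verdict is "denied", the usual remedy on Debian/Ubuntu is to add the FreeRADIUS user to the directory's group and restart the daemon, rather than loosening the directory mode: the 0750 default is what keeps arbitrary local users from asking winbindd to validate NTLM responses on their behalf.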